Mysql

MySQL 伺服器不會在非標準埠上啟動

  • October 16, 2017

我試圖允許外部客戶端通過極其嚴格的大學防火牆訪問我的數據庫伺服器,即只打開埠 80 和 443。為了允許客戶端與伺服器通信,我計劃將伺服器偵聽的埠從(MySQL 預設)埠 3306 更改為埠 80。更改 /var/mysql/my.cnf 文件中的設置以反映更改我想弄,mysql伺服器拒絕啟動。

Server: Debian 8.0 x64
MySQL Server: 5.5.57-0+deb8u1

MySQL的配置:(/etc/mysql/my.cnf)

[client]
port        = 80
socket      = /var/run/mysqld/mysqld.sock

[mysqld_safe]
socket      = /var/run/mysqld/mysqld.sock
nice        = 0

[mysqld]
user        = mysql
pid-file    = /var/run/mysqld/mysqld.pid
socket      = /var/run/mysqld/mysqld.sock
port        = 80
basedir     = /usr
datadir     = /var/lib/mysql
tmpdir      = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#bind-address       = 127.0.0.1
key_buffer      = 16M
max_allowed_packet  = 16M
thread_stack        = 192K
thread_cache_size       = 8
myisam-recover         = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10
query_cache_limit   = 1M
query_cache_size        = 16M
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1
log_error = /var/log/mysql/error.log
expire_logs_days    = 10
max_binlog_size         = 100M

[mysqldump]
quick
quote-names
max_allowed_packet  = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer      = 16M

!includedir /etc/mysql/conf.d/

注意:所做的唯一更改是

$$ client $$港口,$$ mysqld $$埠,並評論了“綁定地址”。 在嘗試啟動伺服器時,日誌 (/var/log/mysql/error.log) 指出:

171013  1:25:50 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
171013  1:25:50 [Note] Plugin 'FEDERATED' is disabled.
171013  1:25:50 InnoDB: The InnoDB memory heap is disabled
171013  1:25:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
171013  1:25:50 InnoDB: Compressed tables use zlib 1.2.8
171013  1:25:50 InnoDB: Using Linux native AIO
171013  1:25:50 InnoDB: Initializing buffer pool, size = 128.0M
171013  1:25:50 InnoDB: Completed initialization of buffer pool
171013  1:25:50 InnoDB: highest supported file format is Barracuda.
171013  1:25:51  InnoDB: Waiting for the background threads to start
171013  1:25:52 InnoDB: 5.5.57 started; log sequence number 1595685
171013  1:25:52 [Note] Server hostname (bind-address): '0.0.0.0'; port: 80
171013  1:25:52 [Note]   - '0.0.0.0' resolves to '0.0.0.0';
171013  1:25:52 [Note] Server socket created on IP: '0.0.0.0'.
171013  1:25:52 [ERROR] Can't start server: Bind on TCP/IP port: Permission denied
171013  1:25:52 [ERROR] Do you already have another mysqld server running on port: 80 ?
171013  1:25:52 [ERROR] Aborting

171013  1:25:52  InnoDB: Starting shutdown...
171013  1:25:52  InnoDB: Shutdown completed; log sequence number 1595685
171013  1:25:52 [Note] /usr/sbin/mysqld: Shutdown complete

這表明埠 80 正在被另一個程序使用,但對於全新安裝的伺服器而言,情況並非如此。僅額外安裝了 MySQL-server 和 Fail2Ban,其他程序無法使用它。

’netstat -pln’ 證實了這一點:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3070/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      3070/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     969834547 1/systemd           /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     969834550 1/systemd           /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     970364573 1/systemd           /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     972931518 5692/python         /var/run/fail2ban/fail2ban.sock

任何人都可以建議對此進行修復和/或解釋為什麼伺服器不會從埠 80 開始?

正如 Esa Jokinen 所建議的,我關閉了伺服器的 HTTPS 埠 - 並將其專用於 SSH。然後我被允許通過帶有隧道的大學防火牆,因為內容沒有被過濾。使用 PuTTY,我能夠創建此隧道並為其分配一個埠以允許 MySQL 流量通過 - 真是太好了!

對於希望在 Windows 上執行相同操作的任何人,我都遵循了本指南;

https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/

鑑於這些限制

  • 只有埠80443可用

並牢記安全

  • MySQL 不應以 root 身份執行(特權埠< 1024需要 root 訪問權限)
  • 最好避免讓 MySQL 監聽公共 IP

**我建議讓 SSH 或 OpenVPN 監聽 port 443。**這樣,您可以將 MySQL 保持在預設埠上3306,並且只允許從localhost(在 SSH 隧道的情況下)或 OpenVPN 使用的內部 IP 池進行訪問。使這種方法更好的其他原因包括:

  • 防火牆可能對埠進行內容過濾80。透明代理會丟棄 MySQL 流量,因為它只假設 HTTP 流量。
  • 嘗試在 port 上檢測加密的非 HTTPS 流量很難且不常見443。因此,SSH 和 OpenVPN 都可以在大多數遠端位置上執行。
  • 您最終不會單獨保留埠80443MySQL。這意味著您最多可以允許 2 種不同的協議,而使用 SSH 隧道或 VPN,如果將來服務數量增加,您將沒有任何限制。

引用自:https://serverfault.com/questions/878247

相關問答

Firewall

如何在 Centos7 上使用防火牆刪除對埠的訪問?

  • November 7, 2021
檢視問答
Firewall

systemd-timesyncd 需要打開傳入的臨時埠

  • September 23, 2021
檢視問答
Ubuntu

在 ubuntu 上打開埠 5432

  • July 19, 2021
檢視問答
Domain-Name-System

根據主機名而不是 IP 地址授予對 MySQL 實例的訪問權限?

  • June 11, 2021
檢視問答
Linux

變數“general_log_file”不能設置為“/var/lib/msyql/ubuntu.log”的值

  • June 8, 2021
檢視問答
Mysql

MySQL Slave 卡在單個 bin 日誌 + bin 日誌位置 17 小時以上

  • February 26, 2021
檢視問答