MySQL server won't start on a non-standard port
I am trying to allow external clients to access my database server through an extremely strict university firewall, i.e. only ports 80 and 443 are open. To let clients talk to the server, I planned to change the port the server listens on from the MySQL default of 3306 to port 80. After changing the settings in the /var/mysql/my.cnf file to reflect the change I want, the mysql server refuses to start.
Server: Debian 8.0 x64
MySQL Server: 5.5.57-0+deb8u1
MySQL configuration (/etc/mysql/my.cnf):
```ini
[client]
port = 80
socket = /var/run/mysqld/mysqld.sock

[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0

[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 80
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#bind-address = 127.0.0.1
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
query_cache_limit = 1M
query_cache_size = 16M
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer = 16M

!includedir /etc/mysql/conf.d/
```
Note: the only changes made were the `[client]` port, the `[mysqld]` port, and commenting out "bind-address". When trying to start the server, the log (/var/log/mysql/error.log) states:
```
171013  1:25:50 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
171013  1:25:50 [Note] Plugin 'FEDERATED' is disabled.
171013  1:25:50 InnoDB: The InnoDB memory heap is disabled
171013  1:25:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
171013  1:25:50 InnoDB: Compressed tables use zlib 1.2.8
171013  1:25:50 InnoDB: Using Linux native AIO
171013  1:25:50 InnoDB: Initializing buffer pool, size = 128.0M
171013  1:25:50 InnoDB: Completed initialization of buffer pool
171013  1:25:50 InnoDB: highest supported file format is Barracuda.
171013  1:25:51 InnoDB: Waiting for the background threads to start
171013  1:25:52 InnoDB: 5.5.57 started; log sequence number 1595685
171013  1:25:52 [Note] Server hostname (bind-address): '0.0.0.0'; port: 80
171013  1:25:52 [Note]   - '0.0.0.0' resolves to '0.0.0.0';
171013  1:25:52 [Note] Server socket created on IP: '0.0.0.0'.
171013  1:25:52 [ERROR] Can't start server: Bind on TCP/IP port: Permission denied
171013  1:25:52 [ERROR] Do you already have another mysqld server running on port: 80 ?
171013  1:25:52 [ERROR] Aborting

171013  1:25:52 InnoDB: Starting shutdown...
171013  1:25:52 InnoDB: Shutdown completed; log sequence number 1595685
171013  1:25:52 [Note] /usr/sbin/mysqld: Shutdown complete
```
This suggests that port 80 is being used by another process, but that is not the case on a freshly installed server. Only MySQL-server and Fail2Ban were installed additionally, and no other program should be using it.
`netstat -pln` confirms this:
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3070/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      3070/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node    PID/Program name    Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     969834547 1/systemd           /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     969834550 1/systemd           /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     970364573 1/systemd           /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     972931518 5692/python         /var/run/fail2ban/fail2ban.sock
```
Can anyone suggest a fix and/or explain why the server won't start on port 80?

As Esa Jokinen suggested, I closed the server's HTTPS port and dedicated it to SSH. I was then allowed through the university firewall with a tunnel, since the content is not filtered. Using PuTTY I was able to create this tunnel and assign it a port to let MySQL traffic through - works great!
For anyone wanting to do the same on Windows, I followed this guide:
https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/
Given the limitations

- only ports 80 and 443 are available

and keeping security in mind

- MySQL should not run as root (privileged ports < 1024 require root access)
- it is better to avoid having MySQL listen on a public IP

**I'd suggest having SSH or OpenVPN listen on port 443.** That way you can keep MySQL on the default port 3306 and only allow access from localhost (in the case of an SSH tunnel) or from the internal IP pool used by OpenVPN. Other reasons that make this approach better include:

- The firewall may do content filtering on port 80. A transparent proxy would drop MySQL traffic, because it assumes only HTTP traffic.
- Trying to detect encrypted non-HTTPS traffic on port 443 is hard and uncommon. Therefore both SSH and OpenVPN work from most remote locations.
- You don't end up reserving port 80 or 443 for MySQL alone. That would mean you can allow at most 2 different protocols, whereas with an SSH tunnel or VPN you have no such limit if the number of services grows in the future.
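As an added illustration of the privileged-port point in this answer (example code, not from the original question or answer): the mysqld log above reports only "Permission denied" and then guesses at a port clash, but the errno that bind() raises tells the two apart. The snippet reproduces the bind attempt as the current user and classifies the result; the addresses and ports used are illustrative only.

```python
import errno
import socket

# Linux: binding a TCP port below this needs root (or CAP_NET_BIND_SERVICE).
# mysqld on this page runs as user 'mysql', so bind() on port 80 returns EACCES.
PRIVILEGED_PORT_LIMIT = 1024


def is_privileged_port(port: int) -> bool:
    """True for ports an unprivileged service account cannot bind."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def try_bind(host: str, port: int) -> int:
    """Attempt a TCP bind on host:port; return the errno, or 0 on success.

    The socket is closed right away, so nothing is left listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


def diagnose_bind(host: str, port: int) -> str:
    """Classify the outcome: 'ok', 'permission-denied', 'in-use' or 'error:<NAME>'."""
    code = try_bind(host, port)
    if code == 0:
        return "ok"
    if code == errno.EACCES:
        return "permission-denied"  # the case in the question: port 80 as user mysql
    if code == errno.EADDRINUSE:
        return "in-use"             # what the log's "another mysqld?" hint suggested
    return "error:" + errno.errorcode.get(code, str(code))


def occupy_port(host: str = "127.0.0.1") -> tuple:
    """Listen on an ephemeral port to simulate a port already taken; caller closes it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    for port in (80, 443, 3306):
        print(f"port {port}: privileged={is_privileged_port(port)} "
              f"bind={diagnose_bind('0.0.0.0', port)}")
```

Run as a non-root user, port 80 and 443 report `permission-denied` while 3306 reports `ok` (or `in-use` if a local mysqld already listens there).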