# SSL/TLS in ProxySQL
ProxySQL supports SSL/TLS for both frontend connections (application to ProxySQL) and backend connections (ProxySQL to MySQL). This encrypts all database traffic in transit — essential for production environments, especially when ProxySQL and MySQL are on different network segments.
| Connection | Direction | Config Location |
|---|---|---|
| Frontend SSL | App → ProxySQL | global_variables (mysql-have_ssl) |
| Backend SSL | ProxySQL → MySQL | mysql_servers (use_ssl=1) |
| Admin SSL | DBA → Admin interface | global_variables (admin-ssl_*) |
## Step 1 — Generate SSL Certificates

BASH — Generate SSL Certificates

```bash
# Generate CA key and certificate
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=ProxySQL-CA"

# Generate ProxySQL server key and certificate
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server-csr.pem -subj "/CN=proxysql-server"
openssl x509 -req -days 3650 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

# Generate client key and certificate
openssl genrsa -out client-key.pem 4096
openssl req -new -key client-key.pem -out client-csr.pem -subj "/CN=proxysql-client"
openssl x509 -req -days 3650 -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem

# Copy to ProxySQL data directory
# (ca-key.pem is not copied: the CA private key is only needed to sign new certificates)
cp ca-cert.pem server-cert.pem server-key.pem /var/lib/proxysql/
chmod 600 /var/lib/proxysql/*.pem
chown proxysql:proxysql /var/lib/proxysql/*.pem
```
## Step 2 — Enable Frontend SSL in ProxySQL

SQL — Enable Frontend SSL

```sql
-- Connect to ProxySQL Admin
-- Enable SSL for frontend connections (apps to ProxySQL)
UPDATE global_variables SET variable_value='true'
WHERE variable_name='mysql-have_ssl';

-- Set certificate paths
UPDATE global_variables SET variable_value='/var/lib/proxysql/server-cert.pem'
WHERE variable_name='mysql-ssl_p2s_cert';
UPDATE global_variables SET variable_value='/var/lib/proxysql/server-key.pem'
WHERE variable_name='mysql-ssl_p2s_key';
UPDATE global_variables SET variable_value='/var/lib/proxysql/ca-cert.pem'
WHERE variable_name='mysql-ssl_p2s_ca';

-- Set TLS version (TLSv1.2 minimum recommended)
UPDATE global_variables SET variable_value='TLSv1.2,TLSv1.3'
WHERE variable_name='mysql-ssl_p2s_tls_versions';

LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL VARIABLES TO DISK;
```
## Step 3 — Enable Backend SSL (ProxySQL to MySQL)

SQL — Enable Backend SSL

```sql
-- Enable SSL for specific backend servers
UPDATE mysql_servers SET use_ssl=1
WHERE hostgroup_id IN (10, 20);

LOAD MYSQL SERVERS TO RUNTIME;
SAVE MYSQL SERVERS TO DISK;

-- Verify SSL is configured on MySQL backend
-- Run this on the MySQL server:
-- SHOW VARIABLES LIKE '%ssl%';
-- SHOW STATUS LIKE 'Ssl_cipher';
```
## Step 4 — Require SSL for Specific Users

SQL — Force SSL per User

```sql
-- Force a user to always use SSL
UPDATE mysql_users SET use_ssl=1
WHERE username='appuser';

LOAD MYSQL USERS TO RUNTIME;
SAVE MYSQL USERS TO DISK;
```
## Step 5 — Test SSL Connection

BASH — Test SSL Connection

```bash
# Connect to ProxySQL with SSL
mysql -u appuser -pAppPass123! -h 192.168.1.10 -P 6033 \
  --ssl-ca=/path/to/ca-cert.pem \
  --ssl-cert=/path/to/client-cert.pem \
  --ssl-key=/path/to/client-key.pem \
  -e "SHOW STATUS LIKE 'Ssl_cipher';"

# Verify SSL is active on the connection
mysql -u appuser -pAppPass123! -h 192.168.1.10 -P 6033 --ssl-mode=REQUIRED \
  -e "SELECT @@hostname, @@port;"
```
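The script below is an added example, not code from this page or from the ProxySQL project. It ties Step 1 and Step 5 together: `verify_chain` checks a generated certificate before it is copied into `/var/lib/proxysql` (it chains to the intended CA, the private key matches the certificate, it is not expiring within 30 days, and the key is not group- or world-readable), and `probe_tls_versions` reports which protocol versions a listener actually negotiates, which is how to confirm that a `mysql-ssl_p2s_tls_versions` setting of `TLSv1.2,TLSv1.3` took effect. To run offline it constructs its own throwaway CA and certificates (2048-bit, 365 days, rather than the page's 4096-bit, 3650 days), a second unrelated "rogue" CA whose certificates must be rejected, and a local `openssl s_server` pinned to TLS 1.2 that stands in for a ProxySQL frontend; the function names, the fixture names, and the use of `openssl s_client -starttls mysql` against a real ProxySQL on 192.168.1.10:6033 are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or ProxySQL): certificate sanity checks for
# Step 1 and a TLS-version probe for Step 5. Requires only the openssl CLI.
set -eu

WORK=$(mktemp -d)                      # throwaway directory for constructed fixtures
SERVER_PID=""
cleanup() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
  rm -rf "$WORK"
}
trap cleanup EXIT

# make_ca DIR NAME: self-signed CA (constructed fixture; 2048-bit/365 days to keep the run fast)
make_ca() {
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$1/$2-key.pem" -out "$1/$2-cert.pem" -subj "/CN=$2" 2>/dev/null
}

# make_leaf DIR NAME CA: key + CSR + certificate signed by CA, key locked to 0600 as in Step 1
make_leaf() {
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/$2-key.pem" -out "$1/$2-csr.pem" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/$2-csr.pem" -CA "$1/$3-cert.pem" -CAkey "$1/$3-key.pem" \
    -CAcreateserial -out "$1/$2-cert.pem" 2>/dev/null
  chmod 600 "$1/$2-key.pem"
}

# verify_chain CA CERT KEY: prints "OK" (exit 0) or "FAIL: reason" (exit 1).
# Run this before copying files into /var/lib/proxysql: a cert/key mismatch or a
# certificate from the wrong CA is otherwise only discovered as a failed handshake.
verify_chain() {
  ca=$1; cert=$2; key=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $cert"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: $cert expires within 30 days"; return 1
  fi
  # ls -l columns 5-10 are the group/other permission bits; anything but ------ is too open
  if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is readable by group or others"; return 1
  fi
  echo "OK"
}

# probe_tls_versions HOST PORT [STARTTLS]: one line per protocol version, e.g. "TLSv1.2 accepted".
# Against a real ProxySQL frontend: probe_tls_versions 192.168.1.10 6033 mysql
# (assumes openssl's -starttls mysql drives ProxySQL's handshake as it does MySQL's).
# "not negotiated" also covers versions the local openssl build itself no longer offers.
probe_tls_versions() {
  host=$1; port=$2; starttls=${3:-}
  extra=""
  if [ -n "$starttls" ]; then extra="-starttls $starttls"; fi
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    case $v in tls1) label=TLSv1.0;; tls1_1) label=TLSv1.1;; tls1_2) label=TLSv1.2;; *) label=TLSv1.3;; esac
    # $extra is intentionally unquoted so "-starttls mysql" splits into two arguments
    if openssl s_client -connect "$host:$port" "-$v" $extra </dev/null >/dev/null 2>&1; then
      echo "$label accepted"
    else
      echo "$label not negotiated"
    fi
  done
}

# start_tls12_server PORT CERT KEY: local openssl s_server pinned to TLS 1.2 only,
# standing in for a ProxySQL frontend (constructed fixture, not ProxySQL itself)
start_tls12_server() {
  openssl s_server -accept "$1" -cert "$2" -key "$3" -tls1_2 -www >/dev/null 2>&1 &
  SERVER_PID=$!
  for i in 1 2 3 4 5 6 7 8 9 10; do        # wait until the listener answers
    if openssl s_client -connect "127.0.0.1:$1" -tls1_2 </dev/null >/dev/null 2>&1; then return 0; fi
    sleep 1
  done
  echo "server did not start on port $1" >&2; return 1
}

PORT=$((20000 + $$ % 10000))             # a high port unlikely to collide with anything local
make_ca "$WORK" ca
make_leaf "$WORK" server ca
make_ca "$WORK" rogue-ca                 # unrelated CA: its certificates must be rejected
make_leaf "$WORK" rogue-server rogue-ca
start_tls12_server "$PORT" "$WORK/server-cert.pem" "$WORK/server-key.pem"

verify_chain "$WORK/ca-cert.pem" "$WORK/server-cert.pem" "$WORK/server-key.pem"
verify_chain "$WORK/ca-cert.pem" "$WORK/rogue-server-cert.pem" "$WORK/rogue-server-key.pem" || true
probe_tls_versions 127.0.0.1 "$PORT"
```

Run as-is it prints `OK` for the proper server certificate, a `FAIL:` line for the rogue one, and `TLSv1.2 accepted` with every other version `not negotiated`, which is the pattern to expect from a ProxySQL frontend restricted to TLS 1.2 and 1.3 once TLS 1.3 is also enabled there. Point `probe_tls_versions` at the real frontend only after the local run behaves, so a surprising result can be attributed to the ProxySQL configuration rather than to the probe.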
## SSL Variables Reference
| Variable | Description |
|---|---|
| mysql-have_ssl | Enable SSL support for frontend |
| mysql-ssl_p2s_ca | Path to CA certificate file |
| mysql-ssl_p2s_cert | Path to server certificate |
| mysql-ssl_p2s_key | Path to server private key |
| mysql-ssl_p2s_tls_versions | Allowed TLS versions |
| mysql-ssl_p2s_cipher | Allowed cipher suites |
| mysql_servers.use_ssl | Use SSL for backend connection (0/1) |
| mysql_users.use_ssl | Require SSL for this user (0/1) |
⚠ Warning: Enabling SSL adds CPU overhead. Use hardware acceleration (AES-NI) and TLSv1.3 for best performance. Always test throughput after enabling SSL in production.