https://github.com/cppforlife/mysql-proxy
MySQL proxy for terminating TLS
- Host: GitHub
- URL: https://github.com/cppforlife/mysql-proxy
- Owner: cppforlife
- License: apache-2.0
- Created: 2018-10-08T22:25:26.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2023-10-16T10:59:07.000Z (over 2 years ago)
- Last Synced: 2025-04-24T01:05:29.772Z (10 months ago)
- Language: Go
- Homepage:
- Size: 11.7 KB
- Stars: 10
- Watchers: 1
- Forks: 4
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## mysql-proxy
MySQL proxy that terminates TLS from clients and forwards the connection to the MySQL server in plaintext. It requires no changes to the server or to clients. Note that the proxy-to-server leg carries the authentication exchange and all query traffic unencrypted, so run the proxy on the same host as the server (or on a network you trust to the same degree as the server itself).
```bash
$ go build proxy.go
$ ./proxy 3306 3307 ./server.crt ./server.key
```
## Protocol
### No TLS
Proxy forwards initial handshakes and auth results without any modifications.
```
Server Proxy Client
<----------------------- tcp connection initiated
-----------------------> server sends handshake packet
<----------------------- client responds with full handshake (with the challenge-scrambled password)
-----------------------> if password is correct, reply with auth ok
(packet seq reset to 0)
(copying both ways)
```
### With TLS
Without proxy:
```
Server Client
<----------------------- tcp connection initiated
-----------------------> server sends handshake packet
<----------------------- client responds with short handshake
<----------------------- tls connection initialized
<----------------------- client responds with full handshake
-----------------------> if password is correct, reply with auth ok
(packet seq reset to 0)
(copying both ways)
```
The proxy drops the client's short handshake (Protocol::SSLRequest), completes the TLS handshake itself, then rewrites the client's full handshake response to clear the CLIENT_SSL capability flag before forwarding it, so the server carries on in plaintext. Because the dropped packet consumed a sequence number on the client side, the proxy also renumbers the client's full handshake and the server's auth reply so that each side sees the sequence id it expects. The server's initial handshake packet is passed through unmodified; clients that require TLS check that the server advertises the CLIENT_SSL capability, so the backing MySQL server must advertise it in its own handshake (the proxy does not add it).
```
Server Proxy Client
<----------------------- tcp connection initiated
-----------------------> server sends handshake packet
<------------ client responds with short handshake
proxy will drop short handshake
proxy prepares to receive tls handshake from client
<------------ tls connection initialized
<-------- ~~~ <--------- client responds with full handshake
proxy rewrites packet seq number
proxy removes "client supports ssl" flag
--------> ~~~ ---------> if password is correct, server replies with auth ok
proxy rewrites packet seq number
(packet seq reset to 0)
(copying both ways)
```
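The packet handling the two diagrams above describe, as an added example in Go that is not the proxy's own code: it parses the MySQL packet header (3-byte little-endian payload length plus 1-byte sequence id), recognises the 32-byte Protocol::SSLRequest and drops it, clears CLIENT_SSL in the HandshakeResponse41 that arrives after TLS, and renumbers the sequence ids in both directions. The capability-flag values are the protocol's; the function names, the `Packet` type and the sample packets built by `SSLRequestPayload` and `HandshakeResponsePayload` are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Capability flags from the MySQL client/server protocol, plus the two fixed sizes
// the rewrite relies on: the 4-byte packet header and the 32-byte SSLRequest body
// (caps(4) + max packet size(4) + charset(1) + reserved(23)).
const (
	clientProtocol41       = 0x00000200
	clientSSL              = 0x00000800
	clientSecureConnection = 0x00008000
	headerLen              = 4
	sslRequestLen          = 32
)

// Packet is one MySQL protocol packet with its header already parsed.
type Packet struct {
	Seq     byte
	Payload []byte
}

// ParsePacket splits one complete wire packet into sequence id and payload.
func ParsePacket(raw []byte) (Packet, error) {
	if len(raw) < headerLen {
		return Packet{}, errors.New("short packet header")
	}
	n := int(raw[0]) | int(raw[1])<<8 | int(raw[2])<<16
	if len(raw) != headerLen+n {
		return Packet{}, fmt.Errorf("header says %d payload bytes, got %d", n, len(raw)-headerLen)
	}
	return Packet{Seq: raw[3], Payload: raw[headerLen:]}, nil
}

// Encode serialises the payload under a fresh header carrying seq.
func (p Packet) Encode(seq byte) []byte {
	n := len(p.Payload)
	out := make([]byte, headerLen+n)
	out[0], out[1], out[2], out[3] = byte(n), byte(n>>8), byte(n>>16), seq
	copy(out[headerLen:], p.Payload)
	return out
}

// Capabilities reads the client capability flags that open both the
// Protocol::SSLRequest and the HandshakeResponse41 payloads.
func (p Packet) Capabilities() (uint32, error) {
	if len(p.Payload) < 4 {
		return 0, errors.New("payload too short for capability flags")
	}
	return binary.LittleEndian.Uint32(p.Payload[:4]), nil
}

// IsSSLRequest reports whether this is the 32-byte "short handshake" a
// TLS-capable client sends right before it starts the TLS handshake.
func (p Packet) IsSSLRequest() bool {
	caps, err := p.Capabilities()
	return err == nil && len(p.Payload) == sslRequestLen &&
		caps&clientProtocol41 != 0 && caps&clientSSL != 0
}

// StripClientSSL copies a HandshakeResponse41 with CLIENT_SSL cleared so the server
// continues in plaintext; username, scrambled password and the rest stay intact.
func (p Packet) StripClientSSL() (Packet, error) {
	caps, err := p.Capabilities()
	if err != nil {
		return Packet{}, err
	}
	if len(p.Payload) <= sslRequestLen {
		return Packet{}, errors.New("not a full HandshakeResponse41")
	}
	out := make([]byte, len(p.Payload))
	copy(out, p.Payload)
	binary.LittleEndian.PutUint32(out[:4], caps&^clientSSL)
	return Packet{Seq: p.Seq, Payload: out}, nil
}

// HandleClientPacket models the proxy's client-facing decisions. Before TLS is up an
// SSLRequest is swallowed and the caller is told to run the TLS handshake, while any
// other packet belongs to a plain client and is forwarded verbatim. After TLS is up
// the HandshakeResponse41 is forwarded with CLIENT_SSL cleared and its sequence id
// decremented, because the server never saw the dropped SSLRequest.
func HandleClientPacket(raw []byte, tlsEstablished bool) (forward []byte, startTLS bool, err error) {
	p, err := ParsePacket(raw)
	if err != nil {
		return nil, false, err
	}
	if !tlsEstablished {
		if p.IsSSLRequest() {
			return nil, true, nil
		}
		return raw, false, nil
	}
	if p.Seq == 0 {
		return nil, false, errors.New("handshake response cannot carry sequence id 0")
	}
	stripped, err := p.StripClientSSL()
	if err != nil {
		return nil, false, err
	}
	return stripped.Encode(p.Seq - 1), false, nil
}

// RewriteServerAuthReply bumps the server's auth-result sequence id by one so it
// matches what a client that did send an SSLRequest expects to see next.
func RewriteServerAuthReply(raw []byte) ([]byte, error) {
	p, err := ParsePacket(raw)
	if err != nil {
		return nil, err
	}
	return p.Encode(p.Seq + 1), nil
}

// SSLRequestPayload builds a constructed Protocol::SSLRequest body (sample data).
func SSLRequestPayload(caps uint32) []byte {
	b := make([]byte, sslRequestLen)
	binary.LittleEndian.PutUint32(b[0:4], caps)
	binary.LittleEndian.PutUint32(b[4:8], 16*1024*1024) // max packet size
	b[8] = 0x21                                        // utf8_general_ci; bytes 9..31 stay zero (reserved)
	return b
}

// HandshakeResponsePayload builds a constructed HandshakeResponse41 body: the SSLRequest
// prefix, NUL-terminated username and a 1-byte-length-prefixed auth response.
func HandshakeResponsePayload(caps uint32, user string, authResp []byte) []byte {
	b := SSLRequestPayload(caps)
	b = append(b, user...)
	b = append(b, 0, byte(len(authResp)))
	return append(b, authResp...)
}

func main() {
	caps := uint32(clientProtocol41 | clientSSL | clientSecureConnection)
	short := Packet{Payload: SSLRequestPayload(caps)}.Encode(1)
	_, startTLS, _ := HandleClientPacket(short, false)
	fmt.Println("SSLRequest dropped, start TLS:", startTLS)
	full := Packet{Payload: HandshakeResponsePayload(caps, "app", []byte{0xde, 0xad})}.Encode(2)
	fwd, _, _ := HandleClientPacket(full, true)
	p, _ := ParsePacket(fwd)
	c, _ := p.Capabilities()
	fmt.Printf("forwarded to server: seq=%d CLIENT_SSL=%v\n", p.Seq, c&clientSSL != 0)
}
```

The sequence arithmetic is the part that is easy to get wrong: with the SSLRequest dropped, the server sees the client's full handshake as sequence 1 (not 2) and answers with sequence 2, which the client, having sent two packets, expects as sequence 3. Both rewrites are pure header changes; the payloads are untouched apart from the single capability bit.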
Reference:
- [go-sql-driver/mysql's writeHandshakeResponsePacket](https://github.com/go-sql-driver/mysql/blob/7ac0064e822156a17a6b598957ddf5e0287f8288/packets.go#L246)
- [mysql's packet-Protocol::SSLRequest](https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::SSLRequest)
## TODO
- add connection deadlines
- set connection tcp keepalive