Configuring SSL certificates for phpMyAdmin connections to MySQL

one234

Video demo: https://www.bilibili.com/video/BV1oy4y1b7yR/

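When phpMyAdmin connects to a MySQL Server on localhost, it communicates over a Unix socket.

When phpMyAdmin connects to a remote MySQL server and the traffic needs to be encrypted, this is done by configuring SSL.

Taking Ubuntu as an example, MySQL has SSL enabled by default after installation, and the data directory /var/lib/mysql usually contains the following files: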

ca.pem

client-cert.pem

client-key.pem

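Simply copy these 3 files to the server that hosts phpMyAdmin, then change the phpMyAdmin SSL configuration.

Switch to the root directory of the phpMyAdmin deployment and copy the SSL-related options from libraries/config.default.php into config.inc.php in the root directory.

If the root directory has no config.inc.php, copy config.sample.inc.php to config.inc.php.

In other words, add the following configuration to config.inc.php in the root directory: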

/**
* Use SSL for connecting to MySQL server?
*
* @global boolean $cfg['Servers'][$i]['ssl']
*/
$cfg['Servers'][$i]['ssl'] = true;

/**
* Path to the key file when using SSL for connecting to the MySQL server
*
* @global string $cfg['Servers'][$i]['ssl_key']
*/
$cfg['Servers'][$i]['ssl_key'] = 'path/to/client-key.pem';

/**
* Path to the cert file when using SSL for connecting to the MySQL server
*
* @global string $cfg['Servers'][$i]['ssl_cert']
*/
$cfg['Servers'][$i]['ssl_cert'] = 'path/to/client-cert.pem';

/**
* Path to the CA file when using SSL for connecting to the MySQL server
*
* @global string $cfg['Servers'][$i]['ssl_ca']
*/
$cfg['Servers'][$i]['ssl_ca'] = 'path/to/ca.pem';

/**
* Directory containing trusted SSL CA certificates in PEM format
*
* @global string $cfg['Servers'][$i]['ssl_ca_path']
*/
$cfg['Servers'][$i]['ssl_ca_path'] = 'path/to/';

/**
* List of allowable ciphers for SSL connections to the MySQL server
*
* @global string $cfg['Servers'][$i]['ssl_ciphers']
*/
$cfg['Servers'][$i]['ssl_ciphers'] = null;

/**
* MySQL 5.6 or later triggers the mysqlnd driver in PHP to validate the
* peer_name of the SSL certificate
* For most self-signed certificates this is a problem. Setting this to false
* will disable the check and allow the connection (PHP 5.6.16 or later)
*
* @link https://bugs.php.net/68344
* @global string $cfg['Servers'][$i]['ssl_verify']
*/
$cfg['Servers'][$i]['ssl_verify'] = true;

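The paths in the configuration are the actual paths of the three certificate-related files mentioned above.

At this point, confirm that MySQL allows remote connections.

MySQL configuration file path: /etc/mysql/mysql.conf.d/mysqld.cnf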

bind-address = 127.0.0.1

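means that only local connections are allowed; comment this line out by adding # at the start of the line.

Next, confirm that the MySQL server allows inbound traffic on port 3306.

You should now be able to connect to MySQL securely.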
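
To confirm that the session is really encrypted, the following added example (not part of the original post or of phpMyAdmin) connects with the same three PEM files and checks the session's Ssl_cipher status. The environment variable names, host name and account are placeholders assumed for illustration.

```php
<?php
// Added example (not from the original post). Run with the PHP CLI.
// Placeholders: DB_HOST / DB_USER / DB_PASS / SSL_DIR are assumed names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$host = getenv('DB_HOST') ?: 'db.example.internal';  // placeholder host
$user = getenv('DB_USER') ?: 'pma_user';             // placeholder account
$pass = getenv('DB_PASS') ?: '';
$dir  = rtrim(getenv('SSL_DIR') ?: 'path/to', '/');  // directory used in config.inc.php

$files = [
    'ssl_key'  => "$dir/client-key.pem",
    'ssl_cert' => "$dir/client-cert.pem",
    'ssl_ca'   => "$dir/ca.pem",
];

// All three files must be readable by the user PHP runs as.
foreach ($files as $option => $path) {
    if (!is_readable($path)) {
        fwrite(STDERR, "$option: cannot read $path\n");
        exit(1);
    }
}
// The private key should not be readable by every local user.
if ((fileperms($files['ssl_key']) & 0004) !== 0) {
    fwrite(STDERR, "warning: {$files['ssl_key']} is world-readable\n");
}

$db = mysqli_init();
$db->ssl_set($files['ssl_key'], $files['ssl_cert'], $files['ssl_ca'], null, null);
try {
    // MYSQLI_CLIENT_SSL alone: the server certificate is verified (as with ssl_verify = true).
    $db->real_connect($host, $user, $pass, null, 3306, null, MYSQLI_CLIENT_SSL);
} catch (mysqli_sql_exception $e) {
    fwrite(STDERR, "connection failed: {$e->getMessage()}\n");
    exit(1);
}

// An empty Ssl_cipher value means the session is not encrypted.
$row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
$db->close();
if ($row['Value'] === '') {
    fwrite(STDERR, "connected, but the session is NOT encrypted\n");
    exit(2);
}
echo "encrypted session, cipher: {$row['Value']}\n";
```

Run it on the phpMyAdmin host as the same user the web server uses, so that file-permission problems show up the same way they would for phpMyAdmin.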