diff --git a/README.md b/README.md
index 1447ef6..e6a5c51 100644
--- a/README.md
+++ b/README.md
@@ -2,3 +2,31 @@ Docker environment for DataGrip testing Also see https://github.com/DataGrip/docker-env-oracle for Oracle 11 and https://github.com/DataGrip/docker-env-db2 for Db2
+
+
+### Create certificates
+
+For creating self-signed certificates run:
+
+#### With default values:
+`./generatessl.sh`
+
+#### With custom values:
+`CERT_DIR= CERT_CN="" DOMAIN= EXTRA_DOMAINS="192.168.1.10,api.myapp.local" DAYS= KEY_SIZE= ./generatessl.sh`
+
+#### With ECDSA instead of RSA
+`USE_ECDSA=true ./generatessl.sh`
+
+
+**The default values are:**
+CERT_DIR = ./certs
+CERT_CN = Universal
+DOMAIN = localhost
+DAYS = 3650
+KEY_SIZE = 2048
+
+Example:
+`CERT_DIR=./clickhouse/ssl/25/certs CERT_CN="Clickhouse" DOMAIN=my.domain EXTRA_DOMAINS="192.168.1.10" DAYS=30 KEY_SIZE=4096 ./generatessl.bash`
+
+Check the certificate:
+`openssl.exe x509 -in path/to/your/cert -noout -text`
diff --git a/cassandra/5-ssl/Dockerfile b/cassandra/5-ssl/Dockerfile
new file mode 100644
index 0000000..9378572
--- /dev/null
+++ b/cassandra/5-ssl/Dockerfile
@@ -0,0 +1,14 @@
+FROM registry.jetbrains.team/p/datagrip/containers/cassandra:5
+
+COPY ./certs/keystore.node0 "$CASSANDRA_CONFIG"
+COPY ./certs/node0.cer "$CASSANDRA_CONFIG"
+COPY ./certs/node0.cer.pem "$CASSANDRA_CONFIG"
+COPY ./certs/node0.key.pem "$CASSANDRA_CONFIG"
+COPY ./certs/node0.p12 "$CASSANDRA_CONFIG"
+COPY ./certs/truststore.node0 "$CASSANDRA_CONFIG"
+
+COPY ./cassandra.yaml "$CASSANDRA_CONFIG"
+
+EXPOSE 9042
+EXPOSE 9142
+
diff --git a/cassandra/5-ssl/cassandra.yaml b/cassandra/5-ssl/cassandra.yaml
new file mode 100644
index 0000000..606f41b
--- /dev/null
+++ b/cassandra/5-ssl/cassandra.yaml
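Review bot: The COPY lines for `node0.key.pem`, `node0.p12` and `keystore.node0` place private key material in an image layer, where it is readable by anyone who can pull the image and cannot be removed by a later layer; since this is a test environment the practical risk is that these certificates get reused elsewhere, so a comment such as `# Test-only key material; never reuse these certs outside local testing` above the COPY block would record that. All seven COPY destinations rely on `$CASSANDRA_CONFIG` being set by the base image — if it is not, the destination expands to an empty string and the build will most likely fail at the first COPY — and a trailing slash also lets the six certificate copies become one instruction: `COPY ./certs/keystore.node0 ./certs/node0.cer ./certs/node0.cer.pem ./certs/node0.key.pem ./certs/node0.p12 ./certs/truststore.node0 "$CASSANDRA_CONFIG/"`. COPY keeps the build-context permissions, so the key and keystore files may end up world-readable inside the image; `COPY --chmod=640 --chown=<cassandra-user>:<cassandra-group>` on those copies would narrow access to the process that needs them (the base image's runtime user is not visible here, so the name is a placeholder).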
@@ -0,0 +1,2139 @@ + +# Cassandra storage config YAML + +# NOTE: +# See https://cassandra.apache.org/doc/latest/configuration/ for +# full explanations of configuration directives +# /NOTE + +# The name of the cluster. This is mainly used to prevent machines in +# one logical cluster from joining another. +cluster_name: 'Test Cluster' + +# This defines the number of tokens randomly assigned to this node on the ring +# The more tokens, relative to other nodes, the larger the proportion of data +# that this node will store. You probably want all nodes to have the same number +# of tokens assuming they have equal hardware capability. +# +# If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility, +# and will use the initial_token as described below. +# +# Specifying initial_token will override this setting on the node's initial start, +# on subsequent starts, this setting will apply even if initial token is set. +# +# See https://cassandra.apache.org/doc/latest/getting-started/production.html#tokens for +# best practice information about num_tokens. +# +num_tokens: 16 + +# Triggers automatic allocation of num_tokens tokens for this node. The allocation +# algorithm attempts to choose tokens in a way that optimizes replicated load over +# the nodes in the datacenter for the replica factor. +# +# The load assigned to each node will be close to proportional to its number of +# vnodes. +# +# Only supported with the Murmur3Partitioner. + +# Replica factor is determined via the replication strategy used by the specified +# keyspace. +# allocate_tokens_for_keyspace: KEYSPACE + +# Replica factor is explicitly set, regardless of keyspace or datacenter. +# This is the replica factor within the datacenter, like NTS. +allocate_tokens_for_local_replication_factor: 3 + +# initial_token allows you to specify tokens manually. 
While you can use it with +# vnodes (num_tokens > 1, above) -- in which case you should provide a +# comma-separated list -- it's primarily used when adding nodes to legacy clusters +# that do not have vnodes enabled. +# initial_token: + +# May either be "true" or "false" to enable globally +hinted_handoff_enabled: true + +# When hinted_handoff_enabled is true, a black list of data centers that will not +# perform hinted handoff +# hinted_handoff_disabled_datacenters: +# - DC1 +# - DC2 + +# this defines the maximum amount of time a dead host will have hints +# generated. After it has been dead this long, new hints for it will not be +# created until it has been seen alive and gone down again. +# Min unit: ms +max_hint_window: 3h + +# Maximum throttle in KiBs per second, per delivery thread. This will be +# reduced proportionally to the number of nodes in the cluster. (If there +# are two nodes in the cluster, each delivery thread will use the maximum +# rate; if there are three, each will throttle to half of the maximum, +# since we expect two nodes to be delivering hints simultaneously.) +# Min unit: KiB +hinted_handoff_throttle: 1024KiB + +# Number of threads with which to deliver hints; +# Consider increasing this number when you have multi-dc deployments, since +# cross-dc handoff tends to be slower +max_hints_delivery_threads: 2 + +# Directory where Cassandra should store hints. +# If not set, the default directory is $CASSANDRA_HOME/data/hints. +# hints_directory: /var/lib/cassandra/hints + +# How often hints should be flushed from the internal buffers to disk. +# Will *not* trigger fsync. +# Min unit: ms +hints_flush_period: 10000ms + +# Maximum size for a single hints file, in mebibytes. +# Min unit: MiB +max_hints_file_size: 128MiB + +# The file size limit to store hints for an unreachable host, in mebibytes. +# Once the local hints files have reached the limit, no more new hints will be created. +# Set a non-positive value will disable the size limit. 
+# max_hints_size_per_host: 0MiB + +# Enable / disable automatic cleanup for the expired and orphaned hints file. +# Disable the option in order to preserve those hints on the disk. +auto_hints_cleanup_enabled: false + +# Enable/disable transfering hints to a peer during decommission. Even when enabled, this does not guarantee +# consistency for logged batches, and it may delay decommission when coupled with a strict hinted_handoff_throttle. +# Default: true +# transfer_hints_on_decommission: true + +# Compression to apply to the hint files. If omitted, hints files +# will be written uncompressed. LZ4, Snappy, and Deflate compressors +# are supported. +#hints_compression: +# - class_name: LZ4Compressor +# parameters: +# - + +# Directory where Cassandra should store results of a One-Shot troubleshooting heapdump for uncaught exceptions. +# Note: this value can be overridden by the -XX:HeapDumpPath JVM env param with a relative local path for testing if +# so desired. +# If not set, the default directory is $CASSANDRA_HOME/heapdump +# heap_dump_path: /var/lib/cassandra/heapdump + +# Enable / disable automatic dump of heap on first uncaught exception +# If not set, the default value is false +# dump_heap_on_uncaught_exception: true + +# Enable / disable persistent hint windows. +# +# If set to false, a hint will be stored only in case a respective node +# that hint is for is down less than or equal to max_hint_window. +# +# If set to true, a hint will be stored in case there is not any +# hint which was stored earlier than max_hint_window. This is for cases +# when a node keeps to restart and hints are not delivered yet, we would be saving +# hints for that node indefinitely. +# +# Defaults to true. +# +# hint_window_persistent_enabled: true + +# Maximum throttle in KiBs per second, total. This will be +# reduced proportionally to the number of nodes in the cluster. 
+# Min unit: KiB +batchlog_replay_throttle: 1024KiB + +# Authentication backend, implementing IAuthenticator; used to identify users +# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator, +# PasswordAuthenticator}. +# +# - AllowAllAuthenticator performs no checks - set it to disable authentication. +# - PasswordAuthenticator relies on username/password pairs to authenticate +# users. It keeps usernames and hashed passwords in system_auth.roles table. +# Please increase system_auth keyspace replication factor if you use this authenticator. +# If using PasswordAuthenticator, CassandraRoleManager must also be used (see below) +authenticator: + class_name : org.apache.cassandra.auth.PasswordAuthenticator +# MutualTlsAuthenticator can be configured using the following configuration. One can add their own validator +# which implements MutualTlsCertificateValidator class and provide logic for extracting identity out of certificates +# and validating certificates. +# class_name : org.apache.cassandra.auth.MutualTlsAuthenticator +# parameters : +# validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator + +# Authorization backend, implementing IAuthorizer; used to limit access/provide permissions +# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer, +# CassandraAuthorizer}. +# +# - AllowAllAuthorizer allows any action to any user - set it to disable authorization. +# - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please +# increase system_auth keyspace replication factor if you use this authorizer. +authorizer: CassandraAuthorizer + +# Part of the Authentication & Authorization backend, implementing IRoleManager; used +# to maintain grants and memberships between roles. +# Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager, +# which stores role information in the system_auth keyspace. 
Most functions of the +# IRoleManager require an authenticated login, so unless the configured IAuthenticator +# actually implements authentication, most of this functionality will be unavailable. +# +# - CassandraRoleManager stores role data in the system_auth keyspace. Please +# increase system_auth keyspace replication factor if you use this role manager. +role_manager: CassandraRoleManager + +# Network authorization backend, implementing INetworkAuthorizer; used to restrict user +# access to certain DCs +# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllNetworkAuthorizer, +# CassandraNetworkAuthorizer}. +# +# - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to disable authorization. +# - CassandraNetworkAuthorizer stores permissions in system_auth.network_permissions table. Please +# increase system_auth keyspace replication factor if you use this authorizer. +network_authorizer: AllowAllNetworkAuthorizer + +# CIDR authorization backend, implementing ICIDRAuthorizer; used to restrict user +# access from certain CIDRs +# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllCIDRAuthorizer, +# CassandraCIDRAuthorizer}. +# - AllowAllCIDRAuthorizer allows access from any CIDR to any user - set it to disable CIDR authorization. +# - CassandraCIDRAuthorizer stores user's CIDR permissions in system_auth.cidr_permissions table. Please +# increase system_auth keyspace replication factor if you use this authorizer, otherwise any changes to +# system_auth tables being used by this feature may be lost when a host goes down. +cidr_authorizer: + class_name: AllowAllCIDRAuthorizer + # Below parameters are used only when CIDR authorizer is enabled + # parameters: + # CIDR authorizer when enabled, i.e, CassandraCIDRAuthorizer, is applicable for non-superusers only by default. + # Set this setting to true, to enable CIDR authorization for superusers as well. 
+ # Note: CIDR checks cannot be performed for JMX calls + # cidr_checks_for_superusers: true + + # CIDR authorizer when enabled, supports MONITOR and ENFORCE modes. Default mode is MONITOR + # In MONITOR mode, CIDR checks are NOT enforced. Instead, CIDR groups of users accesses are logged using + # nospamlogger. A warning message would be logged if a user accesses from unauthorized CIDR group (but access won't + # be rejected). An info message would be logged otherwise. + # In ENFORCE mode, CIDR checks are enforced, i.e, users accesses would be rejected if attempted from unauthorized + # CIDR groups. + # cidr_authorizer_mode: MONITOR + + # Refresh interval for CIDR groups cache, this value is considered in minutes + # cidr_groups_cache_refresh_interval: 5 + + # Maximum number of entries an IP to CIDR groups cache can accommodate + # ip_cache_max_size: 100 + +# Depending on the auth strategy of the cluster, it can be beneficial to iterate +# from root to table (root -> ks -> table) instead of table to root (table -> ks -> root). +# As the auth entries are whitelisting, once a permission is found you know it to be +# valid. We default to false as the legacy behavior is to query at the table level then +# move back up to the root. See CASSANDRA-17016 for details. +# traverse_auth_from_root: false + +# Validity period for roles cache (fetching granted roles can be an expensive +# operation depending on the role manager, CassandraRoleManager is one example) +# Granted roles are cached for authenticated sessions in AuthenticatedUser and +# after the period specified here, become eligible for (async) reload. +# Defaults to 2000, set to 0 to disable caching entirely. +# Will be disabled automatically for AllowAllAuthenticator. +# For a long-running cache using roles_cache_active_update, consider +# setting to something longer such as a daily validation: 86400000 +# Min unit: ms +roles_validity: 2000ms + +# Refresh interval for roles cache (if enabled). 
+# After this interval, cache entries become eligible for refresh. Upon next +# access, an async reload is scheduled and the old value returned until it +# completes. If roles_validity is non-zero, then this must be +# also. +# This setting is also used to inform the interval of auto-updating if +# using roles_cache_active_update. +# Defaults to the same value as roles_validity. +# For a long-running cache, consider setting this to 60000 (1 hour) etc. +# Min unit: ms +# roles_update_interval: 2000ms + +# If true, cache contents are actively updated by a background task at the +# interval set by roles_update_interval. If false, cache entries +# become eligible for refresh after their update interval. Upon next access, +# an async reload is scheduled and the old value returned until it completes. +# roles_cache_active_update: false + +# Validity period for permissions cache (fetching permissions can be an +# expensive operation depending on the authorizer, CassandraAuthorizer is +# one example). Defaults to 2000, set to 0 to disable. +# Will be disabled automatically for AllowAllAuthorizer. +# For a long-running cache using permissions_cache_active_update, consider +# setting to something longer such as a daily validation: 86400000ms +# Min unit: ms +permissions_validity: 2000ms + +# Refresh interval for permissions cache (if enabled). +# After this interval, cache entries become eligible for refresh. Upon next +# access, an async reload is scheduled and the old value returned until it +# completes. If permissions_validity is non-zero, then this must be +# also. +# This setting is also used to inform the interval of auto-updating if +# using permissions_cache_active_update. +# Defaults to the same value as permissions_validity. 
+# For a longer-running permissions cache, consider setting to update hourly (60000) +# Min unit: ms +# permissions_update_interval: 2000ms + +# If true, cache contents are actively updated by a background task at the +# interval set by permissions_update_interval. If false, cache entries +# become eligible for refresh after their update interval. Upon next access, +# an async reload is scheduled and the old value returned until it completes. +# permissions_cache_active_update: false + +# Validity period for credentials cache. This cache is tightly coupled to +# the provided PasswordAuthenticator implementation of IAuthenticator. If +# another IAuthenticator implementation is configured, this cache will not +# be automatically used and so the following settings will have no effect. +# Please note, credentials are cached in their encrypted form, so while +# activating this cache may reduce the number of queries made to the +# underlying table, it may not bring a significant reduction in the +# latency of individual authentication attempts. +# Defaults to 2000, set to 0 to disable credentials caching. +# For a long-running cache using credentials_cache_active_update, consider +# setting to something longer such as a daily validation: 86400000 +# Min unit: ms +credentials_validity: 2000ms + +# Refresh interval for credentials cache (if enabled). +# After this interval, cache entries become eligible for refresh. Upon next +# access, an async reload is scheduled and the old value returned until it +# completes. If credentials_validity is non-zero, then this must be +# also. +# This setting is also used to inform the interval of auto-updating if +# using credentials_cache_active_update. +# Defaults to the same value as credentials_validity. 
+# For a longer-running permissions cache, consider setting to update hourly (60000) +# Min unit: ms +# credentials_update_interval: 2000ms + +# If true, cache contents are actively updated by a background task at the +# interval set by credentials_update_interval. If false (default), cache entries +# become eligible for refresh after their update interval. Upon next access, +# an async reload is scheduled and the old value returned until it completes. +# credentials_cache_active_update: false + +# The partitioner is responsible for distributing groups of rows (by +# partition key) across nodes in the cluster. The partitioner can NOT be +# changed without reloading all data. If you are adding nodes or upgrading, +# you should set this to the same partitioner that you are currently using. +# +# The default partitioner is the Murmur3Partitioner. Older partitioners +# such as the RandomPartitioner, ByteOrderedPartitioner, and +# OrderPreservingPartitioner have been included for backward compatibility only. +# For new clusters, you should NOT change this value. +# +partitioner: org.apache.cassandra.dht.Murmur3Partitioner + +# Directories where Cassandra should store data on disk. If multiple +# directories are specified, Cassandra will spread data evenly across +# them by partitioning the token ranges. +# If not set, the default directory is $CASSANDRA_HOME/data/data. +# data_file_directories: +# - /var/lib/cassandra/data + +# Directory were Cassandra should store the data of the local system keyspaces. +# By default Cassandra will store the data of the local system keyspaces in the first of the data directories specified +# by data_file_directories. +# This approach ensures that if one of the other disks is lost Cassandra can continue to operate. For extra security +# this setting allows to store those data on a different directory that provides redundancy. +# local_system_data_file_directory: + +# commit log. 
when running on magnetic HDD, this should be a +# separate spindle than the data directories. +# If not set, the default directory is $CASSANDRA_HOME/data/commitlog. +# commitlog_directory: /var/lib/cassandra/commitlog + +# Enable / disable CDC functionality on a per-node basis. This modifies the logic used +# for write path allocation rejection (standard: never reject. cdc: reject Mutation +# containing a CDC-enabled table if at space limit in cdc_raw_directory). +cdc_enabled: false + +# Specify whether writes to the CDC-enabled tables should be blocked when CDC data on disk has reached to the limit. +# When setting to false, the writes will not be blocked and the oldest CDC data on disk will be deleted to +# ensure the size constraint. The default is true. +# cdc_block_writes: true + +# Specify whether CDC mutations are replayed through the write path on streaming, e.g. repair. +# When enabled, CDC data streamed to the destination node will be written into commit log first. When setting to false, +# the streamed CDC data is written into SSTables just the same as normal streaming. The default is true. +# If this is set to false, streaming will be considerably faster however it's possible that, in extreme situations +# (losing > quorum # nodes in a replica set), you may have data in your SSTables that never makes it to the CDC log. +# cdc_on_repair_enabled: true + +# CommitLogSegments are moved to this directory on flush if cdc_enabled: true and the +# segment contains mutations for a CDC-enabled table. This should be placed on a +# separate spindle than the data directories. If not set, the default directory is +# $CASSANDRA_HOME/data/cdc_raw. +# cdc_raw_directory: /var/lib/cassandra/cdc_raw + +# Policy for accessing disk: +# +# auto +# Enable mmap on both data and index files on a 64-bit JVM. +# +# standard +# Disable mmap entirely. +# +# mmap +# Map index and data files. mmap can cause excessive paging if all actively read SSTables do not fit into RAM. 
+# +# mmap_index_only +# Similar to mmap but maps only index files. Using this setting might also help if you observe high number of page +# faults or steals along with increased latencies. This setting is default. +# +# disk_access_mode: mmap_index_only + +# Policy for data disk failures: +# +# die +# shut down gossip and client transports and kill the JVM for any fs errors or +# single-sstable errors, so the node can be replaced. +# +# stop_paranoid +# shut down gossip and client transports even for single-sstable errors, +# kill the JVM for errors during startup. +# +# stop +# shut down gossip and client transports, leaving the node effectively dead, but +# can still be inspected via JMX, kill the JVM for errors during startup. +# +# best_effort +# stop using the failed disk and respond to requests based on +# remaining available sstables. This means you WILL see obsolete +# data at CL.ONE! +# +# ignore +# ignore fatal errors and let requests fail, as in pre-1.2 Cassandra +disk_failure_policy: stop + +# Policy for commit disk failures: +# +# die +# shut down the node and kill the JVM, so the node can be replaced. +# +# stop +# shut down the node, leaving the node effectively dead, but +# can still be inspected via JMX. +# +# stop_commit +# shutdown the commit log, letting writes collect but +# continuing to service reads, as in pre-2.0.5 Cassandra +# +# ignore +# ignore fatal errors and let the batches fail +commit_failure_policy: stop + +# Maximum size of the native protocol prepared statement cache +# +# Valid values are either "auto" (omitting the value) or a value greater 0. +# +# Note that specifying a too large value will result in long running GCs and possbily +# out-of-memory errors. Keep the value at a small fraction of the heap. 
+# +# If you constantly see "prepared statements discarded in the last minute because +# cache limit reached" messages, the first step is to investigate the root cause +# of these messages and check whether prepared statements are used correctly - +# i.e. use bind markers for variable parts. +# +# Do only change the default value, if you really have more prepared statements than +# fit in the cache. In most cases it is not neccessary to change this value. +# Constantly re-preparing statements is a performance penalty. +# +# Default value ("auto") is 1/256th of the heap or 10MiB, whichever is greater +# Min unit: MiB +prepared_statements_cache_size: + +# Maximum size of the key cache in memory. +# +# Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the +# minimum, sometimes more. The key cache is fairly tiny for the amount of +# time it saves, so it's worthwhile to use it at large numbers. +# The row cache saves even more time, but must contain the entire row, +# so it is extremely space-intensive. It's best to only use the +# row cache if you have hot rows or static rows. +# +# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. +# +# Default value is empty to make it "auto" (min(5% of Heap (in MiB), 100MiB)). Set to 0 to disable key cache. +# +# This is only relevant to SSTable formats that use key cache, e.g. BIG. +# Min unit: MiB +key_cache_size: + +# Duration in seconds after which Cassandra should +# save the key cache. Caches are saved to saved_caches_directory as +# specified in this configuration file. +# +# Saved caches greatly improve cold-start speeds, and is relatively cheap in +# terms of I/O for the key cache. Row cache saving is much more expensive and +# has limited use. +# +# This is only relevant to SSTable formats that use key cache, e.g. BIG. +# Default is 14400 or 4 hours. 
+# Min unit: s +key_cache_save_period: 4h + +# Number of keys from the key cache to save +# Disabled by default, meaning all keys are going to be saved +# This is only relevant to SSTable formats that use key cache, e.g. BIG. +# key_cache_keys_to_save: 100 + +# Row cache implementation class name. Available implementations: +# +# org.apache.cassandra.cache.OHCProvider +# Fully off-heap row cache implementation (default). +# +# org.apache.cassandra.cache.SerializingCacheProvider +# This is the row cache implementation available +# in previous releases of Cassandra. +# row_cache_class_name: org.apache.cassandra.cache.OHCProvider + +# Maximum size of the row cache in memory. +# Please note that OHC cache implementation requires some additional off-heap memory to manage +# the map structures and some in-flight memory during operations before/after cache entries can be +# accounted against the cache capacity. This overhead is usually small compared to the whole capacity. +# Do not specify more memory that the system can afford in the worst usual situation and leave some +# headroom for OS block level cache. Do never allow your system to swap. +# +# Default value is 0, to disable row caching. +# Min unit: MiB +row_cache_size: 0MiB + +# Duration in seconds after which Cassandra should save the row cache. +# Caches are saved to saved_caches_directory as specified in this configuration file. +# +# Saved caches greatly improve cold-start speeds, and is relatively cheap in +# terms of I/O for the key cache. Row cache saving is much more expensive and +# has limited use. +# +# Default is 0 to disable saving the row cache. +# Min unit: s +row_cache_save_period: 0s + +# Number of keys from the row cache to save. +# Specify 0 (which is the default), meaning all keys are going to be saved +# row_cache_keys_to_save: 100 + +# Maximum size of the counter cache in memory. +# +# Counter cache helps to reduce counter locks' contention for hot counter cells. 
+# In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before +# write entirely. With RF > 1 a counter cache hit will still help to reduce the duration +# of the lock hold, helping with hot counter cell updates, but will not allow skipping +# the read entirely. Only the local (clock, count) tuple of a counter cell is kept +# in memory, not the whole counter, so it's relatively cheap. +# +# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. +# +# Default value is empty to make it "auto" (min(2.5% of Heap (in MiB), 50MiB)). Set to 0 to disable counter cache. +# NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache. +# Min unit: MiB +counter_cache_size: + +# Duration in seconds after which Cassandra should +# save the counter cache (keys only). Caches are saved to saved_caches_directory as +# specified in this configuration file. +# +# Default is 7200 or 2 hours. +# Min unit: s +counter_cache_save_period: 7200s + +# Number of keys from the counter cache to save +# Disabled by default, meaning all keys are going to be saved +# counter_cache_keys_to_save: 100 + +# saved caches +# If not set, the default directory is $CASSANDRA_HOME/data/saved_caches. +# saved_caches_directory: /var/lib/cassandra/saved_caches + +# Number of seconds the server will wait for each cache (row, key, etc ...) to load while starting +# the Cassandra process. Setting this to zero is equivalent to disabling all cache loading on startup +# while still having the cache during runtime. +# Min unit: s +# cache_load_timeout: 30s + +# commitlog_sync may be either "periodic", "group", or "batch." +# +# When in batch mode, Cassandra won't ack writes until the commit log +# has been flushed to disk. Each incoming write will trigger the flush task. +# +# group mode is similar to batch mode, where Cassandra will not ack writes +# until the commit log has been flushed to disk. 
The difference is group +# mode will wait up to commitlog_sync_group_window between flushes. +# +# Min unit: ms +# commitlog_sync_group_window: 1000ms +# +# the default option is "periodic" where writes may be acked immediately +# and the CommitLog is simply synced every commitlog_sync_period +# milliseconds. +commitlog_sync: periodic +# Min unit: ms +commitlog_sync_period: 10000ms + +# When in periodic commitlog mode, the number of milliseconds to block writes +# while waiting for a slow disk flush to complete. +# Min unit: ms +# periodic_commitlog_sync_lag_block: + +# The size of the individual commitlog file segments. A commitlog +# segment may be archived, deleted, or recycled once all the data +# in it (potentially from each columnfamily in the system) has been +# flushed to sstables. +# +# The default size is 32, which is almost always fine, but if you are +# archiving commitlog segments (see commitlog_archiving.properties), +# then you probably want a finer granularity of archiving; 8 or 16 MB +# is reasonable. +# Max mutation size is also configurable via max_mutation_size setting in +# cassandra.yaml. The default is half the size commitlog_segment_size in bytes. +# This should be positive and less than 2048. +# +# NOTE: If max_mutation_size is set explicitly then commitlog_segment_size must +# be set to at least twice the size of max_mutation_size +# +# Min unit: MiB +commitlog_segment_size: 32MiB + +# Compression to apply to the commit log. If omitted, the commit log +# will be written uncompressed. LZ4, Snappy, and Deflate compressors +# are supported. +# commitlog_compression: +# - class_name: LZ4Compressor +# parameters: +# - + +# Set the disk access mode for writing commitlog segments. 
The allowed values are: +# - auto: version dependent optimal setting +# - legacy: the default mode as used in Cassandra 4.x and earlier (standard I/O when the commitlog is either +# compressed or encrypted or mmap otherwise) +# - mmap: use memory mapped I/O - available only when the commitlog is neither compressed nor encrypted +# - direct: use direct I/O - available only when the commitlog is neither compressed nor encrypted +# - standard: use standard I/O - available only when the commitlog is compressed or encrypted +# The default setting is legacy when the storage compatibility is set to 4 or auto otherwise. +commitlog_disk_access_mode: legacy + +# Compression to apply to SSTables as they flush for compressed tables. +# Note that tables without compression enabled do not respect this flag. +# +# As high ratio compressors like LZ4HC, Zstd, and Deflate can potentially +# block flushes for too long, the default is to flush with a known fast +# compressor in those cases. Options are: +# +# none : Flush without compressing blocks but while still doing checksums. +# fast : Flush with a fast compressor. If the table is already using a +# fast compressor that compressor is used. +# table: Always flush with the same compressor that the table uses. This +# was the pre 4.0 behavior. +# +# flush_compression: fast + +# any class that implements the SeedProvider interface and has a +# constructor that takes a Map of parameters will do. +seed_provider: + # Addresses of hosts that are deemed contact points. + # Cassandra nodes use this list of hosts to find each other and learn + # the topology of the ring. You must change this if you are running + # multiple nodes! + - class_name: org.apache.cassandra.locator.SimpleSeedProvider + parameters: + # seeds is actually a comma-delimited list of addresses. + # Ex: ",," + - seeds: "172.18.0.2" + # If set to "true", SimpleSeedProvider will return all IP addresses for a DNS name, + # based on the configured name service on the system. 
Defaults to "false".
+ # resolve_multiple_ip_addresses_per_dns_record: "false"
+
+# For workloads with more data than can fit in memory, Cassandra's
+# bottleneck will be reads that need to fetch data from
+# disk. "concurrent_reads" should be set to (16 * number_of_drives) in
+# order to allow the operations to enqueue low enough in the stack
+# that the OS and drives can reorder them. Same applies to
+# "concurrent_counter_writes", since counter writes read the current
+# values before incrementing and writing them back.
+#
+# On the other hand, since writes are almost never IO bound, the ideal
+# number of "concurrent_writes" is dependent on the number of cores in
+# your system; (8 * number_of_cores) is a good rule of thumb.
+concurrent_reads: 32
+concurrent_writes: 32
+concurrent_counter_writes: 32
+
+# For materialized view writes, as there is a read involved, so this should
+# be limited by the less of concurrent reads or concurrent writes.
+concurrent_materialized_view_writes: 32
+
+# Maximum memory to use for inter-node and client-server networking buffers.
+#
+# Defaults to the smaller of 1/16 of heap or 128MB. This pool is allocated off-heap,
+# so is in addition to the memory allocated for heap. The cache also has on-heap
+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size
+# if the default 64k chunk size is used).
+# Memory is only allocated when needed.
+# Min unit: MiB
+# networking_cache_size: 128MiB
+
+# Enable the sstable chunk cache. The chunk cache will store recently accessed
+# sections of the sstable in-memory as uncompressed buffers.
+# file_cache_enabled: false
+
+# Maximum memory to use for sstable chunk cache and buffer pooling.
+# 32MB of this are reserved for pooling buffers, the rest is used for chunk cache
+# that holds uncompressed sstable chunks.
+# Defaults to the smaller of 1/4 of heap or 512MB. This pool is allocated off-heap,
+# so is in addition to the memory allocated for heap.
The cache also has on-heap
+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size
+# if the default 64k chunk size is used).
+# Memory is only allocated when needed.
+# Min unit: MiB
+# file_cache_size: 512MiB
+
+# Flag indicating whether to allocate on or off heap when the sstable buffer
+# pool is exhausted, that is when it has exceeded the maximum memory
+# file_cache_size, beyond which it will not cache buffers but allocate on request.
+
+# buffer_pool_use_heap_if_exhausted: true
+
+# The strategy for optimizing disk read
+# Possible values are:
+# ssd (for solid state disks, the default)
+# spinning (for spinning disks)
+# disk_optimization_strategy: ssd
+
+# Total permitted memory to use for memtables. Cassandra will stop
+# accepting writes when the limit is exceeded until a flush completes,
+# and will trigger a flush based on memtable_cleanup_threshold
+# If omitted, Cassandra will set both to 1/4 the size of the heap.
+# Min unit: MiB
+# memtable_heap_space: 2048MiB
+# Min unit: MiB
+# memtable_offheap_space: 2048MiB
+
+# memtable_cleanup_threshold is deprecated. The default calculation
+# is the only reasonable choice. See the comments on memtable_flush_writers
+# for more information.
+#
+# Ratio of occupied non-flushing memtable size to total permitted size
+# that will trigger a flush of the largest memtable. Larger mct will
+# mean larger flushes and hence less compaction, but also less concurrent
+# flush activity which can make it difficult to keep your disks fed
+# under heavy write load.
+#
+# memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1)
+# memtable_cleanup_threshold: 0.11
+
+# Specify the way Cassandra allocates and manages memtable memory.
+# Options are:
+#
+# heap_buffers
+# on heap nio buffers
+#
+# offheap_buffers
+# off heap (direct) nio buffers
+#
+# offheap_objects
+# off heap objects
+memtable_allocation_type: heap_buffers
+
+# Limit memory usage for Merkle tree calculations during repairs. The default
+# is 1/16th of the available heap. The main tradeoff is that smaller trees
+# have less resolution, which can lead to over-streaming data. If you see heap
+# pressure during repairs, consider lowering this, but you cannot go below
+# one mebibyte. If you see lots of over-streaming, consider raising
+# this or using subrange repair.
+#
+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-14096.
+#
+# Min unit: MiB
+# repair_session_space:
+
+# repair:
+# # Configure the retries for each of the repair messages that support it. As of this moment retries use an exponential algorithm where each attempt sleeps longer based off the base_sleep_time and attempt.
+# retries:
+# max_attempts: 10
+# base_sleep_time: 200ms
+# max_sleep_time: 1s
+# # Increase the timeout of validation responses due to them containing the merkle tree
+# merkle_tree_response:
+# base_sleep_time: 30s
+# max_sleep_time: 1m
+
+# Total space to use for commit logs on disk.
+#
+# If space gets above this value, Cassandra will flush every dirty CF
+# in the oldest segment and remove it. So a small total commitlog space
+# will tend to cause more flush activity on less-active columnfamilies.
+#
+# The default value is the smaller of 8192, and 1/4 of the total space
+# of the commitlog volume.
+#
+# commitlog_total_space: 8192MiB
+
+# This sets the number of memtable flush writer threads per disk
+# as well as the total number of memtables that can be flushed concurrently.
+# These are generally a combination of compute and IO bound.
+#
+# Memtable flushing is more CPU efficient than memtable ingest and a single thread
+# can keep up with the ingest rate of a whole server on a single fast disk
+# until it temporarily becomes IO bound under contention typically with compaction.
+# At that point you need multiple flush threads. At some point in the future
+# it may become CPU bound all the time.
+#
+# You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation
+# metric which should be 0, but will be non-zero if threads are blocked waiting on flushing
+# to free memory.
+#
+# memtable_flush_writers defaults to two for a single data directory.
+# This means that two memtables can be flushed concurrently to the single data directory.
+# If you have multiple data directories the default is one memtable flushing at a time
+# but the flush will use a thread per data directory so you will get two or more writers.
+#
+# Two is generally enough to flush on a fast disk [array] mounted as a single data directory.
+# Adding more flush writers will result in smaller more frequent flushes that introduce more
+# compaction overhead.
+#
+# There is a direct tradeoff between number of memtables that can be flushed concurrently
+# and flush size and frequency. More is not better you just need enough flush writers
+# to never stall waiting for flushing to free memory.
+#
+# memtable_flush_writers: 2
+
+# Total space to use for change-data-capture logs on disk.
+#
+# If space gets above this value, Cassandra will throw WriteTimeoutException
+# on Mutations including tables with CDC enabled. A CDCCompactor is responsible
+# for parsing the raw CDC logs and deleting them when parsing is completed.
+#
+# The default value is the min of 4096 MiB and 1/8th of the total space
+# of the drive where cdc_raw_directory resides.
+# Min unit: MiB
+# cdc_total_space: 4096MiB
+
+# When we hit our cdc_raw limit and the CDCCompactor is either running behind
+# or experiencing backpressure, we check at the following interval to see if any
+# new space for cdc-tracked tables has been made available. Default to 250ms
+# Min unit: ms
+# cdc_free_space_check_interval: 250ms
+
+# A fixed memory pool size in MB for for SSTable index summaries. If left
+# empty, this will default to 5% of the heap size. If the memory usage of
+# all index summaries exceeds this limit, SSTables with low read rates will
+# shrink their index summaries in order to meet this limit. However, this
+# is a best-effort process. In extreme conditions Cassandra may need to use
+# more than this amount of memory.
+# Min unit: KiB
+index_summary_capacity:
+
+# How frequently index summaries should be resampled. This is done
+# periodically to redistribute memory from the fixed-size pool to sstables
+# proportional their recent read rates. Setting to null value will disable this
+# process, leaving existing index summaries at their current sampling level.
+# Min unit: m
+index_summary_resize_interval: 60m
+
+# Whether to, when doing sequential writing, fsync() at intervals in
+# order to force the operating system to flush the dirty
+# buffers. Enable this to avoid sudden dirty buffer flushing from
+# impacting read latencies. Almost always a good idea on SSDs; not
+# necessarily on platters.
+trickle_fsync: false
+# Min unit: KiB
+trickle_fsync_interval: 10240KiB
+
+# TCP port, for commands and data
+# For security reasons, you should not expose this port to the internet. Firewall it if needed.
+storage_port: 7000
+
+# SSL port, for legacy encrypted communication. This property is unused unless enabled in
+# server_encryption_options (see below). As of cassandra 4.0, this property is deprecated
+# as a single port can be used for either/both secure and insecure connections.
+# For security reasons, you should not expose this port to the internet. Firewall it if needed.
+ssl_storage_port: 7001
+
+# Address or interface to bind to and tell other Cassandra nodes to connect to.
+# You _must_ change this if you want multiple nodes to be able to communicate!
+#
+# Set listen_address OR listen_interface, not both.
+#
+# Leaving it blank leaves it up to InetAddress.getLocalHost(). This
+# will always do the Right Thing _if_ the node is properly configured
+# (hostname, name resolution, etc), and the Right Thing is to use the
+# address associated with the hostname (it might not be). If unresolvable
+# it will fall back to InetAddress.getLoopbackAddress(), which is wrong for production systems.
+#
+# Setting listen_address to 0.0.0.0 is always wrong.
+#
+listen_address: 172.18.0.2
+
+# Set listen_address OR listen_interface, not both. Interfaces must correspond
+# to a single address, IP aliasing is not supported.
+# listen_interface: eth0
+
+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address
+# you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4
+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring
+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.
+# listen_interface_prefer_ipv6: false
+
+# Address to broadcast to other Cassandra nodes
+# Leaving this blank will set it to the same value as listen_address
+broadcast_address: 172.18.0.2
+
+# When using multiple physical network interfaces, set this
+# to true to listen on broadcast_address in addition to
+# the listen_address, allowing nodes to communicate in both
+# interfaces.
+# Ignore this property if the network configuration automatically
+# routes between the public and private networks such as EC2.
+# listen_on_broadcast_address: false
+
+# Internode authentication backend, implementing IInternodeAuthenticator;
+# used to allow/disallow connections from peer nodes.
+#internode_authenticator:
+# class_name : org.apache.cassandra.auth.AllowAllInternodeAuthenticator
+# parameters :
+# MutualTlsInternodeAuthenticator can be configured using the following configuration.One can add their own validator
+# which implements MutualTlsCertificateValidator class and provide logic for extracting identity out of certificates
+# and validating certificates.
+# class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
+# parameters :
+# validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+# trusted_peer_identities: "spiffe1,spiffe2"
+# node_identity: "spiffe1"
+# Whether to start the native transport server.
+# The address on which the native transport is bound is defined by rpc_address.
+start_native_transport: true
+# port for the CQL native transport to listen for clients on
+# For security reasons, you should not expose this port to the internet. Firewall it if needed.
+native_transport_port: 9042
+# Enabling native transport encryption in client_encryption_options allows you to either use
+# encryption for the standard port or to use a dedicated, additional port along with the unencrypted
+# standard native_transport_port.
+# Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption
+# for native_transport_port. Setting native_transport_port_ssl to a different value
+# from native_transport_port will use encryption for native_transport_port_ssl while
+# keeping native_transport_port unencrypted.
+native_transport_port_ssl: 9142
+# The maximum threads for handling requests (note that idle threads are stopped
+# after 30 seconds so there is not corresponding minimum setting).
+# native_transport_max_threads: 128
+#
+# The maximum size of allowed frame.
Frame (requests) larger than this will
+# be rejected as invalid. The default is 16MiB. If you're changing this parameter,
+# you may want to adjust max_value_size accordingly. This should be positive and less than 2048.
+# Min unit: MiB
+# native_transport_max_frame_size: 16MiB
+
+# The maximum number of concurrent client connections.
+# The default is -1, which means unlimited.
+# native_transport_max_concurrent_connections: -1
+
+# The maximum number of concurrent client connections per source ip.
+# The default is -1, which means unlimited.
+# native_transport_max_concurrent_connections_per_ip: -1
+
+# Controls whether Cassandra honors older, yet currently supported, protocol versions.
+# The default is true, which means all supported protocols will be honored.
+native_transport_allow_older_protocols: true
+
+# Controls when idle client connections are closed. Idle connections are ones that had neither reads
+# nor writes for a time period.
+#
+# Clients may implement heartbeats by sending OPTIONS native protocol message after a timeout, which
+# will reset idle timeout timer on the server side. To close idle client connections, corresponding
+# values for heartbeat intervals have to be set on the client side.
+#
+# Idle connection timeouts are disabled by default.
+# Min unit: ms
+# native_transport_idle_timeout: 60000ms
+
+# When enabled, limits the number of native transport requests dispatched for processing per second.
+# Behavior once the limit has been breached depends on the value of THROW_ON_OVERLOAD specified in
+# the STARTUP message sent by the client during connection establishment. (See section "4.1.1. STARTUP"
+# in "CQL BINARY PROTOCOL v5".) With the THROW_ON_OVERLOAD flag enabled, messages that breach the limit
+# are dropped, and an OverloadedException is thrown for the client to handle.
When the flag is not
+# enabled, the server will stop consuming messages from the channel/socket, putting backpressure on
+# the client while already dispatched messages are processed.
+# native_transport_rate_limiting_enabled: false
+# native_transport_max_requests_per_second: 1000000
+
+# The address or interface to bind the native transport server to.
+#
+# Set rpc_address OR rpc_interface, not both.
+#
+# Leaving rpc_address blank has the same effect as on listen_address
+# (i.e. it will be based on the configured hostname of the node).
+#
+# Note that unlike listen_address, you can specify 0.0.0.0, but you must also
+# set broadcast_rpc_address to a value other than 0.0.0.0.
+#
+# For security reasons, you should not expose this port to the internet. Firewall it if needed.
+rpc_address: 0.0.0.0
+
+# Set rpc_address OR rpc_interface, not both. Interfaces must correspond
+# to a single address, IP aliasing is not supported.
+# rpc_interface: eth1
+
+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address
+# you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4
+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring
+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.
+# rpc_interface_prefer_ipv6: false
+
+# RPC address to broadcast to drivers and other Cassandra nodes. This cannot
+# be set to 0.0.0.0. If left blank, this will be set to the value of
+# rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must
+# be set.
+broadcast_rpc_address: 172.18.0.2
+
+# enable or disable keepalive on rpc/native connections
+rpc_keepalive: true
+
+# Uncomment to set socket buffer size for internode communication
+# Note that when setting this, the buffer size is limited by net.core.wmem_max
+# and when not setting it it is defined by net.ipv4.tcp_wmem
+# See also:
+# /proc/sys/net/core/wmem_max
+# /proc/sys/net/core/rmem_max
+# /proc/sys/net/ipv4/tcp_wmem
+# /proc/sys/net/ipv4/tcp_wmem
+# and 'man tcp'
+# Min unit: B
+# internode_socket_send_buffer_size:
+
+# Uncomment to set socket buffer size for internode communication
+# Note that when setting this, the buffer size is limited by net.core.wmem_max
+# and when not setting it it is defined by net.ipv4.tcp_wmem
+# Min unit: B
+# internode_socket_receive_buffer_size:
+
+# Set to true to have Cassandra create a hard link to each sstable
+# flushed or streamed locally in a backups/ subdirectory of all the
+# keyspace data in this node. Removing these links is the operator's
+# responsibility. The operator can also turn off incremental backups
+# for specified table by setting table parameter incremental_backups to
+# false, which is set to true by default. See CASSANDRA-15402
+incremental_backups: false
+
+# Whether or not to take a snapshot before each compaction. Be
+# careful using this option, since Cassandra won't clean up the
+# snapshots for you. Mostly useful if you're paranoid when there
+# is a data format change.
+snapshot_before_compaction: false
+
+# Whether or not a snapshot is taken of the data before keyspace truncation
+# or dropping of column families. The STRONGLY advised default of true
+# should be used to provide data safety. If you set this flag to false, you will
+# lose data on truncation or drop.
+auto_snapshot: true
+
+# Adds a time-to-live (TTL) to auto snapshots generated by table
+# truncation or drop (when enabled).
+# After the TTL is elapsed, the snapshot is automatically cleared.
+# By default, auto snapshots *do not* have TTL, uncomment the property below
+# to enable TTL on auto snapshots.
+# Accepted units: d (days), h (hours) or m (minutes)
+# auto_snapshot_ttl: 30d
+
+# The act of creating or clearing a snapshot involves creating or removing
+# potentially tens of thousands of links, which can cause significant performance
+# impact, especially on consumer grade SSDs. A non-zero value here can
+# be used to throttle these links to avoid negative performance impact of
+# taking and clearing snapshots
+snapshot_links_per_second: 0
+
+# The sstable formats configuration. SSTable formats implementations are
+# loaded using the service loader mechanism. In this section, one can select
+# the format for created sstables and pass additional parameters for the formats
+# available on the classpath.
+# The default format is "big", the legacy SSTable format in use since Cassandra 3.0.
+# Cassandra versions 5.0 and later also support the trie-indexed "bti" format,
+# which offers better performance.
+#sstable:
+# selected_format: big
+
+# Granularity of the collation index of rows within a partition.
+# Applies to both BIG and BTI SSTable formats. In both formats,
+# a smaller granularity results in faster lookup of rows within
+# a partition, but a bigger index file size.
+# Using smaller granularities with the BIG format is not recommended
+# because bigger collation indexes cannot be cached efficiently
+# or at all if they become sufficiently large. Further, if
+# large rows, or a very large number of rows per partition are
+# present, it is recommended to increase the index granularity
+# or switch to the BTI SSTable format.
+#
+# Leave undefined to use a default suitable for the SSTable format
+# in use (64 KiB for BIG, 16KiB for BTI).
+# Min unit: KiB
+# column_index_size: 4KiB
+
+# Per sstable indexed key cache entries (the collation index in memory
+# mentioned above) exceeding this size will not be held on heap.
+# This means that only partition information is held on heap and the
+# index entries are read from disk.
+#
+# Note that this size refers to the size of the
+# serialized index information and not the size of the partition.
+#
+# This is only relevant to SSTable formats that use key cache, e.g. BIG.
+# Min unit: KiB
+column_index_cache_size: 2KiB
+
+# Default compaction strategy, applied when a table's parameters do not
+# specify compaction.
+# The selected compaction strategy will also apply to system tables.
+#
+# The default is to use SizeTieredCompactionStrategy, with its default
+# compaction parameters.
+#
+# default_compaction:
+# class_name: UnifiedCompactionStrategy
+# parameters:
+# scaling_parameters: T4
+# target_sstable_size: 1GiB
+
+
+# Number of simultaneous compactions to allow, NOT including
+# validation "compactions" for anti-entropy repair. Simultaneous
+# compactions can help preserve read performance in a mixed read/write
+# workload, by mitigating the tendency of small sstables to accumulate
+# during a single long running compactions. The default is usually
+# fine and if you experience problems with compaction running too
+# slowly or too fast, you should look at
+# compaction_throughput first.
+#
+# concurrent_compactors defaults to the smaller of (number of disks,
+# number of cores), with a minimum of 2 and a maximum of 8.
+#
+# If your data directories are backed by SSD, you should increase this
+# to the number of cores.
+# concurrent_compactors: 1
+
+# Number of simultaneous repair validations to allow. If not set or set to
+# a value less than 1, it defaults to the value of concurrent_compactors.
+# To set a value greeater than concurrent_compactors at startup, the system
+# property cassandra.allow_unlimited_concurrent_validations must be set to
+# true.
To dynamically resize to a value > concurrent_compactors on a running
+# node, first call the bypassConcurrentValidatorsLimit method on the
+# org.apache.cassandra.db:type=StorageService mbean
+# concurrent_validations: 0
+
+# Number of simultaneous materialized view builder tasks to allow.
+concurrent_materialized_view_builders: 1
+
+# Throttles compaction to the given total throughput across the entire
+# system. The faster you insert data, the faster you need to compact in
+# order to keep the sstable count down, but in general, setting this to
+# 16 to 32 times the rate you are inserting data is more than sufficient.
+# Setting this to 0 disables throttling. Note that this accounts for all types
+# of compaction, including validation compaction (building Merkle trees
+# for repairs).
+compaction_throughput: 64MiB/s
+
+# When compacting, the replacement sstable(s) can be opened before they
+# are completely written, and used in place of the prior sstables for
+# any range that has been written. This helps to smoothly transfer reads
+# between the sstables, reducing page cache churn and keeping hot rows hot
+# Set sstable_preemptive_open_interval to null for disabled which is equivalent to
+# sstable_preemptive_open_interval_in_mb being negative
+# Min unit: MiB
+sstable_preemptive_open_interval: 50MiB
+
+# Starting from 4.1 sstables support UUID based generation identifiers. They are disabled by default
+# because once enabled, there is no easy way to downgrade. When the node is restarted with this option
+# set to true, each newly created sstable will have a UUID based generation identifier and such files are
+# not readable by previous Cassandra versions. At some point, this option will become true by default
+# and eventually get removed from the configuration.
+uuid_sstable_identifiers_enabled: false
+
+# When enabled, permits Cassandra to zero-copy stream entire eligible
+# SSTables between nodes, including every component.
+# This speeds up the network transfer significantly subject to
+# throttling specified by entire_sstable_stream_throughput_outbound,
+# and entire_sstable_inter_dc_stream_throughput_outbound
+# for inter-DC transfers.
+# Enabling this will reduce the GC pressure on sending and receiving node.
+# When unset, the default is enabled. While this feature tries to keep the
+# disks balanced, it cannot guarantee it. This feature will be automatically
+# disabled if internode encryption is enabled.
+# stream_entire_sstables: true
+
+# Throttles entire SSTable outbound streaming file transfers on
+# this node to the given total throughput in Mbps.
+# Setting this value to 0 it disables throttling.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# entire_sstable_stream_throughput_outbound: 24MiB/s
+
+# Throttles entire SSTable file streaming between datacenters.
+# Setting this value to 0 disables throttling for entire SSTable inter-DC file streaming.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# entire_sstable_inter_dc_stream_throughput_outbound: 24MiB/s
+
+# Throttles all outbound streaming file transfers on this node to the
+# given total throughput in Mbps. This is necessary because Cassandra does
+# mostly sequential IO when streaming data during bootstrap or repair, which
+# can lead to saturating the network connection and degrading rpc performance.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# stream_throughput_outbound: 24MiB/s
+
+# Throttles all streaming file transfer between the datacenters,
+# this setting allows users to throttle inter dc stream throughput in addition
+# to throttling all network stream traffic as configured with
+# stream_throughput_outbound_megabits_per_sec
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# inter_dc_stream_throughput_outbound: 24MiB/s
+
+# Server side timeouts for requests.
The server will return a timeout exception
+# to the client if it can't complete an operation within the corresponding
+# timeout. Those settings are a protection against:
+# 1) having client wait on an operation that might never terminate due to some
+# failures.
+# 2) operations that use too much CPU/read too much data (leading to memory build
+# up) by putting a limit to how long an operation will execute.
+# For this reason, you should avoid putting these settings too high. In other words,
+# if you are timing out requests because of underlying resource constraints then
+# increasing the timeout will just cause more problems. Of course putting them too
+# low is equally ill-advised since clients could get timeouts even for successful
+# operations just because the timeout setting is too tight.
+
+# How long the coordinator should wait for read operations to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+read_request_timeout: 5000ms
+# How long the coordinator should wait for seq or index scans to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+range_request_timeout: 10000ms
+# How long the coordinator should wait for writes to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+write_request_timeout: 2000ms
+# How long the coordinator should wait for counter writes to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+counter_write_request_timeout: 5000ms
+# How long a coordinator should continue to retry a CAS operation
+# that contends with other proposals for the same row.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+cas_contention_timeout: 1000ms
+# How long the coordinator should wait for truncates to complete
+# (This can be much longer, because unless auto_snapshot is disabled
+# we need to flush first so we can snapshot before removing the data.)
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+truncate_request_timeout: 60000ms
+# The default timeout for other, miscellaneous operations.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+request_timeout: 10000ms
+
+# Defensive settings for protecting Cassandra from true network partitions.
+# See (CASSANDRA-14358) for details.
+#
+# The amount of time to wait for internode tcp connections to establish.
+# Min unit: ms
+# internode_tcp_connect_timeout: 2000ms
+#
+# The amount of time unacknowledged data is allowed on a connection before we throw out the connection
+# Note this is only supported on Linux + epoll, and it appears to behave oddly above a setting of 30000
+# (it takes much longer than 30s) as of Linux 4.12. If you want something that high set this to 0
+# which picks up the OS default and configure the net.ipv4.tcp_retries2 sysctl to be ~8.
+# Min unit: ms
+# internode_tcp_user_timeout: 30000ms
+
+# The amount of time unacknowledged data is allowed on a streaming connection.
+# The default is 5 minutes. Increase it or set it to 0 in order to increase the timeout.
+# Min unit: ms
+# internode_streaming_tcp_user_timeout: 300000ms
+
+# Global, per-endpoint and per-connection limits imposed on messages queued for delivery to other nodes
+# and waiting to be processed on arrival from other nodes in the cluster. These limits are applied to the on-wire
+# size of the message being sent or received.
+#
+# The basic per-link limit is consumed in isolation before any endpoint or global limit is imposed.
+# Each node-pair has three links: urgent, small and large. So any given node may have a maximum of
+# N*3*(internode_application_send_queue_capacity+internode_application_receive_queue_capacity)
+# messages queued without any coordination between them although in practice, with token-aware routing, only RF*tokens
+# nodes should need to communicate with significant bandwidth.
+#
+# The per-endpoint limit is imposed on all messages exceeding the per-link limit, simultaneously with the global limit,
+# on all links to or from a single node in the cluster.
+# The global limit is imposed on all messages exceeding the per-link limit, simultaneously with the per-endpoint limit,
+# on all links to or from any node in the cluster.
+#
+# Min unit: B
+# internode_application_send_queue_capacity: 4MiB
+# internode_application_send_queue_reserve_endpoint_capacity: 128MiB
+# internode_application_send_queue_reserve_global_capacity: 512MiB
+# internode_application_receive_queue_capacity: 4MiB
+# internode_application_receive_queue_reserve_endpoint_capacity: 128MiB
+# internode_application_receive_queue_reserve_global_capacity: 512MiB
+
+
+# How long before a node logs slow queries. Select queries that take longer than
+# this timeout to execute, will generate an aggregated log message, so that slow queries
+# can be identified. Set this value to zero to disable slow query logging.
+# Min unit: ms
+slow_query_log_timeout: 500ms
+
+# Enable operation timeout information exchange between nodes to accurately
+# measure request timeouts. If disabled, replicas will assume that requests
+# were forwarded to them instantly by the coordinator, which means that
+# under overload conditions we will waste that much extra time processing
+# already-timed-out requests.
+#
+# Warning: It is generally assumed that users have setup NTP on their clusters, and that clocks are modestly in sync,
+# since this is a requirement for general correctness of last write wins.
+# internode_timeout: true
+
+# Set period for idle state control messages for earlier detection of failed streams
+# This node will send a keep-alive message periodically on the streaming's control channel.
+# This ensures that any eventual SocketTimeoutException will occur within 2 keep-alive cycles
+# If the node cannot send, or timeouts sending, the keep-alive message on the netty control channel
+# the stream session is closed.
+# Default value is 300s (5 minutes), which means stalled streams
+# are detected within 10 minutes
+# Specify 0 to disable.
+# Min unit: s
+# streaming_keep_alive_period: 300s
+
+# Limit number of connections per host for streaming
+# Increase this when you notice that joins are CPU-bound rather that network
+# bound (for example a few nodes with big files).
+# streaming_connections_per_host: 1
+
+# Settings for stream stats tracking; used by system_views.streaming table
+# How long before a stream is evicted from tracking; this impacts both historic and currently running
+# streams.
+# streaming_state_expires: 3d
+# How much memory may be used for tracking before evicting session from tracking; once crossed
+# historic and currently running streams maybe impacted.
+# streaming_state_size: 40MiB
+# Enable/Disable tracking of streaming stats
+# streaming_stats_enabled: true
+
+# Allows denying configurable access (rw/rr) to operations on configured ks, table, and partitions, intended for use by
+# operators to manage cluster health vs application access. See CASSANDRA-12106 and CEP-13 for more details.
+# partition_denylist_enabled: false
+
+# denylist_writes_enabled: true
+# denylist_reads_enabled: true
+# denylist_range_reads_enabled: true
+
+# The interval at which keys in the cache for denylisting will "expire" and async refresh from the backing DB.
+# Note: this serves only as a fail-safe, as the usage pattern is expected to be "mutate state, refresh cache" on any
+# changes to the underlying denylist entries. See documentation for details.
+# Min unit: s
+# denylist_refresh: 600s
+
+# In the event of errors on attempting to load the denylist cache, retry on this interval.
+# Min unit: s +# denylist_initial_load_retry: 5s + +# We cap the number of denylisted keys allowed per table to keep things from growing unbounded. Nodes will warn above +# this limit while allowing new denylisted keys to be inserted. Denied keys are loaded in natural query / clustering +# ordering by partition key in case of overflow. +# denylist_max_keys_per_table: 1000 + +# We cap the total number of denylisted keys allowed in the cluster to keep things from growing unbounded. +# Nodes will warn on initial cache load that there are too many keys and be direct the operator to trim down excess +# entries to within the configured limits. +# denylist_max_keys_total: 10000 + +# Since the denylist in many ways serves to protect the health of the cluster from partitions operators have identified +# as being in a bad state, we usually want more robustness than just CL.ONE on operations to/from these tables to +# ensure that these safeguards are in place. That said, we allow users to configure this if they're so inclined. +# denylist_consistency_level: QUORUM + +# phi value that must be reached for a host to be marked down. +# most users should never need to adjust this. +# phi_convict_threshold: 8 + +# endpoint_snitch -- Set this to a class that implements +# IEndpointSnitch. The snitch has two functions: +# +# - it teaches Cassandra enough about your network topology to route +# requests efficiently +# - it allows Cassandra to spread replicas around your cluster to avoid +# correlated failures. It does this by grouping machines into +# "datacenters" and "racks." Cassandra will do its best not to have +# more than one replica on the same "rack" (which may not actually +# be a physical location) +# +# CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH +# ONCE DATA IS INSERTED INTO THE CLUSTER. This would cause data loss. 
+# This means that if you start with the default SimpleSnitch, which +# locates every node on "rack1" in "datacenter1", your only options +# if you need to add another datacenter are GossipingPropertyFileSnitch +# (and the older PFS). From there, if you want to migrate to an +# incompatible snitch like Ec2Snitch you can do it by adding new nodes +# under Ec2Snitch (which will locate them in a new "datacenter") and +# decommissioning the old ones. +# +# Out of the box, Cassandra provides: +# +# SimpleSnitch: +# Treats Strategy order as proximity. This can improve cache +# locality when disabling read repair. Only appropriate for +# single-datacenter deployments. +# +# GossipingPropertyFileSnitch +# This should be your go-to snitch for production use. The rack +# and datacenter for the local node are defined in +# cassandra-rackdc.properties and propagated to other nodes via +# gossip. If cassandra-topology.properties exists, it is used as a +# fallback, allowing migration from the PropertyFileSnitch. +# +# PropertyFileSnitch: +# Proximity is determined by rack and data center, which are +# explicitly configured in cassandra-topology.properties. +# +# AlibabaCloudSnitch: +# Snitch for getting dc and rack of a node from metadata service of Alibaba cloud. +# This snitch that assumes an ECS region is a DC and an ECS availability_zone is a rack. +# +# AzureSnitch: +# Gets datacenter from 'location' and rack from 'zone' fields of 'compute' object +# from instance metadata service. If the availability zone is not enabled, it will use the fault +# domain and get its respective value. +# +# CloudstackSnitch: +# A snitch that assumes a Cloudstack Zone follows the typical convention +# country-location-az and uses a country/location tuple as a datacenter +# and the availability zone as a rack. +# WARNING: This snitch is deprecated and it is scheduled to be removed +# in the next major version of Cassandra. +# +# Ec2Snitch: +# Appropriate for EC2 deployments in a single Region. 
Loads Region +# and Availability Zone information from the EC2 API. The Region is +# treated as the datacenter, and the Availability Zone as the rack. +# Only private IPs are used, so this will not work across multiple +# Regions. +# +# Ec2MultiRegionSnitch: +# Uses public IPs as broadcast_address to allow cross-region +# connectivity. (Thus, you should set seed addresses to the public +# IP as well.) You will need to open the storage_port or +# ssl_storage_port on the public IP firewall. (For intra-Region +# traffic, Cassandra will switch to the private IP after +# establishing a connection.) +# +# GoogleCloudSnitch: +# Snitch for getting dc and rack of a node from metadata service of Google cloud. +# This snitch that assumes an GCE region is a DC and an GCE availability_zone is a rack. +# +# RackInferringSnitch: +# Proximity is determined by rack and data center, which are +# assumed to correspond to the 3rd and 2nd octet of each node's IP +# address, respectively. Unless this happens to match your +# deployment conventions, this is best used as an example of +# writing a custom Snitch class and is provided in that spirit. +# +# You can use a custom Snitch by setting this to the full class name +# of the snitch, which will be assumed to be on your classpath. +endpoint_snitch: SimpleSnitch + +# controls how often to perform the more expensive part of host score +# calculation +# Min unit: ms +dynamic_snitch_update_interval: 100ms +# controls how often to reset all host scores, allowing a bad host to +# possibly recover +# Min unit: ms +dynamic_snitch_reset_interval: 600000ms +# if set greater than zero, this will allow +# 'pinning' of replicas to hosts in order to increase cache capacity. +# The badness threshold will control how much worse the pinned host has to be +# before the dynamic snitch will prefer other replicas over it. This is +# expressed as a double which represents a percentage. 
Thus, a value of +# 0.2 means Cassandra would continue to prefer the static snitch values +# until the pinned host was 20% worse than the fastest. +dynamic_snitch_badness_threshold: 1.0 + +# Configures Java crypto provider. By default, it will use DefaultCryptoProvider +# which will install Amazon Correto Crypto Provider. +# +# Amazon Correto Crypto Provider works currently for x86_64 and aarch_64 platforms. +# If this provider fails it will fall back to the default crypto provider in the JRE. +# +# To force failure when the provider was not installed properly, set the property "fail_on_missing_provider" to "true". +# +# To bypass the installation of a crypto provider use class 'org.apache.cassandra.security.JREProvider' +# +crypto_provider: + - class_name: org.apache.cassandra.security.DefaultCryptoProvider + parameters: + - fail_on_missing_provider: "false" + +# Configure server-to-server internode encryption +# +# JVM and netty defaults for supported SSL socket protocols and cipher suites can +# be replaced using custom encryption options. This is not recommended +# unless you have policies in place that dictate certain settings, or +# need to disable vulnerable ciphers or protocols in case the JVM cannot +# be updated. +# +# FIPS compliant settings can be configured at JVM level and should not +# involve changing encryption settings here: +# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html +# +# **NOTE** this default configuration is an insecure configuration. If you need to +# enable server-to-server encryption generate server keystores (and truststores for mutual +# authentication) per: +# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore +# Then perform the following configuration changes: +# +# Step 1: Set internode_encryption= and explicitly set optional=true. 
Restart all nodes +# +# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual +# auth set require_client_auth=true. Restart all nodes +server_encryption_options: + # On outbound connections, determine which type of peers to securely connect to. + # The available options are : + # none : Do not encrypt outgoing connections + # dc : Encrypt connections to peers in other datacenters but not within datacenters + # rack : Encrypt connections to peers in other racks but not within racks + # all : Always use encrypted connections + internode_encryption: none + # When set to true, encrypted and unencrypted connections are allowed on the storage_port + # This should _only be true_ while in unencrypted or transitional operation + # optional defaults to true if internode_encryption is none + # optional: true + # If enabled, will open up an encrypted listening socket on ssl_storage_port. Should only be used + # during upgrade to 4.0; otherwise, set to false. + legacy_ssl_storage_port_enabled: false + # Set to a valid keystore if internode_encryption is dc, rack or all + keystore: conf/.keystore + #keystore_password: cassandra + # Configure the way Cassandra creates SSL contexts. + # To use PEM-based key material, see org.apache.cassandra.security.PEMBasedSslContextFactory + # ssl_context_factory: + # # Must be an instance of org.apache.cassandra.security.ISslContextFactory + # class_name: org.apache.cassandra.security.DefaultSslContextFactory + # During internode mTLS authentication, inbound connections (acting as servers) use keystore, keystore_password + # containing server certificate to create SSLContext and + # outbound connections (acting as clients) use outbound_keystore & outbound_keystore_password with client certificates + # to create SSLContext. By default, outbound_keystore is the same as keystore indicating mTLS is not enabled. 
+# outbound_keystore: conf/.keystore +# outbound_keystore_password: cassandra + # Verify peer server certificates + require_client_auth: false + # Set to a valid trustore if require_client_auth is true + truststore: conf/.truststore + #truststore_password: cassandra + # Verify that the host name in the certificate matches the connected host + require_endpoint_verification: false + # More advanced defaults: + # protocol: TLS + # store_type: JKS + # cipher_suites: [ + # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, + # TLS_RSA_WITH_AES_256_CBC_SHA + # ] + +# Configure client-to-server encryption. +# +# **NOTE** this default configuration is an insecure configuration. If you need to +# enable client-to-server encryption generate server keystores (and truststores for mutual +# authentication) per: +# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore +# Then perform the following configuration changes: +# +# Step 1: Set enabled=true and explicitly set optional=true. Restart all nodes +# +# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual +# auth set require_client_auth=true. Restart all nodes +client_encryption_options: + # Enable client-to-server encryption + enabled: true + # When set to true, encrypted and unencrypted connections are allowed on the native_transport_port + # This should _only be true_ while in unencrypted or transitional operation + # optional defaults to true when enabled is false, and false when enabled is true. + optional: false + # Set keystore and keystore_password to valid keystores if enabled is true + keystore: /etc/cassandra/keystore.node0 + keystore_password: cassandra + # Configure the way Cassandra creates SSL contexts. 
+ # To use PEM-based key material, see org.apache.cassandra.security.PEMBasedSslContextFactory + # ssl_context_factory: + # # Must be an instance of org.apache.cassandra.security.ISslContextFactory + # class_name: org.apache.cassandra.security.DefaultSslContextFactory + # Verify client certificates + require_client_auth: true + # require_endpoint_verification: false + # Set trustore and truststore_password if require_client_auth is true + truststore: /etc/cassandra/truststore.node0 + truststore_password: cassandra + # More advanced defaults: + protocol: TLS + store_type: JKS + cipher_suites: [ + # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA + ] + +# internode_compression controls whether traffic between nodes is +# compressed. +# Can be: +# +# all +# all traffic is compressed +# +# dc +# traffic between different datacenters is compressed +# +# none +# nothing is compressed. +internode_compression: dc + +# Enable or disable tcp_nodelay for inter-dc communication. +# Disabling it will result in larger (but fewer) network packets being sent, +# reducing overhead from the TCP protocol itself, at the cost of increasing +# latency if you block for cross-datacenter responses. +inter_dc_tcp_nodelay: false + +# TTL for different trace types used during logging of the repair process. +# Min unit: s +trace_type_query_ttl: 1d +# Min unit: s +trace_type_repair_ttl: 7d + +# If unset, all GC Pauses greater than gc_log_threshold will log at +# INFO level +# UDFs (user defined functions) are disabled by default. +# As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code. +user_defined_functions_enabled: true + +# Enables encrypting data at-rest (on disk). 
Different key providers can be plugged in, but the default reads from +# a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by +# the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys +# can still (and should!) be in the keystore and will be used on decrypt operations +# (to handle the case of key rotation). +# +# It is strongly recommended to download and install Java Cryptography Extension (JCE) +# Unlimited Strength Jurisdiction Policy Files for your version of the JDK. +# (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) +# +# Currently, only the following file types are supported for transparent data encryption, although +# more are coming in future cassandra releases: commitlog, hints +transparent_data_encryption_options: + enabled: false + chunk_length_kb: 64 + cipher: AES/CBC/PKCS5Padding + key_alias: testing:1 + # CBC IV length for AES needs to be 16 bytes (which is also the default size) + # iv_length: 16 + key_provider: + - class_name: org.apache.cassandra.security.JKSKeyProvider + parameters: + - keystore: conf/.keystore + keystore_password: cassandra + store_type: JCEKS + key_password: cassandra + +# Storage Attached Indexing options. +# sai_options: + ## Total permitted memory allowed for writing SAI index segments. This memory + ## is split between all SAI indexes being built so more indexes will mean smaller + ## segment sizes. + # segment_write_buffer_size: 1024MiB + +##################### +# SAFETY THRESHOLDS # +##################### + +# When executing a scan, within or across a partition, we need to keep the +# tombstones seen in memory so we can return them to the coordinator, which +# will use them to make sure other replicas also know about the deleted rows. +# With workloads that generate a lot of tombstones, this can cause performance +# problems and even exaust the server heap. 
+# (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets) +# Adjust the thresholds here if you understand the dangers and want to +# scan more tombstones anyway. These thresholds may also be adjusted at runtime +# using the StorageService mbean. +tombstone_warn_threshold: 1000 +tombstone_failure_threshold: 100000 + +# Filtering and secondary index queries at read consistency levels above ONE/LOCAL_ONE use a +# mechanism called replica filtering protection to ensure that results from stale replicas do +# not violate consistency. (See CASSANDRA-8272 and CASSANDRA-15907 for more details.) This +# mechanism materializes replica results by partition on-heap at the coordinator. The more possibly +# stale results returned by the replicas, the more rows materialized during the query. +replica_filtering_protection: + # These thresholds exist to limit the damage severely out-of-date replicas can cause during these + # queries. They limit the number of rows from all replicas individual index and filtering queries + # can materialize on-heap to return correct results at the desired read consistency level. + # + # "cached_replica_rows_warn_threshold" is the per-query threshold at which a warning will be logged. + # "cached_replica_rows_fail_threshold" is the per-query threshold at which the query will fail. + # + # These thresholds may also be adjusted at runtime using the StorageService mbean. + # + # If the failure threshold is breached, it is likely that either the current page/fetch size + # is too large or one or more replicas is severely out-of-sync and in need of repair. + cached_rows_warn_threshold: 2000 + cached_rows_fail_threshold: 32000 + +# Log WARN on any multiple-partition batch size exceeding this value. 5KiB per batch by default. +# Caution should be taken on increasing the size of this threshold as it can lead to node instability. 
+# Min unit: KiB +batch_size_warn_threshold: 5KiB + +# Fail any multiple-partition batch exceeding this value. 50KiB (10x warn threshold) by default. +# Min unit: KiB +batch_size_fail_threshold: 50KiB + +# Log WARN on any batches not of type LOGGED than span across more partitions than this limit +unlogged_batch_across_partitions_warn_threshold: 10 + +# GC Pauses greater than 200 ms will be logged at INFO level +# This threshold can be adjusted to minimize logging if necessary +# Min unit: ms +# gc_log_threshold: 200ms + +# GC Pauses greater than gc_warn_threshold will be logged at WARN level +# Adjust the threshold based on your application throughput requirement. Setting to 0 +# will deactivate the feature. +# Min unit: ms +# gc_warn_threshold: 1000ms + +# Maximum size of any value in SSTables. Safety measure to detect SSTable corruption +# early. Any value size larger than this threshold will result into marking an SSTable +# as corrupted. This should be positive and less than 2GiB. +# Min unit: MiB +# max_value_size: 256MiB + +# ** Impact on keyspace creation ** +# If replication factor is not mentioned as part of keyspace creation, default_keyspace_rf would apply. +# Changing this configuration would only take effect for keyspaces created after the change, but does not impact +# existing keyspaces created prior to the change. +# ** Impact on keyspace alter ** +# When altering a keyspace from NetworkTopologyStrategy to SimpleStrategy, default_keyspace_rf is applied if rf is not +# explicitly mentioned. +# ** Impact on system keyspaces ** +# This would also apply for any system keyspaces that need replication factor. +# A further note about system keyspaces - system_traces and system_distributed keyspaces take RF of 2 or default, +# whichever is higher, and system_auth keyspace takes RF of 1 or default, whichever is higher. 
+# Suggested value for use in production: 3 +# default_keyspace_rf: 1 + +# Track a metric per keyspace indicating whether replication achieved the ideal consistency +# level for writes without timing out. This is different from the consistency level requested by +# each write which may be lower in order to facilitate availability. +# ideal_consistency_level: EACH_QUORUM + +# Automatically upgrade sstables after upgrade - if there is no ordinary compaction to do, the +# oldest non-upgraded sstable will get upgraded to the latest version +# automatic_sstable_upgrade: false +# Limit the number of concurrent sstable upgrades +# max_concurrent_automatic_sstable_upgrades: 1 + +# Audit logging - Logs every incoming CQL command request, authentication to a node. See the docs +# on audit_logging for full details about the various configuration options and production tips. +audit_logging_options: + enabled: false + logger: + - class_name: BinAuditLogger + # audit_logs_dir: + # included_keyspaces: + # excluded_keyspaces: system, system_schema, system_virtual_schema + # included_categories: + # excluded_categories: + # included_users: + # excluded_users: + # roll_cycle: HOURLY + # block: true + # max_queue_weight: 268435456 # 256 MiB + # max_log_size: 17179869184 # 16 GiB + # + ## If archive_command is empty or unset, Cassandra uses a built-in DeletingArchiver that deletes the oldest files if ``max_log_size`` is reached. + ## If archive_command is set, Cassandra does not use DeletingArchiver, so it is the responsibility of the script to make any required cleanup. + ## Example: "/path/to/script.sh %path" where %path is replaced with the file being rolled. 
+ # archive_command: + # max_archive_retries: 10 + +# default options for full query logging - these can be overridden from command line when executing +# nodetool enablefullquerylog +# full_query_logging_options: + # log_dir: + # roll_cycle: HOURLY + # block: true + # max_queue_weight: 268435456 # 256 MiB + # max_log_size: 17179869184 # 16 GiB + ## archive command is "/path/to/script.sh %path" where %path is replaced with the file being rolled: + # archive_command: + ## note that enabling this allows anyone with JMX/nodetool access to run local shell commands as the user running cassandra + # allow_nodetool_archive_command: false + # max_archive_retries: 10 + +# validate tombstones on reads and compaction +# can be either "disabled", "warn" or "exception" +# corrupted_tombstone_strategy: disabled + +# Diagnostic Events # +# If enabled, diagnostic events can be helpful for troubleshooting operational issues. Emitted events contain details +# on internal state and temporal relationships across events, accessible by clients via JMX. +diagnostic_events_enabled: false + +# Use native transport TCP message coalescing. If on upgrade to 4.0 you found your throughput decreasing, and in +# particular you run an old kernel or have very fewer client connections, this option might be worth evaluating. +#native_transport_flush_in_batches_legacy: false + +# Enable tracking of repaired state of data during reads and comparison between replicas +# Mismatches between the repaired sets of replicas can be characterized as either confirmed +# or unconfirmed. In this context, unconfirmed indicates that the presence of pending repair +# sessions, unrepaired partition tombstones, or some other condition means that the disparity +# cannot be considered conclusive. Confirmed mismatches should be a trigger for investigation +# as they may be indicative of corruption or data loss. 
+# There are separate flags for range vs partition reads as single partition reads are only tracked +# when CL > 1 and a digest mismatch occurs. Currently, range queries don't use digests so if +# enabled for range reads, all range reads will include repaired data tracking. As this adds +# some overhead, operators may wish to disable it whilst still enabling it for partition reads +repaired_data_tracking_for_range_reads_enabled: false +repaired_data_tracking_for_partition_reads_enabled: false +# If false, only confirmed mismatches will be reported. If true, a separate metric for unconfirmed +# mismatches will also be recorded. This is to avoid potential signal:noise issues are unconfirmed +# mismatches are less actionable than confirmed ones. +report_unconfirmed_repaired_data_mismatches: false + +# configure the read and write consistency levels for modifications to auth tables +# auth_read_consistency_level: LOCAL_QUORUM +# auth_write_consistency_level: EACH_QUORUM + +# Delays on auth resolution can lead to a thundering herd problem on reconnects; this option will enable +# warming of auth caches prior to node completing startup. See CASSANDRA-16958 +# auth_cache_warming_enabled: false + +# If enabled, dynamic data masking allows to attach CQL masking functions to the columns of a table. +# Users without the UNMASK permission will see an obscured version of the values of the columns with an attached mask. +# If dynamic data masking is disabled it won't be allowed to create new column masks, although it will still be possible +# to drop any previously existing masks. Also, any existing mask will be ignored at query time, so all users will see +# the clear values of the masked columns. +# Defaults to false to disable dynamic data masking. +# dynamic_data_masking_enabled: false + +######################### +# EXPERIMENTAL FEATURES # +######################### + +# Enables materialized view creation on this node. 
+# Materialized views are considered experimental and are not recommended for production use. +materialized_views_enabled: true + +# Enables SASI index creation on this node. +# SASI indexes are considered experimental and are not recommended for production use. +sasi_indexes_enabled: true + +# Enables creation of transiently replicated keyspaces on this node. +# Transient replication is experimental and is not recommended for production use. +transient_replication_enabled: false + +# Enables the used of 'ALTER ... DROP COMPACT STORAGE' statements on this node. +# 'ALTER ... DROP COMPACT STORAGE' is considered experimental and is not recommended for production use. +drop_compact_storage_enabled: false + +# Whether or not USE is allowed. This is enabled by default to avoid failure on upgrade. +#use_statements_enabled: true + +# When the client triggers a protocol exception or unknown issue (Cassandra bug) we increment +# a client metric showing this; this logic will exclude specific subnets from updating these +# metrics +#client_error_reporting_exclusions: +# subnets: +# - 127.0.0.1 +# - 127.0.0.0/31 + +# Enables read thresholds (warn/fail) across all replicas for reporting back to the client. +# See: CASSANDRA-16850 +# read_thresholds_enabled: false # scheduled to be set true in 4.2 +# When read_thresholds_enabled: true, this tracks the materialized size of a query on the +# coordinator. If coordinator_read_size_warn_threshold is defined, this will emit a warning +# to clients with details on what query triggered this as well as the size of the result set; if +# coordinator_read_size_fail_threshold is defined, this will fail the query after it +# has exceeded this threshold, returning a read error to the user. 
+# coordinator_read_size_warn_threshold: +# coordinator_read_size_fail_threshold: +# When read_thresholds_enabled: true, this tracks the size of the local read (as defined by +# heap size), and will warn/fail based off these thresholds; undefined disables these checks. +# local_read_size_warn_threshold: +# local_read_size_fail_threshold: +# When read_thresholds_enabled: true, this tracks the expected memory size of the RowIndexEntry +# and will warn/fail based off these thresholds; undefined disables these checks +# row_index_read_size_warn_threshold: +# row_index_read_size_fail_threshold: + +# Guardrail to warn or fail when creating more user keyspaces than threshold. +# The two thresholds default to -1 to disable. +# keyspaces_warn_threshold: -1 +# keyspaces_fail_threshold: -1 +# +# Guardrail to warn or fail when creating more user tables than threshold. +# The two thresholds default to -1 to disable. +# tables_warn_threshold: -1 +# tables_fail_threshold: -1 +# +# Guardrail to enable or disable the ability to create uncompressed tables +# uncompressed_tables_enabled: true +# +# Guardrail to warn or fail when creating/altering a table with more columns per table than threshold. +# The two thresholds default to -1 to disable. +# columns_per_table_warn_threshold: -1 +# columns_per_table_fail_threshold: -1 +# +# Guardrail to warn or fail when creating more secondary indexes per table than threshold. +# The two thresholds default to -1 to disable. +# secondary_indexes_per_table_warn_threshold: -1 +# secondary_indexes_per_table_fail_threshold: -1 +# +# Guardrail to enable or disable the creation of secondary indexes +# secondary_indexes_enabled: true +# +# Guardrail to warn or fail when creating more materialized views per table than threshold. +# The two thresholds default to -1 to disable. 
+# materialized_views_per_table_warn_threshold: -1 +# materialized_views_per_table_fail_threshold: -1 +# +# Guardrail to warn about, ignore or reject properties when creating tables. By default all properties are allowed. +# table_properties_warned: [] +# table_properties_ignored: [] +# table_properties_disallowed: [] +# +# Guardrail to allow/disallow user-provided timestamps. Defaults to true. +# user_timestamps_enabled: true +# +# Guardrail to bound user-provided timestamps within a given range. Default is infinite (denoted by null). +# Accepted values are durations of the form 12h, 24h, etc. +# maximum_timestamp_warn_threshold: +# maximum_timestamp_fail_threshold: +# minimum_timestamp_warn_threshold: +# minimum_timestamp_fail_threshold: +# +# Guardrail to allow/disallow GROUP BY functionality. +# group_by_enabled: true +# +# Guardrail to allow/disallow TRUNCATE and DROP TABLE statements +# drop_truncate_table_enabled: true +# +# Guardrail to allow/disallow DROP KEYSPACE statements +# drop_keyspace_enabled: true +# +# Guardrail to warn or fail when using a page size greater than threshold. +# The two thresholds default to -1 to disable. +# page_size_warn_threshold: -1 +# page_size_fail_threshold: -1 +# +# Guardrail to allow/disallow list operations that require read before write, i.e. setting list element by index and +# removing list elements by either index or value. Defaults to true. +# read_before_write_list_operations_enabled: true +# +# Guardrail to warn or fail when querying with an IN restriction selecting more partition keys than threshold. +# The two thresholds default to -1 to disable. +# partition_keys_in_select_warn_threshold: -1 +# partition_keys_in_select_fail_threshold: -1 +# +# Guardrail to warn or fail when an IN query creates a cartesian product with a size exceeding threshold, +# eg. "a in (1,2,...10) and b in (1,2...10)" results in cartesian product of 100. +# The two thresholds default to -1 to disable. 
+# in_select_cartesian_product_warn_threshold: -1 +# in_select_cartesian_product_fail_threshold: -1 +# +# Guardrail to warn about or reject read consistency levels. By default, all consistency levels are allowed. +# read_consistency_levels_warned: [] +# read_consistency_levels_disallowed: [] +# +# Guardrail to warn about or reject write consistency levels. By default, all consistency levels are allowed. +# write_consistency_levels_warned: [] +# write_consistency_levels_disallowed: [] +# +# Guardrail to warn or fail when writing partitions larger than threshold, expressed as 100MiB, 1GiB, etc. +# The guardrail is only checked when writing sstables (flush and compaction), and exceeding the fail threshold on that +# moment will only log an error message, without interrupting the operation. +# This operates on a per-sstable basis, so it won't detect a large partition if it is spread across multiple sstables. +# The warning threshold replaces the deprecated config property compaction_large_partition_warning_threshold. +# The two thresholds default to null to disable. +# partition_size_warn_threshold: +# partition_size_fail_threshold: +# +# Guardrail to warn or fail when writing partitions with more tombstones than threshold. +# The guardrail is only checked when writing sstables (flush and compaction), and exceeding the fail threshold on that +# moment will only log an error message, without interrupting the operation. +# This operates on a per-sstable basis, so it won't detect a large partition if it is spread across multiple sstables. +# The warning threshold replaces the deprecated config property compaction_tombstone_warning_threshold. +# The two thresholds default to -1 to disable. +# partition_tombstones_warn_threshold: -1 +# partition_tombstones_fail_threshold: -1 +# +# Guardrail to warn or fail when writing column values larger than threshold. 
+# This guardrail is only applied to the values of regular columns because both the serialized partitions keys and the +# values of the components of the clustering key already have a fixed, relatively small size limit of 65535 bytes, which +# is probably lesser than the thresholds defined here. +# Deleting individual elements of non-frozen sets and maps involves creating tombstones that contain the value of the +# deleted element, independently on whether the element existed or not. That tombstone value is also guarded by this +# guardrail, to prevent the insertion of tombstones over the threshold. The downside is that enabling or raising this +# threshold can prevent users from deleting set/map elements that were written when the guardrail was disabled or with a +# lower value. Deleting the entire column, row or partition is always allowed, since the tombstones created for those +# operations don't contain the CQL column values. +# This guardrail is different to max_value_size. max_value_size is checked when deserializing any value to detect +# sstable corruption, whereas this guardrail is checked on the CQL layer at write time to reject regular user queries +# inserting too large columns. +# The two thresholds default to null to disable. +# Min unit: B +# column_value_size_warn_threshold: +# column_value_size_fail_threshold: +# +# Guardrail to warn or fail when encountering larger size of collection data than threshold. +# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case +# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to +# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections, +# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation. +# The two thresholds default to null to disable. 
+# Min unit: B +# collection_size_warn_threshold: +# Min unit: B +# collection_size_fail_threshold: +# +# Guardrail to warn or fail when encountering more elements in collection than threshold. +# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case +# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to +# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections, +# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation. +# The two thresholds default to -1 to disable. +# items_per_collection_warn_threshold: -1 +# items_per_collection_fail_threshold: -1 +# +# Guardrail to allow/disallow querying with ALLOW FILTERING. Defaults to true. +# ALLOW FILTERING can potentially visit all the data in the table and have unpredictable performance. +# allow_filtering_enabled: true +# +# Guardrail to allow/disallow setting SimpleStrategy via keyspace creation or alteration. Defaults to true. +# simplestrategy_enabled: true +# +# Guardrail to warn or fail when creating a user-defined-type with more fields in than threshold. +# Default -1 to disable. +# fields_per_udt_warn_threshold: -1 +# fields_per_udt_fail_threshold: -1 +# +# Guardrail to warn or fail when creating a vector column with more dimensions than threshold. +# Default -1 to disable. +# vector_dimensions_warn_threshold: -1 +# vector_dimensions_fail_threshold: -1 +# +# Guardrail to indicate whether or not users are allowed to use ALTER TABLE commands to make column changes to tables +# alter_table_enabled: true +# +# Guardrail to warn or fail when local data disk usage percentage exceeds threshold. Valid values are in [1, 100]. 
+# This is only used for the disks storing data directories, so it won't count any separate disks used for storing +# the commitlog, hints nor saved caches. The disk usage is the ratio between the amount of space used by the data +# directories and the addition of that same space and the remaining free space on disk. The main purpose of this +# guardrail is rejecting user writes when the disks are over the defined usage percentage, so the writes done by +# background processes such as compaction and streaming don't fail due to a full disk. The limits should be defined +# accordingly to the expected data growth due to those background processes, so for example a compaction strategy +# doubling the size of the data would require to keep the disk usage under 50%. +# The two thresholds default to -1 to disable. +# data_disk_usage_percentage_warn_threshold: -1 +# data_disk_usage_percentage_fail_threshold: -1 +# +# Guardrail that allows users to define the max disk size of the data directories when calculating thresholds for +# disk_usage_percentage_warn_threshold and disk_usage_percentage_fail_threshold, so if this is greater than zero they +# become percentages of a fixed size on disk instead of percentages of the physically available disk size. This should +# be useful when we have a large disk and we only want to use a part of it for Cassandra's data directories. +# Valid values are in [1, max available disk size of all data directories]. +# Defaults to null to disable and use the physically available disk size of data directories during calculations. +# Min unit: B +# data_disk_usage_max_disk_size: +# +# Guardrail to warn or fail when the minimum replication factor is lesser than threshold. +# This would also apply to system keyspaces. 
+# Suggested value for use in production: 2 or higher +# minimum_replication_factor_warn_threshold: -1 +# minimum_replication_factor_fail_threshold: -1 +# +# Guardrail to warn or fail when the maximum replication factor is greater than threshold. +# This would also apply to system keyspaces. +# maximum_replication_factor_warn_threshold: -1 +# maximum_replication_factor_fail_threshold: -1 + +# Guardrail to enable a CREATE or ALTER TABLE statement when default_time_to_live is set to 0 +# and the table is using TimeWindowCompactionStrategy compaction or a subclass of it. +# It is suspicious to use default_time_to_live set to 0 with such compaction strategy. +# Please keep in mind that data will not start to automatically expire after they are older than +# a respective compaction window unit of a certain size. Please set TTL for your INSERT or UPDATE +# statements if you expect data to be expired as table settings will not do it. +# Defaults to true. If set to false, such statements fail and zero_ttl_on_twcs_warned flag is irrelevant. +#zero_ttl_on_twcs_enabled: true +# Guardrail to warn a user upon executing CREATE or ALTER TABLE statement when default_time_to_live is set to 0 +# and the table is using TimeWindowCompactionStrategy compaction or a subclass of it. Defaults to true. +# if zero_ttl_on_twcs_enabled is set to false, this property is irrelevant as such statements will fail. +#zero_ttl_on_twcs_warned: true + +# The default secondary index implementation when CREATE INDEX does not specify one via USING. +# ex. "legacy_local_table" - (default) legacy secondary index, implemented as a hidden table +# ex. "sai" - "storage-attched" index, implemented via optimized SSTable/Memtable-attached indexes +#default_secondary_index: legacy_local_table + +# Whether a default secondary index implementation is allowed. If this is "false", CREATE INDEX must +# specify an index implementation via USING. 
+#default_secondary_index_enabled: true + +# Startup Checks are executed as part of Cassandra startup process, not all of them +# are configurable (so you can disable them) but these which are enumerated bellow. +# Uncomment the startup checks and configure them appropriately to cover your needs. +# +#startup_checks: +# Verifies correct ownership of attached locations on disk at startup. See CASSANDRA-16879 for more details. +# check_filesystem_ownership: +# enabled: false +# ownership_token: "sometoken" # (overriden by "CassandraOwnershipToken" system property) +# ownership_filename: ".cassandra_fs_ownership" # (overriden by "cassandra.fs_ownership_filename") +# Prevents a node from starting if snitch's data center differs from previous data center. +# check_dc: +# enabled: true # (overriden by cassandra.ignore_dc system property) +# Prevents a node from starting if snitch's rack differs from previous rack. +# check_rack: +# enabled: true # (overriden by cassandra.ignore_rack system property) +# Enable this property to fail startup if the node is down for longer than gc_grace_seconds, to potentially +# prevent data resurrection on tables with deletes. By default, this will run against all keyspaces and tables +# except the ones specified on excluded_keyspaces and excluded_tables. +# check_data_resurrection: +# enabled: false +# file where Cassandra periodically writes the last time it was known to run +# heartbeat_file: /var/lib/cassandra/data/cassandra-heartbeat +# excluded_keyspaces: # comma separated list of keyspaces to exclude from the check +# excluded_tables: # comma separated list of keyspace.table pairs to exclude from the check + +# This property indicates with what Cassandra major version the storage format will be compatible with. +# +# The chosen storage compatiblity mode will determine the versions of the written sstables, commitlogs, hints, +# etc. 
Those storage elements will use the higher minor versions of the major version that corresponds to the +# Cassandra version we want to stay compatible with. For example, if we want to stay compatible with Cassandra 4.0 +# or 4.1, the value of this property should be 4, and that will make us use 'oa' sstables. +# +# This will also determine if certain features depending on newer formats are available. For example, extended TTLs +# up to 2106 depend on the sstable, commitlog, hints and messaging versions that were introduced by Cassandra 5.0, +# so that feature won't be available if this property is set to CASSANDRA_4. See upgrade guides for details. Currently +# the only supported major is CASSANDRA_4. +# +# Possible values are in the StorageCompatibilityMode.java file accessible online. At the time of writing these are: +# - CASSANDRA_4: Stays compatible with the 4.x line in features, formats and component versions. +# - UPGRADING: The cluster monitors nodes versions during this interim stage. _This has a cost_ but ensures any new features, +# formats, versions, etc are enabled safely. +# - NONE: Start with all the new features and formats enabled. +# +# A typical upgrade would be: +# - Do a rolling upgrade starting all nodes in CASSANDRA_Y compatibility mode. +# - Once the new binary is rendered stable do a rolling restart with UPGRADING. The cluster will enable new features in a safe way +# until all nodes are started in UPGRADING, then all new features are enabled. +# - Do a rolling restart with all nodes starting with NONE. This sheds the extra cost of checking nodes versions and ensures +# a stable cluster. If a node from a previous version was started by accident we won't any longer toggle behaviors as when UPGRADING. +# +storage_compatibility_mode: CASSANDRA_4 
diff --git a/cassandra/5-ssl/certs/keystore.node0 b/cassandra/5-ssl/certs/keystore.node0 new file mode 100644 index 0000000..06cbddb Binary files /dev/null and b/cassandra/5-ssl/certs/keystore.node0 differ diff --git a/cassandra/5-ssl/certs/node0.cer b/cassandra/5-ssl/certs/node0.cer new file mode 100644 index 0000000..6aff48b Binary files /dev/null and b/cassandra/5-ssl/certs/node0.cer differ diff --git a/cassandra/5-ssl/certs/node0.cer.pem b/cassandra/5-ssl/certs/node0.cer.pem new file mode 100644 index 0000000..ee0109b --- /dev/null +++ b/cassandra/5-ssl/certs/node0.cer.pem 
@@ -0,0 +1,25 @@ +Bag Attributes + friendlyName: node0 + localKeyID: 54 69 6D 65 20 31 36 39 30 35 37 37 34 36 30 39 37 36 +subject=/C=None/L=None/O=None/OU=None/CN=localhost +issuer=/C=None/L=None/O=None/OU=None/CN=localhost +-----BEGIN CERTIFICATE----- +MIIDRjCCAi6gAwIBAgIJAK5AeI3MGS5OMA0GCSqGSIb3DQEBCwUAMFAxDTALBgNV +BAYTBE5vbmUxDTALBgNVBAcTBE5vbmUxDTALBgNVBAoTBE5vbmUxDTALBgNVBAsT +BE5vbmUxEjAQBgNVBAMTCWxvY2FsaG9zdDAgFw0yMzA3MjgyMDUwMjNaGA8yMTIz +MDcwNDIwNTAyM1owUDENMAsGA1UEBhMETm9uZTENMAsGA1UEBxMETm9uZTENMAsG +A1UEChMETm9uZTENMAsGA1UECxMETm9uZTESMBAGA1UEAxMJbG9jYWxob3N0MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuEGNDIPp+JyPFcvjshcErUwX +fzc6snHYRpcaZ48GiIYLOWr1V4lwYhflpBEYhTKwwzU2lW1HZsjSZM04z3GVg8+/ +Ryi2lBZ46HvdtwDAHEfzminhTdoI5sBD+WLG8qWb9O5PV1KYIkcPp4uiAlZh+zjk +bkiwHRy77spwgikScRVLB9CJoqvbNeO6E5Za8lkg8sUIPC1cIhIli6td3NExz3Nr +YOeufJrz9MhWd2p2otJRGuBKAjJrpIG5p+Ijmk0ice0kfRxwtC7kmej5Lz0xiRGa +3Ktb0WSHw5EV9vlgf57+18lQ1LpfUKzHq04Cr9j11AWciEkLs0VQakPwECrJHwID +AQABoyEwHzAdBgNVHQ4EFgQUSxehWmp09EiQWCOrm9lox4CVAm8wDQYJKoZIhvcN +AQELBQADggEBAH5zqYX7yyerfxSaXubuIhRnilV0Zffm9SE8ne5pKkUhOsLI1CN4 +3gk6uzw5c1SlY1VOJT6P1fO/lswMx20GoyEt/87LDybOVLaOFNqATkr3GkFEZAVw +K7dlsijzOMM0RaX5PFjFabuunDymIig6itk5KSRvsZYGDq8UwpIQTeALpmGTtelV +YfiYZYbL3Z2rLTAeMzp+jsSSGC50pnsAi1GVeCNxz7S+nD7zScTH5V/y0WazMxlm +iQcOSByUAUEUwdMo2hJaIr/zdjaxUpcw2wiVJl/FS/APyYf3V5cOr5WGGt8ewHnG +RXly4JVJp203nPfAAUf+V0y5fcw6xUBcBcQ= +-----END CERTIFICATE----- diff --git a/cassandra/5-ssl/certs/node0.key.pem b/cassandra/5-ssl/certs/node0.key.pem new file mode 100644 index 0000000..25b24ad --- /dev/null +++ b/cassandra/5-ssl/certs/node0.key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: node0 + localKeyID: 54 69 6D 65 20 31 36 39 30 35 37 37 34 36 30 39 37 36 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4QY0Mg+n4nI8V +y+OyFwStTBd/NzqycdhGlxpnjwaIhgs5avVXiXBiF+WkERiFMrDDNTaVbUdmyNJk +zTjPcZWDz79HKLaUFnjoe923AMAcR/OaKeFN2gjmwEP5YsbypZv07k9XUpgiRw+n +i6ICVmH7OORuSLAdHLvuynCCKRJxFUsH0Imiq9s147oTllryWSDyxQg8LVwiEiWL +q13c0THPc2tg5658mvP0yFZ3anai0lEa4EoCMmukgbmn4iOaTSJx7SR9HHC0LuSZ +6PkvPTGJEZrcq1vRZIfDkRX2+WB/nv7XyVDUul9QrMerTgKv2PXUBZyISQuzRVBq +Q/AQKskfAgMBAAECggEARs3pxcVrQ33l/ho7hVQTGAUFgn1WsPvOgFHQc7siZ5Qa +/BV98gV+ijNkq4dmRMkV4+2u6/zyUy0YrGOwUQb0zZInjtC2WHHKRIxUxt4i9Lsx +gSxWx/PhN8rqVAsBKH07UQPCuWujyohEG74so3lObZuPLFICWy2PilOAqIPf8lP0 +PLUWLAE2OjTSXeANjZljg9neeznSythp5MuaHqST1HwY4kJR3Ev7T6Cgz1qPXd8G +Dvq8x2vPPW+ViIe48cyXLlZUV8eZHAulXrNCHtKuKyoP4Y7YAprvbbwlwVWcDzdf +ydslxFPtPHCfTmKyyZrtMErhwocawdeMXF0vtRqJAQKBgQDAbtuUAmg7KcwOX63k +ANKjA9m4Ep8TfT+dw7i+C5rsHcq/0VthT42gykVL8n8WOhb8A/atxnLCNL4N0Luy +Qwh2M0/oW9lcRuc6TBz12CVR/q0noa34rikcce4mqJaVVGQH8Bii5OTtDLkDXxOX +83xuRrrRAZj9+lkBLUjGbiKCHQKBgQD1HzSGCrhhUEpJmgXzEFthVg+4sKCuvHRP +3DjlpkmaA3gREQ+DMABmE8h8NPI4edNdFE1agPKAW0iFNila9kbbybMAdY1mCV5r +vmu4VzUEUd8iHboeUy6MvDZqnXo9ntWl5Xbx7Uur//0+SkGPsXzTjgX559urZSN2 +uH4hUJtTawKBgQCwqZWAbi1Ok3K4h3JW7cJy0eghK0dLVyL+LV7/ahwSRM+MBiHE +VoqJYOj5bmjp+O588w6WPqfATzdj64tFfnDYQwdLJHeKVbWWOaYktQieHBbPWYkj +0o//g0DF0ORdt5oWB4A2m7jnP1TjGXgdefV0MA72LmdMU3c+s1oqgZXAqQKBgQCc +4B7GVqAQL8mLd1ata99/2QtwwSHlEtlBrwh++UCLoAK8sXWDGTp4GdsqmtwWhuld +3btv26zXtxQfpT0saQeKbHjyJ0mabw6N2C2qqa1VmWw7sljGRag6C86rxyNPwpKr +fML2LE9MwiV6Mx3ob8gawP9UJC5zb+QVfBfFDIiMBwKBgClI5ZicTmH9n/nC7trB +W0cInwT/z7jJUDiRYOU19m2jmqj4/yIAPKeZPkewqh6JseudL8SRrpd+2E7U1m/x +ybWXAjZ7ylr/jg3c8eNWvD5vol7JNunwftH5MQcEASCnQDf7iD5f9k5bJU5WIVO5 +dcx45TL0B6jXjiljcKfiGz0t +-----END PRIVATE KEY----- 
diff --git a/cassandra/5-ssl/certs/node0.p12 b/cassandra/5-ssl/certs/node0.p12
new file mode 100644
index 0000000..9fd3258
Binary files /dev/null and b/cassandra/5-ssl/certs/node0.p12 differ
diff --git a/cassandra/5-ssl/certs/readme b/cassandra/5-ssl/certs/readme
new file mode 100644
index 0000000..b81b34f
--- /dev/null
+++ b/cassandra/5-ssl/certs/readme
@@ -0,0 +1,24 @@
+Source:
+https://docs.datastax.com/en/cassandra-oss/3.x/cassandra/configuration/secureSSLCertificates.html
+
+Desired file list:
+ keystore.node0
+ node0.cer
+ node0.cer.pem
+ node0.key.pem
+ node0.p12
+ truststore.node0
+
+Password:
+cassandra
+
+Commands:
+1. keytool -genkey -keyalg RSA -alias node0 -validity 36500 -keystore keystore.node0 -storepass cassandra -keypass cassandra -dname "CN=localhost, OU=None, O=None, L=None, C=None"
+2. keytool -export -alias node0 -file node0.cer -keystore keystore.node0
+3. keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore truststore.node0
+4. keytool -importkeystore -srckeystore keystore.node0 -destkeystore node0.p12 -deststoretype PKCS12 -srcstorepass cassandra -deststorepass cassandra
+5. openssl pkcs12 -in node0.p12 -nokeys -out node0.cer.pem -passin pass:cassandra
+6. openssl pkcs12 -in node0.p12 -nodes -nocerts -out node0.key.pem -passin pass:cassandra
+
+Validation:
+openssl pkcs12 -in node0.p12 -nokeys | openssl x509 -noout -enddate
\ No newline at end of file
diff --git a/cassandra/5-ssl/certs/truststore.node0 b/cassandra/5-ssl/certs/truststore.node0
new file mode 100644
index 0000000..adb26c5
Binary files /dev/null and b/cassandra/5-ssl/certs/truststore.node0 differ
diff --git a/generatessl.sh b/generatessl.sh
new file mode 100644
index 0000000..b82ac95
--- /dev/null
+++ b/generatessl.sh
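Review bot: Step 1's keytool -genkey produces a certificate with only CN=localhost and no subjectAltName (the node0.cer.pem in this commit carries a single subjectKeyIdentifier extension), so clients that require SAN-based hostname verification, and any connection made to 127.0.0.1 instead of `localhost`, fail the TLS handshake; add `-ext SAN=dns:localhost,ip:127.0.0.1` to the keytool -genkey line. Steps 2 and 3 omit `-storepass`, so they prompt interactively and the "Password: cassandra" line above is the only record of what to type; adding `-storepass cassandra` to both makes the six steps reproducible as a script. The 36500-day validity and the plaintext password are tolerable only because these are throwaway test fixtures; a sentence such as `Test-only material: the private key is public in this repository, never reuse these files outside the local Docker environment` would keep them from being copied elsewhere.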
@@ -0,0 +1,180 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# defaults
+: "${CERT_DIR:=./certs}"
+: "${DOMAIN:=localhost}"
+: "${DAYS:=3650}"
+: "${KEY_SIZE:=2048}"
+: "${CERT_CN:=Universal}"
+: "${USE_ECDSA:=false}"
+
+: "${EXTRA_DOMAINS:=}"
+
+mkdir -p "$CERT_DIR"
+
+cleanup() {
+ rm -f "$CERT_DIR"/*.cnf "$CERT_DIR"/*.csr "$CERT_DIR"/*.srl 2>/dev/null || true
+}
+trap cleanup EXIT
+
+# Generate private key (RSA or ECDSA)
+generate_key() {
+ local keyfile="$1"
+ if [[ "$USE_ECDSA" == "true" ]]; then
+ openssl ecparam -genkey -name prime256v1 -out "$keyfile"
+ else
+ openssl genrsa -out "$keyfile" "$KEY_SIZE"
+ fi
+}
+
+# Build SAN entries for server certificate
+build_san() {
+ local san="DNS:$DOMAIN"
+ local idx=2
+
+ if [[ "$DOMAIN" == "localhost" ]]; then
+ san+=",IP:127.0.0.1,IP:::1"
+ idx=4
+ fi
+
+ # Add extra domains
+ if [[ -n "$EXTRA_DOMAINS" ]]; then
+ IFS=',' read -ra DOMAINS <<< "$EXTRA_DOMAINS"
+ for d in "${DOMAINS[@]}"; do
+ d=$(echo "$d" | xargs) # trim whitespace
+ if [[ "$d" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ san+=",IP:$d"
+ else
+ san+=",DNS:$d"
+ fi
+ done
+ fi
+
+ echo "$san"
+}
+
+# CA configuration
+cat > "$CERT_DIR/ca.cnf" << EOF
+[req]
+distinguished_name = req_dn
+prompt = no
+x509_extensions = v3_ca
+
+[req_dn]
+CN = $CERT_CN CA
+
+[v3_ca]
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+EOF
+
+# Server configuration with SAN
+SAN_ENTRIES=$(build_san)
+cat > "$CERT_DIR/server.cnf" << EOF
+[req]
+distinguished_name = req_dn
+prompt = no
+req_extensions = v3_req
+
+[req_dn]
+CN = $DOMAIN
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = $SAN_ENTRIES
+
+[v3_ext]
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = $SAN_ENTRIES
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+EOF
+
+# Client configuration
+cat > "$CERT_DIR/client.cnf" << EOF
+[req]
+distinguished_name = req_dn
+prompt = no
+req_extensions = v3_req
+
+[req_dn]
+CN = $CERT_CN-client
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
+
+[v3_ext]
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+EOF
+
+# Generate CA
+echo "==> Generating CA..."
+generate_key "$CERT_DIR/ca.key"
+openssl req -new -x509 -sha256 -days "$DAYS" \
+ -key "$CERT_DIR/ca.key" \
+ -out "$CERT_DIR/ca.pem" \
+ -config "$CERT_DIR/ca.cnf"
+
+# Generate server certificate
+echo "==> Generating server certificate..."
+generate_key "$CERT_DIR/server.key"
+openssl req -new -sha256 \
+ -key "$CERT_DIR/server.key" \
+ -out "$CERT_DIR/server.csr" \
+ -config "$CERT_DIR/server.cnf"
+
+openssl x509 -req -sha256 -days "$DAYS" \
+ -in "$CERT_DIR/server.csr" \
+ -CA "$CERT_DIR/ca.pem" \
+ -CAkey "$CERT_DIR/ca.key" \
+ -CAcreateserial \
+ -out "$CERT_DIR/server.crt" \
+ -extfile "$CERT_DIR/server.cnf" \
+ -extensions v3_ext
+
+# Create full chain for server
+cat "$CERT_DIR/server.crt" "$CERT_DIR/ca.pem" > "$CERT_DIR/server.pem"
+
+# Generate client certificate
+echo "==> Generating client certificate..."
+generate_key "$CERT_DIR/client.key"
+openssl req -new -sha256 \
+ -key "$CERT_DIR/client.key" \
+ -out "$CERT_DIR/client.csr" \
+ -config "$CERT_DIR/client.cnf"
+
+openssl x509 -req -sha256 -days "$DAYS" \
+ -in "$CERT_DIR/client.csr" \
+ -CA "$CERT_DIR/ca.pem" \
+ -CAkey "$CERT_DIR/ca.key" \
+ -CAserial "$CERT_DIR/ca.srl" \
+ -out "$CERT_DIR/client.crt" \
+ -extfile "$CERT_DIR/client.cnf" \
+ -extensions v3_ext
+
+cat "$CERT_DIR/client.crt" "$CERT_DIR/ca.pem" > "$CERT_DIR/client.pem"
+
+# Set permissions (skip silently on Windows)
+chmod 600 "$CERT_DIR"/*.key 2>/dev/null || true
+chmod 644 "$CERT_DIR"/*.pem "$CERT_DIR"/*.crt 2>/dev/null || true
+
+# Chain verification
+echo "==> Verifying certificate chain..."
+openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/server.crt"
+openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/client.crt"
+
+echo "Done!"
+echo "Certificates are in $CERT_DIR/"
diff --git a/mariadb/10.3/Dockerfile b/mariadb/ssl/10.3/Dockerfile
similarity index 100%
rename from mariadb/10.3/Dockerfile
rename to mariadb/ssl/10.3/Dockerfile
diff --git a/mariadb/10.3/cert/ca-cert.pem b/mariadb/ssl/10.3/cert/ca-cert.pem
similarity index 100%
rename from mariadb/10.3/cert/ca-cert.pem
rename to mariadb/ssl/10.3/cert/ca-cert.pem
diff --git a/mariadb/10.3/cert/ca-key.pem b/mariadb/ssl/10.3/cert/ca-key.pem
similarity index 100%
rename from mariadb/10.3/cert/ca-key.pem
rename to mariadb/ssl/10.3/cert/ca-key.pem
diff --git a/mariadb/10.3/cert/client-cert.pem b/mariadb/ssl/10.3/cert/client-cert.pem
similarity index 100%
rename from mariadb/10.3/cert/client-cert.pem
rename to mariadb/ssl/10.3/cert/client-cert.pem
diff --git a/mariadb/10.3/cert/client-key.pem b/mariadb/ssl/10.3/cert/client-key.pem
similarity index 100%
rename from mariadb/10.3/cert/client-key.pem
rename to mariadb/ssl/10.3/cert/client-key.pem
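Review bot: With USE_ECDSA=true the server.cnf written by this script still sets `keyUsage = critical, digitalSignature, keyEncipherment`, but keyEncipherment is not among the usages RFC 5480 permits for an EC public key, and because the extension is marked critical some validators flag the certificate; derive the usage from the key type, e.g. `KU="digitalSignature, keyEncipherment"; [[ "$USE_ECDSA" == "true" ]] && KU="digitalSignature"` and write `keyUsage = critical, $KU` in both server sections. In build_san only EXTRA_DOMAINS entries are tested against the dotted-quad pattern, so a DOMAIN such as 192.168.1.10 becomes `DNS:192.168.1.10`, which no client matches against an IP peer — apply the same test to `$DOMAIN`; `idx` is assigned twice and never read. The CA key stays in CERT_DIR next to the leaf keys and an existing CA is silently overwritten, which invalidates every certificate it previously issued, so a guard like `[[ -e "$CERT_DIR/ca.key" ]] && { echo "refusing to overwrite existing CA in $CERT_DIR" >&2; exit 1; }` before mkdir would avoid surprises. The final verification only checks the signature chain; adding `-verify_hostname "$DOMAIN"` to the server.crt line would also catch a bad SAN list before the certificate is shipped.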
diff --git a/mariadb/10.3/cert/client-req.pem b/mariadb/ssl/10.3/cert/client-req.pem similarity index 100% rename from mariadb/10.3/cert/client-req.pem rename to mariadb/ssl/10.3/cert/client-req.pem diff --git a/mariadb/10.3/cert/server-cert.pem b/mariadb/ssl/10.3/cert/server-cert.pem similarity index 100% rename from mariadb/10.3/cert/server-cert.pem rename to mariadb/ssl/10.3/cert/server-cert.pem diff --git a/mariadb/10.3/cert/server-key.pem b/mariadb/ssl/10.3/cert/server-key.pem similarity index 100% rename from mariadb/10.3/cert/server-key.pem rename to mariadb/ssl/10.3/cert/server-key.pem diff --git a/mariadb/10.3/cert/server-req.pem b/mariadb/ssl/10.3/cert/server-req.pem similarity index 100% rename from mariadb/10.3/cert/server-req.pem rename to mariadb/ssl/10.3/cert/server-req.pem diff --git a/mariadb/10.3/cert3/ca.key b/mariadb/ssl/10.3/cert3/ca.key similarity index 100% rename from mariadb/10.3/cert3/ca.key rename to mariadb/ssl/10.3/cert3/ca.key diff --git a/mariadb/10.3/cert3/ca.pem b/mariadb/ssl/10.3/cert3/ca.pem similarity index 100% rename from mariadb/10.3/cert3/ca.pem rename to mariadb/ssl/10.3/cert3/ca.pem diff --git a/mariadb/10.3/cert3/ca.srl b/mariadb/ssl/10.3/cert3/ca.srl similarity index 100% rename from mariadb/10.3/cert3/ca.srl rename to mariadb/ssl/10.3/cert3/ca.srl diff --git a/mariadb/10.3/cert3/client.crt b/mariadb/ssl/10.3/cert3/client.crt similarity index 100% rename from mariadb/10.3/cert3/client.crt rename to mariadb/ssl/10.3/cert3/client.crt diff --git a/mariadb/10.3/cert3/client.csr b/mariadb/ssl/10.3/cert3/client.csr similarity index 100% rename from mariadb/10.3/cert3/client.csr rename to mariadb/ssl/10.3/cert3/client.csr diff --git a/mariadb/10.3/cert3/client.key b/mariadb/ssl/10.3/cert3/client.key similarity index 100% rename from mariadb/10.3/cert3/client.key rename to mariadb/ssl/10.3/cert3/client.key 
diff --git a/mariadb/10.3/cert3/client.pem b/mariadb/ssl/10.3/cert3/client.pem
similarity index 100%
rename from mariadb/10.3/cert3/client.pem
rename to mariadb/ssl/10.3/cert3/client.pem
diff --git a/mariadb/10.3/cert3/server.crt b/mariadb/ssl/10.3/cert3/server.crt
similarity index 100%
rename from mariadb/10.3/cert3/server.crt
rename to mariadb/ssl/10.3/cert3/server.crt
diff --git a/mariadb/10.3/cert3/server.csr b/mariadb/ssl/10.3/cert3/server.csr
similarity index 100%
rename from mariadb/10.3/cert3/server.csr
rename to mariadb/ssl/10.3/cert3/server.csr
diff --git a/mariadb/10.3/cert3/server.key b/mariadb/ssl/10.3/cert3/server.key
similarity index 100%
rename from mariadb/10.3/cert3/server.key
rename to mariadb/ssl/10.3/cert3/server.key
diff --git a/mariadb/10.3/cert3/server.pem b/mariadb/ssl/10.3/cert3/server.pem
similarity index 100%
rename from mariadb/10.3/cert3/server.pem
rename to mariadb/ssl/10.3/cert3/server.pem
diff --git a/mariadb/10.3/conf/50-server.cnf b/mariadb/ssl/10.3/conf/50-server.cnf
similarity index 100%
rename from mariadb/10.3/conf/50-server.cnf
rename to mariadb/ssl/10.3/conf/50-server.cnf
diff --git a/mariadb/10.3/conf/init.sql b/mariadb/ssl/10.3/conf/init.sql
similarity index 100%
rename from mariadb/10.3/conf/init.sql
rename to mariadb/ssl/10.3/conf/init.sql
diff --git a/mariadb/10.3/conf/ssl.sh b/mariadb/ssl/10.3/conf/ssl.sh
similarity index 100%
rename from mariadb/10.3/conf/ssl.sh
rename to mariadb/ssl/10.3/conf/ssl.sh
diff --git a/mariadb/ssl/12.1/Dockerfile b/mariadb/ssl/12.1/Dockerfile
new file mode 100644
index 0000000..a6185a4
--- /dev/null
+++ b/mariadb/ssl/12.1/Dockerfile
@@ -0,0 +1,9 @@
+FROM mariadb:12.1
+
+COPY ./conf/init.sql /docker-entrypoint-initdb.d/init.sql
+
+COPY ./certs/ca.pem /etc/mysql/cacert.pem
+COPY ./certs/server.key /etc/mysql/server-key.pem
+COPY ./certs/server.pem /etc/mysql/server-cert.pem
+
+COPY ./conf/50-server.cnf /etc/mysql/mariadb.conf.d/
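Review bot: `COPY ./certs/server.key /etc/mysql/server-key.pem` keeps the file's mode from the build context but makes it root-owned, and generatessl.sh chmods every *.key to 0600; if the key arrives with that mode, mysqld — which the official image's entrypoint runs as the mysql user — cannot open it and TLS setup fails at startup. Use `COPY --chown=mysql:mysql --chmod=0400 ./certs/server.key /etc/mysql/server-key.pem` (and `--chmod=0444` for the two certificates) so the outcome does not depend on the permissions of the checkout. The 10.3 variant shipped conf/ssl.sh, presumably to fix this up at runtime; nothing equivalent is copied here. The ./certs context directory also holds ca.key and client.key, which this Dockerfile correctly does not copy, so a `.dockerignore` listing `certs/ca.key` and `certs/client.key` would keep a future `COPY ./certs/ …` from baking them into the image.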
diff --git a/mariadb/ssl/12.1/certs/ca.key b/mariadb/ssl/12.1/certs/ca.key new file mode 100644 index 0000000..62bb655 --- /dev/null +++ b/mariadb/ssl/12.1/certs/ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDP5qLVF2U1dqMZ +0QKGi256Iy0JCasVIaKKSudzsZviyviH0oxlPWokFZYYYLff2zoPgeiux1NPlHxO +Iz0UH5/hRQpPiqFgcL1FldQComskQa1ucIdI/lzzFGC2pe71V2mmWqQ7U+25T9ux +fYkY5ZXfoAF4XKQSjQhz7SsqJjUOGSOZWn164T8ZbA8r/wjL1QCR32Xf/stir2Fp +jcgsRzgDgMQWhTFuYdrV5ZPjsKvilr3zN5XYUXpHfRLTfS7jc82CJREjndMgchYM +zXAU33wHQzzQi0Mjzdv92YYw0lGjNrskJD2w0Bzo88pDb+IBQUm7PNaYdf/Sv0BQ +I/hQId2fAgMBAAECggEASHwXoqcFBPZnmE0sjb9YVeIkxgVmbjgrZP8Homk2ugRd +UXGhvHyEoK8cBUTXZweWvyhieWmKjPDuxAl6NqVuB0scdK4XZLn566R45jA9ncb+ +UkaOjG8O9jtRGu1Qmp6O+c6Zewvgkt8acFAd+B23ut+dE5ttIwCkBVMX3Rq0HcUa +JhU+OsIg5er9a6otxegiv2FvDyzSjI4yYWHwaWVQ9y/YmN/jQvPFaFK1OPDq8X0v +Muta1GSXYNWmGHH3wLmOJUT/2b/3RZ8v27a4DH4YCj8T5R3G6l9zGU4lOJMyYTCE +FdVxkkBTPL22BvnlqIOZtra3oCNiK8rWoVyDyhf4XQKBgQDqVVkpIdNW9c8LQ/LT +KvzqtyEbOBTfhRiYIvMpaWkgt+aSnQ+VR0J9OoysP7R2kQlWuneFINnZUxJh4Khj +eotzw8alLpdWNQX5BfwwVRUlyQ19Tbd7TO0vdN7UZjWqUGt5n5Ri9dLMOYlRaTyb +i6AC1dPY4YY7ps9xQDKYXfYuwwKBgQDjH6IpTwRxh7bnQEmLixODj7W10YrnzMwl +ETQOyhA6tGjtXUmq17zuXSBAqfMZ1jnGvmBxsvm5PV0yc5yqzJQLN/HVakqZ1HSB +Vbrn4xSg6YOP53aGoFP+k8bmN4eyj+IxSQfO8o+uWQkdNv2V2xgEbSfNysz8hNaf +qZ9/AdSf9QKBgQCPc+A5RfPS8HfnNZmZnF9ocONbfmGI1DnSKNMjLtykovAMIQpB +IHaboxQq/nTDgNZuuYghf5Ldb/V45ccv3v0vyVH6HSOYKq2VXQydqfhgQUx4wPLq +EJXCz5D6BfgkY0boFcEJM+PwEej2Za4sqrUyByTBSI6cReoIMnzGuf7TcQKBgF5j +cxz/vbUA1b5dNTNM5Rszyix5nOSgc+ajs6LBzuTWvRSIRGk/p0DYauL0vhbqtLAn +xiT6YFXfbq/c5CsHQi83XMV4mvA7Hv/xBPABqz0ETqyrYNKqJr4R5AMg6MAIk9Qv +qZMTsyqdze/aPqDcoKqWQoh/05jOC/PmpmY9+INRAoGBAJSJXftFfBTv0dh+q3D5 +cOfqcd3bt6G+JEGavHQP04jFk8FXY70WKsOxsweE6q5A1icANBKw4nUPOC3KZ1G3 +kpaO2CFNtL07plr/ztNd+CpsznXZ8zrSpsQoW5yXaYQRAyXX1O3vSHPpNta6gNYd +XCPl8F5ClDVVd/p5wC7BZ1SH +-----END PRIVATE KEY----- 
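Review bot: This commits the private key of the CA that signs every server and client certificate under mariadb/ssl/12.1/certs, so anyone with read access to the repository can mint certificates that the test clients trust, and the matching ca.pem's notAfter decodes to November 2035, so a copy imported into a real trust store by mistake stays valid for a decade. Nothing in this directory says the material is test-only; the README additions in this commit describe the generator but not this caveat. Either generate the CA at image build time with generatessl.sh instead of committing it, or add a readme next to these files (as cassandra/5-ssl/certs/readme does) stating `Test-only CA: the private key is public in this repository; never import ca.pem into a trust store outside the local Docker environment`.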
diff --git a/mariadb/ssl/12.1/certs/ca.pem b/mariadb/ssl/12.1/certs/ca.pem new file mode 100644 index 0000000..ebc1f1d --- /dev/null +++ b/mariadb/ssl/12.1/certs/ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2TCCAcGgAwIBAgIUSrM1O7YhJIZDtu7xQP4yDL3lxi0wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTWFyaWFEQiBDQTAeFw0yNTExMTIxMDQ2MjhaFw0zNTEx +MTAxMDQ2MjhaMBUxEzARBgNVBAMMCk1hcmlhREIgQ0EwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDP5qLVF2U1dqMZ0QKGi256Iy0JCasVIaKKSudzsZvi +yviH0oxlPWokFZYYYLff2zoPgeiux1NPlHxOIz0UH5/hRQpPiqFgcL1FldQComsk +Qa1ucIdI/lzzFGC2pe71V2mmWqQ7U+25T9uxfYkY5ZXfoAF4XKQSjQhz7SsqJjUO +GSOZWn164T8ZbA8r/wjL1QCR32Xf/stir2FpjcgsRzgDgMQWhTFuYdrV5ZPjsKvi +lr3zN5XYUXpHfRLTfS7jc82CJREjndMgchYMzXAU33wHQzzQi0Mjzdv92YYw0lGj +NrskJD2w0Bzo88pDb+IBQUm7PNaYdf/Sv0BQI/hQId2fAgMBAAGjITAfMB0GA1Ud +DgQWBBTeL/QJBFn/UVb14r/FdvyUVNLkCzANBgkqhkiG9w0BAQsFAAOCAQEALVC8 +oMW3Ygx+jfuZueukt1SBWsDs17jpGaITm4AgRqmNk3OhDH61Qw7YCQuIGBw6ykM/ +10rmqim+slLxWLKmpZqmIU7Oi0rCIB0Y/skwnAgyEjjtFU2B7FCCJQfTuncu5Jer +VNGF3K+p33/czQLugS17ZBhVTaFLPP47IY0J9zTBOpCdpXR8+J2si/bD2wYBa3qL +q3iKFgaZzbmPBLl70Rx++LhP3X8cJ+M4adm/xm2AiQD7Ejp9+T9GUT1C6pMdiNT5 +d3Ca5Y1s4kAQRmNHaB8KDQsAIb9RsqeCuPxsZqhfBVUYPUk9AmjTzrHb4ACp2gmZ +1MXdTFVQRiysv6c+hQ== +-----END CERTIFICATE----- diff --git a/mariadb/ssl/12.1/certs/ca.srl b/mariadb/ssl/12.1/certs/ca.srl new file mode 100644 index 0000000..6610d91 --- /dev/null +++ b/mariadb/ssl/12.1/certs/ca.srl @@ -0,0 +1 @@ +6264BB963BE04F79936127782ABC6DB4887B35B9 diff --git a/mariadb/ssl/12.1/certs/client.crt b/mariadb/ssl/12.1/certs/client.crt new file mode 100644 index 0000000..e08ff12 --- /dev/null +++ b/mariadb/ssl/12.1/certs/client.crt 
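Review bot: The extension block of ca.pem decodes to a single subjectKeyIdentifier; the `basicConstraints = critical, CA:TRUE, pathlen:0` and `keyUsage = critical, keyCertSign, cRLSign` that generatessl.sh's v3_ca section emits are absent, and ca.srl — which the script's EXIT trap deletes — is committed alongside, so these artifacts were not produced by the generator as committed (the CN=MariaDB CA / CN=MariaDB-client subjects suggest an earlier revision of it). OpenSSL's chain check treats an X.509v3 certificate with neither basicConstraints nor keyUsage as a non-CA, so `openssl verify -CAfile ca.pem client.crt` and OpenSSL-based clients can reject the chain with an invalid-CA error; Java trust anchors are more lenient, which may be why DataGrip itself still connects. Regenerating the directory with `CERT_DIR=mariadb/ssl/12.1/certs CERT_CN=MariaDB ./generatessl.sh` would make the committed files match the committed script.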
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/jCCAeagAwIBAgIUYmS7ljvgT3mTYSd4KrxttIh7NbkwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTWFyaWFEQiBDQTAeFw0yNTExMTIxMDQ2MjhaFw0zNTEx +MTAxMDQ2MjhaMBkxFzAVBgNVBAMMDk1hcmlhREItY2xpZW50MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0B54DX61rQAUiRlU6hstTkfyPzqmMHGyATq +nYu5l+JmIxevvCgDIm2buoQjdkIFRM9UVOvFxYgQH5zwBOs6OI+GaUEN74pm+R5S +s5R+l86KaFEUw5OOQe+5gaFA3saOnQSRx65IbksM/B+SE/leFVappD8yE7dckzxn +nmhWvjZzTJDepJPFcgcOKC/ZgSLtCykyCopKDxBdb7FxDS8TonsWuCP2p0TJ5hKf +wipZMNprIrmOFfhdbmlj/BPOmUJPYnpvJ03qX/dnT0uO86h27VoWysIyp8vO8ur1 +xU7SUqhmwpEQ/50ddTFN6BGE6Wy43/8/nlTlXH3S+fV7t/kVmQIDAQABo0IwQDAd +BgNVHQ4EFgQUy2tgfges3dLtt7Ga59hUDbabk84wHwYDVR0jBBgwFoAU3i/0CQRZ +/1FW9eK/xXb8lFTS5AswDQYJKoZIhvcNAQELBQADggEBAMtxrWFKm3gX+xKv+HBO +yf81FK6VvCTCtDCv/mdEVqig0aHpS9aqQKvgCpZuptvNIp0bd42RUZvPFdkSpTkg +dxQxN4fvhS8MkBlInCZSOORJGiyaMpXSRgmDwqQzejHysN9N8TpG1omJ3/uTuK+D +endhJGb3j7lDNXVIVNM1y9qSXoIAiZ1wGASKjPvuWxmlhL7pQ06OsDmE0r456NaK +v2Dhf+04570jb7dixyIWrLJP7HJLACEGZ6BHl2bluNT1/EhR2eP4eLi98q/8dHMq +E2P2ChvRNgy1U/SzYYm6duzVFLCDCn6GMSmrtcxac+1Wa2IrSuEp5Y9kEdHSd6vB +bnE= +-----END CERTIFICATE----- diff --git a/mariadb/ssl/12.1/certs/client.csr b/mariadb/ssl/12.1/certs/client.csr new file mode 100644 index 0000000..5a9dc00 --- /dev/null +++ b/mariadb/ssl/12.1/certs/client.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICXjCCAUYCAQAwGTEXMBUGA1UEAwwOTWFyaWFEQi1jbGllbnQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/QHngNfrWtABSJGVTqGy1OR/I/OqYwcbI +BOqdi7mX4mYjF6+8KAMibZu6hCN2QgVEz1RU68XFiBAfnPAE6zo4j4ZpQQ3vimb5 +HlKzlH6XzopoURTDk45B77mBoUDexo6dBJHHrkhuSwz8H5IT+V4VVqmkPzITt1yT +PGeeaFa+NnNMkN6kk8VyBw4oL9mBIu0LKTIKikoPEF1vsXENLxOiexa4I/anRMnm +Ep/CKlkw2msiuY4V+F1uaWP8E86ZQk9iem8nTepf92dPS47zqHbtWhbKwjKny87y +6vXFTtJSqGbCkRD/nR11MU3oEYTpbLjf/z+eVOVcfdL59Xu3+RWZAgMBAAGgADAN +BgkqhkiG9w0BAQsFAAOCAQEAT2M5M9bkA2s5Esm4XLkP+j8OeiGVWGbLA5YT1LJa +oTnRJMLkLkaYLL49KhX+ItJkAcqNL9hRxx3Q0EujWpHJgEa1dNwPowvgIByF69c1 +wBYGtgzj0IUuHr5r18kWO7wWGhJWCjgdZqk/mFrRA9Bnk8HsNzXOnaWjZyrQ4iVN +TE5jBwGmQX3z2qXooO8r2oaVC7+eX8dE3J4AAWbGT5UKsrWtIhwpGYPkAgztD0de +e12xLUkI3zMUXG16QP3M/zeaX6XlUeWb4y/TQSLMISMG/St3NBZVlfY83PEND+zA +61nphJCgvFF7fY06f4c7V9SuxqNn9RBp1sFOZKb5O7S5qg== +-----END CERTIFICATE REQUEST----- diff --git a/mariadb/ssl/12.1/certs/client.key b/mariadb/ssl/12.1/certs/client.key new file mode 100644 index 0000000..9dcc317 --- /dev/null +++ b/mariadb/ssl/12.1/certs/client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/QHngNfrWtABS +JGVTqGy1OR/I/OqYwcbIBOqdi7mX4mYjF6+8KAMibZu6hCN2QgVEz1RU68XFiBAf +nPAE6zo4j4ZpQQ3vimb5HlKzlH6XzopoURTDk45B77mBoUDexo6dBJHHrkhuSwz8 +H5IT+V4VVqmkPzITt1yTPGeeaFa+NnNMkN6kk8VyBw4oL9mBIu0LKTIKikoPEF1v +sXENLxOiexa4I/anRMnmEp/CKlkw2msiuY4V+F1uaWP8E86ZQk9iem8nTepf92dP +S47zqHbtWhbKwjKny87y6vXFTtJSqGbCkRD/nR11MU3oEYTpbLjf/z+eVOVcfdL5 +9Xu3+RWZAgMBAAECggEAVTcUVtuWba38ap0+7Lyh20mdqP9QREorGRpfs1z7j/pX +ihFWwx6M7v0pozyXVGzsThGXQNNg5rfOf1d89qQc5/DDcgiDfhUL9roVHWDv2xIz +R3HBL7eCbkyzOlgwQFL2Xm4XyoIUUdhs67Xhb7bvvdBEfCOQW4qa3BvRC5rv84Ym +KlL5ztiWtMF8H6G5qkA7DeG4ywcpibdvm1r0faGZ94lIL4BF5SiXydsLbbEOkPi2 +BEgi76Nhpq2BDKYneJU4oizyVb8YGDU+JOjSV4hbLO67qdvk0QHmr2H6PZX0igpI +YkeOGu36gV5ibkOm6VLx+Y//4I1sOnY/OgqLngacpQKBgQD/5Cmh3R4QegtJWkbZ +Zwpgj5BtY8RlNTQtrD4KKS6IXf3Y3bINFNCfNWHGYrxsU4ysvf/lIiJoX6Hn/MGD +ej+lnNJy8DE2K8KFObwzCI035hEHM9ub7rTTOb+hK9ruH5XM+PJjJAaLjb2M3hZC +P/681MzcaqP1aFFMH+xvrs4lMwKBgQC/VUgWdf63/72NOv0A8ZpUg7DEDHoyPKCa +urSRKvo+g0ZoVteYZXMLiamR9eYduwFkwLSVAosw9f57JUevPZVAVru3AP/hR8Du +F+snfVtyvc18v63aTG1vhZRXwCOT00d2AVehIgLl02vCrnSDRgYc08OxmUmI2SRD +K1dCQyrCAwKBgG6mh8YhamWvkH/YlLhfkSIuEkLrGDq3Zee2CmG0axW2pxUG0H5N +mOSvXac+fMHO4w6zXhsDxqMhb050gm1LCIihpnLjIDSPeZ7IV3Qt53rbdlOJ/hWQ +hAqudwnHf/TmHY2zvIRYSKhB00w9oJxnNc0Lq8ZIKrvsrvLe/wtQKH33AoGBAJou +0ySmeVk1ET7aJj+4cjFg3fVeSKprCNEnW5MQGxB9ISO7t4jrV8YYbTld+s5CgGD8 +mYjqv9f4o9YAuL+S1M9AFYznlUupUuOLCsiL0EGqigjZPfQIWrff4SbFguYBADkr +473JdqRVtyTvCJ0wtIROcgiQCh3pPbuTFYIkNjSZAoGALD6L56wCrOTr2Dy8n/J1 +U1Lfd974SoN2BlJFVnnM1t7toJ8NqPkQJlUuWtKCWUcVv0R3RAJKH1jI8KwmsRqV +cQ9Fsc24Nc8o827AZcH0BaJ0lLS6v1WAVpqCiuhSFpmmy0+C7wNwnv6a4Y/p9csg +27hjhbQI3ppUmahXUT5occ0= +-----END PRIVATE KEY----- diff --git a/mariadb/ssl/12.1/certs/client.pem b/mariadb/ssl/12.1/certs/client.pem new file mode 100644 index 0000000..e08ff12 --- /dev/null +++ b/mariadb/ssl/12.1/certs/client.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/jCCAeagAwIBAgIUYmS7ljvgT3mTYSd4KrxttIh7NbkwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTWFyaWFEQiBDQTAeFw0yNTExMTIxMDQ2MjhaFw0zNTEx +MTAxMDQ2MjhaMBkxFzAVBgNVBAMMDk1hcmlhREItY2xpZW50MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0B54DX61rQAUiRlU6hstTkfyPzqmMHGyATq +nYu5l+JmIxevvCgDIm2buoQjdkIFRM9UVOvFxYgQH5zwBOs6OI+GaUEN74pm+R5S +s5R+l86KaFEUw5OOQe+5gaFA3saOnQSRx65IbksM/B+SE/leFVappD8yE7dckzxn +nmhWvjZzTJDepJPFcgcOKC/ZgSLtCykyCopKDxBdb7FxDS8TonsWuCP2p0TJ5hKf +wipZMNprIrmOFfhdbmlj/BPOmUJPYnpvJ03qX/dnT0uO86h27VoWysIyp8vO8ur1 +xU7SUqhmwpEQ/50ddTFN6BGE6Wy43/8/nlTlXH3S+fV7t/kVmQIDAQABo0IwQDAd +BgNVHQ4EFgQUy2tgfges3dLtt7Ga59hUDbabk84wHwYDVR0jBBgwFoAU3i/0CQRZ +/1FW9eK/xXb8lFTS5AswDQYJKoZIhvcNAQELBQADggEBAMtxrWFKm3gX+xKv+HBO +yf81FK6VvCTCtDCv/mdEVqig0aHpS9aqQKvgCpZuptvNIp0bd42RUZvPFdkSpTkg +dxQxN4fvhS8MkBlInCZSOORJGiyaMpXSRgmDwqQzejHysN9N8TpG1omJ3/uTuK+D +endhJGb3j7lDNXVIVNM1y9qSXoIAiZ1wGASKjPvuWxmlhL7pQ06OsDmE0r456NaK +v2Dhf+04570jb7dixyIWrLJP7HJLACEGZ6BHl2bluNT1/EhR2eP4eLi98q/8dHMq +E2P2ChvRNgy1U/SzYYm6duzVFLCDCn6GMSmrtcxac+1Wa2IrSuEp5Y9kEdHSd6vB +bnE= +-----END CERTIFICATE----- diff --git a/mariadb/ssl/12.1/certs/server.crt b/mariadb/ssl/12.1/certs/server.crt new file mode 100644 index 0000000..d801afa --- /dev/null +++ b/mariadb/ssl/12.1/certs/server.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+TCCAeGgAwIBAgIUYmS7ljvgT3mTYSd4KrxttIh7NbgwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTWFyaWFEQiBDQTAeFw0yNTExMTIxMDQ2MjhaFw0zNTEx +MTAxMDQ2MjhaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMthNr4ctwEYssu+NiYlBHsMmcY9HUYB9E4ahxMpl+R4 +ugY9Qbb3eG+N9r7DL3bnzf1cRlqtd4SfaUg3+XNOhq57DomIzLNAG4/N/XQT7wqQ +0CGmCegFBfuLGPZpi0c+ljq9tBJQHOEJiAa02519BNFuCVvoR5/XsZ5qydTYmotO +aOJnQh8GN+l4U4okjREydnpRNzDQf3+fivxLd8DJyRc2EGdeSawxtnWpAYk0KGDX +IVJ5if22b/EGxL/2T3vLmoasMu76amMHfEP0CvA5VoLQgTFYMopBi6XoG+eA+Lmg +UMe/Wkmdesws8tjFAG/SnDvi5KwVRfH5nLvcD33LpsECAwEAAaNCMEAwHQYDVR0O +BBYEFAvyyvj0XiONC08VjusteGYPmdxzMB8GA1UdIwQYMBaAFN4v9AkEWf9RVvXi +v8V2/JRU0uQLMA0GCSqGSIb3DQEBCwUAA4IBAQC4smlkUlsDGeNjlaOF4cVZLg5s +XVnLdZQOS35CokHfCNI9Fq26aqf+ncMSz4GefGrhwDmww+DnnC3DflZfOgcCLJX2 +MsizaRk2DSgT0RakSJHXXzhRQ4C/T0Q/YPLT87k2X1bMLuBSrnca8m3hrPYgkWno +kFbQGAtKgZ90dmibVUp4lvWDf3qD0pPOfjbqogFVuS88WSBs1Yf+mR8wm6m2+jme +H7LYk5SoxxP5aQY8Q5BzKLf1697Ju8CQav0Jw6HMnlxTiTM68dKRoIKkENsTAJvs +qKcUfq1mWYylpesAeQt8rV9ocsoDGh/QtKuQ7C5+Hl/djvP2hdSjYrmi/YBL +-----END CERTIFICATE----- diff --git a/mariadb/ssl/12.1/certs/server.csr b/mariadb/ssl/12.1/certs/server.csr new file mode 100644 index 0000000..32fc111 --- /dev/null +++ b/mariadb/ssl/12.1/certs/server.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAy2E2vhy3ARiyy742JiUEewyZxj0dRgH0ThqHEymX +5Hi6Bj1Btvd4b432vsMvdufN/VxGWq13hJ9pSDf5c06GrnsOiYjMs0Abj839dBPv +CpDQIaYJ6AUF+4sY9mmLRz6WOr20ElAc4QmIBrTbnX0E0W4JW+hHn9exnmrJ1Nia +i05o4mdCHwY36XhTiiSNETJ2elE3MNB/f5+K/Et3wMnJFzYQZ15JrDG2dakBiTQo +YNchUnmJ/bZv8QbEv/ZPe8uahqwy7vpqYwd8Q/QK8DlWgtCBMVgyikGLpegb54D4 +uaBQx79aSZ16zCzy2MUAb9KcO+LkrBVF8fmcu9wPfcumwQIDAQABoAAwDQYJKoZI +hvcNAQELBQADggEBAC1jyJKe7wuoX7UefNbh2667WfuKJjcszTxmPeMjWwWDAHHO +hovru0dpkClD2ofUllZAx9d2kRGLxv8lKwjKfo3nvf4rA+0xbYKJb9iytp99r/QQ +m6dE22lL4qn7v4mkAIdJi94UMnReBZTrJM7smPa07xgKWJnPEk7DKRpZcYrweIPv +Ky+j1z4GId+u3vFmVY0DyaujR5950eDw5X9dekRR3y8GBRbaek25qukRv2NtRrus +pVLjSmjWNsAhyRkzeylT0DQi8IxyEmviqs1aOPRPKlRWiJk44whvV6wCU/6J/Hlt +bjDyFyO40SJ6+CwbQL5kfAwqT6ctJH5CY411zG0= +-----END CERTIFICATE REQUEST----- diff --git a/mariadb/ssl/12.1/certs/server.key b/mariadb/ssl/12.1/certs/server.key new file mode 100644 index 0000000..b875c0f --- /dev/null +++ b/mariadb/ssl/12.1/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDLYTa+HLcBGLLL +vjYmJQR7DJnGPR1GAfROGocTKZfkeLoGPUG293hvjfa+wy925839XEZarXeEn2lI +N/lzToauew6JiMyzQBuPzf10E+8KkNAhpgnoBQX7ixj2aYtHPpY6vbQSUBzhCYgG +tNudfQTRbglb6Eef17GeasnU2JqLTmjiZ0IfBjfpeFOKJI0RMnZ6UTcw0H9/n4r8 +S3fAyckXNhBnXkmsMbZ1qQGJNChg1yFSeYn9tm/xBsS/9k97y5qGrDLu+mpjB3xD +9ArwOVaC0IExWDKKQYul6BvngPi5oFDHv1pJnXrMLPLYxQBv0pw74uSsFUXx+Zy7 +3A99y6bBAgMBAAECggEAB7Hpy/Ni7rMQJ8KOgq61ntC9HDmpewG9rDtXdz+EgFfb +hPsqGnm+SC09Q943dGaknfSQ8mMcEavk5D8+7FCRKrab+BLxmMohCNW8xFixO4t7 +XnyNZSaUgX4Tr5YSd5t7/GS7VJKMpyyQxZ0v7oNhjGl/B+fP1vHGpgVpFcksvr7D +SGtXfkCoBk9KNm0URXhtQay/JuR8+F04pZ17QGI6BgpVujom0f1nUCaFWi6L68zQ +VJn7nvAXiuV4+c6J4edKLcU/oo2Ubb5thRKtr0/BU3i8968z9dju64rXxNllXrKJ +SdRRyFsGkiPeZZo5KZ11iMTjI7BBAmYtMdGUGGyyWQKBgQD35v9sKRVPHqk/414N +Vw4m+O2aE6K5D2nMZNNI/3/qCLmQTBugFPyOmD1i0+n0jVblYgnqIj6rlDRxWYS8 +g/t8SnABFD+cXeRsIN7omamf8ABulRYGQJaN5UiviusiholhoeifWK1ao/HCmC/5 +SSgX74RP5FxmarbDXQnoAyQ8qQKBgQDSBekTx5iVYGzDSBKoZixXCBSCjbx4DftV +o0pOO1XHiqYUPRWeVexM75hZWQPvoA/7/Wl/UZEkAQnUzB8+znJuUY/eZ3oqJHxN +CVeRtfm9pd36VLHQS2Hk/WrufZRoTWZn3SH+nFn39AyFAOiTEp/rS/o9bhtRuS9a +RI52aCgQWQKBgCxzH+Nd7nM0VTaeZxPPQztbsQbKdIfoKpk6juPs5BurmtIzw1RN +zwcmZwNcafuuiCEzFgIER+Zt+YVFftZqd+JOWozm+4znDPkSX8WnH9IMr5ckZkGS +vSwOK51GNGkJZIK8DEDeHp88/DFfJmL1ahn4mWnV0XePtNuMyCTww0OZAoGADzz0 +i0XZEUV8vrJ1ABjhsLLaYhqMiR1ilfUSCBkQATlTEXbZIbLUQUTFBf6KZZF0d3EM +fXtaj4UvxGvG/JSYAt8SFC3n1DTve9toqh7M7vCg6W/JsvY1NRsZ7hHYebTb8D9A +HywS7wWa/u9w8HLSfYz2rAxYGRbZk7ATsg2ekokCgYBPzWNTVnCEoXrOUQCxKq5T +Z4qBgbR6py4TXNLdyzNLDefRE7Rvya4RWbsG0BqaAFbiEsdXT0uvHO72w7Ej36lk +mGP+IpK5RM7sMnbBfVpl5tWTRP3oyDnGfYpZSAXMSynPJ50Gv8XS+2sGyBPqP46K +B+nsNuFJSIlOhIW9gr5Quw== +-----END PRIVATE KEY----- diff --git a/mariadb/ssl/12.1/certs/server.pem b/mariadb/ssl/12.1/certs/server.pem new file mode 100644 index 0000000..d801afa --- /dev/null +++ b/mariadb/ssl/12.1/certs/server.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+TCCAeGgAwIBAgIUYmS7ljvgT3mTYSd4KrxttIh7NbgwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTWFyaWFEQiBDQTAeFw0yNTExMTIxMDQ2MjhaFw0zNTEx +MTAxMDQ2MjhaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMthNr4ctwEYssu+NiYlBHsMmcY9HUYB9E4ahxMpl+R4 +ugY9Qbb3eG+N9r7DL3bnzf1cRlqtd4SfaUg3+XNOhq57DomIzLNAG4/N/XQT7wqQ +0CGmCegFBfuLGPZpi0c+ljq9tBJQHOEJiAa02519BNFuCVvoR5/XsZ5qydTYmotO +aOJnQh8GN+l4U4okjREydnpRNzDQf3+fivxLd8DJyRc2EGdeSawxtnWpAYk0KGDX +IVJ5if22b/EGxL/2T3vLmoasMu76amMHfEP0CvA5VoLQgTFYMopBi6XoG+eA+Lmg +UMe/Wkmdesws8tjFAG/SnDvi5KwVRfH5nLvcD33LpsECAwEAAaNCMEAwHQYDVR0O +BBYEFAvyyvj0XiONC08VjusteGYPmdxzMB8GA1UdIwQYMBaAFN4v9AkEWf9RVvXi +v8V2/JRU0uQLMA0GCSqGSIb3DQEBCwUAA4IBAQC4smlkUlsDGeNjlaOF4cVZLg5s +XVnLdZQOS35CokHfCNI9Fq26aqf+ncMSz4GefGrhwDmww+DnnC3DflZfOgcCLJX2 +MsizaRk2DSgT0RakSJHXXzhRQ4C/T0Q/YPLT87k2X1bMLuBSrnca8m3hrPYgkWno +kFbQGAtKgZ90dmibVUp4lvWDf3qD0pPOfjbqogFVuS88WSBs1Yf+mR8wm6m2+jme +H7LYk5SoxxP5aQY8Q5BzKLf1697Ju8CQav0Jw6HMnlxTiTM68dKRoIKkENsTAJvs +qKcUfq1mWYylpesAeQt8rV9ocsoDGh/QtKuQ7C5+Hl/djvP2hdSjYrmi/YBL +-----END CERTIFICATE----- diff --git a/mariadb/ssl/12.1/conf/50-server.cnf b/mariadb/ssl/12.1/conf/50-server.cnf new file mode 100644 index 0000000..024d190 --- /dev/null +++ b/mariadb/ssl/12.1/conf/50-server.cnf @@ -0,0 +1,16 @@ +[server] +[mariadbd] + +pid-file = /run/mysqld/mysqld.pid +basedir = /usr + +ssl-ca = /etc/mysql/cacert.pem +ssl-cert = /etc/mysql/server-cert.pem +ssl-key = /etc/mysql/server-key.pem +require-secure-transport = on + +[embedded] +[mariadbd] +[mariadb-12.1] + + diff --git a/mariadb/ssl/12.1/conf/init.sql b/mariadb/ssl/12.1/conf/init.sql new file mode 100644 index 0000000..2f3efb2 --- /dev/null +++ b/mariadb/ssl/12.1/conf/init.sql 
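Review bot: The `[mariadbd]` SSL block in 50-server.cnf turns encryption on (`require-secure-transport = on`) but does not pin the protocol versions, so the server negotiates whatever the linked TLS library allows; for an image whose purpose is TLS testing, add `tls_version = TLSv1.2,TLSv1.3` next to `require-secure-transport = on` so the accepted versions are explicit. The file paths `ssl-ca = /etc/mysql/cacert.pem`, `/etc/mysql/server-cert.pem` and `/etc/mysql/server-key.pem` do not match the names added under `certs/` in this commit (`server.crt`, `server.key`), so the rename presumably happens in a Dockerfile outside this view; a one-line comment above `ssl-ca` saying where those files are copied from would save the next reader the hunt. `[mariadbd]` is also declared twice (at the top and again after `[embedded]`); the second header is empty, so it is harmless, but it looks like a leftover from the stock template and can be dropped.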
@@ -0,0 +1,8 @@
+CREATE DATABASE IF NOT EXISTS test_ssl;
+CREATE USER 'test_ssl'@'%' IDENTIFIED BY 'test_ssl' REQUIRE SSL;
+GRANT ALL ON test_ssl.* TO 'test_ssl'@'%';
+FLUSH PRIVILEGES;
+
+GRANT CREATE USER ON *.* TO 'guest';
+GRANT SELECT ON mysql.* TO 'guest';
+FLUSH PRIVILEGES;
\ No newline at end of file
diff --git a/mongo/8.0-ssl/Dockerfile b/mongo/8.0-ssl/Dockerfile
new file mode 100644
index 0000000..0967bc8
--- /dev/null
+++ b/mongo/8.0-ssl/Dockerfile
@@ -0,0 +1,19 @@
+FROM mongo:8.0
+
+ENV MONGO_CERT=/opt/certs
+ENV AUTH=yes
+ENV STORAGE_ENGINE=wiredTiger
+ENV JOURNALING=yes
+
+ADD run.sh /run.sh
+ADD set_password.sh /set_password.sh
+
+RUN mkdir -p "$MONGO_CERT" &&\
+ chmod +x /set_password.sh && \
+ chmod +x /run.sh
+
+COPY ./certs/* "$MONGO_CERT"
+
+EXPOSE 27017 28017
+
+CMD ["/run.sh"]
diff --git a/mongo/8.0-ssl/certs/ca.key b/mongo/8.0-ssl/certs/ca.key
new file mode 100644
index 0000000..b2a50ce
--- /dev/null
+++ b/mongo/8.0-ssl/certs/ca.key
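Review bot: `GRANT CREATE USER ON *.* TO 'guest'` gives the `guest` account a global administrative privilege (it can create further accounts at any scope), and `'guest'` with no host part resolves to `'guest'@'%'`, so that privilege is reachable from any address; if the account only needs to read `mysql.*` for the test, drop the `CREATE USER` grant, and if it is meant to exercise the TLS path give it `REQUIRE SSL` like `test_ssl` has. The script never creates `guest`, and with MariaDB's default sql_mode (which includes `NO_AUTO_CREATE_USER`) a GRANT to a missing account fails, so unless an earlier init step outside this view creates it, add `CREATE USER IF NOT EXISTS 'guest'@'%' REQUIRE SSL;` before the two grants. The two `FLUSH PRIVILEGES;` statements are unnecessary after `CREATE USER`/`GRANT`, which update the grant tables directly, and the file is missing its trailing newline.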
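Review bot: `COPY ./certs/* "$MONGO_CERT"` sweeps every file under `certs/` into the server image, including `ca.key`, `client.key` and `client.pem` (which, per the hunks in this commit, bundles the client private key); the server side only needs the CA certificate and the server key+cert bundle, so copy those two by name, `COPY ./certs/ca.pem ./certs/server.pem "$MONGO_CERT/"`, and keep the CA signing key and the client identity out of the image, unless `run.sh` (not in this view) consumes them. The two `ADD` lines should be `COPY`, since nothing here needs ADD's tar-extraction or URL behaviour, and `COPY --chmod=755 run.sh /run.sh` / `COPY --chmod=755 set_password.sh /set_password.sh` (BuildKit) make the `RUN ... chmod +x` step, and the `mkdir -p` with it, unnecessary because COPY creates the destination directory. The trailing slash on `"$MONGO_CERT/"` also makes the multi-file copy destination unambiguous.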
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDYtAOZT6jSdZri ++h/tOx8uhvAyFKVynjeaAQ+beX484hysycIvrATJR31PNbx9BpIt0esVXWH8TwD+ +q/EPF4UldUKy+zuP6tfTxy2nFfN8gVJDQJJbAKWbD8/G6YSIgU8KgO7ztwF4+qZW +TOF23NPnsGCcK33lqjZWnzs2pX83mV+XAS2qZBVVRn+lWvHs26kOY1BNjxlgnGO+ +4FtbLNimmBl4XN7hphJ48Enp6k/8Rpzftc1Lzaw4gC6/hFRSs0/H2usRqQjmpMsY ++CZr8612SsobmC2S8YFPf/CdGSNdroCz4VHcqz2XS9jkU2vCpKqVibFn+Yd88aFL +A858m0voZ746OVvhtihrgEMqm1OP5YlaDEnMWScq+A/CeAwxcNUWgdngTKaVpX7s +qifOJAErgtERg1v2ifeUAdcJAM4iqt5ZbAD2awmOGqbPRzqr7MhiYLHJmIUCDMB0 +FQLIRCl5tj4G3gDAjnaj3rh7FHSoYR0oS1wkNyUk1R2p9gOYF1QqTr92k3uBwZjF +cGfH9H45ZLa9Vf9tbiV3C8YvmRRUD3r6fybJupOQ9kKgl+C1bHdWPwcIDynsrKgY +Fp4l9KbWASkNuNiLC0ltXGx2cDkbNP3P8piaPxzXpuXxBh589dYEXfJPNmAI/RZW +VJr0+NIqSZSzBpQf93mVZvUaggDKawIDAQABAoICAAjknk8w2zND20bcT+oa5oUw +yXOssDt7bbm2uG6/diRGfTnED+GH9CxUcDqLcIBLAD28IyMd0XMaxOYupTZi1zZ5 +0PJqZ//YeeH5hxCX0IW4Aum6oSb16FXsOLEnjSZS9CzwrJ240WknFCNvhUMs/c9A +yD4wdLqzmQZGA5aTBR0BgNBAHqEi+VMmEP/2sv3u58ms3rNIH5j84gUHzQf5V6zC +ii0L1qO4/oITDl14na6zMSXnHpUxTBOHgyOd6R35uNjxTXtMjg51Ddao/F6qweAc +Yp3uSVSB77YVAIlZ6j8idaqsIQFmz6DBXpXELKRwwIVhgLPNJDfG7MEY12T6tIsy +OvMNE1ey8GazIF3PHwrQTUt6GFNpAgGBSQ8qeauvB3FNkMk9uv1kUy+KsCcT1bTc +wkMGmD6RtMfcbzaYHYiMe3i5tC9BgXL587BY+lbXNUHL/d2s2lrmdHWLtmSVuIsZ +C5C9frUmnI/FppMR+piZnf+h20VIyMat5iW2WvhThXk4xvtV8fQ7oCJ4euPkC3/t +P3DidYbSkVrrskuXCnB6YhkvYGB6J2tIhYmMIiZdTdDK6kllYPFK2zSUaCP1NH2M +PTefzFgbvmEvqQhG4aRV/dQx7gvRBP7EzG+bEBT5vm5GsF9398nj2fMFRLoGXalq +S0DC/1Fzy3BM9+T8LBoFAoIBAQDzl9hVpcwS9k1OGPlXBkWGN2OpC0UDXJkpR6Pj +Lo7pbEzrEAgcF/yemu8UPaWLo0oy8m8wY3ACV7t+07KqjTsQWGE72Y3ZLL8s8gv6 +1Bs8C/EVPs2DFaSNO8BS9G8LIyVNDYnCg/oQ53WYImeBk/Wnec0y5Hbv6WObLwDH +LZ9YL+bhiF+mLvbhr11nOD+azEx8q9dVhIYX6KgQAq5OGkEuxmgdrvIcwYbZi1II +Ik3yzo0172eBKwSNBD4a1j4nxynVt+GxKxO3ZLh/pDb033K7DteKLLwpu0XQkaT2 +l/Bn/hHYzmaFkjnmIDodfDNzsefkeG1zOPVQ6Dv6ZaQfjm/VAoIBAQDjvY6Tk10M +CFGLrhPO58gsk4SzH4uiYCbKxx/pKujyYp3Nm0UUaGq8r78oAU+TGsGGBKIlu3Lg 
++EQlP66KyJNEqh64qGNRBaT2HT9bLyMgwnBRt0OYKzBNp6KPkPYsBQ/eiXWhLf7z +znE32OAS1o2tikxnPgdpx6Hw/U8K4toZEBvOSNSvZrOPBGHWg07FBskX4rfAYacg +J9JDLfEyzAzNhK/wJP9mn4CTVWcOLaDH7ovzz5cRafk6e3/I+o6ID1YNk4v5l942 +3PSh7+YEI4ZW/CK9lsXB6/0hXPfSclGOVBEQJMxXNdwRsaMGK+lAPe4pFI52pnZ0 +amjaVnN5nbE/AoIBAERYkmZVgpC/cqk68JquM8uYtumzM8XhsUeXxi/z3D06GcrK +ULwxLrwBlJsFQPGQ+zyYMQJOpBrEKuNG2pZn0e6gHYgBXn9Uwr8Fmr7hzFJot1fS +qy7gX68Q2MFtu8pQLiMUbVaaWQttJd1tqcT9kqtOzXg+CfD+dugPpBQ+hLrllc4p +yUyDWNmxrm9LpOz17W/9dwmTiVwj9yOm3OklDKznFkdd0qim1AMtx/JoTZ6WvaAo +b84aF8jJK/OzsPTQOLiyQyzGfV2zcOC/XnwORc6eN3OZYaID3W7LrpFRyC4lZzSB +lNpdUMl0uVmUg4sum3XLJEpz7MCqqEl1QztnZ5ECggEABDqj6CenZa7N3NspsQDq +3bELmMvwKt7AOanC9PCADOg55/SHLt7VhJV65kJH+QJZL6TsYej+NCFIGqz5D8iz +u2WxVlqCJaIGMy/N2mKgs14I+et+TNgYeIixYxsdByo85jQFRC33ew2NWq0jVBY5 +4UwdKRmkx5kWb8Q0cI5P4IFFEuqVUICGuxQowPQFRXFf0Jq8MM1fbiBvLiIvRXM2 +laZuIfZ966jwmUvPsxqzzqKmZKupMYCXSTe74r6MYQhv36aqxcLFNJ2byVoMGm2S +dBEQkBa5q2U3eSQh0f2feBYljvgv9zqf0JBM57NvDGtZ/ddM4fUrY/QJ6GwMjuiX +vwKCAQEAmaX19paMFTSTYwVDqkqlD0hKyy6ccdzH860bdZUnZ8+vrsVdww5ISMnK +HcFOJySXKjXo7D1Q4INVbgZeIe1djyU5lCCuX0pwxUeIQMtPNwVs4Ws+OddJISRw +bIWpQ4Xmi3qvfR0szy+qMbADPyJA8ImR5ZCWsL74wrxnyiuHEL66lND8VBZsDjFg +p5D2qmvNVrQDrWZVs7zs3Q4wQo2CHv5/RYULI4irjJ6sgG9YegtqDbgCq26lZyqC +llwrn+P0e5HXIrRDqXOhAKVTadfH38gUqsyaWssH+OAyBs6TbwpPDzLUK6Xh7SaS +2sCxuqjKwllgCZbiCIrkRTdEqLisvQ== +-----END PRIVATE KEY----- diff --git a/mongo/8.0-ssl/certs/ca.pem b/mongo/8.0-ssl/certs/ca.pem new file mode 100644 index 0000000..d340947 --- /dev/null +++ b/mongo/8.0-ssl/certs/ca.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFCzCCAvOgAwIBAgIUR6oK9JYHH0xjsGXXjXyWhSwFvK8wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTW9uZ29EQiBDQTAeFw0yNTEyMTIxMzI3NDBaFw0zNTEy +MTAxMzI3NDBaMBUxEzARBgNVBAMMCk1vbmdvREIgQ0EwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQDYtAOZT6jSdZri+h/tOx8uhvAyFKVynjeaAQ+beX48 +4hysycIvrATJR31PNbx9BpIt0esVXWH8TwD+q/EPF4UldUKy+zuP6tfTxy2nFfN8 +gVJDQJJbAKWbD8/G6YSIgU8KgO7ztwF4+qZWTOF23NPnsGCcK33lqjZWnzs2pX83 +mV+XAS2qZBVVRn+lWvHs26kOY1BNjxlgnGO+4FtbLNimmBl4XN7hphJ48Enp6k/8 +Rpzftc1Lzaw4gC6/hFRSs0/H2usRqQjmpMsY+CZr8612SsobmC2S8YFPf/CdGSNd +roCz4VHcqz2XS9jkU2vCpKqVibFn+Yd88aFLA858m0voZ746OVvhtihrgEMqm1OP +5YlaDEnMWScq+A/CeAwxcNUWgdngTKaVpX7sqifOJAErgtERg1v2ifeUAdcJAM4i +qt5ZbAD2awmOGqbPRzqr7MhiYLHJmIUCDMB0FQLIRCl5tj4G3gDAjnaj3rh7FHSo +YR0oS1wkNyUk1R2p9gOYF1QqTr92k3uBwZjFcGfH9H45ZLa9Vf9tbiV3C8YvmRRU +D3r6fybJupOQ9kKgl+C1bHdWPwcIDynsrKgYFp4l9KbWASkNuNiLC0ltXGx2cDkb +NP3P8piaPxzXpuXxBh589dYEXfJPNmAI/RZWVJr0+NIqSZSzBpQf93mVZvUaggDK +awIDAQABo1MwUTAdBgNVHQ4EFgQUy+FsG7hFzZ9wOIo50ugzju2K+HUwHwYDVR0j +BBgwFoAUy+FsG7hFzZ9wOIo50ugzju2K+HUwDwYDVR0TAQH/BAUwAwEB/zANBgkq +hkiG9w0BAQsFAAOCAgEAUkZnkHQknnykCbJOkQ6RwAWMJBsYyNqb0n3fPq2boCpI +SQRw5+gHVEwzhkf0xb0nOLYHm8DD1TkNJpgJPh9XTQ9pqkDDuv8m/DxNVTbVCz84 +pxBPNJYq23XupAy0D4fUzBjK6qT3GNqbKvzZPuYev4JY4fcQ9g7+4Ys/sOktCXC0 +uPsqFlDaHV/Xs5uF43TsV4jIJ9GUxnwuZvIWUiHUrVF3zZeizivbSFQ8KGj7qbcE +KuTWfEb+yPslukIRKCJC6Oq/iJI5pkXnGPZFYKTSfSr/9Vl9v42Zdh3qoltU5lj9 +60hkW1myeZinilDtdc6LHv2rQMXNQKQPnBhvXPpAC2+DFE5OCFUCLDHE9NPvd9Fd +oN6hfT2iiRzYrZmvH/NMv4WWyG9+wBbM08v876psvEZFEbCqawj4nLxYYsLVApg4 +TUjmJc7B5JCeakgjusjzLELDl8ovk4LxggMcOBYQk25CPIJLoRyPk44rFIzcQinz +7e4n1PVbE2MzxaZECtCsqoTUg6UNKRXZQ322alTDZEwFXFQnCTZ/d9D1fYd3En+S +Lk+jsI2sOuSd9PzVlSP0wU36PbIOdJjl+l0mImWfRUinfBtP3WgD/UU6iLN0RYZg +hEAGsx/uaNuAVKnKin49cIikWYEi3MN8wgg018iJU5S8/YQSuS/o8BmbL2fB7bE= +-----END CERTIFICATE----- diff --git a/mongo/8.0-ssl/certs/client.crt b/mongo/8.0-ssl/certs/client.crt new file mode 100644 index 0000000..6c6c7dc --- /dev/null 
+++ b/mongo/8.0-ssl/certs/client.crt @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFITCCAwmgAwIBAgIUbGB408G9o6K3lY8/9PtfyRI1x6AwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTW9uZ29EQiBDQTAeFw0yNTEyMTIxMzI3NDNaFw0zNTEy +MTAxMzI3NDNaMBcxFTATBgNVBAMMDG1vbmdvLWNsaWVudDCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAMwDCxQjw0jy02pES+Qd8tJRsSRx6icuwxpPKAFq +ctL1sw2jtmt2AqOvfKQPVZLpb0iNWAD6qyfF3yUXEq4yiGQg9LHWTYNj1aTwerVL +0jq8ksuKY+YmPKcMc6rcgAs/7JDZA7My0uTWsxkvNLf/TXVmB+jZDfYzJKnJU6xn +F6EHr6lGQTyqIyity1V01VHeEfLdHzr8kjvYqhgduJWVS0oSf30F2w3q5AVaY74u +QQbkEU0PPhfp0BS9FA3WZpnO1GL8s9cCQ2mPt8XYWJCgaUm4dee3+jc1BQQoDR7v +5HrptJ+IkUoGqs8lqWcOWmFx8rWXmHGIcwQvPrI2FWuNZ+5waFe7YRXDPDCQN/ac +aWQk04B3a0OYFvcYd/ccFAwv8/GX1f25K1MZpJHN8ggW3lZ+5/9Rm3Fvqv/LgqbF +8vVpKXYTSTcOgRFkeQA5KUtA+F2W2AfXUxJ/jjFk96uB/3tc5tAiUzriC0IyCiX3 +buH/HxrDOf4HVLbq/cGl2y8E3N7t2UEaI2Ht/AoALrGORXHf77JcL4bh7jnpvnCn +QOMDVjyrbGASprIsDyUvDkK62CAI3DuHZBnJ0sQH1Z21KLz+aIxChPeiWUiT1bX9 +lQzQv87XOxMSKdyagEV9MS34Nb/NxctwV3jzb8TRYbA2sRT5b5jB9bMku0kEn0Zq +55G9AgMBAAGjZzBlMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD +AjAdBgNVHQ4EFgQUlyg1szAZOaMyIoBdv4DsmJd87P8wHwYDVR0jBBgwFoAUy+Fs +G7hFzZ9wOIo50ugzju2K+HUwDQYJKoZIhvcNAQELBQADggIBAHGvpiFmUbu64yUV +TLEKmDt/xdezyazwesML9Y3xmZ+v2xfg9sPVZ6nkn/9e52axr2r6dWwkopPnpS8B +rCfSrYYrLg3bHtGGdyEKD8ax7HIfqblbhx0z0x9pLLUq33avENSlnQdL3ksDywB2 +Lh3HWsYnE1CEfk7QW9k5Cz8ngkg+uLDHVr+lP3WR3u1tVJj1xmass3y7uhyVqD/3 +fN7Cbm6qFf9z+7qZR2e8z0aIrELTeB17tQrxGQLLxIb9VpnAdNOgKMKvC1T6HWLG +1yuA+CgnItyWA2PIiokB72nGpLyauqgoeUNJWVY+aTTb3Besy9wh5rn0vyG+vy2Y +/e+7eqOu9PuUb5gVauNuk/jdtQkvQmF+SU6xAMaC7zBZEab5eglP5KaVU7K4B9F1 +0aCAWqOtaI3YovQceJ8k7OjtxTB1BbFjMpM/H7M/IKZWZdX1Ly6Z/z6ORFTH/gJP +JYh2QW/0onla2Eefphx56kg0okSgfupU2JwNAXTJnmcOTdatOvH2vOQczxnUNDfm +hzPZJ4vaWPIzcVSyhvWuyJkgyN3utfDWlaHHj2hFRGEjti8C5IPAYEW3rwDItbA0 +rCSDGVcOh1aur09ERKyefpr6iLROibgCQsl/YN8YdbIJMw4MZ1dxZLtVKTRdmHub +oiT1DwcdgN4sJ8dzZa9Fg00mlnBU +-----END CERTIFICATE----- 
diff --git a/mongo/8.0-ssl/certs/client.key b/mongo/8.0-ssl/certs/client.key new file mode 100644 index 0000000..e383527 --- /dev/null +++ b/mongo/8.0-ssl/certs/client.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDMAwsUI8NI8tNq +REvkHfLSUbEkceonLsMaTygBanLS9bMNo7ZrdgKjr3ykD1WS6W9IjVgA+qsnxd8l +FxKuMohkIPSx1k2DY9Wk8Hq1S9I6vJLLimPmJjynDHOq3IALP+yQ2QOzMtLk1rMZ +LzS3/011Zgfo2Q32MySpyVOsZxehB6+pRkE8qiMorctVdNVR3hHy3R86/JI72KoY +HbiVlUtKEn99BdsN6uQFWmO+LkEG5BFNDz4X6dAUvRQN1maZztRi/LPXAkNpj7fF +2FiQoGlJuHXnt/o3NQUEKA0e7+R66bSfiJFKBqrPJalnDlphcfK1l5hxiHMELz6y +NhVrjWfucGhXu2EVwzwwkDf2nGlkJNOAd2tDmBb3GHf3HBQML/Pxl9X9uStTGaSR +zfIIFt5Wfuf/UZtxb6r/y4KmxfL1aSl2E0k3DoERZHkAOSlLQPhdltgH11MSf44x +ZPergf97XObQIlM64gtCMgol927h/x8awzn+B1S26v3BpdsvBNze7dlBGiNh7fwK +AC6xjkVx3++yXC+G4e456b5wp0DjA1Y8q2xgEqayLA8lLw5CutggCNw7h2QZydLE +B9WdtSi8/miMQoT3ollIk9W1/ZUM0L/O1zsTEincmoBFfTEt+DW/zcXLcFd482/E +0WGwNrEU+W+YwfWzJLtJBJ9GaueRvQIDAQABAoICAAQfWfQ1l1mMRJtXXlmN9wmy +A0qpi9kpA1On6VMtxudFdiM1yBpcTM8v5DOwmjDh/RRwJ2jYi293AdVPEHdD8mwA +qXrwJmo4W5eIgwnSUbZZ28NpVS9la8uBW+/GMNUweUzFAdxwSLn2WXijgPo92l9t +zJQP4FTgXDDidZCx3n9kqR4vk/9JPdiVD5QavkEbqxeuc+uFXFM6UdeW20VQ+kw/ +zLhRSCs09202YFn9RZBInHhVIu9TtwIefv7+sogehCFXYaDU4JI9iGqb2vr2vROz +epwCDzEhAmUiaX92g5Kt7j1q7THGf1NjUOk1ny3Bvq05Ur1qkvkUesP9oi061oXa +f2vzzNEcXAtX3uCX1YN0EWHU3OuuPKOPVSaiU5kdZ5SHK17vgehXzcqJhGC0yeuY +QKbU+RR16OIDdS5olyZrr16roeFZ70K/Ph/qePf3B6T6TyzhGf1SyabHZTUr2Ra2 +h2Nn/PMtcFd3mFi2TboKMwrBr7hln553oaDOHNPFc49c29YBkYbiKjnJzBqUetJi +bQh4/m/tw46A7MjI4YKO7QiG7JyczIxThl5xf+ofaXzw86z/EPVn06/Sb9R5kHW3 +Hmwly5eht6DQLBu4fjtoUlGVOMPlZFARqJYAYEbnWoTwcYFl+ZngKH6g7bnlzSL6 +ovMOH9QlK0g4o2FCfdDJAoIBAQDvykx+71JfsLnXXxO58pORYHOmUbesQNaelE87 +rMgc48ivoYr8uKeWsThBmlEmrJ5DT7JrV8VL9aT+e/2aQhYfd6CVXKRD1aYBDcUI +ilQKf8k+Hra+PiJKmdAHq72zeYYaKpmRvvQ7t6Sip868x1bFT6OGUSM5vVabaaBL +v9uVj9cVg2XHpeZergdkHFV+r9fSPYTiybxeDbdEJd3apqPRg/AAKZOgAgJC0CJn +PmN/io3x7fhEEe/Go1PxegSqGiDFQVBBoqzFzOGhlphxlc0Qt5y5pStGZNBuQyVI +DfHszUw9qUdZSiamecV+wXUB5vTOz7wrd7N031mBi9U8EhMZAoIBAQDZzZSm5nE/ +LvgfBwIYag3zsKCtczOEND49jsG0KntKXC5IPWfwkdJUwuyn3jWDPB8t5ySxqI4O 
+HAx7h7hn2NIRPZurr4Bvr3XATp4hENjwUltGlRPv+E420T/rF1uGjScCdj91mlPs +chnscdZcF7WYolIP9uFc4j/ueeagHjc9BP6dOZnG2xBt+bWwk/Q3ZIyN9i1ykDXh +fVhJ9zNXr1sqv3zhgsxY0PZ/aM3OnFN/W8kmuMpnTRx+1NgGqN++r5O9c7CyzMNq +aIxWHzJ61ByuWU6rTLGcvpsq9+rKtzIr2xdmP83QdlKLvHhZVBiF/97ReX2Kcu2W +DkKTNrrf5UxFAoIBAQDooT4tN0iXBQCGbPraPvfi5cvM4yJpvk14czGbFzjcri+Y +FASewRX1H+EP5AIunvC7JKpXcUM7Ogjjyq5x5QNJa+kifknudWsjQpSQgIKf3PED +jxCC6AykiyxDBN55K8BpykJKHxMajELwehQbGNiZe3WNbVHbRlCrXYHhezQwmOd1 +O5CWa+Beoj8RZFudGEMs9/nfew9/v5a4SnQ9F8V+EZ3Yyn0pkklXQEzgFKq6pVSo +DNH6V9xivTlG37V+wPJh68dMpeEv1GBhP5SNPWNAgKFPiWm+VTfQgNu+V6kIrvL0 +LzHE8iclAqYTHuPBAKsnqGlJUkuLatOO1nX8XRyhAoIBAQCcdeFOkAZUVEJrz5YC +wdTp9T1HvJUKaJk5kV63NTlCLrwUqwAKwkYtG6Xz5V3du4fOathiQ2pg2mdhKhsf +hpNJTU+R4s5J7OqSzicsK7Ub1p25M4iR/3b4TBM1p57ZJncafqWRrt6Q4VqcDx7l +IycR0bFPxJMaLXGtt6Yj6fDWhcr+WQ2N23qO9i49/dsXG8UYifsV7GC4blnJMKqS +V+cO62YjfdmcB+i7mCcYQBZ/TAlRJrhHww4wUmgpSJEKo4hnNT9/AjdzLk155IlX +0R4VZRRtW/fPWOGQ2W2yWC3TcVz61+Ta1tTviuGNkirXv/pp0nOLzIm+HNpYdJ2E +D21dAoIBAFO1t6yVjP+slj7sWOmMtJjkR7wDEBuDpfJpNb8y30gDb3E52qR16UFp +MfPVG7xbr18sAvYxn5zg60cmibB42vDXjjrLBHUpXrsSyNho0ikCAWdmVy1QN923 +4Cb2FCO1BPkfRYSj81CO37uqLBRK8ZgF3UD5O2IEwhajOgLnwTtW6wJ0QtFqf33h +1wHG5Kzq0CKtnJtBryWUG/IqyY+NG8o5Im+yI7dsOaVe1ILfiTmMKXsk+fnlzfUk +qvTASr/OhC4JWBVcG9d7ulIRAo7FUSGi+Hq5J0YhnAFsOpl3bvJj729EPHRqXpWu +dJndrMd3bFbGt4Fs/F6VN/Sco33bPiI= +-----END PRIVATE KEY----- diff --git a/mongo/8.0-ssl/certs/client.pem b/mongo/8.0-ssl/certs/client.pem new file mode 100644 index 0000000..6a62abf --- /dev/null +++ b/mongo/8.0-ssl/certs/client.pem 
@@ -0,0 +1,82 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDMAwsUI8NI8tNq +REvkHfLSUbEkceonLsMaTygBanLS9bMNo7ZrdgKjr3ykD1WS6W9IjVgA+qsnxd8l +FxKuMohkIPSx1k2DY9Wk8Hq1S9I6vJLLimPmJjynDHOq3IALP+yQ2QOzMtLk1rMZ +LzS3/011Zgfo2Q32MySpyVOsZxehB6+pRkE8qiMorctVdNVR3hHy3R86/JI72KoY +HbiVlUtKEn99BdsN6uQFWmO+LkEG5BFNDz4X6dAUvRQN1maZztRi/LPXAkNpj7fF +2FiQoGlJuHXnt/o3NQUEKA0e7+R66bSfiJFKBqrPJalnDlphcfK1l5hxiHMELz6y +NhVrjWfucGhXu2EVwzwwkDf2nGlkJNOAd2tDmBb3GHf3HBQML/Pxl9X9uStTGaSR +zfIIFt5Wfuf/UZtxb6r/y4KmxfL1aSl2E0k3DoERZHkAOSlLQPhdltgH11MSf44x +ZPergf97XObQIlM64gtCMgol927h/x8awzn+B1S26v3BpdsvBNze7dlBGiNh7fwK +AC6xjkVx3++yXC+G4e456b5wp0DjA1Y8q2xgEqayLA8lLw5CutggCNw7h2QZydLE +B9WdtSi8/miMQoT3ollIk9W1/ZUM0L/O1zsTEincmoBFfTEt+DW/zcXLcFd482/E +0WGwNrEU+W+YwfWzJLtJBJ9GaueRvQIDAQABAoICAAQfWfQ1l1mMRJtXXlmN9wmy +A0qpi9kpA1On6VMtxudFdiM1yBpcTM8v5DOwmjDh/RRwJ2jYi293AdVPEHdD8mwA +qXrwJmo4W5eIgwnSUbZZ28NpVS9la8uBW+/GMNUweUzFAdxwSLn2WXijgPo92l9t +zJQP4FTgXDDidZCx3n9kqR4vk/9JPdiVD5QavkEbqxeuc+uFXFM6UdeW20VQ+kw/ +zLhRSCs09202YFn9RZBInHhVIu9TtwIefv7+sogehCFXYaDU4JI9iGqb2vr2vROz +epwCDzEhAmUiaX92g5Kt7j1q7THGf1NjUOk1ny3Bvq05Ur1qkvkUesP9oi061oXa +f2vzzNEcXAtX3uCX1YN0EWHU3OuuPKOPVSaiU5kdZ5SHK17vgehXzcqJhGC0yeuY +QKbU+RR16OIDdS5olyZrr16roeFZ70K/Ph/qePf3B6T6TyzhGf1SyabHZTUr2Ra2 +h2Nn/PMtcFd3mFi2TboKMwrBr7hln553oaDOHNPFc49c29YBkYbiKjnJzBqUetJi +bQh4/m/tw46A7MjI4YKO7QiG7JyczIxThl5xf+ofaXzw86z/EPVn06/Sb9R5kHW3 +Hmwly5eht6DQLBu4fjtoUlGVOMPlZFARqJYAYEbnWoTwcYFl+ZngKH6g7bnlzSL6 +ovMOH9QlK0g4o2FCfdDJAoIBAQDvykx+71JfsLnXXxO58pORYHOmUbesQNaelE87 +rMgc48ivoYr8uKeWsThBmlEmrJ5DT7JrV8VL9aT+e/2aQhYfd6CVXKRD1aYBDcUI +ilQKf8k+Hra+PiJKmdAHq72zeYYaKpmRvvQ7t6Sip868x1bFT6OGUSM5vVabaaBL +v9uVj9cVg2XHpeZergdkHFV+r9fSPYTiybxeDbdEJd3apqPRg/AAKZOgAgJC0CJn +PmN/io3x7fhEEe/Go1PxegSqGiDFQVBBoqzFzOGhlphxlc0Qt5y5pStGZNBuQyVI +DfHszUw9qUdZSiamecV+wXUB5vTOz7wrd7N031mBi9U8EhMZAoIBAQDZzZSm5nE/ +LvgfBwIYag3zsKCtczOEND49jsG0KntKXC5IPWfwkdJUwuyn3jWDPB8t5ySxqI4O 
+HAx7h7hn2NIRPZurr4Bvr3XATp4hENjwUltGlRPv+E420T/rF1uGjScCdj91mlPs +chnscdZcF7WYolIP9uFc4j/ueeagHjc9BP6dOZnG2xBt+bWwk/Q3ZIyN9i1ykDXh +fVhJ9zNXr1sqv3zhgsxY0PZ/aM3OnFN/W8kmuMpnTRx+1NgGqN++r5O9c7CyzMNq +aIxWHzJ61ByuWU6rTLGcvpsq9+rKtzIr2xdmP83QdlKLvHhZVBiF/97ReX2Kcu2W +DkKTNrrf5UxFAoIBAQDooT4tN0iXBQCGbPraPvfi5cvM4yJpvk14czGbFzjcri+Y +FASewRX1H+EP5AIunvC7JKpXcUM7Ogjjyq5x5QNJa+kifknudWsjQpSQgIKf3PED +jxCC6AykiyxDBN55K8BpykJKHxMajELwehQbGNiZe3WNbVHbRlCrXYHhezQwmOd1 +O5CWa+Beoj8RZFudGEMs9/nfew9/v5a4SnQ9F8V+EZ3Yyn0pkklXQEzgFKq6pVSo +DNH6V9xivTlG37V+wPJh68dMpeEv1GBhP5SNPWNAgKFPiWm+VTfQgNu+V6kIrvL0 +LzHE8iclAqYTHuPBAKsnqGlJUkuLatOO1nX8XRyhAoIBAQCcdeFOkAZUVEJrz5YC +wdTp9T1HvJUKaJk5kV63NTlCLrwUqwAKwkYtG6Xz5V3du4fOathiQ2pg2mdhKhsf +hpNJTU+R4s5J7OqSzicsK7Ub1p25M4iR/3b4TBM1p57ZJncafqWRrt6Q4VqcDx7l +IycR0bFPxJMaLXGtt6Yj6fDWhcr+WQ2N23qO9i49/dsXG8UYifsV7GC4blnJMKqS +V+cO62YjfdmcB+i7mCcYQBZ/TAlRJrhHww4wUmgpSJEKo4hnNT9/AjdzLk155IlX +0R4VZRRtW/fPWOGQ2W2yWC3TcVz61+Ta1tTviuGNkirXv/pp0nOLzIm+HNpYdJ2E +D21dAoIBAFO1t6yVjP+slj7sWOmMtJjkR7wDEBuDpfJpNb8y30gDb3E52qR16UFp +MfPVG7xbr18sAvYxn5zg60cmibB42vDXjjrLBHUpXrsSyNho0ikCAWdmVy1QN923 +4Cb2FCO1BPkfRYSj81CO37uqLBRK8ZgF3UD5O2IEwhajOgLnwTtW6wJ0QtFqf33h +1wHG5Kzq0CKtnJtBryWUG/IqyY+NG8o5Im+yI7dsOaVe1ILfiTmMKXsk+fnlzfUk +qvTASr/OhC4JWBVcG9d7ulIRAo7FUSGi+Hq5J0YhnAFsOpl3bvJj729EPHRqXpWu +dJndrMd3bFbGt4Fs/F6VN/Sco33bPiI= +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIFITCCAwmgAwIBAgIUbGB408G9o6K3lY8/9PtfyRI1x6AwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTW9uZ29EQiBDQTAeFw0yNTEyMTIxMzI3NDNaFw0zNTEy +MTAxMzI3NDNaMBcxFTATBgNVBAMMDG1vbmdvLWNsaWVudDCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAMwDCxQjw0jy02pES+Qd8tJRsSRx6icuwxpPKAFq +ctL1sw2jtmt2AqOvfKQPVZLpb0iNWAD6qyfF3yUXEq4yiGQg9LHWTYNj1aTwerVL +0jq8ksuKY+YmPKcMc6rcgAs/7JDZA7My0uTWsxkvNLf/TXVmB+jZDfYzJKnJU6xn +F6EHr6lGQTyqIyity1V01VHeEfLdHzr8kjvYqhgduJWVS0oSf30F2w3q5AVaY74u +QQbkEU0PPhfp0BS9FA3WZpnO1GL8s9cCQ2mPt8XYWJCgaUm4dee3+jc1BQQoDR7v 
+5HrptJ+IkUoGqs8lqWcOWmFx8rWXmHGIcwQvPrI2FWuNZ+5waFe7YRXDPDCQN/ac +aWQk04B3a0OYFvcYd/ccFAwv8/GX1f25K1MZpJHN8ggW3lZ+5/9Rm3Fvqv/LgqbF +8vVpKXYTSTcOgRFkeQA5KUtA+F2W2AfXUxJ/jjFk96uB/3tc5tAiUzriC0IyCiX3 +buH/HxrDOf4HVLbq/cGl2y8E3N7t2UEaI2Ht/AoALrGORXHf77JcL4bh7jnpvnCn +QOMDVjyrbGASprIsDyUvDkK62CAI3DuHZBnJ0sQH1Z21KLz+aIxChPeiWUiT1bX9 +lQzQv87XOxMSKdyagEV9MS34Nb/NxctwV3jzb8TRYbA2sRT5b5jB9bMku0kEn0Zq +55G9AgMBAAGjZzBlMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD +AjAdBgNVHQ4EFgQUlyg1szAZOaMyIoBdv4DsmJd87P8wHwYDVR0jBBgwFoAUy+Fs +G7hFzZ9wOIo50ugzju2K+HUwDQYJKoZIhvcNAQELBQADggIBAHGvpiFmUbu64yUV +TLEKmDt/xdezyazwesML9Y3xmZ+v2xfg9sPVZ6nkn/9e52axr2r6dWwkopPnpS8B +rCfSrYYrLg3bHtGGdyEKD8ax7HIfqblbhx0z0x9pLLUq33avENSlnQdL3ksDywB2 +Lh3HWsYnE1CEfk7QW9k5Cz8ngkg+uLDHVr+lP3WR3u1tVJj1xmass3y7uhyVqD/3 +fN7Cbm6qFf9z+7qZR2e8z0aIrELTeB17tQrxGQLLxIb9VpnAdNOgKMKvC1T6HWLG +1yuA+CgnItyWA2PIiokB72nGpLyauqgoeUNJWVY+aTTb3Besy9wh5rn0vyG+vy2Y +/e+7eqOu9PuUb5gVauNuk/jdtQkvQmF+SU6xAMaC7zBZEab5eglP5KaVU7K4B9F1 +0aCAWqOtaI3YovQceJ8k7OjtxTB1BbFjMpM/H7M/IKZWZdX1Ly6Z/z6ORFTH/gJP +JYh2QW/0onla2Eefphx56kg0okSgfupU2JwNAXTJnmcOTdatOvH2vOQczxnUNDfm +hzPZJ4vaWPIzcVSyhvWuyJkgyN3utfDWlaHHj2hFRGEjti8C5IPAYEW3rwDItbA0 +rCSDGVcOh1aur09ERKyefpr6iLROibgCQsl/YN8YdbIJMw4MZ1dxZLtVKTRdmHub +oiT1DwcdgN4sJ8dzZa9Fg00mlnBU +-----END CERTIFICATE----- diff --git a/mongo/8.0-ssl/certs/server.crt b/mongo/8.0-ssl/certs/server.crt new file mode 100644 index 0000000..58b077b --- /dev/null +++ b/mongo/8.0-ssl/certs/server.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXDCCA0SgAwIBAgIUbGB408G9o6K3lY8/9PtfyRI1x58wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTW9uZ29EQiBDQTAeFw0yNTEyMTIxMzI3NDFaFw0zNTEy +MTAxMzI3NDFaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAJU3zsjmgyKljcF7tubY5JToxzJber2J61YC+dIKPS5w +90pavD78YqBbKJImlRiQGEe+oJMZfrOmsiFW92H3K7x+wGCQKQXdv5GzR67q/1l3 +18YtoBaMF5t6e5CafmvKZ03cet7lGillu9uGzAo0aHuagZt6yzGCdu/NVoeYC4Bs +1108kUmTCgMMxiBKTEsyma0RRzoAgpDZnEL/bXZLQqw3jcxl19jGB0YRQBoACqgV +pZOD5T0flhe7gHHqNKJps317MA623bvvJwngFHfGl0Q4xkajo1EnRwYMJEOB2BiQ +jh+L+o3vFTzZ5+2irGOec9ciDwJwbk9xKLCHZSUPxwRR1cIJVU1F9jv1Qm3PYAUy +zH1DLUYeATUixVrAZvQFtKyOFaAf0IgxeLz76yFo+1W724W3eqdZzosUeVqJgZDM +RKax+dPoLMoQStICGUZWq6QXqeujgF++t8k7iJ0t3cD+AIOvfQrjMofmk6sTuM0v +jm3Rmb0M5svtH9PipMNlUH8cUx9aO4oqjywqD/umqUkNfHQNg5B354NalODPD8Eh +vfmlM9uF31xALCp6kJwZ6UR+t+GGMv5FWHWYtQMZUpJYNIb/lqkwM9EfCNdsVL8G +eXvw8mG7OvB2UWMkXBLIRzqI1q3RmbSFQs3toC87WKZXtxsbswZdLTYeDuq3akQB +AgMBAAGjgaQwgaEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAwBgNVHREEKTAngglsb2NhbGhvc3SCBW1vbmdvggdtb25nb2Ri +hwR/AAABhwQAAAAAMB0GA1UdDgQWBBReyfW1FuFKZZwEbCNewQX9wczBgjAfBgNV +HSMEGDAWgBTL4WwbuEXNn3A4ijnS6DOO7Yr4dTANBgkqhkiG9w0BAQsFAAOCAgEA +hPaqbYc+VXin/xe9nx21mFaMxKIuYrfKeedBhlvpLOywvNBCJEEYWD5jiiFjwO2c +2lkSPMqKDoStTATozKx+DbjNHN3PqlwWAdNtXpm/p3p6COAh27pNb/wHj9u8blRL +GoDIpNmtrksAq0zNdf9iiXbEfsE5X/g5qsk/lAyGoxutQrEenPYVXWJbfdGaAMWi +U+f+iqA6glYzy+4p3YDyI+okhCreyVQQwjzx0MBG1zk8pcJLMvG9JBaXmtMp1AAV +CJ3MfVUsPTUg3V0GlM4wsQQbyw95mi+4jIoQOkphVYmmPJXS1qhq8+Y1ZcuaNEZg +mmangdeO1ItBsjp0rXM6V/Q/T3LE7WhK7F5keJKeX2VOqxBfbx4YaL09oMCYHgTP +1oiB9vE1MqNJFpvtv/GYwe5uol1vVLlMUFJFrYh7RkzFYgkv8x63EiBBQ0ivMcqH +++ad554vLjH+Cc9YmVS6ieza3ghEPhYdV7gvKeEHfDTUedruo2yuQI4EGuqv3mX4 +jQiA4P71KYVNBpMUp6NUTKakKw0MUiJyPvWEHemJpo9NNFeXAf5bh9qxQEuCqRM9 +8sAiSXvH1BKVNhH2IAuquqhS46nGjDkxPUzMaF04BdppuZTCK2JkHoRZ5f3Z5YJI +TgKNoRrHNxHgsIq72aLdUMylfR0RJgfod15aQ2CM5VU= +-----END CERTIFICATE----- 
diff --git a/mongo/8.0-ssl/certs/server.key b/mongo/8.0-ssl/certs/server.key new file mode 100644 index 0000000..f120a2e --- /dev/null +++ b/mongo/8.0-ssl/certs/server.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCVN87I5oMipY3B +e7bm2OSU6McyW3q9ietWAvnSCj0ucPdKWrw+/GKgWyiSJpUYkBhHvqCTGX6zprIh +Vvdh9yu8fsBgkCkF3b+Rs0eu6v9Zd9fGLaAWjBebenuQmn5rymdN3Hre5RopZbvb +hswKNGh7moGbessxgnbvzVaHmAuAbNddPJFJkwoDDMYgSkxLMpmtEUc6AIKQ2ZxC +/212S0KsN43MZdfYxgdGEUAaAAqoFaWTg+U9H5YXu4Bx6jSiabN9ezAOtt277ycJ +4BR3xpdEOMZGo6NRJ0cGDCRDgdgYkI4fi/qN7xU82eftoqxjnnPXIg8CcG5PcSiw +h2UlD8cEUdXCCVVNRfY79UJtz2AFMsx9Qy1GHgE1IsVawGb0BbSsjhWgH9CIMXi8 +++shaPtVu9uFt3qnWc6LFHlaiYGQzESmsfnT6CzKEErSAhlGVqukF6nro4BfvrfJ +O4idLd3A/gCDr30K4zKH5pOrE7jNL45t0Zm9DObL7R/T4qTDZVB/HFMfWjuKKo8s +Kg/7pqlJDXx0DYOQd+eDWpTgzw/BIb35pTPbhd9cQCwqepCcGelEfrfhhjL+RVh1 +mLUDGVKSWDSG/5apMDPRHwjXbFS/Bnl78PJhuzrwdlFjJFwSyEc6iNat0Zm0hULN +7aAvO1imV7cbG7MGXS02Hg7qt2pEAQIDAQABAoIB/1qx92Qkt4/xEDgjYDtV/5lP +fJBSPRT3Jay7VYMhgtsdzmPJj25SxZ9+lZCl4sY+aIOZWgAOsidMXcV/fN1BxO0z +UIdgsY540yqImjyDzEoujV5NkDNXWWhaPSbaWfzD1gZJ/GSxQgJN03pnpzaMpCgW +J32MWFryivGcqcgnCHA5t3nA8Cdhnk3V3DAqkjS8JkVxbj/S3FX7IWWXdIpyAOES +fLbyyXIrt9mrb0rEu7VuP5vQKLiXrW+MIVK1bhVJXQKBdxqtpOT8EL5WQU2/AJh2 +tnNsNdfqbg2lU5iBUz2bBZQnGiMqx73OTfaIgwwJqZJMVGzAtkuS4lucvKowhl8s +IpZ1RBdTtJnDhX9BdGis23k9ErOgGUS84jOKlDLJrEFefwpgk1dWjGFGmzVvivUC +QfhcqImLY91+WW+mXj9a1bN1djtb9jgvYECLih6O5lvP43lT39Q3vX28DV0ZmQhe +/MFTc1Rh1LWA6bSbjBnXayO70QMkYinIP9J8IsBDFWNcHx7YztIlslNe6cRyp4Tm +d/vqqwOKFEhoOvZrKk9yHxjVAZYPiUF6o4oqX4gXJQ9up3/m4r1cR3ApT17Kdxop +Q6sYDqmjXVHtKuiBmJ5JIO+zaYd1xNUTNOGA7TLc5Izai1srmwS5WuS+1nFfqi85 +gfCHdbX2S9leBzcAXgkCggEBAMcsE0LEuCknqgMQwwcOZtiMP7ihdrL0R6QcU83l +9se7gvwDvIzV5g1pJmogb2reBONob+YL4Rd9XrGif8An+rUAxsFQkQJ1gm/TZxc+ +GEMiFkcq0XaEeZlvdaXp5i0Sx11emlfR940M7J/WwUtCVuvOr2ChXXyFjywTNIhl +dMFIRHI1YHWOyBtZOKDpUKXu6T+oZga+oZ6Hly7xCO9lWFc04ZDgbXv/sgNtxfu4 +VBkBlOm5SEdcMryaGZHaXzorheWYb7EQm/4UyNoGWcDAAyh1dhJ4MmYqaBisB/hU +n7ZCVH5Wj8/NBTp+/nW24nNLOT5JKZJcNGC7b8MYZtyioS8CggEBAL/K+3SLEn3h +xiakE3UmE/AwM4MQ2CP5sDtIt0bF3BAeRiD06rE5na0ggSQ9uSmg8nzzHquLkUcL 
+Eeyv0EIak+oM1O1uiphmXmsrBGJQi12KrYxOQvN8TKhLcBazSIV2hTIKAyahcQ/L +oFHjud9oytlFCjOCqasKMfOzxaFkGf8fLhbZ1FVTzaZhRAq7f/YppaMSb3Lwz5PK +063B1iXfLI6Yp0rHOZwZYs8Dyn5UgH7OGecRd2zuFs91UB1QjVSQhSpGKSTbWLhU +E/c1w/cXKU5PAoexanEzlsWPtiMh7yOjJksq4J2AsWHXhkESx398Di+nQcOU8d4p +CWBt/TmTQc8CggEBAKbFxSr3Ra1QRQ9kDanu6TcR2JlkuduGqCZGgfW6RTVhUYBs +MIlM4eEA1uWuWx0E4tr4LBpYgBYHKC9dfdMMpuTAzaw5JfMFKj8wqPXRTMeJ11Wo +CNRQgPF1XvGaNN4xBzarbFl0uvAkjk4YqKm31siEvF0RQRJvUz74pdg/+8+MD6QC +Bc7py6z6vGwgcSNANZbUDvo+zV3M806fDXhHR/1djjKdeY+GvywX0tu/sMtvg51h +Q6BdFy7NafOzAmHW57skNQHygmvyQ2wsPSMkpIBQOpmkg68Ae0GNau8JDOK0D8Pp +/2lkpqgghjlS9bLMnhYFdQXUpxcIW8DkwdylYIkCggEAWTd9HUuMQI6D9Hmiq34Z +DEP/0lpFkQaXWhyLVRq5Ma5DhRUpD2Pz2xMhv9AOkDTUWBdoDviPjfKyVd27DOT8 +JYXujrw7MIV+KnAKTAmXqt3VuUy2jDkoF6lv7L9dXugxMYPCz3eN9oEMhMtgLXK7 +2bHp+ugvMOc/MVRQ/LBp/2lrsSmHQmIHafwZAL0T21ioOmFbAqbOiLtzGILwsRFN +0s9kEr72J40Pj6j9yyJX26TYG8reOQfQCJVTvS85bzsDFxUoEoMOlEBYQUj7bbeS +eWD7lk+LajlLS398hH9GlNdR+ulpLxssaI0vYJnxv3Xfy38McoSYtnV0bSz8/Ilp +tQKCAQAiOosFkgfWd6YXEjiCl5iWTMH4OSG9Efpgdlfbjs8v3WFBcqPXNphbcUqB +r0tgUSXgF5CXZuc/E1b3ZFOTITGLYa2fQJbFhIch9udhh8OYgqmpAlifz/CkHdKm +RMXWLO64Y1r+SOFW9WgASECji9vhC+BoINABntvfeGZFGs48ChO6LnhRpCTA15+R +Z1C+tkpoLyKVuBMoMALQ7sC5n4wXBBD1RSOQrdNyIdwmrTDkGqHy0Q9CKtBoP5eg +YNyndxSbItLVJ/XIbo+iaTpBIBpyZCKXDaQEP/b0jMqT/rC+AA0YiPbvF3w0MHZ4 +OxeuzXSMxtewKm6f3kRpUmTCr6uS +-----END PRIVATE KEY----- diff --git a/mongo/8.0-ssl/certs/server.pem b/mongo/8.0-ssl/certs/server.pem new file mode 100644 index 0000000..bf6c789 --- /dev/null +++ b/mongo/8.0-ssl/certs/server.pem 
@@ -0,0 +1,83 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCVN87I5oMipY3B +e7bm2OSU6McyW3q9ietWAvnSCj0ucPdKWrw+/GKgWyiSJpUYkBhHvqCTGX6zprIh +Vvdh9yu8fsBgkCkF3b+Rs0eu6v9Zd9fGLaAWjBebenuQmn5rymdN3Hre5RopZbvb +hswKNGh7moGbessxgnbvzVaHmAuAbNddPJFJkwoDDMYgSkxLMpmtEUc6AIKQ2ZxC +/212S0KsN43MZdfYxgdGEUAaAAqoFaWTg+U9H5YXu4Bx6jSiabN9ezAOtt277ycJ +4BR3xpdEOMZGo6NRJ0cGDCRDgdgYkI4fi/qN7xU82eftoqxjnnPXIg8CcG5PcSiw +h2UlD8cEUdXCCVVNRfY79UJtz2AFMsx9Qy1GHgE1IsVawGb0BbSsjhWgH9CIMXi8 +++shaPtVu9uFt3qnWc6LFHlaiYGQzESmsfnT6CzKEErSAhlGVqukF6nro4BfvrfJ +O4idLd3A/gCDr30K4zKH5pOrE7jNL45t0Zm9DObL7R/T4qTDZVB/HFMfWjuKKo8s +Kg/7pqlJDXx0DYOQd+eDWpTgzw/BIb35pTPbhd9cQCwqepCcGelEfrfhhjL+RVh1 +mLUDGVKSWDSG/5apMDPRHwjXbFS/Bnl78PJhuzrwdlFjJFwSyEc6iNat0Zm0hULN +7aAvO1imV7cbG7MGXS02Hg7qt2pEAQIDAQABAoIB/1qx92Qkt4/xEDgjYDtV/5lP +fJBSPRT3Jay7VYMhgtsdzmPJj25SxZ9+lZCl4sY+aIOZWgAOsidMXcV/fN1BxO0z +UIdgsY540yqImjyDzEoujV5NkDNXWWhaPSbaWfzD1gZJ/GSxQgJN03pnpzaMpCgW +J32MWFryivGcqcgnCHA5t3nA8Cdhnk3V3DAqkjS8JkVxbj/S3FX7IWWXdIpyAOES +fLbyyXIrt9mrb0rEu7VuP5vQKLiXrW+MIVK1bhVJXQKBdxqtpOT8EL5WQU2/AJh2 +tnNsNdfqbg2lU5iBUz2bBZQnGiMqx73OTfaIgwwJqZJMVGzAtkuS4lucvKowhl8s +IpZ1RBdTtJnDhX9BdGis23k9ErOgGUS84jOKlDLJrEFefwpgk1dWjGFGmzVvivUC +QfhcqImLY91+WW+mXj9a1bN1djtb9jgvYECLih6O5lvP43lT39Q3vX28DV0ZmQhe +/MFTc1Rh1LWA6bSbjBnXayO70QMkYinIP9J8IsBDFWNcHx7YztIlslNe6cRyp4Tm +d/vqqwOKFEhoOvZrKk9yHxjVAZYPiUF6o4oqX4gXJQ9up3/m4r1cR3ApT17Kdxop +Q6sYDqmjXVHtKuiBmJ5JIO+zaYd1xNUTNOGA7TLc5Izai1srmwS5WuS+1nFfqi85 +gfCHdbX2S9leBzcAXgkCggEBAMcsE0LEuCknqgMQwwcOZtiMP7ihdrL0R6QcU83l +9se7gvwDvIzV5g1pJmogb2reBONob+YL4Rd9XrGif8An+rUAxsFQkQJ1gm/TZxc+ +GEMiFkcq0XaEeZlvdaXp5i0Sx11emlfR940M7J/WwUtCVuvOr2ChXXyFjywTNIhl +dMFIRHI1YHWOyBtZOKDpUKXu6T+oZga+oZ6Hly7xCO9lWFc04ZDgbXv/sgNtxfu4 +VBkBlOm5SEdcMryaGZHaXzorheWYb7EQm/4UyNoGWcDAAyh1dhJ4MmYqaBisB/hU +n7ZCVH5Wj8/NBTp+/nW24nNLOT5JKZJcNGC7b8MYZtyioS8CggEBAL/K+3SLEn3h +xiakE3UmE/AwM4MQ2CP5sDtIt0bF3BAeRiD06rE5na0ggSQ9uSmg8nzzHquLkUcL 
+Eeyv0EIak+oM1O1uiphmXmsrBGJQi12KrYxOQvN8TKhLcBazSIV2hTIKAyahcQ/L +oFHjud9oytlFCjOCqasKMfOzxaFkGf8fLhbZ1FVTzaZhRAq7f/YppaMSb3Lwz5PK +063B1iXfLI6Yp0rHOZwZYs8Dyn5UgH7OGecRd2zuFs91UB1QjVSQhSpGKSTbWLhU +E/c1w/cXKU5PAoexanEzlsWPtiMh7yOjJksq4J2AsWHXhkESx398Di+nQcOU8d4p +CWBt/TmTQc8CggEBAKbFxSr3Ra1QRQ9kDanu6TcR2JlkuduGqCZGgfW6RTVhUYBs +MIlM4eEA1uWuWx0E4tr4LBpYgBYHKC9dfdMMpuTAzaw5JfMFKj8wqPXRTMeJ11Wo +CNRQgPF1XvGaNN4xBzarbFl0uvAkjk4YqKm31siEvF0RQRJvUz74pdg/+8+MD6QC +Bc7py6z6vGwgcSNANZbUDvo+zV3M806fDXhHR/1djjKdeY+GvywX0tu/sMtvg51h +Q6BdFy7NafOzAmHW57skNQHygmvyQ2wsPSMkpIBQOpmkg68Ae0GNau8JDOK0D8Pp +/2lkpqgghjlS9bLMnhYFdQXUpxcIW8DkwdylYIkCggEAWTd9HUuMQI6D9Hmiq34Z +DEP/0lpFkQaXWhyLVRq5Ma5DhRUpD2Pz2xMhv9AOkDTUWBdoDviPjfKyVd27DOT8 +JYXujrw7MIV+KnAKTAmXqt3VuUy2jDkoF6lv7L9dXugxMYPCz3eN9oEMhMtgLXK7 +2bHp+ugvMOc/MVRQ/LBp/2lrsSmHQmIHafwZAL0T21ioOmFbAqbOiLtzGILwsRFN +0s9kEr72J40Pj6j9yyJX26TYG8reOQfQCJVTvS85bzsDFxUoEoMOlEBYQUj7bbeS +eWD7lk+LajlLS398hH9GlNdR+ulpLxssaI0vYJnxv3Xfy38McoSYtnV0bSz8/Ilp +tQKCAQAiOosFkgfWd6YXEjiCl5iWTMH4OSG9Efpgdlfbjs8v3WFBcqPXNphbcUqB +r0tgUSXgF5CXZuc/E1b3ZFOTITGLYa2fQJbFhIch9udhh8OYgqmpAlifz/CkHdKm +RMXWLO64Y1r+SOFW9WgASECji9vhC+BoINABntvfeGZFGs48ChO6LnhRpCTA15+R +Z1C+tkpoLyKVuBMoMALQ7sC5n4wXBBD1RSOQrdNyIdwmrTDkGqHy0Q9CKtBoP5eg +YNyndxSbItLVJ/XIbo+iaTpBIBpyZCKXDaQEP/b0jMqT/rC+AA0YiPbvF3w0MHZ4 +OxeuzXSMxtewKm6f3kRpUmTCr6uS +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIFXDCCA0SgAwIBAgIUbGB408G9o6K3lY8/9PtfyRI1x58wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKTW9uZ29EQiBDQTAeFw0yNTEyMTIxMzI3NDFaFw0zNTEy +MTAxMzI3NDFaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAJU3zsjmgyKljcF7tubY5JToxzJber2J61YC+dIKPS5w +90pavD78YqBbKJImlRiQGEe+oJMZfrOmsiFW92H3K7x+wGCQKQXdv5GzR67q/1l3 +18YtoBaMF5t6e5CafmvKZ03cet7lGillu9uGzAo0aHuagZt6yzGCdu/NVoeYC4Bs +1108kUmTCgMMxiBKTEsyma0RRzoAgpDZnEL/bXZLQqw3jcxl19jGB0YRQBoACqgV +pZOD5T0flhe7gHHqNKJps317MA623bvvJwngFHfGl0Q4xkajo1EnRwYMJEOB2BiQ +jh+L+o3vFTzZ5+2irGOec9ciDwJwbk9xKLCHZSUPxwRR1cIJVU1F9jv1Qm3PYAUy 
+zH1DLUYeATUixVrAZvQFtKyOFaAf0IgxeLz76yFo+1W724W3eqdZzosUeVqJgZDM +RKax+dPoLMoQStICGUZWq6QXqeujgF++t8k7iJ0t3cD+AIOvfQrjMofmk6sTuM0v +jm3Rmb0M5svtH9PipMNlUH8cUx9aO4oqjywqD/umqUkNfHQNg5B354NalODPD8Eh +vfmlM9uF31xALCp6kJwZ6UR+t+GGMv5FWHWYtQMZUpJYNIb/lqkwM9EfCNdsVL8G +eXvw8mG7OvB2UWMkXBLIRzqI1q3RmbSFQs3toC87WKZXtxsbswZdLTYeDuq3akQB +AgMBAAGjgaQwgaEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAwBgNVHREEKTAngglsb2NhbGhvc3SCBW1vbmdvggdtb25nb2Ri +hwR/AAABhwQAAAAAMB0GA1UdDgQWBBReyfW1FuFKZZwEbCNewQX9wczBgjAfBgNV +HSMEGDAWgBTL4WwbuEXNn3A4ijnS6DOO7Yr4dTANBgkqhkiG9w0BAQsFAAOCAgEA +hPaqbYc+VXin/xe9nx21mFaMxKIuYrfKeedBhlvpLOywvNBCJEEYWD5jiiFjwO2c +2lkSPMqKDoStTATozKx+DbjNHN3PqlwWAdNtXpm/p3p6COAh27pNb/wHj9u8blRL +GoDIpNmtrksAq0zNdf9iiXbEfsE5X/g5qsk/lAyGoxutQrEenPYVXWJbfdGaAMWi +U+f+iqA6glYzy+4p3YDyI+okhCreyVQQwjzx0MBG1zk8pcJLMvG9JBaXmtMp1AAV +CJ3MfVUsPTUg3V0GlM4wsQQbyw95mi+4jIoQOkphVYmmPJXS1qhq8+Y1ZcuaNEZg +mmangdeO1ItBsjp0rXM6V/Q/T3LE7WhK7F5keJKeX2VOqxBfbx4YaL09oMCYHgTP +1oiB9vE1MqNJFpvtv/GYwe5uol1vVLlMUFJFrYh7RkzFYgkv8x63EiBBQ0ivMcqH +++ad554vLjH+Cc9YmVS6ieza3ghEPhYdV7gvKeEHfDTUedruo2yuQI4EGuqv3mX4 +jQiA4P71KYVNBpMUp6NUTKakKw0MUiJyPvWEHemJpo9NNFeXAf5bh9qxQEuCqRM9 +8sAiSXvH1BKVNhH2IAuquqhS46nGjDkxPUzMaF04BdppuZTCK2JkHoRZ5f3Z5YJI +TgKNoRrHNxHgsIq72aLdUMylfR0RJgfod15aQ2CM5VU= +-----END CERTIFICATE----- diff --git a/mongo/8.0-ssl/gen.sh b/mongo/8.0-ssl/gen.sh new file mode 100644 index 0000000..63aefde --- /dev/null +++ b/mongo/8.0-ssl/gen.sh 
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+CERT_DIR="./certs"
+mkdir -p "$CERT_DIR"
+cd "$CERT_DIR"
+
+openssl genrsa -out ca.key 4096
+
+openssl req -new -x509 -days 3650 -key ca.key -out ca.pem \
+ -subj "/CN=MongoDB CA"
+
+cat > server.cnf << EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = localhost
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = mongo
+DNS.3 = mongodb
+IP.1 = 127.0.0.1
+IP.2 = 0.0.0.0
+EOF
+
+openssl genrsa -out server.key 4096
+
+openssl req -new -key server.key -out server.csr -config server.cnf
+
+openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key \
+ -CAcreateserial -out server.crt \
+ -extensions v3_req -extfile server.cnf
+
+cat server.key server.crt > server.pem
+
+cat > client.cnf << EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = mongo-client
+
+[v3_req]
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
+EOF
+
+openssl genrsa -out client.key 4096
+
+openssl req -new -key client.key -out client.csr -config client.cnf
+
+openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca.key \
+ -CAcreateserial -out client.crt \
+ -extensions v3_req -extfile client.cnf
+
+cat client.key client.crt > client.pem
+
+
+chmod 600 *.key *.pem
+
+
+echo "=== Server certificate ==="
+openssl x509 -in server.crt -text -noout | grep -A2 "Extended Key Usage"
+
+echo "=== Client certificate ==="
+openssl x509 -in client.crt -text -noout | grep -A2 "Extended Key Usage"
+
+
+rm -f *.csr *.cnf *.srl
+
+echo "Certificates created:"
+ls -la
diff --git a/mongo/8.0-ssl/run.sh b/mongo/8.0-ssl/run.sh
new file mode 100644
index 0000000..b770f52
--- /dev/null
+++ b/mongo/8.0-ssl/run.sh
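Review bot: The script has no `set -e`, so if `cd "$CERT_DIR"` fails every following openssl call, the `chmod 600 *.key *.pem` and the final `rm -f *.csr *.cnf *.srl` run in whatever directory the caller started in. Adding `set -euo pipefail` right after the shebang, or `cd "$CERT_DIR" || exit 1`, confines the side effects to the certs directory. The `IP.2 = 0.0.0.0` SAN entry is never matched by a client (nothing connects to the unspecified address), so it can be dropped. The server certificate also carries `extendedKeyUsage = serverAuth, clientAuth`, which lets server.pem double as a client identity against anything trusting this CA; if that is not intended, keep it to `serverAuth`.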
@@ -0,0 +1,60 @@
+#!/bin/bash
+set -m
+
+cat <<-MONGOCFG > /etc/mongod.conf
+systemLog:
+ destination: file
+ path: '/data/mongod.log'
+ logAppend: true
+processManagement:
+ timeZoneInfo: /usr/share/zoneinfo
+net:
+ bindIp: 0.0.0.0
+ port: 27017
+ tls:
+ mode: requireTLS
+ certificateKeyFile: '/opt/certs/server.pem'
+ CAFile: '/opt/certs/ca.pem'
+storage:
+ dbPath: '/data/db'
+MONGOCFG
+
+cmd="mongod --config /etc/mongod.conf"
+
+if [ "$JOURNALING" == "no" ]; then
+ cmd="$cmd --nojournal"
+fi
+
+if [ "$OPLOG_SIZE" != "" ]; then
+ cmd="$cmd --oplogSize $OPLOG_SIZE"
+fi
+
+echo "========================================================================"
+echo $cmd
+echo "========================================================================"
+
+if [ ! -f /data/db/.mongodb_password_set ]; then
+ echo "=> Starting MongoDB..."
+ $cmd &
+ MONGO_PID=$!
+
+ sleep 3
+
+ /set_password.sh
+
+ if [ $? -eq 0 ]; then
+ echo "=> Stopping MongoDB for restart with auth..."
+ kill $MONGO_PID
+ wait $MONGO_PID 2>/dev/null
+ else
+ echo "=> Password setup failed!"
+ exit 1
+ fi
+fi
+
+if [ "$AUTH" == "yes" ]; then
+ cmd="$cmd --auth"
+fi
+
+echo "=> Starting MongoDB with auth enabled..."
+exec $cmd
\ No newline at end of file
diff --git a/mongo/8.0-ssl/set_password.sh b/mongo/8.0-ssl/set_password.sh
new file mode 100644
index 0000000..2550472
--- /dev/null
+++ b/mongo/8.0-ssl/set_password.sh
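Review bot: `cmd="$cmd --nojournal"` under `JOURNALING=no` will most likely keep mongod from starting at all: the `--nojournal` option was removed in MongoDB 6.1, and the directory name suggests this image is 8.0, so that branch should be dropped or turned into a warning. `echo $cmd` and `$cmd &` depend on word-splitting, which is fine for the fixed flags, but `$OPLOG_SIZE` is spliced in unquoted on `cmd="$cmd --oplogSize $OPLOG_SIZE"`, so a value containing whitespace becomes extra mongod arguments; building the command as a bash array (`cmd=(mongod --config /etc/mongod.conf)` … `exec "${cmd[@]}"`) avoids that. The final `echo "=> Starting MongoDB with auth enabled..."` is printed even when `AUTH` is not `yes`, which misleads whoever reads the container log.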
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+MONGO_ADMIN=${MONGO_ADMIN:-"admin"}
+MONGO_A_DB=${MONGO_A_DB:-"admin"}
+MONGO_A_PWD=${MONGO_A_PWD:-$(pwgen -s 12 1)}
+_word=$( [ ${MONGO_A_PWD} ] && echo "preset" || echo "random" )
+
+USER=${MONGODB_USER:-"guest"}
+DATABASE=${MONGODB_DATABASE:-"guest"}
+PASS=${MONGODB_PASS:-"guest"}
+
+MONGO_CMD="mongosh --tls --tlsCAFile /opt/certs/ca.pem --tlsAllowInvalidHostnames --tlsCertificateKeyFile /opt/certs/client.pem --quiet"
+
+sleep 2
+
+i=0
+while [[ $i -lt 90 ]]; do
+ echo "=> Waiting for confirmation of MongoDB service startup ($i)"
+
+ if $MONGO_CMD --host 127.0.0.1 --port 27017 --eval "db.adminCommand('ping')" >/dev/null 2>&1; then
+ echo "=> MongoDB is ready!"
+ break
+ fi
+ sleep 2
+ i=$((i+1))
+done
+
+if [[ $i -eq 90 ]]; then
+ echo "=> ERROR: MongoDB did not start in time"
+ echo "=> Check /data/mongod.log for details:"
+ tail -50 /data/mongod.log
+ exit 1
+fi
+
+echo "=> Creating an ${MONGO_ADMIN}"
+$MONGO_CMD --host 127.0.0.1 --port 27017 admin --eval "db.createUser({user: '$MONGO_ADMIN', pwd: '$MONGO_A_PWD', roles:[{role:'root',db:'$MONGO_A_DB'}]})"
+
+echo "=> Creating an ${USER}"
+$MONGO_CMD --host 127.0.0.1 --port 27017 admin -u "$MONGO_ADMIN" -p "$MONGO_A_PWD" --eval "db.createUser({user: '$USER', pwd: '$PASS', roles: [{ role: 'userAdminAnyDatabase', db: '$MONGO_A_DB' }, 'readWriteAnyDatabase']})"
+
+echo "=> Done!"
+touch /data/db/.mongodb_password_set
+
+echo "========================================================================"
+echo "MongoDB admin user: $MONGO_ADMIN"
+echo "MongoDB admin password: $MONGO_A_PWD"
+echo ""
+echo "MongoDB app user: $USER"
+echo "MongoDB app password: $PASS"
+echo ""
+echo "Connect with:"
+echo " mongosh --tls --tlsCAFile ca.pem --tlsAllowInvalidHostnames --tlsCertificateKeyFile client.pem -u $USER -p $PASS --host "
+echo "========================================================================"
\ No newline at end of file
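Review bot: `--tlsAllowInvalidHostnames` in `MONGO_CMD` is unnecessary and is then copied verbatim into the printed "Connect with" hint: the server certificate that gen.sh produces in this same commit lists `127.0.0.1`, `localhost`, `mongo` and `mongodb` in its SAN, so hostname verification against `--host 127.0.0.1` already passes, and advertising the flag teaches clients to skip a check they do not need to skip. `_word=$( [ ${MONGO_A_PWD} ] && echo "preset" || echo "random" )` is dead code — the variable is never read, and because `MONGO_A_PWD` was already defaulted on the previous line the test is always true — so the line (with its unquoted `[ ${MONGO_A_PWD} ]`) can go. Both `createUser` calls splice `$MONGO_A_PWD` and `$PASS` straight into a JavaScript string literal, so a password containing a single quote breaks the statement; handing them over via the environment and reading `process.env` inside `--eval` avoids that. The admin and app passwords are also echoed to stdout and therefore into the container log; if that is intended for this test image, a comment saying so would stop the next reader from "fixing" it.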
diff --git a/mssql/2025-ssl/Dockerfile b/mssql/2025-ssl/Dockerfile
new file mode 100644
index 0000000..0b1ed8b
--- /dev/null
+++ b/mssql/2025-ssl/Dockerfile
@@ -0,0 +1,11 @@
+FROM registry.jetbrains.team/p/datagrip/containers/mssql-server-linux:2025
+
+COPY ./certs/server.pem /etc/ssl/certs/mssql.pem
+COPY ./certs/server.key /etc/ssl/private/mssql.key
+COPY ./certs/ca.pem /usr/local/share/ca-certificates/mssql-ca.crt
+RUN update-ca-certificates
+
+ADD ./entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/mssql/2025-ssl/certs/ca.key b/mssql/2025-ssl/certs/ca.key
new file mode 100644
index 0000000..fd75cea
--- /dev/null
+++ b/mssql/2025-ssl/certs/ca.key
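Review bot: `ADD ./entrypoint.sh /` followed by `RUN chmod +x /entrypoint.sh` should be a single `COPY --chmod=755 ./entrypoint.sh /entrypoint.sh`: ADD brings nothing here (no archive, no URL), and the separate chmod layer stores the file a second time. `COPY ./certs/ca.pem /usr/local/share/ca-certificates/mssql-ca.crt` plus `RUN update-ca-certificates` makes this CA trusted by every TLS client in the container, while the matching `certs/ca.key` is committed in the same change, so any certificate minted with that key is accepted inside the image; if the trust is only needed for sqlcmd, the `SSL_CERT_FILE` export that entrypoint.sh already performs would suffice without touching the system store. A one-line comment above `RUN update-ca-certificates` stating that it is a deliberate test-only trust anchor would make that choice visible to the next reader.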
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCtCit2UIvwvok3 +qZ/24TQAKJ4WKpGoCSBuJOpFmpfHzwhKKocVx/4AqWF3ZtKZb6mVqZNZ2BVd2aX/ +DdeuG8+fyEg7HbjsmbWtotSNdjVi6gTOe1cMskdWTuQ0YI3euM2lHd1Nf0QMKlge +YJH7P42x6lxy178V/yADuGw+O4jqFnT11MrfdkYSJhTw2jYVq4A4zL2tpD78H5/G +SP2xT6c3w6Bwf1751ot2QaIV8GulH+wPjBr4WtACVz1rvA4Exzj+ppNI+JNuap/W +jL9LbhQlYdpnCMUuvI4qN8HgC+vIfkXNogTjAu6PbNxx3U7tp995UQ/jJrdd8gt0 +KzzmFfYKCSCqptQpaaNEGWYNsRUHhtfa+iwS2tBpatoPhMOPqSkRZWOUSDk8SmwM +iXWyaY1aXwyiTwgcFUcTRdU3Pi413rVUTH6u2NAvV/gAkxctQNnMQewB4cxGnllh +kGBOm+8AsQU2osqeGF/XLEIDS3SuoW6gbp4kw3CorUlPInFqkmDTLtSZbdUXryyx +r8aPKgx7IdAg31w6JMfCsJy/AJe8QQYYtNRx+AEjlqQXqC2BORGxPiGQStGhi+Pu +ZJP55NgGphQAV9WzmG/N424j6zLvoix++Xy1lUO/UPZ0IMD9Ir0MbNgcxE+1vJ95 +GSYLFGsp4m95iVqTnKl3/byevKF/KQIDAQABAoICABNeAKaPxhPqTXsdiP4Fr29n +nGcEeXQ+XkL5rn9fGccXLtk3OJKZZV5fVt15dI+QEgHiXo/HGcAc8sFw5A+UhQjg +DqaQMXEI1K7kG0hgf0HsiaBvKVtuTkH0l0Hd/y77DehBxxHMEVqPuDhhLGGbt8Ee +px2C9HwSp5uG/hV6jhzOKeXUXOcFKrtQCBa7g6NqBDJHRyEK0bJgGz7DD2LztHZv +NrM0rFWH++i+2JR+SdwLzjzgvGmI54BlkYYwAH0sK57D19cKXFz2weBOdUAs6EQV +V0+iKYitObezsSdBilCwwmENNeEPJFKI94TmhVWf7Qkb56xvukUBaOMGDl09vsFq +aZcXGIcAPpSd2fDYMVPZ5hZ9UlCJrOPAwWFHLnBDxVhpiuuP0AzjKfJuot/Yk1BI +CFTlA2pcK1nGLNdJW1p+d28HQxMcNilMlF0+XviCQWXHiTmqSG+vAXPeGYUgHxSy +JuiM6fFe5tzXyG/4RYcY1EgJ61NwS3SdbIXmmY5Mryo1+rHOIVDlJ6S/Du7/+SNh +mwlxwkG7135t6PoMJdwU7TlX7zJ3koZ8ij5hyyn88T85fyrBWFvF0KJfQaFqBmYK +zPJ4vXt7VMjHm2rMlSHgkUZYerjZb31m4Fu0w7o5AusG3SOHahQiE3Qnt6KLbTka +lC1TvWtgKn6Z/d43xIlxAoIBAQDYWcfF43DRtFZCn5fecS783O1m9KzWVzysYQdN +lp2Mr3yRCPe9rEcrIieyO5llwDBlmZToSfHngoT4CGmBfgT1HI4yvthyGNIgHu4X +bv4q57SbIERHIVIB9D3LG/6FASkt6X8EGV/JY4Ij8O2zt17Wod0r0nAgX/lkF2it +IT5pf2RIcRdA2DdVeuYCEtDMT7twdqa/dIh7w0mqLsZft779hoM5GxGY2XmWhcx4 +GCSokhTmTaX6UHE3NHazclaKb3z0V90se7YTXATwjGS1vpGuQ7EZPPWXKSRtXT2u +bLc8esZwqVjQYRsgh39CNeU11OROyxeY4YbTdVlFsPMsYYPZAoIBAQDMwG32yc/y +EMda0K3lBtBIDh5Ws4gZJU6OwBamLZAQWhPESt4g8kIVZVBND/bx5ozmrF/svc+7 
+I2VREEWrmXr5MO1ow9eqRRlsk7WJ+wQRNy5jILvjr1mLncHZ0Ye2NmA+krDKOgfU +btP4L+/8BINv2m0ypnRHzcvr8upJ5fyXL2DolP8NPLVn/38XRj/yTMDsWPBPNufK +u3FNZzTSu9DKVJTT50G1+8LvRDPqpI63mubIJnsx7GUU0Pcu4eUeKvQXJcj0HUBQ +HFqBXp2c11VUaJQE+IUAMv9a4SljtmjV1m3myGkCRJ+aleXYJkPj+oAy+sTk4bH8 +GzIuS0uZgdPRAoIBAQCHV7LXoq6jITONPhVdfGSunu6Mp6ev9qboF1LgQMaSif1d +JcUFjM6Atz8qCoqt0or0JB25Kvj/oPDZ0TlfXpxvUcvLBwSUa96XZYIAetjZslWT +bZ4I+Vk6C7bUZtDUF6PRKu7ge5cmfu+c2E17Tc0wa9XWYjDur9ttuA8tr0xB5wWv +I8AuOpRzDwzwYyDnj0Fs22z4/EedVM+yfMxweJwsMYfJo5tgiTu85DrDLidQpQIa +CJ06eDQ7GsDfBToKJDCBEq4z87g1aC1W5hzibTLpV0NkzHO+emhlWh0KDsyaMxwM +woPi57x2nw0HOHwJLwMcH4TFiOA1TIXqSQX2z5IRAoIBAQCzfHRpBFx/jGnVmFz4 +CdMHdyjtRBAoSuXkiUrRfdtuGih9yEuUggmgC+Iqy7XkNACMLcshEvtIxyyHtUX9 +uVttmpBjaFpj7pLs9UcMn7jfBoppZ0aNvyc2FqLaOK1I873G3HyRqfE3LbgvNoaf +W62EnetfnT8Nur/qJFVxVmToeyXufL5gcjlr4zMbyf9AfjwYc5alOjJTK6GVAsXx +fab31tFoOK8Hwp0NdbI1HO/mz6lDB0izaNDrQIuO04MvwOOcbwkLxaCdGV3VToXH ++ZPZnJs1CE4+8HWcywinWj3oRkKtLj2vOUzYDFMh+dlFvlAnYGC9a4PExmpk3qh0 +9rQhAoIBAA7CWSBEXnEUNl4r53caz9BhWodpi/h6Wn/vAoXX6NRA+Gk6Htf94Kqz +Ra+Pmj2f9T1yTQ8W+2DSmQlA7lvH/abR5xIYYlDXuUCsJbSEX42wPn3qtHdIt/IH +1KsBBTN/hkbA7/nAdH7kdIse9RKxZ8AQlJl3ZN7vickTeLktP/YmJ1JJS7Li2eou +lHcFhNKWdwHntWBw7hFiF7P7ps9Xn4DAx8Ij71wK1RSlRoyWkPeNh486TZ5K2sxZ +JsWUUTsnRjNeM8BM73RU69o47OWHSUMz6he+IBB7DEyDJNNaL11EGHuybVnEo44/ +EypsUCTYpuspuoZePOM2tfpM5sM7IhU= +-----END PRIVATE KEY----- diff --git a/mssql/2025-ssl/certs/ca.pem b/mssql/2025-ssl/certs/ca.pem new file mode 100644 index 0000000..ca79eac --- /dev/null +++ b/mssql/2025-ssl/certs/ca.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFFzCCAv+gAwIBAgIUHZGfi7yp9NoM4kR9dhaoZFHaxB4wDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITVNTUUwgQ0EwHhcNMjUxMjExMTczMzU2WhcNMzUxMjA5 +MTczMzU2WjATMREwDwYDVQQDDAhNU1NRTCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAK0KK3ZQi/C+iTepn/bhNAAonhYqkagJIG4k6kWal8fPCEoq +hxXH/gCpYXdm0plvqZWpk1nYFV3Zpf8N164bz5/ISDsduOyZta2i1I12NWLqBM57 +VwyyR1ZO5DRgjd64zaUd3U1/RAwqWB5gkfs/jbHqXHLXvxX/IAO4bD47iOoWdPXU +yt92RhImFPDaNhWrgDjMva2kPvwfn8ZI/bFPpzfDoHB/XvnWi3ZBohXwa6Uf7A+M +Gvha0AJXPWu8DgTHOP6mk0j4k25qn9aMv0tuFCVh2mcIxS68jio3weAL68h+Rc2i +BOMC7o9s3HHdTu2n33lRD+Mmt13yC3QrPOYV9goJIKqm1Clpo0QZZg2xFQeG19r6 +LBLa0Glq2g+Ew4+pKRFlY5RIOTxKbAyJdbJpjVpfDKJPCBwVRxNF1Tc+LjXetVRM +fq7Y0C9X+ACTFy1A2cxB7AHhzEaeWWGQYE6b7wCxBTaiyp4YX9csQgNLdK6hbqBu +niTDcKitSU8icWqSYNMu1Jlt1RevLLGvxo8qDHsh0CDfXDokx8KwnL8Al7xBBhi0 +1HH4ASOWpBeoLYE5EbE+IZBK0aGL4+5kk/nk2AamFABX1bOYb83jbiPrMu+iLH75 +fLWVQ79Q9nQgwP0ivQxs2BzET7W8n3kZJgsUaynib3mJWpOcqXf9vJ68oX8pAgMB +AAGjYzBhMB8GA1UdIwQYMBaAFGb5GaSfaq0VAusbusaiuptSxg2LMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRm+Rmkn2qtFQLrG7rG +orqbUsYNizANBgkqhkiG9w0BAQsFAAOCAgEAnESkGk51pinhRrqaf3ZArs6bC5mD +vUnxtoKjkiI6iXm6kqRV3Oztk7YGdHsbU+1Wwr9JIQ3n9vzcK/B2SIyrWzHexD0x +YGODuDsuVmzhDzf387hpF9VuO6wAht1DVD6mtwUSLJug5SqsKCqovIBSqY7qTLB8 +lDE8uEpz+HXpOu4OIpxQyDlfcCNCobv3RTXQizkXy47MnYlQ2yB/C/JxyJwe6Gbj +rXs1I/0NEyCgJgZXOmAH0XU6OfdxcDdkNsYQlADg3YWJ2mTx/Xemxt8HUt55KmON +5c+yXvBCtDPYQJUA2iUj/hSbWwrZce6AuDEYkVUIqfLWb5WAHsDrK8CPrA1tnipc +PEUiS/7TDRWpDde9O9hWx5tjQJiFJ5p+3RhEMFxRQBryzoaMUBLKZYHIcSo4UQJh +dupsqascHpPJO+bdGwb74/yDII0G/J+wbpDbjU0dyDkKxBIdjGLMsBQ14GGz1kDG +Ww683345p3++9uii2TuTonS5DpmAvmjKY714/ZiI1HZckbAadLOTWbnFg32hGiDT +8WJsvl1Vk4hKiEfzTTVSMYa+BqKmpGGTGov0BF9ZFWPvAfecgkGmPHLdM6UXj/7c +lDlhDvuH91jTZrHOZ3R6OqtJ/Z4WMHUYmKrsytoNpmspFPWT02fJsdjArbWOrp4Y +0fal3oNDdQ8x7Ds= +-----END CERTIFICATE----- 
diff --git a/mssql/2025-ssl/certs/generatemssqlssl.sh b/mssql/2025-ssl/certs/generatemssqlssl.sh
new file mode 100644
index 0000000..bfdf6df
--- /dev/null
+++ b/mssql/2025-ssl/certs/generatemssqlssl.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+openssl genrsa -out ca.key 4096
+
+cat > ca.ext << EOF
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+EOF
+
+openssl req -new -x509 -days 3650 -key ca.key -out ca.pem \
+ -subj "/CN=MSSQL CA" \
+ -extensions v3_ca \
+ -config <(cat /etc/ssl/openssl.cnf <(printf "\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash"))
+
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
+
+cat > server.ext << EOF
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = mssql
+IP.1 = 127.0.0.1
+EOF
+
+openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
+ -CAcreateserial -out server.pem -days 365 -sha256 -extfile server.ext
+
+echo "=== CA Extensions ==="
+openssl x509 -in ca.pem -noout -text | grep -A1 "Basic Constraints"
+
+echo "=== Verification ==="
+openssl verify -CAfile ca.pem server.pem
+
+rm -f server.csr server.ext ca.srl
diff --git a/mssql/2025-ssl/certs/server.key b/mssql/2025-ssl/certs/server.key
new file mode 100644
index 0000000..ad61efa
--- /dev/null
+++ b/mssql/2025-ssl/certs/server.key
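Review bot: The `ca.ext` heredoc is written but never used — the CA extensions are supplied a second time through the process-substituted `-config`, no openssl call references `ca.ext`, and the final `rm -f server.csr server.ext ca.srl` does not remove it, so it is left behind in the certs directory. Either delete the heredoc or make the CA request use it and add it to the cleanup line. As in gen.sh there is no `set -e`, so a failed `genrsa` or `req` still lets the script sign a server certificate and print a verification banner; `set -euo pipefail` after the shebang fixes that. The CA is issued for 3650 days while the server certificate gets `-days 365`, so the committed server.pem will need regeneration within a year — a comment on the `openssl x509 -req` line recording that would save someone a debugging session.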
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDfYp6oAbRsmrHn +i3FUJfd1h2ev9dBqXzNqzfRpT40xjPnoFwd6wQKTzaZeWpLAVks6aXhUx9vifUWx +13zii7qYwaTOtu6e6IRbHe8CUkSHzhme0mBw3PUxdi/ISq2Q0OvGZATdY3MdUFiH +38esrhB215R46W0Dpv1mpcoidgZKkXjvAfKV2nJu4rDSCzwgXA9HkUYmdKtyU1kp +cRlBButmXsBuNu+9/mZPZDSTqsOCLm5Vu1RXEIEkXN96+26JYauTgRdEXlO55103 +iT+6nZVh/vQmzGQtRBAi7c4TXs9ErwLP1tEjycN2jhkG4NgoRkMMpvfIEI03nKh4 +sNGfrsMxAgMBAAECggEABBbLE1BD14lXIcyPKp3O4gsPCwUMP4HjvWlc11+S5MNe +g3jmR1Z7QT3+ZQZMyYTRh+r3HmZXFEC2vvI0KuAz3lDB9IdRFm3zNskFQhD5aHWS +3tyIXQaGveTv69oF7nNsPnI1doE9Qc4MbyZ0XO5bK9a8mjWWfBQGuftazW8k7zZX +hbmtpdcOSwvTn5ZU3CQmxd7CV4SIdhUMWzGufYZLNIM5iVRAu7TA2Doyae3fyjs7 +1qLQTX5tgKsX5wTW0aciUGisDsRD3IcU/f+wFCIrjdvAI7gF/bwtPu2fwhfNu4Y6 +DvxvWovt1aJ77d6TAMFEjEKGuuHX7AboGhV7MtjOwQKBgQD1NVuClKrchGhs6YEA +qhXXPkudU9DxVxhdoBQQPEsGfvTfjbtBnqQH1aGhv8dunlItPFCisi1TROCSunrb +XS7bDFLYW0wPZlMjSYL/V35f6IlL+e58A+s9/fsiEhh37P8zZ0uw4Hmpbj0jsxRh +z8lphZ/vmkBJnaO90gE/Osk0QQKBgQDpN2QgAPbvn3O+Itnrnz5z46d3H1Z3+lIl +DqAzzzIBI+ibiu8WbJr36WXAaOf3Wd9TIwgXWuxPwFqJd0cqdqTR1/59+2vW3ylB +1JeDb6wro4gNzYqtcdElGPe8YHjOf7PrDRY0qNjUYo8xtI4up35GQF03EM6crXfN +V547HJgS8QKBgE98KFm/z1MEKMWFO6f3enT3YJNzI/vXe7J9vYM1yCwm40HEM7sl +rY5MlcRU4lTdRU4cixbyIvcnEJT/leud3R5sdD5l+dXUGYcKwUf8GJ8GRds2/TN+ +IbdKqSl2LDBTxrXm+gYv/cAKWA9GcYjzThrCkgGdQtGaJAXYGUdhyu8BAoGBALgi +I8ug91b6bkgQ/D4s3QJjHDXRaFQSMAlSIurFDJYZ4+3rJBpwZWqXvN7N9Vg2fT0G +y7yk7S+Kj/E5W9cLFdcY0rZlbB+a0thHIdmEsktCMomzX2rSEm9X50G0aa2g5k0P +aBjrt0b5ClYUWK49UFXnO7Hec0MBMzXNmADT8r4BAoGAR63Qin3dp4f1GwfRXe7S +FiDePAx10KJg/9dJbX2nC4c3fsZxL4LjyVwl3ZJvP0o1top/LRBlb4yxBWlifIet +3iZWOvhAOdrqkIrvv4tZqSl1zDRiNAORZBuORJnVYMth/uiH1KhVlqHy/DmUMfdw +SojsxNX6pSKQ3dzBlYZ/rjY= +-----END PRIVATE KEY----- diff --git a/mssql/2025-ssl/certs/server.pem b/mssql/2025-ssl/certs/server.pem new file mode 100644 index 0000000..132ddf2 --- /dev/null +++ b/mssql/2025-ssl/certs/server.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIESTCCAjGgAwIBAgIUONFRDB577D3EdKUdwGcnQki19rAwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITVNTUUwgQ0EwHhcNMjUxMjExMTczMzU2WhcNMjYxMjEx +MTczMzU2WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDfYp6oAbRsmrHni3FUJfd1h2ev9dBqXzNqzfRpT40xjPno +Fwd6wQKTzaZeWpLAVks6aXhUx9vifUWx13zii7qYwaTOtu6e6IRbHe8CUkSHzhme +0mBw3PUxdi/ISq2Q0OvGZATdY3MdUFiH38esrhB215R46W0Dpv1mpcoidgZKkXjv +AfKV2nJu4rDSCzwgXA9HkUYmdKtyU1kpcRlBButmXsBuNu+9/mZPZDSTqsOCLm5V +u1RXEIEkXN96+26JYauTgRdEXlO55103iT+6nZVh/vQmzGQtRBAi7c4TXs9ErwLP +1tEjycN2jhkG4NgoRkMMpvfIEI03nKh4sNGfrsMxAgMBAAGjgZMwgZAwHwYDVR0j +BBgwFoAUZvkZpJ9qrRUC6xu6xqK6m1LGDYswCQYDVR0TBAIwADALBgNVHQ8EBAMC +BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwIQYDVR0RBBowGIIJbG9jYWxob3N0ggVt +c3NxbIcEfwAAATAdBgNVHQ4EFgQUka+4xORnikJTy0KrP9gsk66108MwDQYJKoZI +hvcNAQELBQADggIBABCW9/E0guFUCN6lAgingmkvSLN8a8vYwejycbMdkNbuf2+U +gbSMWstxyrARRYfHSBp+4w5y3nOHqGj0HAqamdqb1gR4mY/qQ67rQ2uegVKeDduV +uNk06pcTVKXLMClPAQqdVDB2Yd8ljhkRRlvpaYCN/bA5Npc+RoftCDbjijPxMct/ +D+OFhzkz5fq2YO9WudCN7Bt6OvkrqLHws9oCHjBcxaV5b+sOUMJN47Y3H/JsfDdV +53sXHNoe0gHLwF6GkoNZItLhGxraEprNwIeZAIkhfRXH87fJ/0mckRR+9A/AzfgQ +MnB4er31QfYVcpeZ+1hcixOpmM/nYWEn30oIpzkEBfO5seEMJNjVnrX/PMhfzUWx +4V26G5LQRdODV8j9yvWgyBnGMcVUqrEEYMUhykcdXvoRUOQvd+xc9A3XEBavWvUg +aQuVEZJsCFga2CHOCMQ9SdY8bPLu5UmrkD/qr2Fu1ZTubFL/rdBNacpbcVxj4TL6 +sjHScEkKuJL7SPkySSn7jZquo6qEVlSPEYYFlyL/w30mgOuBmQDZk9/WIZayMxoQ +GZMcNZdFR4Q7H+J6Uz398YeVLbUrUAhDIREGnRLdhPWhDdL19uBul4OO0rTFBVeH +fY6XXBIntjdRQ0NRxmnlt58MhZMek5wPOUK+sqT1TTm7kMenR2R3lukdEmGk +-----END CERTIFICATE----- diff --git a/mssql/2025-ssl/entrypoint.sh b/mssql/2025-ssl/entrypoint.sh new file mode 100644 index 0000000..5828cce --- /dev/null +++ b/mssql/2025-ssl/entrypoint.sh 
@@ -0,0 +1,96 @@
+#!/bin/bash
+set -e
+
+chown mssql:mssql /etc/ssl/certs/mssql.pem /etc/ssl/private/mssql.key
+chmod 644 /etc/ssl/certs/mssql.pem
+chmod 600 /etc/ssl/private/mssql.key
+
+
+/opt/mssql/bin/mssql-conf set network.tlscert /etc/ssl/certs/mssql.pem
+/opt/mssql/bin/mssql-conf set network.tlskey /etc/ssl/private/mssql.key
+/opt/mssql/bin/mssql-conf set network.tlsprotocols 1.2
+/opt/mssql/bin/mssql-conf set network.forceencryption 1
+
+echo "Starting MS SQL Server"
+
+# Start server
+/opt/mssql/bin/sqlservr &
+
+export MSSQL_PID=$!
+export SSL_CERT_FILE=/usr/local/share/ca-certificates/mssql-ca.crt
+
+cd /opt/mssql-tools18/bin
+# Wait until server starts
+echo "Waiting for SQL Server to start..."
+until ./sqlcmd -S localhost -U sa -P "$MSSQL_SA_PASSWORD" -N -Q "SELECT 1;" &> /dev/null
+
+do
+ echo "SQL Server is starting up... "
+ sleep 5
+done
+echo "SQL Server started successfully"
+
+echo =============== CREATING INIT DATA ==========================
+
+cd /opt/mssql/
+
+cat <<-EOSQL > init.sql
+CREATE DATABASE $MSSQL_DB;
+GO
+
+USE $MSSQL_DB;
+GO
+
+CREATE LOGIN $MSSQL_USER WITH PASSWORD = '$MSSQL_PASSWORD';
+GO
+
+CREATE USER $MSSQL_USER FOR LOGIN $MSSQL_USER;
+GO
+
+ALTER SERVER ROLE sysadmin ADD MEMBER [$MSSQL_USER];
+GO
+
+EOSQL
+
+cat <<-EOSQL > init_memory.sql
+sp_configure 'show advanced options', 1;
+GO
+RECONFIGURE;
+GO
+sp_configure 'min server memory', 2048;
+GO
+RECONFIGURE;
+GO
+sp_configure 'max server memory', 4096;
+GO
+RECONFIGURE;
+GO
+EOSQL
+
+cd /opt/mssql-tools18/bin/
+./sqlcmd -S localhost -U sa -P $MSSQL_SA_PASSWORD -i "/opt/mssql/init.sql" -No -o "/opt/mssql/initout.log"
+./sqlcmd -S localhost -U sa -P $MSSQL_SA_PASSWORD -i "/opt/mssql/init_memory.sql" -No -o "/opt/mssql/initout2.log"
+
+echo =============== INIT DATA CREATED ==========================
+
+echo =============== CHECKING TEST ENVIRONMENT =====================
+
+echo "Checking test user..."
+ if ./sqlcmd -S localhost -U sa -P $MSSQL_SA_PASSWORD -No -Q "SELECT name FROM sys.server_principals;" | grep -i $MSSQL_USER > /dev/null; then
+ echo "✓ User $MSSQL_USER exists"
+ else
+ echo "✗ User $MSSQL_USER does not exist"
+ fi
+
+echo "Checking test database..."
+ if ./sqlcmd -S localhost -U sa -P $MSSQL_SA_PASSWORD -No -Q "SELECT name FROM sys.databases;" | grep -i $MSSQL_DB > /dev/null; then
+ echo "✓ User $MSSQL_DB exists"
+ else
+ echo "✗ User $MSSQL_DB does not exist"
+ fi
+
+echo =============== TEST ENVIRONMENT IS CHECKED ==========================
+
+
+# Waiting for the main process
+wait $MSSQL_PID
diff --git a/mysql/ssl/9.5/Dockerfile b/mysql/ssl/9.5/Dockerfile
new file mode 100644
index 0000000..b7949da
--- /dev/null
+++ b/mysql/ssl/9.5/Dockerfile
@@ -0,0 +1,9 @@
+FROM mysql:9.5
+
+COPY ./conf/init.sql /docker-entrypoint-initdb.d/init.sql
+COPY ./conf/ssl.sh /docker-entrypoint-initdb.d/
+COPY ./certs/ /var/lib/mysql2/
+
+RUN chown root.root /docker-entrypoint-initdb.d/ssl.sh && \
+ chmod +x /docker-entrypoint-initdb.d/ssl.sh && \
+ chgrp root /docker-entrypoint-initdb.d/ssl.sh
\ No newline at end of file
diff --git a/mysql/ssl/9.5/certs/ca.key b/mysql/ssl/9.5/certs/ca.key
new file mode 100644
index 0000000..d1c9b19
--- /dev/null
+++ b/mysql/ssl/9.5/certs/ca.key
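Review bot: `$MSSQL_SA_PASSWORD` is quoted in the readiness loop (`-P "$MSSQL_SA_PASSWORD"`, previous line of this hunk) but unquoted in the four later sqlcmd calls (`-P $MSSQL_SA_PASSWORD`), so a password containing whitespace or glob characters breaks those calls; quote it consistently, or export `SQLCMDPASSWORD` once and drop `-P`, which also keeps the secret out of the process list. The unquoted `init.sql` heredoc interpolates `$MSSQL_USER` and `$MSSQL_PASSWORD` straight into T-SQL, so a password containing `'` yields invalid SQL — at minimum document that constraint above the heredoc, or double the quotes (`${MSSQL_PASSWORD//\'/\'\'}`) before writing the file. The database check echoes `"✓ User $MSSQL_DB exists"` / `"✗ User $MSSQL_DB does not exist"`; both should read `Database`.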
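Review bot: `COPY ./certs/ /var/lib/mysql2/` copies the whole directory, which in this commit includes `ca.key`, `client.key`, `server.key` and the `.csr`/`.srl` artefacts, so the image ships the CA signing key; copying only the files `conf/ssl.sh` actually needs (that script is not in view) would keep it out of the image. The `RUN` line can also be simplified: `chown root.root` uses the deprecated dot separator and the trailing `chgrp root` is redundant after it, so `COPY --chown=root:root --chmod=755 ./conf/ssl.sh /docker-entrypoint-initdb.d/` replaces both the COPY and the whole RUN layer.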
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDZbn/Gf2vIiHqA +KC3PnPFOlYx4myG0W43REgjPHTHXtLWmts9LqwsauXN/UHFvfrJwEd9XqylCGs9U +wK3mf7CeRWX7S0Wc0QlorC2K4PlQNobSWPw3W+LwwT/L36aFqwTxEKHPBDlf5poB +QZITWBOR85Vdgz03YVcX709WiMxZoPfy6J3HhEmAxL0yS9wjKWUo1ZFuuTFPTNlV +ftLSPMfxOEAQWPUvT2ToLh2nJ+wh5SQ5nZvA3XQq+5UXdHIKltD6gNvUCiw7xWXw +ov7P0o5TqXZ7NdEWOLSkQFCka+4lMCAk1YgMxIYBbKYTHAMsizr6hpZ3V2f6brSo +Z8yb38EJAgMBAAECggEALzqg16Ga7HK0xTy1ArlQ8yRp4FK2JgKTEfxMXIy3ZGb0 +5DMmYQXUwifRTjDPiwvmv5AqRtU/f4PqUDsQKxbGawKhDc5CXzdKx2lK9TU8Am/t +pig9FNtJNsmLTYIVnkhRKPnXY+vDeLDS9/3huIDzs0rJQYg91lc2/1R0k9PgK4F0 +XuIJEEBrcEjp0KWNk2x4rhO0C8JxjQeHqfs7Sm5PTBuvMRcABA7ish0xwq+4Cbx8 +DVBYjFd2KqugwtW8uzX+kgngRHHSVu8s5DHcGzRCACkwZ/TmWQ5rRuWMQTWACBtJ +spVDmkulFBOYHdH0vBzULemu09mn/sepbDkWOf7E7wKBgQD6Gag5lgPQNyR/bpKk +Ttltik2hqGLk1gT+yRDy6kN1eANb6z9RvLvHek+GPoBE74DUjTuqvWcSdjJc8r0R +g22BX7uwyI/ArKF/jex4H31SqtN+fTekJNHM1/sDs1aX8VR7Hjq2cZyfp/oVAip7 +YEduJL63H1b0ZBVCtuCx+LcrcwKBgQDej47aZFBPsp+jFLRLsTVSwd6/lJY0mf2d +k4aEBumHX1/B/WhiknQhetr4VyhYjpv9taMEJPAguwC+Y4XQa6JOUXQfDaJ0ZK59 +niSa3WRvJZvhufBb5d60IGGfE09PbhKopthINEvi8Abe6HZDeC7l/T9UoTGX6h8R +ZMgvqs96kwKBgD6dndiNDnda1vBwppYsh5M9RSJsHhZc3vNLM8sdi7YlTfH9e+Ti +88CFhtN9Ym/f5slQctfUg7HDlehffaac2RXC+iLQk+0RS3278rBAcgf4bOsGPqAB +9+TpThcnF08DRLtuXhS/bQ8r5xjLagdpm3igCn+egQ6+3/PMBYWJV5KxAoGAXgRc +/2ri9lfp0fV8GIGamgQl+d5l+YCXv4pDh+B3pGUoyYUoJIPjpQUGHWSMOaS8xteF +Lsn/2oPE06itLZdacCU+naOf3fVuNMiqg/VEaSOFDz0CCYA4rPUE6DM7DL3eCfq5 +YP8ek5Z8AIxI8UWC4ksyBqk1jwwq5akiW+iXTxsCgYEA5LZX6Zv4I28HB8m7rmdh +X0MWnJnZEYZHvvMwdciYwTd3FTt6ZRrBmW24YAuTfVx2tuqcEwI77mxcB2I13keF +6zG889oToTHSJ2qjsk7vywLuCxTB8oACGUm8bFNWpLJCHp61jZaVR4NjXPklCVsi +enQGPzzHbmDEOCZTgSnQw4c= +-----END PRIVATE KEY----- diff --git a/mysql/ssl/9.5/certs/ca.pem b/mysql/ssl/9.5/certs/ca.pem new file mode 100644 index 0000000..8a18d5e --- /dev/null +++ b/mysql/ssl/9.5/certs/ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIUP/cvnsGGOzmEYk9jtx2Pf0vr3OkwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITXlTUUwgQ0EwHhcNMjUxMTEyMDk0ODEwWhcNMzUxMTEw +MDk0ODEwWjATMREwDwYDVQQDDAhNeVNRTCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANluf8Z/a8iIeoAoLc+c8U6VjHibIbRbjdESCM8dMde0taa2 +z0urCxq5c39QcW9+snAR31erKUIaz1TAreZ/sJ5FZftLRZzRCWisLYrg+VA2htJY +/Ddb4vDBP8vfpoWrBPEQoc8EOV/mmgFBkhNYE5HzlV2DPTdhVxfvT1aIzFmg9/Lo +nceESYDEvTJL3CMpZSjVkW65MU9M2VV+0tI8x/E4QBBY9S9PZOguHacn7CHlJDmd +m8DddCr7lRd0cgqW0PqA29QKLDvFZfCi/s/SjlOpdns10RY4tKRAUKRr7iUwICTV +iAzEhgFsphMcAyyLOvqGlndXZ/putKhnzJvfwQkCAwEAAaMhMB8wHQYDVR0OBBYE +FD4J61ye9HC0mvEwxRYf0f+IaHDdMA0GCSqGSIb3DQEBCwUAA4IBAQBr5ct8YDUW +8dip0jIq6nQPFsM+/KhpTwiaKhGZ48wRtDze6VkEyX+CXbx+m11U/ilPeqpCoHYv +F1oWs5vCTchCHIx4AOgMlJFttiNxuF5NexZblvK93cmG9R0mFjThh03BtZZaSlWp +74Xk64RFVtUEtQUEpGOEqsX7mN5SpxX9kEy5Bh8Jd0+tTgGrIxSQSriofaKgG1oz +LUWz0n2sY8OH9E/ouwZm3FToOm76qEGJy2eOBfw1Cc4kEUYxxWy0f+LCNNGU4wQs +RAN/nsXT9vPQxW7oCgnMol7as9Fg+Qgb6Rfc6sQYNaMAIqUZ9jFdTTTuy7VTJfAB +TfqDLz1FKjFy +-----END CERTIFICATE----- diff --git a/mysql/ssl/9.5/certs/ca.srl b/mysql/ssl/9.5/certs/ca.srl new file mode 100644 index 0000000..e74d5a7 --- /dev/null +++ b/mysql/ssl/9.5/certs/ca.srl @@ -0,0 +1 @@ +02A2286F9B46C96CC42CC65A8A2FDFC359C2BC1C diff --git a/mysql/ssl/9.5/certs/client.crt b/mysql/ssl/9.5/certs/client.crt new file mode 100644 index 0000000..6903067 --- /dev/null +++ b/mysql/ssl/9.5/certs/client.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUAqIob5tGyWzELMZaii/fw1nCvBwwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITXlTUUwgQ0EwHhcNMjUxMTEyMDk0ODEwWhcNMzUxMTEw +MDk0ODEwWjAXMRUwEwYDVQQDDAxNeVNRTC1jbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDPbCqQsVPkrSvAM0gh0mCv0104Hv3/dUxIQI0eO5Al +wC5o48qNVbfNFlpOFM6/CQ1CVTy3y1ES5Fh7lRRUcmUnQO1DNCRYJsIJkygIKkCp +pGDmXT7K4m1V/XCXqGSobJUHe81cUA3VtnFIcgs33ehQLOYY1cWRf6eZDtnd0oF0 +bYlpQP9DbhNXKxJ0uqFdSRnO9MCagDrdy5Y2HKb/cTOD3f+JqlobCYCB9hWu3z+U +yGVf1jrzbeJ1Q5gPwYNnS4uTMDZmQIt1p7jF1WMi/qVfBT2p0lzhK+goDCoZjeYQ +oId7tbZAqiKbRvHOHhiK7HMZVnlacBFW873zwt5C9dIJAgMBAAGjQjBAMB0GA1Ud +DgQWBBRTkrHl9RddJ1phkKPMvTIAZeWvfjAfBgNVHSMEGDAWgBQ+CetcnvRwtJrx +MMUWH9H/iGhw3TANBgkqhkiG9w0BAQsFAAOCAQEAQpE/2vtiImQL0eB19f+zCVOH +rA01NP/KTBFNt2Q8HF+un20bWXUWy+RGyMW8F00iHp6MrEcYc4Hu7MS+YLyuq7eX +6wB3QPyYmMS7Gb8QGEaEFLuUcNjCoYd51suauQn6ImdcLq/RunxZsQRCKwuw8spT +S9EfvJhrQA9YJ/DM/zMPpex8CCzzUvdxBps5ktB+hOZOei74/Dl+RQnKs/GTqIJ3 +26drMo7dsZBfuZRDj24j7UEWiy0xMV25lWMfKNELpEKpQJ87PlZUsih4P5EN6thS +Zt6WScuN+nQ/0rnVOETVGdLjldWTBb3uXWpv9Tg7kMvKxMOaagdlrdEeAuSklg== +-----END CERTIFICATE----- diff --git a/mysql/ssl/9.5/certs/client.csr b/mysql/ssl/9.5/certs/client.csr new file mode 100644 index 0000000..8450a11 --- /dev/null +++ b/mysql/ssl/9.5/certs/client.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICXDCCAUQCAQAwFzEVMBMGA1UEAwwMTXlTUUwtY2xpZW50MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2wqkLFT5K0rwDNIIdJgr9NdOB79/3VMSECN +HjuQJcAuaOPKjVW3zRZaThTOvwkNQlU8t8tREuRYe5UUVHJlJ0DtQzQkWCbCCZMo +CCpAqaRg5l0+yuJtVf1wl6hkqGyVB3vNXFAN1bZxSHILN93oUCzmGNXFkX+nmQ7Z +3dKBdG2JaUD/Q24TVysSdLqhXUkZzvTAmoA63cuWNhym/3Ezg93/iapaGwmAgfYV +rt8/lMhlX9Y6823idUOYD8GDZ0uLkzA2ZkCLdae4xdVjIv6lXwU9qdJc4SvoKAwq +GY3mEKCHe7W2QKoim0bxzh4YiuxzGVZ5WnARVvO988LeQvXSCQIDAQABoAAwDQYJ +KoZIhvcNAQELBQADggEBAJ5VmGF5A7zfVl1LItDP/n9zbgt5k/dz9dK86dd7hBmX +XuSmBev30a5r+C3FFV1PcJVZHtgWwjAr6itFU6zMLNjUYoFLzzZRDtVIvi9RXZol +Rlk6F+P0w7wJfzc/dfcShMIhvFlwi5BSDX3JM2FsBmFgonu1CDMYjO6dWB9H3qlD +n32Xf3D14Uc9/GX6t6KNrTmcZcrZhqs4qyfl2AIpJPDlBwLOju4Vih8s1R+GXjLq +D9k2nL780yhVuBvDlugmWUi3lPEWXtGiiC54198JyQM5tkwCKqSQloapr3OFOymR +FzKKCuPeS1g9RyKpJeDOrsSpEqg7Xkx8ZLFNkLg/uPE= +-----END CERTIFICATE REQUEST----- diff --git a/mysql/ssl/9.5/certs/client.key b/mysql/ssl/9.5/certs/client.key new file mode 100644 index 0000000..90c3cb8 --- /dev/null +++ b/mysql/ssl/9.5/certs/client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPbCqQsVPkrSvA +M0gh0mCv0104Hv3/dUxIQI0eO5AlwC5o48qNVbfNFlpOFM6/CQ1CVTy3y1ES5Fh7 +lRRUcmUnQO1DNCRYJsIJkygIKkCppGDmXT7K4m1V/XCXqGSobJUHe81cUA3VtnFI +cgs33ehQLOYY1cWRf6eZDtnd0oF0bYlpQP9DbhNXKxJ0uqFdSRnO9MCagDrdy5Y2 +HKb/cTOD3f+JqlobCYCB9hWu3z+UyGVf1jrzbeJ1Q5gPwYNnS4uTMDZmQIt1p7jF +1WMi/qVfBT2p0lzhK+goDCoZjeYQoId7tbZAqiKbRvHOHhiK7HMZVnlacBFW873z +wt5C9dIJAgMBAAECggEAWucTInVsiFfySBnRX201DWlqvakrdLTB2RpdHiZJbpny +XOqTvuwVkK5epkCNOQCtDGiRoxTaM5baRlLX5Yh610Cnmp+z2+QkfpC85xMpYo9V +HjA4UC76bsiS+wwEDSIFEBIMNowo/AOoUvEUBIhegyCiOLkbDEBvQW9WQNY8ALsk +IUU4iPQTIQ1BfkaLeiHjTOKLqDfI1KT95IcbpLjf4fxnGEV9Oi6gGrcp7/UwtZ4C +ndAyAB7i7SKDsp06NzdiciDpr4LF4Hn9dWE3rNN53vS+BsLM5qX2h5QMxwrQNqxW +yWdBh6zpiA+02BuI4h6oLp4lpbh9pLQKolmx1fHbXwKBgQD2e1p85JC3HMhZSudd +aBL25dIYb7THLeITzJlDlhdUWgHB1DmUZi/aWbvZJKzvL3ppA9/6wFOGHtFGb6RG +ZuG+lAr/77A5UADGr/wgC252hZ8Fi6cp6rvFF8BfOy3h0pnU8aOwsrtM+5I+5aBY +jcGAhZTxFYjx2nAefD1Sm5FjnwKBgQDXbq8TULEWdqTs8bmv0/0g1Nv4dGwv9yXc +OcYzNMI3qewh7eQz1hIpGQF+aWCHBHX/2tIK6e5jF/vGZn7f8/OmjvX5etVivJtj +6Y2UamDzRiuaEJYrUMrM33APvXCml3J8IrQuCelQu6RhMZpJHMhPxDo25b1v719L +Uqvv+ZepVwKBgQCINt9pCf+X0oY+IpD+I9fnLlcPPhyPvqGkA3vnx/iYmy1BawFv +K5Hif5i6hfQ0Mu7ZPlT3hHYkNr+8x1Hnvk+fPL1fd5zR746ePv98zhR715hsPiNh +nOGsKFYdytyuYe61qdymd//eqWDG9avJhH2dgzUujpIh5m/zyQEyt9p/TQKBgClx +Ck695AL9Oca2zVCMiBILwHDv/GvRsD/IAV+SU5YfouP3/kEWehHb1JS7sqzmZ8ib +EHK3A3uefnlw+BEevY0ZzSl7vpaqz32NzQVy3UmPAw41CJ42gXydstHkUEpLseM9 +TcnZcD9uiTWFNDfCSKpHhidPVHy24G797UNRkSIrAoGAZZwq2LHFsyMTzaOS92/I +w27/hf3WUxy55sVsciXTDBSw29ylwVBZtpy/mp8cJkrRxLaFQHSHriA3fHS34xW2 +HYoimn+CWv3/9h8gewXarjYk0alo+JwFeGrqHcOgYcteeYB3IG7YJA62eRLL5zvN +3UHbEjZInJ0fE7FXmtLHrEo= +-----END PRIVATE KEY----- diff --git a/mysql/ssl/9.5/certs/client.pem b/mysql/ssl/9.5/certs/client.pem new file mode 100644 index 0000000..6903067 --- /dev/null +++ b/mysql/ssl/9.5/certs/client.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUAqIob5tGyWzELMZaii/fw1nCvBwwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITXlTUUwgQ0EwHhcNMjUxMTEyMDk0ODEwWhcNMzUxMTEw +MDk0ODEwWjAXMRUwEwYDVQQDDAxNeVNRTC1jbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDPbCqQsVPkrSvAM0gh0mCv0104Hv3/dUxIQI0eO5Al +wC5o48qNVbfNFlpOFM6/CQ1CVTy3y1ES5Fh7lRRUcmUnQO1DNCRYJsIJkygIKkCp +pGDmXT7K4m1V/XCXqGSobJUHe81cUA3VtnFIcgs33ehQLOYY1cWRf6eZDtnd0oF0 +bYlpQP9DbhNXKxJ0uqFdSRnO9MCagDrdy5Y2HKb/cTOD3f+JqlobCYCB9hWu3z+U +yGVf1jrzbeJ1Q5gPwYNnS4uTMDZmQIt1p7jF1WMi/qVfBT2p0lzhK+goDCoZjeYQ +oId7tbZAqiKbRvHOHhiK7HMZVnlacBFW873zwt5C9dIJAgMBAAGjQjBAMB0GA1Ud +DgQWBBRTkrHl9RddJ1phkKPMvTIAZeWvfjAfBgNVHSMEGDAWgBQ+CetcnvRwtJrx +MMUWH9H/iGhw3TANBgkqhkiG9w0BAQsFAAOCAQEAQpE/2vtiImQL0eB19f+zCVOH +rA01NP/KTBFNt2Q8HF+un20bWXUWy+RGyMW8F00iHp6MrEcYc4Hu7MS+YLyuq7eX +6wB3QPyYmMS7Gb8QGEaEFLuUcNjCoYd51suauQn6ImdcLq/RunxZsQRCKwuw8spT +S9EfvJhrQA9YJ/DM/zMPpex8CCzzUvdxBps5ktB+hOZOei74/Dl+RQnKs/GTqIJ3 +26drMo7dsZBfuZRDj24j7UEWiy0xMV25lWMfKNELpEKpQJ87PlZUsih4P5EN6thS +Zt6WScuN+nQ/0rnVOETVGdLjldWTBb3uXWpv9Tg7kMvKxMOaagdlrdEeAuSklg== +-----END CERTIFICATE----- diff --git a/mysql/ssl/9.5/certs/server.crt b/mysql/ssl/9.5/certs/server.crt new file mode 100644 index 0000000..63aa91b --- /dev/null +++ b/mysql/ssl/9.5/certs/server.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIUAqIob5tGyWzELMZaii/fw1nCvBswDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITXlTUUwgQ0EwHhcNMjUxMTEyMDk0ODEwWhcNMzUxMTEw +MDk0ODEwWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDafSKzk/1hv/RRb+4pm+/587CFq5A4DQHuMeLhcxj1uHcL +1WcvULcD1JJ1zV6egqjosQ3vT43xOV3KPmyDni2+t8Yuj3NKo/oqVM9AsZp3oZ6x +xHi6cOc5ZpYZYH8MaiklBS/E9kz/6QOgOo4I+Z5N9HMYjTdF6DhJwRO6aOZLr0pV +twWuUSdej75akrqGZa7RjuDZLrD6Jxb99y2Orv67cr07f+9NLZndob5eQnmivz8J +27LglZ7iDUp1UpriqmNRl1+fP+UioCronk2lAoC4DGHf50Ty1xTKfhrYeqcMFl2N +72aYu+B9U9HrgmfjfYbrDlaWLIrSPLNuLLiK/wxdAgMBAAGjQjBAMB0GA1UdDgQW +BBS1q4R91/Cm1uq5donYWR+QI/nawzAfBgNVHSMEGDAWgBQ+CetcnvRwtJrxMMUW +H9H/iGhw3TANBgkqhkiG9w0BAQsFAAOCAQEAuzepJxfS8mvLZxoDY7btKOMtGDZB +XB5bZwvp7uvE+A6RG6xsmHD/cArobjfuhdI4rOkNXVW3IFWEq1z5ikJnhhbvHxPk ++T59ve03eQ+xBG8yUryueOUH3rEpiabTrbdKqdMhqgj9lII2t3F9z5uVEcR+6BZw +wf1eVwjTd8nhHr3WtnEHX3kDEgWInL/qwP6k3DpigVvQkT484ERmR6G/Npn4yjSI +CgBFZFXRW5NquTDulmrXKsX2PsMQxPl7coYklIKuomlh1gNi50OOzN7bSQxehHlE +FYoN8uLxDL7gYA5FA2fpQNWlX0Kb2bsfu/ezurXrRiaYsoVW0iz7rUf+SQ== +-----END CERTIFICATE----- diff --git a/mysql/ssl/9.5/certs/server.csr b/mysql/ssl/9.5/certs/server.csr new file mode 100644 index 0000000..a034461 --- /dev/null +++ b/mysql/ssl/9.5/certs/server.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA2n0is5P9Yb/0UW/uKZvv+fOwhauQOA0B7jHi4XMY +9bh3C9VnL1C3A9SSdc1enoKo6LEN70+N8Tldyj5sg54tvrfGLo9zSqP6KlTPQLGa +d6GescR4unDnOWaWGWB/DGopJQUvxPZM/+kDoDqOCPmeTfRzGI03Reg4ScETumjm +S69KVbcFrlEnXo++WpK6hmWu0Y7g2S6w+icW/fctjq7+u3K9O3/vTS2Z3aG+XkJ5 +or8/Cduy4JWe4g1KdVKa4qpjUZdfnz/lIqAq6J5NpQKAuAxh3+dE8tcUyn4a2Hqn +DBZdje9mmLvgfVPR64Jn432G6w5WliyK0jyzbiy4iv8MXQIDAQABoAAwDQYJKoZI +hvcNAQELBQADggEBAAaAIVtKVbwezUsCKBIf4ZtGoTg19tyAe4XM4c75rgGPhR5H +0YgYuWFAbstlg4Z09y5TdLt62cq0b5RudL+5epPRMxKzafj+ZzWotFuOEn4NaCsO +gtN+oSe1R+YOqicXlLV9w2l4tOQ4D737z2a6j+MjZY0r6uJ1m68Te38FM+oHYMKa +AjArlkIEmqgWDi4bRng++bPJdSIDQ2+cSaW6ENrD3yvOYvj4EHx5lbrxfI4C2g7k +7Y5oFpL8y2dV5PyAnDMBu/BJhrDlR/nfkM5UnnT7wBkZ1mFc0ns5RcfMWnRexIou +3+FfEiAls9ddB53jLeJn5RN1j4WR4eTpmMjC8vg= +-----END CERTIFICATE REQUEST----- diff --git a/mysql/ssl/9.5/certs/server.key b/mysql/ssl/9.5/certs/server.key new file mode 100644 index 0000000..070a73f --- /dev/null +++ b/mysql/ssl/9.5/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDafSKzk/1hv/RR +b+4pm+/587CFq5A4DQHuMeLhcxj1uHcL1WcvULcD1JJ1zV6egqjosQ3vT43xOV3K +PmyDni2+t8Yuj3NKo/oqVM9AsZp3oZ6xxHi6cOc5ZpYZYH8MaiklBS/E9kz/6QOg +Oo4I+Z5N9HMYjTdF6DhJwRO6aOZLr0pVtwWuUSdej75akrqGZa7RjuDZLrD6Jxb9 +9y2Orv67cr07f+9NLZndob5eQnmivz8J27LglZ7iDUp1UpriqmNRl1+fP+UioCro +nk2lAoC4DGHf50Ty1xTKfhrYeqcMFl2N72aYu+B9U9HrgmfjfYbrDlaWLIrSPLNu +LLiK/wxdAgMBAAECggEANBUpXQJ1n8QY0wLqFIwiGATRuwOLNPlQ0P2eVlzQAd8v +raf42WwVvHmDUkaa/BEsf4+ZQUdHEE46/9eCmZtuzyxSt02lz5CoNUgTQZo0trjV +sg2iM9tvGx1LwY/hqU1zMmp6mSqXb1eV8C+VJSmP5YhUmXEsUGNLa7V1ZPXVlAur +uiYtKC+3I4pmF3jvxxijxne1XWC/TIIrszBvBhK6EfQR6tQdPvvROJ5ylsIVYd7W +9MPvtWz9Uk/mimyQsUJ0lPRQaUPhhrM4hxYh26LpRqVp1q84fZP8CFRfjzwwo454 +EJUiQlEJDsCHD4wjlmlX6VZ/+Vgat3rkoEz776VwgQKBgQD4ZUHZHdDGZ1vAv69r +mmLxGxGSNBC8VovOfgZvoaSPVZyRIuGWxjltLv2/nSumf2lSMDTz3GFWiUqGYa3Z +gbKHz/RZwHQbC1UL7YdqLVR69Et+mNFVuj3p+P2hnlnpNlYuYjPtQSQl9GxliH63 +v4z3wyKWwEJ6eR7toJTSb9qSnQKBgQDhLX3Di3sngHLY+Y+onyrASKZ07lBwnbdR +Olo4Fo1ajRJz2tcoMXa5MLkZAqx9WtVf/00nGSrr+oSILaW8lqxEwD5cs6MYvtWb +27TXEQ3cceH/SfwyR0f4QJabAZ1SqZQtDl0+zUCDTqG78U3qz9YjgEVUdOVibWSY +Ck/qrxdUwQKBgQCDXuJNlxRE6oM/VOHNEhEEHWHUpk63nTpB0qtKvP3QhOHSbNVM +rbfPhAvWHKTqYPZt7msDEmo0n1XX7q9Imuy2IYjFMyD08LBhJ5X31NOaV7vZz67f +HSoDpZlWse4xhnhb/boi39HjdPsjU+ZY/ijrHLwdaL+AELEH0mcDSP8bjQKBgCTb +VFV4dB0AGkxHdOstukqk2ZIUG9iDCClkerXpgxOKObX64PK0PfGL9xAP7vnJr1k6 +KX+3z922MJE1n4Yhx2qtaMe1o4F+YupS6OO25+ToQwyNKJl2L2KD9+LBPeX02csS +KdMIt4GGklR358ACatN+wFpVk+Irc6arMW+BXzlBAoGAXVjEFVFSpWs3VErB1ujC +Gi9yWAq8DxS1bUFyXpyarmbBKnjLWzT9jfpD/E2Z7YRoDmRU2D8fuPvjWJMdG1nu +reKL9dISwiTCZGEqts6+oPm3OXhIgQtKaCfA6k8Qvn5HojYasLx3Y/DMGcN/rVqK +qhyQ6uFH7AlGYiOFgZUSgEo= +-----END PRIVATE KEY----- diff --git a/mysql/ssl/9.5/certs/server.pem b/mysql/ssl/9.5/certs/server.pem new file mode 100644 index 0000000..63aa91b --- /dev/null +++ b/mysql/ssl/9.5/certs/server.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIUAqIob5tGyWzELMZaii/fw1nCvBswDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITXlTUUwgQ0EwHhcNMjUxMTEyMDk0ODEwWhcNMzUxMTEw +MDk0ODEwWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDafSKzk/1hv/RRb+4pm+/587CFq5A4DQHuMeLhcxj1uHcL +1WcvULcD1JJ1zV6egqjosQ3vT43xOV3KPmyDni2+t8Yuj3NKo/oqVM9AsZp3oZ6x +xHi6cOc5ZpYZYH8MaiklBS/E9kz/6QOgOo4I+Z5N9HMYjTdF6DhJwRO6aOZLr0pV +twWuUSdej75akrqGZa7RjuDZLrD6Jxb99y2Orv67cr07f+9NLZndob5eQnmivz8J +27LglZ7iDUp1UpriqmNRl1+fP+UioCronk2lAoC4DGHf50Ty1xTKfhrYeqcMFl2N +72aYu+B9U9HrgmfjfYbrDlaWLIrSPLNuLLiK/wxdAgMBAAGjQjBAMB0GA1UdDgQW +BBS1q4R91/Cm1uq5donYWR+QI/nawzAfBgNVHSMEGDAWgBQ+CetcnvRwtJrxMMUW +H9H/iGhw3TANBgkqhkiG9w0BAQsFAAOCAQEAuzepJxfS8mvLZxoDY7btKOMtGDZB +XB5bZwvp7uvE+A6RG6xsmHD/cArobjfuhdI4rOkNXVW3IFWEq1z5ikJnhhbvHxPk ++T59ve03eQ+xBG8yUryueOUH3rEpiabTrbdKqdMhqgj9lII2t3F9z5uVEcR+6BZw +wf1eVwjTd8nhHr3WtnEHX3kDEgWInL/qwP6k3DpigVvQkT484ERmR6G/Npn4yjSI +CgBFZFXRW5NquTDulmrXKsX2PsMQxPl7coYklIKuomlh1gNi50OOzN7bSQxehHlE +FYoN8uLxDL7gYA5FA2fpQNWlX0Kb2bsfu/ezurXrRiaYsoVW0iz7rUf+SQ== +-----END CERTIFICATE----- diff --git a/mysql/ssl/9.5/conf/init.sql b/mysql/ssl/9.5/conf/init.sql new file mode 100644 index 0000000..0075d2b --- /dev/null +++ b/mysql/ssl/9.5/conf/init.sql @@ -0,0 +1,15 @@ +CREATE DATABASE IF NOT EXISTS test_ssl; +CREATE USER 'test_ssl'@'%' IDENTIFIED BY 'test_ssl' REQUIRE SSL; +GRANT ALL ON test_ssl.* TO 'test_ssl'@'%'; +FLUSH PRIVILEGES; + +CREATE DATABASE IF NOT EXISTS test_x509; +CREATE USER 'test_x509'@'%' IDENTIFIED BY 'test_x509' REQUIRE x509; +GRANT ALL ON test_x509.* TO 'test_x509'@'%'; +FLUSH PRIVILEGES; + +GRANT CREATE USER ON *.* TO 'guest'; +GRANT SELECT ON mysql.* TO 'guest'; +FLUSH PRIVILEGES; + +ALTER INSTANCE RELOAD TLS; \ No newline at end of file diff --git a/mysql/ssl/9.5/conf/ssl.sh b/mysql/ssl/9.5/conf/ssl.sh new file mode 100644 index 0000000..c706be5 --- /dev/null +++ b/mysql/ssl/9.5/conf/ssl.sh 
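Review bot: `GRANT CREATE USER ON *.* TO 'guest'` together with `GRANT SELECT ON mysql.* TO 'guest'` gives the guest account (implicitly `'guest'@'%'`) account-management rights over the whole instance plus read access to the grant and credential tables, which is wider than the `test_ssl` / `test_x509` checks above appear to need. If a specific test depends on it, a comment naming that test above the two lines would stop the next reader from trimming them; otherwise narrowing to the grants the suite actually exercises keeps this fixture least-privilege. The two `REQUIRE SSL` / `REQUIRE X509` accounts use their own names as passwords, which a one-line header comment marking the script as a local test fixture would make explicit.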
@@ -0,0 +1,13 @@
+#!/bin/bash
+rm -f /var/lib/mysql/ca.pem
+rm -f /var/lib/mysql/client-cert.pem
+rm -f /var/lib/mysql/client-key.pem
+rm -f /var/lib/mysql/server-cert.pem
+rm -f /var/lib/mysql/server-key.pem
+
+cp -fp /var/lib/mysql2/ca.pem /var/lib/mysql/ca.pem
+cp -fp /var/lib/mysql2/server.key /var/lib/mysql/server-key.pem
+cp -fp /var/lib/mysql2/server.pem /var/lib/mysql/server-cert.pem
+cp -fp /var/lib/mysql2/client.key /var/lib/mysql/client-key.pem
+cp -fp /var/lib/mysql2/client.pem /var/lib/mysql/client-cert.pem
+
diff --git a/postgres/ssl/18.X_ssl/Dockerfile b/postgres/ssl/18.X_ssl/Dockerfile
new file mode 100644
index 0000000..3ac1010
--- /dev/null
+++ b/postgres/ssl/18.X_ssl/Dockerfile
@@ -0,0 +1,30 @@
+FROM registry.jetbrains.team/p/datagrip/containers/postgres:18
+
+ADD ./conf/ssl.conf /etc/postgresql-common/ssl.conf
+
+ADD ./certs/server.key /var/ssl/
+ADD ./certs/server.crt /var/ssl/
+ADD ./certs/ca.pem /var/ssl/
+
+# Add the ssl config setup script
+COPY ./conf/pg_hba.conf /usr/share/postgresql/18/pg_hba.conf.sample
+COPY ./conf/postgresql.conf /usr/share/postgresql/18/postgresql.conf.sample
+COPY ./cert/server.crt ./cert/server.key /var/ssl/
+RUN chown postgres.postgres /usr/share/postgresql/18/pg_hba.conf.sample \
+ /usr/share/postgresql/18/postgresql.conf.sample \
+ /var/ssl/server.key \
+ /var/ssl/ca.pem \
+ /var/ssl/server.crt && \
+ chmod 600 /var/ssl/server.key &&\
+ chgrp postgres /var/ssl/server.key &&\
+ chown postgres /var/ssl/server.key &&\
+ apt-get update && \
+ apt-get install -y postgresql-18-postgis-3-scripts
+
+COPY ./conf/init.sh /docker-entrypoint-initdb.d/init.sh
+RUN chmod +x /docker-entrypoint-initdb.d/init.sh
+
+ENV LOCALE_CONFIG=/etc/locale.gen
+RUN sed -ri 's/#\ fr_FR.UTF-8\ UTF-8/fr_FR.UTF-8\ UTF-8/' ${LOCALE_CONFIG}
+RUN sed -ri 's/#\ en_US.UTF-8\ UTF-8/en_US.UTF-8\ UTF-8/' ${LOCALE_CONFIG}
+RUN cd /usr/sbin/ && ./locale-gen
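Review bot: The script removes the five files under /var/lib/mysql before any copy and has no `set -e`, so a failed `cp` (for example /var/lib/mysql2 not being mounted) still exits 0 and leaves the server to start without the intended certificates; a `set -euo pipefail` after the shebang, or a check that the source directory exists before the `rm -f` lines, makes that failure visible at startup. `cp -fp` preserves the mode of the source files, so the copied server-key.pem and client-key.pem are only as restrictive as whatever was checked in; an explicit `chmod 600 /var/lib/mysql/server-key.pem /var/lib/mysql/client-key.pem` after the copies pins that regardless of source permissions. A one-line comment that the destination names are MySQL's default `ssl_ca`/`ssl_cert`/`ssl_key` file names would explain why the files are renamed during the copy.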
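Review bot: `COPY ./cert/server.crt ./cert/server.key /var/ssl/` reads from `./cert/`, while the three `ADD` lines above and every other path in this commit use `./certs/`; if `./cert` does not exist the build fails, and if it does, this line silently overwrites the files just added, so one of the two groups should be dropped. The remaining `ADD` lines copy plain local files and should be `COPY`, and the four-step owner/mode sequence on server.key (chown, chmod 600, chgrp, chown again) collapses into `COPY --chown=postgres:postgres --chmod=600`; `chown postgres.postgres` also uses the deprecated dot separator. `apt-get install -y` should take `--no-install-recommends` and the same layer should end with `rm -rf /var/lib/apt/lists/*`, otherwise the package lists stay in the image. The last line can simply be `RUN locale-gen`. The server private key lands in an image layer, which is fine for a test-only fixture but deserves a comment saying so next to the COPY.
```dockerfile
# … unchanged: FROM, ssl.conf …
COPY --chown=postgres:postgres --chmod=600 ./certs/server.key /var/ssl/
COPY --chown=postgres:postgres ./certs/server.crt ./certs/ca.pem /var/ssl/

# … unchanged: pg_hba.conf / postgresql.conf sample copies …
RUN chown postgres:postgres /usr/share/postgresql/18/pg_hba.conf.sample \
        /usr/share/postgresql/18/postgresql.conf.sample && \
    apt-get update && \
    apt-get install -y --no-install-recommends postgresql-18-postgis-3-scripts && \
    rm -rf /var/lib/apt/lists/*
# … unchanged: init.sh copy, locale setup …
RUN locale-gen
```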
diff --git a/postgres/ssl/18.X_ssl/certs/ca.key b/postgres/ssl/18.X_ssl/certs/ca.key new file mode 100644 index 0000000..cef5bdb --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6v4TMSwaCoEFm +jh7JhDTCor5fTrfpmSgoSwGUaewf0mhCZ0nq0a1oRs4pGmv9OPdSaIK9X8eL7afi +0mIrF/8k8QRcQRsHEsBxiG9oRxdQ+j6dXt1qM8BXyVFUa4RKQXvXdtdyr3YK2k/u +/2DaKSHmzq2uiaZaa2HyTpuWe0Uw4c2IA24hlcDsYjyGPeqhs5PlyONunmDRY2rJ +KLEoVCNtkdi3qKdRq6YU1jbdzut/YKF7k+sxBhuKjEKQjQE+6HmCRK4C81BuHV5a +IUAQDLkpXS3Jl7IwYmgPODgkhR82SuzoGRg6t8Y2kpAn7Yi4fDCOHU+1zbpojWGT +7Y4LFExHAgMBAAECggEAAzirh0SiC53NEwJPmKVNra/V/dnjRUXNkghdMhyzpIbi +IocamNDeH2bdRos8oqUZaxP/cVnWHN1QIJMFe33R+man7xl2aGRT6oFyfod/aPew +HdHVmu/imQERhJXINem0Q666n7FUJXLHnzVLi+favFsDVvfr5TJmAaKGf42Hz4SG +FnWufW8GKoRfDePW1DJDAaBeGB8RrGcjZTX0AwA35pac2/tpZJJvdLPuk6tvI5A8 +jFzXqxqQcq45KJpcuxFzfmlL0wonIChbiLlDRw73+qmeNBAgwWkrZSfrewNGsG3v +v7pdPb0tWN5Haz+D/D1rPf99iGyiu/VE1tK7HJRneQKBgQDb1v7bl/rt0ORuqgeN +uubhwYglUCXu2gMPdaFGr+HtWyahSsARa9a97ObTqVZRLlLt8sPSqpNV/+z+XCNW +UwgllbGL6jqVKm0CAJlhqkfpT7dTbbfRAHUm1jcHSBfuTVgoDN52/VHP1Ye/g2jG +LJJkaKY9jLTqznQT5T2959qP7wKBgQDZdxlqxQtY0N5BSi1eXY0hlF+aV7mYeAqx +EjueVm1Aa0v6fUPCZgpXpouS2W+zkPCwy2nY58S7+agFZ5Xc3nmBlaqEaZGht/lY +0kYVzf4YSLLnc7CXzyMUieN+xkoothUJF+Q/Kg4xssL3PvimEcQZC17yeiCWZwi0 +lRUM3mGxKQKBgDwMPK7kk3DUByFHJisLazcs8rAmdUYJnJ5jZfr13cNEi4ew8EeR +6iUUiXQ1I9Om0JYYIm7vkrEB580Og8R3h5kki0uJXhkSbpYGbd7kcSIEWTHbnULk +WhuSlZNSmN7Jl5PQ+A8OYINhcuPX1A2VbSMqBoZ3YY9ldwVcL4Ioy2VXAoGBAIqt +gb7t01ObNvDJ3e68l+CfHuxtHwUVIDRVXUGW+erHwdcGhOx2aAgHRCCsmqgXOPZ1 +cZWKD5KUHcr8iLwl/7RcfjYcoGtRyCgVR+5lw7E2wygIRcg5prRVTocs6mPV4co/ +uyVwq0aUKfLD7Iry72vNLYpRyXBAWnPWUms3cXMpAoGALsK8iAf2b6rlBbmhsqFN +CdvuEuRALHue9PdXBwiSBQEDByH/vOfPghrOhnUWffXPd2zSYy/Yx8XuODIgXG1i +fRrqysbPfN9wVqiZZeGyXrUsAffDl6zfltLZOY0ntsmbT5zEkC1rRx/8RlLjzgEe +oEVoHQSd3aJMc0lmRcCDpAM= +-----END PRIVATE KEY----- 
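Review bot: ca.key is committed next to ca.pem, but the Dockerfile in this commit copies only ca.pem, server.key and server.crt into the image, so ca.key, ca.srl and the two .csr files are signing byproducts rather than build inputs. Keeping the CA private key in the repository means anyone with read access can issue certificates this server trusts, which only matters if the fixture is ever reused outside an isolated test network, but removing the byproducts (or regenerating the whole set at build time) keeps the checked-in material to what the image actually needs. The same holds for the mysql/ssl/9.5/certs .csr files above.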
diff --git a/postgres/ssl/18.X_ssl/certs/ca.pem b/postgres/ssl/18.X_ssl/certs/ca.pem new file mode 100644 index 0000000..33bced6 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUWf6TQx4aKJMyiOp0wZz8BiXpgW8wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNUG9zdGdyZVNRTCBDQTAeFw0yNTEyMTAxMDQ0MzZaFw0z +NTEyMDgxMDQ0MzZaMBgxFjAUBgNVBAMMDVBvc3RncmVTUUwgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6v4TMSwaCoEFmjh7JhDTCor5fTrfpmSgo +SwGUaewf0mhCZ0nq0a1oRs4pGmv9OPdSaIK9X8eL7afi0mIrF/8k8QRcQRsHEsBx +iG9oRxdQ+j6dXt1qM8BXyVFUa4RKQXvXdtdyr3YK2k/u/2DaKSHmzq2uiaZaa2Hy +TpuWe0Uw4c2IA24hlcDsYjyGPeqhs5PlyONunmDRY2rJKLEoVCNtkdi3qKdRq6YU +1jbdzut/YKF7k+sxBhuKjEKQjQE+6HmCRK4C81BuHV5aIUAQDLkpXS3Jl7IwYmgP +ODgkhR82SuzoGRg6t8Y2kpAn7Yi4fDCOHU+1zbpojWGT7Y4LFExHAgMBAAGjITAf +MB0GA1UdDgQWBBSvFb8NkTvtEr3zcqr2JLNu8MY8HzANBgkqhkiG9w0BAQsFAAOC +AQEAmC8TgC221vXSBt0Mq0OmlnN0SoXE8UaWimFQjDBb4bXJClCJg68+IIGTmcew +O+DxIS4UNBDhx9OtOVL8fgl+WsqI5QM/6zCCfdgdUU7+3uVYrpo40F/LTWZh7aQG +KmTw5pBdjK8Rqu2r+ZBpT0tcJVLILBHidzFcdEpsPNbVucVtncGSfnbCwi3YauRK +GwiI+GsYkwUaNyYVsY+Ht8f4s91JpSsLPwMAopBfeMC0Ziv0UfQkN6Dezg7meRLN +c4Va3hgpqwfXJPWJS0ghCph8ija41li/ZrPS/DKmXfI/qj9fFBxG1MlUzQq/4/bx +krwjcQso7rNLTRVA89fwtLsLug== +-----END CERTIFICATE----- diff --git a/postgres/ssl/18.X_ssl/certs/ca.srl b/postgres/ssl/18.X_ssl/certs/ca.srl new file mode 100644 index 0000000..33df0df --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/ca.srl @@ -0,0 +1 @@ +367986917F5C9E3D22550C1D90EB2BBB225330F9 diff --git a/postgres/ssl/18.X_ssl/certs/client.crt b/postgres/ssl/18.X_ssl/certs/client.crt new file mode 100644 index 0000000..b5fc960 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/client.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgIUNnmGkX9cnj0iVQwdkOsruyJTMPkwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNUG9zdGdyZVNRTCBDQTAeFw0yNTEyMTAxMDQ0MzdaFw0z +NTEyMDgxMDQ0MzdaMBwxGjAYBgNVBAMMEVBvc3RncmVTUUwtY2xpZW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxVe9IBOntWg8w2Gqixv+v/6IlmMN +MdJxcneipEReFSXWKOjbvBNGAE5T6l4YTpffbhIa13nabGAHcB0EWAY1hGTp4VDB +5XIp+IIVqEbCyp+XN46+pb9MaqT4Nbd2C/+rjZq5IYoJBPxwRKl5JJevNIENFWzD +rvmxqvnk6HwVCbpJHUUNl3VjXBhz0ETVEIJJ+KYKq/VR89sEQbuz08EhsnV+WQxK +3/6X0I2jlejCpRVDKphqqPq3/icS9/zJegyw9BwNqtlvzBk5j0EA6O+lTUmezSNi +hcFPe7qwVLUBhh2vWOTDPVxBoapBOCDgGCEwAnT7/WkCSUe/r5GXO8fsYwIDAQAB +o0IwQDAdBgNVHQ4EFgQU/PzhDZBSKj/bVtCM6RUURq9Rdr0wHwYDVR0jBBgwFoAU +rxW/DZE77RK983Kq9iSzbvDGPB8wDQYJKoZIhvcNAQELBQADggEBALNy54zr2daZ +U0ta52pdKsZQv+pPc781cXMK+S5ekxHNda/uD4hEcZbYaQ5AlitzWG13kHH6Btq+ +3aFIx95WySAQUTDvcspsGlwyeRa3gCtQgIXaqTSDMYa6y41lBLx2tZIuQH2pFHA8 +dDnr+8VyikWa1yW0QaUu/BacRBV41NGJyfrRL9BPy3jl6qkL9dut8FNIQEzYY32a +brmpJZYoBPFfZOivc93EozcfxtWkkvC+bkUG0pvj+0qsubjYFVOAIvENLYVa4h7z +HZ0Kl1l3Fm7gvip9P4jqzK02to3VfHBOuYq3S6ZKQy9ZSao/QDbb3ADVmhdeRSk2 +0F2oYw2r3UI= +-----END CERTIFICATE----- diff --git a/postgres/ssl/18.X_ssl/certs/client.csr b/postgres/ssl/18.X_ssl/certs/client.csr new file mode 100644 index 0000000..84861e7 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/client.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICYTCCAUkCAQAwHDEaMBgGA1UEAwwRUG9zdGdyZVNRTC1jbGllbnQwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFV70gE6e1aDzDYaqLG/6//oiWYw0x +0nFyd6KkRF4VJdYo6Nu8E0YATlPqXhhOl99uEhrXedpsYAdwHQRYBjWEZOnhUMHl +cin4ghWoRsLKn5c3jr6lv0xqpPg1t3YL/6uNmrkhigkE/HBEqXkkl680gQ0VbMOu ++bGq+eTofBUJukkdRQ2XdWNcGHPQRNUQgkn4pgqr9VHz2wRBu7PTwSGydX5ZDErf +/pfQjaOV6MKlFUMqmGqo+rf+JxL3/Ml6DLD0HA2q2W/MGTmPQQDo76VNSZ7NI2KF +wU97urBUtQGGHa9Y5MM9XEGhqkE4IOAYITACdPv9aQJJR7+vkZc7x+xjAgMBAAGg +ADANBgkqhkiG9w0BAQsFAAOCAQEARo3rjnUFq1+HkUy4UtsJrpZ+gKUGq3+ijVWQ +a1Y7vrXAeoA1k1Y5CIJjFdqwWdFw2JP8F7nKRNEgiN7SXet+pDfZzRZBXxJdl177 +S08WGwhKw4X4DXP10YPwsxbvy9q81Hs3v7r9FakUw/BQNXiw34STVHOYSZbDKyP1 +6COeZZB6LSn56y3gRazTjxZxig1IcakpC/FN26l1QxXdaxaWIyPpKLoUiVqYzG+W +aAXvQQaqhSSXFhZo27jJPeAnt5enq0pzRqGsv5jud6oNGlsjQVA261rI0bR/YTKi +dTDjl9AMYUAxeVlghr3lHM9GGlPtiGcIaVU2f3pCYfelyz/UcA== +-----END CERTIFICATE REQUEST----- diff --git a/postgres/ssl/18.X_ssl/certs/client.key b/postgres/ssl/18.X_ssl/certs/client.key new file mode 100644 index 0000000..af4e0f0 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFV70gE6e1aDzD +YaqLG/6//oiWYw0x0nFyd6KkRF4VJdYo6Nu8E0YATlPqXhhOl99uEhrXedpsYAdw +HQRYBjWEZOnhUMHlcin4ghWoRsLKn5c3jr6lv0xqpPg1t3YL/6uNmrkhigkE/HBE +qXkkl680gQ0VbMOu+bGq+eTofBUJukkdRQ2XdWNcGHPQRNUQgkn4pgqr9VHz2wRB +u7PTwSGydX5ZDErf/pfQjaOV6MKlFUMqmGqo+rf+JxL3/Ml6DLD0HA2q2W/MGTmP +QQDo76VNSZ7NI2KFwU97urBUtQGGHa9Y5MM9XEGhqkE4IOAYITACdPv9aQJJR7+v +kZc7x+xjAgMBAAECggEAGr4e7du2r0bew8wWnD8Ly5aMNEkHBDiUUXf0l+srOWrF +C1/cSy/syA9/9V47+rE/wNRTmTNfo1keGOuDEloBDZ3Onfnff3RJoMN2zjTh99XJ +sb3hMxKUofe/f9QKphScecDnvquh45rsAeSvey3SZec+en1LRV58B637/yS1hc7h +EeNDBohar5e0BSkuXcBVBguAtQ2hCsxbFJDnGnCbn60fS+1IJRkgMZQXeab1wEpK +7NkLL8jG5uID3TBK+6UeWQlK7Rti+ohLQLUnkhz8XScyM7EZUoMwo0hefRFbRMXn +4trJbJTve+IoemUHMRm5tq9LvBKDwfzTZ6aAAW2tTQKBgQDh54LLZHkJ2CdZaNjp +iDsG8XhX6l86r9/rhqomkUQUOyvnW6wFyLNY53iLOL2FgHl/RnIhBASlydigWId5 +mFbbj83KVZw1/9OnIlcEZxbtVNsf928u2/mYJS0TB7vYuOrMGWfj8bawOC5UiUXZ +eAc7bWU3Tb2H+Y5R24PFSfRpNwKBgQDfoiGkpbylE7SBPcI+1rIruMOXQC0aPwkV +xgvtEHTfwq6PVdVCUVDUUvGZsx4QU8eFLGj39sb/zzDKDY+CUVPZDFKlP+2uO/YA +eETZaiQhYmjzaA8nbbaUhKsSFRTIha3HVn1vl7ccaCT5FfyQ7dXWa2FcIwQCWeRx +okkVrkT8NQKBgQCRfkrF9lriVT3anuV9WwkxSpoIfWGB6b4c8ilqF4syQH3hTzB2 +tTGVY9dGS2/8qKcXquZcjzrzEBIeC4aNcOkYFgEjfInUWYUWks5afo7MoidS6kjI +dFLHg8IJDKUWStqmQwKfU5Em47grKBI9osl9o9JZkQ8toTPhUrEGgsAQdwKBgQDB +Tfr4wA5dPrgzUvf5q0ldQ5tFvUJ/QmeO+57JbwUnebe7zDzH01QkBAI0kkB1aoW3 +VpjxZc3DxwtsS+Z1hekNX3p8vtKrXccZxtv0dqv+c3s2kwcuVMaSgE8DFVfesLZy +7Q8GC8VK97al3FxxxjOl4THKG7ZWde9iTh4QcI/O1QKBgHzQ7dmiKSemDsWKhLo8 +qmDV4N6Hr+XYlrljFbQ4rXGfk5DlfIZ+ib0XWOQMPhR2UjzTUZjlc6ic96m3CPOI +1Homm8hqj0sWwCt/5K7lTV4qxGw4FUWt+FhbVEku3aY0jUW3z4zv+tYnJp09DmxG +o8WOdBGYOTP/UPDvgIkgS2f6 +-----END PRIVATE KEY----- diff --git a/postgres/ssl/18.X_ssl/certs/client.pem b/postgres/ssl/18.X_ssl/certs/client.pem new file mode 100644 index 0000000..b5fc960 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/client.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgIUNnmGkX9cnj0iVQwdkOsruyJTMPkwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNUG9zdGdyZVNRTCBDQTAeFw0yNTEyMTAxMDQ0MzdaFw0z +NTEyMDgxMDQ0MzdaMBwxGjAYBgNVBAMMEVBvc3RncmVTUUwtY2xpZW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxVe9IBOntWg8w2Gqixv+v/6IlmMN +MdJxcneipEReFSXWKOjbvBNGAE5T6l4YTpffbhIa13nabGAHcB0EWAY1hGTp4VDB +5XIp+IIVqEbCyp+XN46+pb9MaqT4Nbd2C/+rjZq5IYoJBPxwRKl5JJevNIENFWzD +rvmxqvnk6HwVCbpJHUUNl3VjXBhz0ETVEIJJ+KYKq/VR89sEQbuz08EhsnV+WQxK +3/6X0I2jlejCpRVDKphqqPq3/icS9/zJegyw9BwNqtlvzBk5j0EA6O+lTUmezSNi +hcFPe7qwVLUBhh2vWOTDPVxBoapBOCDgGCEwAnT7/WkCSUe/r5GXO8fsYwIDAQAB +o0IwQDAdBgNVHQ4EFgQU/PzhDZBSKj/bVtCM6RUURq9Rdr0wHwYDVR0jBBgwFoAU +rxW/DZE77RK983Kq9iSzbvDGPB8wDQYJKoZIhvcNAQELBQADggEBALNy54zr2daZ +U0ta52pdKsZQv+pPc781cXMK+S5ekxHNda/uD4hEcZbYaQ5AlitzWG13kHH6Btq+ +3aFIx95WySAQUTDvcspsGlwyeRa3gCtQgIXaqTSDMYa6y41lBLx2tZIuQH2pFHA8 +dDnr+8VyikWa1yW0QaUu/BacRBV41NGJyfrRL9BPy3jl6qkL9dut8FNIQEzYY32a +brmpJZYoBPFfZOivc93EozcfxtWkkvC+bkUG0pvj+0qsubjYFVOAIvENLYVa4h7z +HZ0Kl1l3Fm7gvip9P4jqzK02to3VfHBOuYq3S6ZKQy9ZSao/QDbb3ADVmhdeRSk2 +0F2oYw2r3UI= +-----END CERTIFICATE----- diff --git a/postgres/ssl/18.X_ssl/certs/server.crt b/postgres/ssl/18.X_ssl/certs/server.crt new file mode 100644 index 0000000..062a82a --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/server.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC/DCCAeSgAwIBAgIUNnmGkX9cnj0iVQwdkOsruyJTMPgwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNUG9zdGdyZVNRTCBDQTAeFw0yNTEyMTAxMDQ0MzZaFw0z +NTEyMDgxMDQ0MzZaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKVGfQD4qO+i6zgwlDa+PJuVHYSDke7wFX9JETlq +eAo8lo189kLPcJ8N5AtdoPIqyU6F19Vc98ieDeZ0TUspK1iFYvPxjf8RuonmNxcD +L95L4+bVALlcuRqXqBGJLNVwGUd2ovZ+J+3iWuQGVF0BFvtMx2aFYBKjyOqIenm+ +KmpSX0dt/0R0bt0prGheXC336UeMVOGMhQzwhR0PYW6eoX5gf3IyfXAvbald5KDk +gF1sUCQUhm8nLT5yfG+qPsMroGtbxGpFe4R5cx22MkT2JQ2vNLwIhjSZBDu6Dwuk +wrWRGIE9E+akkEYgBAlH4uBXs2+naE3eHP4GkQedPVCoqK8CAwEAAaNCMEAwHQYD +VR0OBBYEFAy/LRx5H+mJEMeybGHZqM9XbLhsMB8GA1UdIwQYMBaAFK8Vvw2RO+0S +vfNyqvYks27wxjwfMA0GCSqGSIb3DQEBCwUAA4IBAQBVA1rGZJBzCxAoVBpWJV6y +goupoQfoEZG5bwzVqsf5HFRadH9GPYZ2rSW98gYdxOqkPh64LMEYwFLrjFhfLM7n +qIVaSRrV+EynSnr2h6rdZWBb8OCIzTiuNzgtWD4Huih9NA0pt+xxg4Avl3qrwC4P +FTS2J3BEvZwvp3ShVkrrmSAOFlHbAvHKdiJPXoxpHqdhXbxZSkV/YkHDHpo0G6fU +BTFn2Mn6TMzCSPbMwpr8gbT47qmikXS98n89GnRzTaKq1DxBC4Q/lBLvkSboO3NS +99Z89Li0V2oFMQjrsUH+GWPWb4OLXZkHr5l/Bpyu7URh7yoGASKxEwrvMwQzhSK+ +-----END CERTIFICATE----- diff --git a/postgres/ssl/18.X_ssl/certs/server.csr b/postgres/ssl/18.X_ssl/certs/server.csr new file mode 100644 index 0000000..ed17067 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/server.csr 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEApUZ9APio76LrODCUNr48m5UdhIOR7vAVf0kROWp4 +CjyWjXz2Qs9wnw3kC12g8irJToXX1Vz3yJ4N5nRNSykrWIVi8/GN/xG6ieY3FwMv +3kvj5tUAuVy5GpeoEYks1XAZR3ai9n4n7eJa5AZUXQEW+0zHZoVgEqPI6oh6eb4q +alJfR23/RHRu3SmsaF5cLffpR4xU4YyFDPCFHQ9hbp6hfmB/cjJ9cC9tqV3koOSA +XWxQJBSGbyctPnJ8b6o+wyuga1vEakV7hHlzHbYyRPYlDa80vAiGNJkEO7oPC6TC +tZEYgT0T5qSQRiAECUfi4Fezb6doTd4c/gaRB509UKiorwIDAQABoAAwDQYJKoZI +hvcNAQELBQADggEBAAVdPIvDkJs5nTYxmrHAcYDENBnB+uU3lF7CduXVG2/I3TBy +1bMzWIlPjxufEi2Fjxo+HZHR3jGpSgobjtfC1/Ybq/cWM9nasHu/UpyuShz8sgTI +zU3/Fq+5pxAk1pvVMuXCkKpHWy1zGeDG01NV7jvAouDcLtjDb38hkarWjQP5W6eb +wIQR7Zzx0HPyi222G5iQ8TgEQd3xf+au5gUVNrkvUtiu+fm7krtg11If3SNHNhtf +o/jDeJoFGpdm4zgkjxHdaRXL+JzwPuy1vv6rTx/SosXxOqOoYRDiun1V41FuPoO8 +r316F4OBKRQmR3TNJpbWwY9EGyUnanXocugVUI4= +-----END CERTIFICATE REQUEST----- diff --git a/postgres/ssl/18.X_ssl/certs/server.key b/postgres/ssl/18.X_ssl/certs/server.key new file mode 100644 index 0000000..a52d6a0 --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQClRn0A+Kjvous4 +MJQ2vjyblR2Eg5Hu8BV/SRE5angKPJaNfPZCz3CfDeQLXaDyKslOhdfVXPfIng3m +dE1LKStYhWLz8Y3/EbqJ5jcXAy/eS+Pm1QC5XLkal6gRiSzVcBlHdqL2fift4lrk +BlRdARb7TMdmhWASo8jqiHp5vipqUl9Hbf9EdG7dKaxoXlwt9+lHjFThjIUM8IUd +D2FunqF+YH9yMn1wL22pXeSg5IBdbFAkFIZvJy0+cnxvqj7DK6BrW8RqRXuEeXMd +tjJE9iUNrzS8CIY0mQQ7ug8LpMK1kRiBPRPmpJBGIAQJR+LgV7Nvp2hN3hz+BpEH +nT1QqKivAgMBAAECggEAGsgGSi8A/lExuRmIxX95cLiZX4y2YWJ+s/EnclysoPQF +GAjvcA9khNGKahu85cubHTdBAdjzvzV6s8+VasrRXvcWUXM1+ua+NHRH6a8MMFhZ +0LYj95AX3+rtQrzYtVQEifj7xTeCHuEMBgvPMIGUXhpTQWtMEG6BMx1Jw1/WSFit +Xg7AJjIdkVJ0XsUfUiVf4rYHp6JCWNjuvJ/gEKy4mElmCybPHFAYGC+sU+Xhpc9R +TO6N5pH9uqLJm3p+XHQfT8ml5DIe8+gZHTQjulQ5UAC3ZXVN/c7Wef6KniDC5Imh +RrqvYHFx461uVr2RUlGuMN8iZJYyGFkEtIk1ckXMWQKBgQDQ3i4FfM8NP4szEYQi +SvMpPcw9iosyIqNjRIE4yKwbiU0qtTE1zrWyj0MJl9pxU6BaMuzlFqHaMF+wQgA+ +4hfEVfxS36Tlm6iHcCrZZFohKL/6Iwhlz7RcyvBeLY9JEPk8jZ9D0nmB6WrW9Euv +6iAxYPGrUXWh0jW2lxP1Jb55+wKBgQDKkhEh4LnmwoZuciUW/ZdIdg24bwqIbbCE +Hx+hl4l4TATNleiEMt8KG3wMKoSNqupdMOMZrldvX2lTMuzA5iLiLz1hkiXr6WbF +vEh+hy0xBhBTPPAiHneK3ueVe5fCv/kqFliugPa+4YiF4IpR3mI+fZEKzK4Ay34g +o71skIAh3QKBgQCn9ZKyjPv/XlL0vSgxX24Mgwpjjq6CoYIcCHGVlSF5fz7TkiNB +brmEHlo9M6TQrvvqrLr9OebriyzXkyuZZbzRAIhIqFl03mh2iUeby2wC8D74ygUt +wgn6+KK0SRTJH+IcxJIHOxDE3EwzEP5wNuiubJPKPVZHy7+v1euRnkl+0wKBgESl +hTrGzhjeOPI6qkkFPPwoTXP/5UDgcx4C8hQvpz1l/Yax027hUmY5dCsnSW48ylk0 +VPGB/E1Ytvej3Ultc8rUmWd0QHeWy+YcbTC7nFvtoyCiGPpm+rnL2gz1KjOsHMLf +ecQBHh0Hjt1Xf2hJBWAJ61oOjLTmQOLMukeNHG7dAoGBAIgbhCbqoJhUrucaLkgx +9O+y/xjPCRsuJFB+93LyYLxUJqPg0VFi/OlbUjIJv1dttEu8dP9H/mxJQu1uyJyt +ssUwNoSdh/J8hAAvsqjD0bZhU/PFYOAUneh7GOLAilzonxs6dZ0rM9vWr/b4Ioys +IrwZfoDD1WyjFJHgeU+3ronj +-----END PRIVATE KEY----- diff --git a/postgres/ssl/18.X_ssl/certs/server.pem b/postgres/ssl/18.X_ssl/certs/server.pem new file mode 100644 index 0000000..062a82a --- /dev/null +++ b/postgres/ssl/18.X_ssl/certs/server.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC/DCCAeSgAwIBAgIUNnmGkX9cnj0iVQwdkOsruyJTMPgwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNUG9zdGdyZVNRTCBDQTAeFw0yNTEyMTAxMDQ0MzZaFw0z +NTEyMDgxMDQ0MzZaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKVGfQD4qO+i6zgwlDa+PJuVHYSDke7wFX9JETlq +eAo8lo189kLPcJ8N5AtdoPIqyU6F19Vc98ieDeZ0TUspK1iFYvPxjf8RuonmNxcD +L95L4+bVALlcuRqXqBGJLNVwGUd2ovZ+J+3iWuQGVF0BFvtMx2aFYBKjyOqIenm+ +KmpSX0dt/0R0bt0prGheXC336UeMVOGMhQzwhR0PYW6eoX5gf3IyfXAvbald5KDk +gF1sUCQUhm8nLT5yfG+qPsMroGtbxGpFe4R5cx22MkT2JQ2vNLwIhjSZBDu6Dwuk +wrWRGIE9E+akkEYgBAlH4uBXs2+naE3eHP4GkQedPVCoqK8CAwEAAaNCMEAwHQYD +VR0OBBYEFAy/LRx5H+mJEMeybGHZqM9XbLhsMB8GA1UdIwQYMBaAFK8Vvw2RO+0S +vfNyqvYks27wxjwfMA0GCSqGSIb3DQEBCwUAA4IBAQBVA1rGZJBzCxAoVBpWJV6y +goupoQfoEZG5bwzVqsf5HFRadH9GPYZ2rSW98gYdxOqkPh64LMEYwFLrjFhfLM7n +qIVaSRrV+EynSnr2h6rdZWBb8OCIzTiuNzgtWD4Huih9NA0pt+xxg4Avl3qrwC4P +FTS2J3BEvZwvp3ShVkrrmSAOFlHbAvHKdiJPXoxpHqdhXbxZSkV/YkHDHpo0G6fU +BTFn2Mn6TMzCSPbMwpr8gbT47qmikXS98n89GnRzTaKq1DxBC4Q/lBLvkSboO3NS +99Z89Li0V2oFMQjrsUH+GWPWb4OLXZkHr5l/Bpyu7URh7yoGASKxEwrvMwQzhSK+ +-----END CERTIFICATE----- diff --git a/postgres/ssl/18.X_ssl/conf/init.sh b/postgres/ssl/18.X_ssl/conf/init.sh new file mode 100644 index 0000000..14ac485 --- /dev/null +++ b/postgres/ssl/18.X_ssl/conf/init.sh 
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+echo "[INFO] ---------------------------< create extention >---------------------------"
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+ CREATE USER guest WITH PASSWORD 'guest';
+ CREATE DATABASE guest;
+ GRANT ALL PRIVILEGES ON DATABASE guest TO guest;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "guest_no_ssl" --dbname "guest" <<-EOSQL
+ CREATE EXTENSION IF NOT EXISTS postgis;
+ CREATE SCHEMA postgis;
+ UPDATE pg_extension SET extrelocatable = TRUE WHERE extname = 'postgis';
+ ALTER EXTENSION postgis SET SCHEMA postgis;
+
+ ALTER EXTENSION postgis UPDATE;
+EOSQL
+
+echo "[INFO] ---------------------------< create extention finished >------------------"
\ No newline at end of file
diff --git a/postgres/ssl/18.X_ssl/conf/pg_hba.conf b/postgres/ssl/18.X_ssl/conf/pg_hba.conf
new file mode 100644
index 0000000..1158361
--- /dev/null
+++ b/postgres/ssl/18.X_ssl/conf/pg_hba.conf
@@ -0,0 +1,20 @@
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust
+
+hostnossl guest_no_ssl guest_no_ssl 0.0.0.0/0 md5
+hostnossl guest_no_ssl guest_no_ssl ::/0 md5
+
+hostssl guest_no_ssl guest_no_ssl 0.0.0.0/0 reject
+hostssl guest_no_ssl guest_no_ssl ::/0 reject
+
+hostssl guest guest ::/0 cert
+hostssl guest guest 0.0.0.0/0 cert
+
+hostnossl guest guest ::/0 reject
+hostnossl guest guest 0.0.0.0/0 reject
\ No newline at end of file
diff --git a/postgres/ssl/18.X_ssl/conf/postgresql.conf b/postgres/ssl/18.X_ssl/conf/postgresql.conf
new file mode 100644
index 0000000..600915b
--- /dev/null
+++ b/postgres/ssl/18.X_ssl/conf/postgresql.conf
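Review bot: The second `psql` connects as `guest_no_ssl`, but the only role the first block creates is `guest`; unless the base image already provides `guest_no_ssl`, that connection fails with a missing-role error and, because of `set -e`, aborts the rest of the init script. The statements in that block (`CREATE EXTENSION`, the direct `UPDATE pg_extension` catalog edit, `ALTER EXTENSION ... SET SCHEMA`) also look like they need superuser or database-owner rights that a freshly created test role would not have, so running them as `--username "$POSTGRES_USER" --dbname guest` is probably what was intended. The two echo banners spell "extention"; these are runtime strings, so the fix belongs in the script text rather than a comment.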
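Review bot: The `hostssl guest guest ... cert` rules authenticate by client certificate, and without a `map=` option PostgreSQL requires the certificate CN to equal the database user name; the client certificate added in this commit appears to carry CN `PostgreSQL-client` rather than `guest`, so these rules would reject the connection unless a `map=<name>` entry backed by a matching pg_ident.conf line is added or the client cert is issued with CN=guest. The `guest_no_ssl` rules name a database `guest_no_ssl` that the init.sh in this commit never creates, and they use `md5`, which recent PostgreSQL releases deprecate in favour of `scram-sha-256`. A short comment above each pair stating the scenario it serves (password over plaintext vs. certificate over TLS) would make the paired `reject` lines self-explanatory.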
@@ -0,0 +1,636 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, or use "pg_ctl reload". Some +# parameters, which are marked below, require a server shutdown and restart to +# take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +#data_directory = 'ConfigDir' # use data in another directory + # (change requires restart) +#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file + # (change requires restart) +#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. 
+#external_pid_file = '' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '*' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +#port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +# Note: Increasing max_connections costs ~400 bytes of shared memory per +# connection slot, plus lock space (see max_locks_per_transaction). +#superuser_reserved_connections = 3 # (change requires restart) +#unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - Security and Authentication - + +#authentication_timeout = 1min # 1s-600s +#ssl = off # (change requires restart) +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers + # (change requires restart) +#ssl_prefer_server_ciphers = on # (change requires restart) +#ssl_ecdh_curve = 'prime256v1' # (change requires restart) +#ssl_cert_file = 'server.crt' # (change requires restart) +#ssl_key_file = 'server.key' # (change requires restart) +#ssl_ca_file = '' # (change requires restart) +#ssl_crl_file = '' # (change requires restart) +#password_encryption = on +#db_user_namespace = off +#row_security = on + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 
0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Note: Increasing max_prepared_transactions costs ~600 bytes of shared memory +# per transaction slot, plus lock space (see max_locks_per_transaction). +# It is not advisable to set max_prepared_transactions nonzero unless you +# actively intend to use prepared transactions. +#work_mem = 4MB # min 64kB +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # use none to disable dynamic shared memory + +# - Disk - + +#temp_file_limit = -1 # limits per-session temp file space + # in kB, or -1 for no limit + +# - Kernel Resource Usage - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) +#shared_preload_libraries = '' # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # 
0-1000 max buffers written/round +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 + + +#------------------------------------------------------------------------------ +# WRITE AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = minimal # minimal, archive, hot_standby, or logical + # (change requires restart) +#fsync = on # turns forced synchronization on or off +#synchronous_commit = on # synchronization level; + # off, local, remote_write, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1h +#max_wal_size = 1GB +#min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Server(s) - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 0 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 0 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. 
+ +#hot_standby = off # "on" allows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#effective_cache_size = 4GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition 
+#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses + + +#------------------------------------------------------------------------------ +# ERROR REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'pg_log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. 
+ +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' + +# This is only relevant when logging to eventlog (win32): +#event_source = 'PostgreSQL' + +# - When to Log - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +#log_line_prefix = '' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. 
'<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'UTC' + + +# - Process Title - + +#cluster_name = '' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# RUNTIME STATISTICS +#------------------------------------------------------------------------------ + +# - Query/Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +#stats_temp_directory = 'pg_stat_tmp' + + +# - Statistics Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM PARAMETERS +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. 
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#search_path = '"$user", public' # schema names +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 
+#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'UTC' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 0 # min -15, max 3 +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'en_US.utf8' # locale for system error message + # strings +lc_monetary = 'en_US.utf8' # locale for monetary formatting +lc_numeric = 'en_US.utf8' # locale for number formatting +lc_time = 'en_US.utf8' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Other Defaults - + +#dynamic_library_path = '$libdir' +#local_preload_libraries = '' +#session_preload_libraries = '' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +# Note: Each lock table slot uses ~270 bytes of shared memory, and there are +# max_locks_per_transaction * (max_connections + max_prepared_transactions) +# lock table slots. 
+#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) + + +#------------------------------------------------------------------------------ +# VERSION/PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#sql_inheritance = on +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. + +#include_dir = 'conf.d' # include files ending in '.conf' from + # directory 'conf.d' +#include_if_exists = 'exists.conf' # include file only if it exists +#include = 'special.conf' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here +ssl = on +ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' +ssl_cert_file = '/var/ssl/server.crt' +ssl_key_file = '/var/ssl/server.key' +ssl_ca_file = '/var/ssl/ca.pem' +#ssl_renegotiation_limit = 512MB # amount of data between renegotiations 
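Review bot: The SSL block at the end sets `ssl_cert_file = '/var/ssl/server.crt'`, `ssl_key_file = '/var/ssl/server.key'` and `ssl_ca_file = '/var/ssl/ca.pem'`, while ssl.conf in the same conf directory sets the same parameters to paths under `/var/lib/postgresql/data/` and leaves `ssl_ca_file` commented out; if both files are loaded, whichever is read last wins silently, so one should be dropped or the paths reconciled (the same point applies to the ssl.conf hunk below). The rest of the file appears to be a 9.x-era template — `#wal_level = minimal # minimal, archive, hot_standby, or logical`, `#password_encryption = on`, `#sql_inheritance = on`, `#stats_temp_directory` — whose commented "defaults" no longer describe an 18.x server and will mislead whoever edits it next; regenerating from the 18.x sample file would be cleaner. `ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'` is a legacy cipher string: on current OpenSSL builds the LOW, EXP and MD5 suites are already absent, so the override adds nothing over the built-in default and could go together with the dead `#ssl_renegotiation_limit` line. With `ssl = on` the key file must be readable only by the server user (mode 0600, or 0640 when root-owned) or startup fails; the Dockerfile that places `/var/ssl/server.key` is not in this chunk, so I can't confirm that is handled.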
diff --git a/postgres/ssl/18.X_ssl/conf/ssl.conf b/postgres/ssl/18.X_ssl/conf/ssl.conf
new file mode 100644
index 0000000..f26d30f
--- /dev/null
+++ b/postgres/ssl/18.X_ssl/conf/ssl.conf
@@ -0,0 +1,6 @@
+ssl = on
+ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'
+ssl_cert_file = '/var/lib/postgresql/data/server.crt'
+ssl_key_file = '/var/lib/postgresql/data/server.key'
+#ssl_ca_file = '' # (change requires restart)
+#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
diff --git a/redis/7-ssl/gencertwithsan.ssh b/redis/7-ssl/gencert.sh
similarity index 100%
rename from redis/7-ssl/gencertwithsan.ssh
rename to redis/7-ssl/gencert.sh
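Review bot: `#ssl_ca_file = ''` leaves no CA configured, yet pg_hba.conf in this diff authenticates `guest` with the `cert` method, which needs `ssl_ca_file` to verify client certificates; if this file is the effective SSL config, those connections are rejected because the server never requests or validates a client certificate. The cert and key are also read from `/var/lib/postgresql/data/`, i.e. the data directory, so a volume mounted there at run time hides whatever the image copied in and the server refuses to start with `ssl = on`; a location outside PGDATA, such as the `/var/ssl/` used by postgresql.conf, avoids that. `#ssl_renegotiation_limit` is a long-removed parameter and can be deleted.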