diff --git a/opsec/mysqlmastermaster/0.mp4 b/opsec/mysqlmastermaster/0.mp4 new file mode 100644 index 0000000..5b39006 Binary files /dev/null and b/opsec/mysqlmastermaster/0.mp4 differ diff --git a/opsec/mysqlmastermaster/1.png b/opsec/mysqlmastermaster/1.png new file mode 100644 index 0000000..50f40cb Binary files /dev/null and b/opsec/mysqlmastermaster/1.png differ diff --git a/opsec/mysqlmastermaster/3.png b/opsec/mysqlmastermaster/3.png new file mode 100644 index 0000000..21cccbc Binary files /dev/null and b/opsec/mysqlmastermaster/3.png differ diff --git a/opsec/mysqlmastermaster/4.png b/opsec/mysqlmastermaster/4.png new file mode 100644 index 0000000..540bd7a Binary files /dev/null and b/opsec/mysqlmastermaster/4.png differ diff --git a/opsec/mysqlmastermaster/5.png b/opsec/mysqlmastermaster/5.png new file mode 100644 index 0000000..fc65aa8 Binary files /dev/null and b/opsec/mysqlmastermaster/5.png differ diff --git a/opsec/mysqlmastermaster/6.png b/opsec/mysqlmastermaster/6.png new file mode 100644 index 0000000..6f1bad4 Binary files /dev/null and b/opsec/mysqlmastermaster/6.png differ diff --git a/opsec/mysqlmastermaster/index.html b/opsec/mysqlmastermaster/index.html new file mode 100644 index 0000000..91f790f --- /dev/null +++ b/opsec/mysqlmastermaster/index.html @@ -0,0 +1,935 @@ + + + + + + + + + + + How to setup a MySQL Master-Master replication over Tor + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

oxeo0 - 2025 / 02 / 16

+

How to setup a MySQL Master-Master replication over Tor

+ + +
+
+
+
+ + +
+
+
+
+

Introduction

+

+Your dark net vegetable shop turned out to be a wild success!
+With the influx of new users placing orders, you might want to consider high availability and replication across different locations. MySQL has a built-in mechanism for automatic replication between database instances, requiring only a TCP connection and an account with replication permissions.

+ +

This works by having the Master DB send all queries to the Slave DB for execution. This setup is useful for real-time database backups through Master-Slave replication.

+ +

In this guide, we will configure MySQL Master-Master replication over Tor. In this configuration, each database acts as both Master and Slave, automatically replicating queries between them via a Tor connection.

+ +
+
+
+
+ +
+
+
+
+

Overview

+ +

+This guide assumes you already have the stack from the last tutorial running.
+

+ +

+We will synchronize databases automatically between our two hidden services. If a user makes a purchase on one server, the second server will be notified immediately, executing the same SQL query on both databases. All communication between servers will occur over the Tor network, providing authentication and encryption without opening ports or generating SSL certificates. +

+ +

+The MariaDB server running on each machine will connect to an onion address using socat as a background service configured with systemd, since it cannot utilize the socks5 proxy provided by the Tor client directly. +

+ +

+Below is a table showing what ports and services will be active on each server: +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server 1Server 2
Hostnameserver1server2
Local HTTP (NGINX) port44404440
Public HS URLsrvone[...].onionsrvtwo[...].onion
External HTTP port8080
Internal* HS URLintone[...].onioninttwo[...].onion
Local MySQL port33063306
MySQL HS port3306133062
+ +

+

* The Internal Hidden Service is used exclusively for inter-server communication, and its URL should remain private.

+ +

+Here is a full diagram of what we aim to achieve: +

+ + + +
+
+
+
+ +
+
+
+
+

Prerequisites

+

To follow this guide, you need two instances running the stack set up in the previous tutorial. In production, it's recommended to place them on different servers and networks for high availability. However, for demonstration purposes, you may use Proxmox VE.

+ +

+If using Proxmox, after setting up the vegetable store once, you can clone it to create a second instance. +

+ + + +
+
+ +

You also need socat installed on both servers:

+ +
oxeo@serverN:~$ sudo apt update
+oxeo@serverN:~$ sudo apt install socat
+
+ +

For each server, generate two onion vanity URLs:
+

    +
  • Public Hidden Service URL: This is used for accessing the hidden service as a client. Place this URL in your NGINX configuration to expose the vegetable shop service at port 80.

  • +
  • Internal Hidden Service URL: Used exclusively for inter-service communication.
  • +

+ +

Note that you can use only numbers 2-7 in the onion URL, as they are not part of the base32 alphabet used for encoding onion URLs. In this guide, I use words like one and two instead.

+ +
+
+
+
+ +
+
+
+
+

Part 1

+ +

The steps listed below should be executed on your first server. The second part of this guide will include commands for the second server with slight modifications, but they are mostly the same.
+This part contains explanations of how things work; the second part is primarily a list of commands.

+ +
+
+
+
+ +
+
+
+
+

MySQL Service Configuration

+ +

+You need to create a location for storing relay and binlog log files: +

+ +
oxeo@server1:~$ sudo mkdir /var/log/mysql
+oxeo@server1:~$ sudo chown mysql:mysql /var/log/mysql
+
+ +

+Now edit the /etc/mysql/mariadb.conf.d/50-server.cnf adding the following lines under the [mysqld] section: +

+ +
[mysqld]
+server-id = 1
+log_bin = /var/log/mysql/mysql-bin.log
+binlog-ignore-db = test
+binlog-ignore-db = information_schema
+replicate-ignore-db = test
+replicate-ignore-db = information_schema
+relay-log = "mysql-relay-log"
+auto-increment-increment = 2
+auto-increment-offset = 1
+
+ +
    +
  • + server-id - sets a unique identifier for this MySQL server instance within a replication setup. Each server in a replication topology must have a distinct server-id. +
  • +
  • + log_bin - specifies the path to hold binary logging data used by Master to queue SQL events to send. +
  • +
  • + binlog-ignore-db - excludes metadata and testing databases from being logged in binlog. +
  • +
  • + replicate-ignore-db - same thing but prevents replication of those databases. +
  • +
  • + relay-log - specifies the path for relay log data used by the Slave to queue events received from Master. +
  • +
  • + auto-increment-increment - the same as number of master nodes, it ensures every second row insertion to prevent write collisions. +
  • +
  • + auto-increment-offset - the same as current server number, sets the first row index to write into. In our setup it will write odd rowse for server 1 and even for server 2. +
  • +
+ +

+Restart the MariaDB service to apply these changes: +

+ +
oxeo@server1:~$ sudo systemctl restart mariadb
+
+ +
+
+
+
+ +
+
+
+
+

MySQL Replication User

+ +

+Add a replication user on the first server using MySQL shell. +

+ +
oxeo@server1:~$ sudo mysql
+Welcome to the MariaDB monitor.  Commands end with ; or \g.
+Your MariaDB connection id is 56
+Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
+
+Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD';
+Query OK, 0 rows affected (0.001 sec)
+
+MariaDB [(none)]> grant replication slave on *.* to 'repl'@'%';
+Query OK, 0 rows affected (0.001 sec)
+
+ +

+You can generate a reasonably secure slave password with the following command: +

+ +
oxeo@server1:~$ tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12 && echo
+3adaQtXsu50w
+
+ +

+Replace YOUR_GENERATED_SLAVE_PASSWORD with the generated password and note it down for configuring the second server. +

+ +
+
+
+
+ +
+
+
+
+

Tor Configuration

+ +

+To make our MySQL instance accessible to the second server, create another hidden service in /etc/tor/torrc. You should have two hidden services: one public and one internal. +

+ +
HiddenServiceDir /var/lib/tor/veggie_service/
+HiddenServicePort 80 127.0.0.1:4440
+
+HiddenServiceDir /var/lib/tor/internal_service/
+HiddenServicePort 33061 127.0.0.1:3306
+
+ +

+Restart the Tor daemon to apply these changes (Tor will automatically create necessary directories and set permissions): +

+ +
oxeo@server1:~$ sudo systemctl restart tor
+
+ +

+Verify that the directories were successfully created. +

+ +
oxeo@server1:~$ sudo ls -la /var/lib/tor/internal_service
+total 23
+drwx--S--- 3 debian-tor debian-tor  6 Feb 16 17:23 .
+drwx--S--- 5 debian-tor debian-tor 11 Feb 16 17:23 ..
+drwx--S--- 2 debian-tor debian-tor  2 Feb 16 17:23 authorized_clients
+-rw------- 1 debian-tor debian-tor 63 Feb 16 17:23 hostname
+-rw------- 1 debian-tor debian-tor 64 Feb 16 17:23 hs_ed25519_public_key
+-rw------- 1 debian-tor debian-tor 96 Feb 16 17:23 hs_ed25519_secret_key
+
+ +

+Of course automatically generated hidden service hostname will be random so in order to use your generated vanity URLs, you need to put the appropriate keys in this directory.
+In my case I have generated vanity addresses on my computer so I tarred them (onions.tar) and transfered using scp: +

+ +
oxeo@main-pc:~$ scp onions.tar oxeo@server1:/tmp
+onions.tar                                    100%   20KB   4.9MB/s   00:00
+
+ +

+Now extract the archive on a remote server and copy keys to the hidden service directory. +

+ +
oxeo@server1:~$ cd /tmp
+oxeo@server1:/tmp$ tar xvf onions.tar 
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key
+
+oxeo@server1:/tmp$ sudo cp -v srvone*/* /var/lib/tor/veggie_service 
+'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname' -> '/var/lib/tor/veggie_service/hostname'
+'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key' -> '/var/lib/tor/veggie_service/hs_ed25519_public_key'
+'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/veggie_service/hs_ed25519_secret_key'
+
+oxeo@server1:/tmp$ sudo cp -v intone*/* /var/lib/tor/internal_service
+'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname' -> '/var/lib/tor/internal_service/hostname'
+'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key' -> '/var/lib/tor/internal_service/hs_ed25519_public_key'
+'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key' -> '/var/lib/tor/internal_service/hs_ed25519_secret_key'
+
+oxeo@server1:/tmp$ sudo rm -rv onions.tar *.onion
+
+ +

+If you haven't already, update the server_name also in /etc/nginx/sites-available/veggie-shop.conf: +

server {
+    listen 4440;
+    server_name srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion;
+    root /srv/shop/;
+    index index.php;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+    }
+}
+
+

+ +

+Restart Nginx and Tor once again, then verify you can access your veggie shop under new onion URL: +

+ +
oxeo@server1:~$ sudo systemctl restart tor nginx
+
+ + + +
+
+
+
+ + +
+
+
+
+

Socat Forwarding Service

+ +

+Now we need to create a systemd service forwarding MySQL traffic to the onion address.
+Here's how it will look like from the perspective of first server:
+ +

+ +

+To achieve this, create a new systemd service by creating file under /etc/systemd/system/socat-tor.service with following contents: +

+ +
[Unit]
+Description=Socat TCP Listener to SOCKS4A Proxy
+After=network.target tor.service
+Requires=tor.service
+
+[Service]
+ExecStart=/usr/bin/socat TCP-LISTEN:33062,fork,bind=127.0.0.1 SOCKS4A:127.0.0.1:inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion:33062,socksport=9050
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+ +

+Remember to replace inttwo[...].onion with your actual second server internal URL. +

+ +

+And enable the service: +

+ +
oxeo@server1:~$ sudo systemctl daemon-reload
+oxeo@server1:~$ sudo systemctl enable --now socat-tor
+
+ +
+
+
+
+ +
+
+
+
+

Part 2

+ +

+Now log into your 2nd server and run the commands listed below. They're mostly the same with very slight differences. When you need to change something I will add a note but generally, if you get stuck on something, you should look it up in the first part. +

+ +
+
+
+
+ +
+
+
+
+

MySQL Service Configuration

+ +
oxeo@server2:~$ sudo mkdir /var/log/mysql
+oxeo@server2:~$ sudo chown mysql:mysql /var/log/mysql
+
+ +

+/etc/mysql/mariadb.conf.d/50-server.cnf: +

+ +
[mysqld]
+server-id = 2
+log_bin = /var/log/mysql/mysql-bin.log
+binlog-ignore-db = test
+binlog-ignore-db = information_schema
+replicate-ignore-db = test
+replicate-ignore-db = information_schema
+relay-log = "mysql-relay-log"
+auto-increment-increment = 2
+auto-increment-offset = 2
+
+ +
oxeo@server2:~$ sudo systemctl restart mariadb
+
+ +
+
+
+
+ +
+
+
+
+

MySQL Replication User

+ +

+Now you can open MySQL shell on the first server and add replication user. +

+ +
oxeo@server2:~$ sudo mysql
+Welcome to the MariaDB monitor.  Commands end with ; or \g.
+Your MariaDB connection id is 56
+Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
+
+Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD';
+Query OK, 0 rows affected (0.001 sec)
+
+MariaDB [(none)]> grant replication slave on *.* to 'repl'@'%';
+Query OK, 0 rows affected (0.001 sec)
+
+ +

+Replace YOUR_GENERATED_SLAVE_PASSWORD with the one you generated earlier. +

+ +
+
+
+
+ +
+
+
+
+

Tor Configuration

+ +

+Add to /etc/tor/torrc: +

+ +
HiddenServiceDir /var/lib/tor/veggie_service/
+HiddenServicePort 80 127.0.0.1:4440
+
+HiddenServiceDir /var/lib/tor/internal_service/
+HiddenServicePort 33062 127.0.0.1:3306
+
+ +
oxeo@server2:~$ sudo systemctl restart tor
+
+ +
oxeo@server2:~$ sudo ls -la /var/lib/tor/internal_service
+total 23
+drwx--S--- 3 debian-tor debian-tor  6 Feb 16 17:23 .
+drwx--S--- 5 debian-tor debian-tor 11 Feb 16 17:23 ..
+drwx--S--- 2 debian-tor debian-tor  2 Feb 16 17:23 authorized_clients
+-rw------- 1 debian-tor debian-tor 63 Feb 16 17:23 hostname
+-rw------- 1 debian-tor debian-tor 64 Feb 16 17:23 hs_ed25519_public_key
+-rw------- 1 debian-tor debian-tor 96 Feb 16 17:23 hs_ed25519_secret_key
+
+ +
oxeo@main-pc:~$ scp onions.tar oxeo@server2:/tmp
+oxeo@server2's password: 
+onions.tar                                    100%   20KB   4.9MB/s   00:00
+
+ +
oxeo@server2:~$ cd /tmp
+oxeo@server2:/tmp$ tar xvf onions.tar 
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key
+srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key
+srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key
+inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname
+intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key
+
+oxeo@server2:/tmp$ sudo cp -v srvtwo*/* /var/lib/tor/veggie_service 
+'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname' -> '/var/lib/tor/veggie_service/hostname'
+'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key' -> '/var/lib/tor/veggie_service/hs_ed25519_public_key'
+'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/veggie_service/hs_ed25519_secret_key'
+
+oxeo@server2:/tmp$ sudo cp -v inttwo*/* /var/lib/tor/internal_service
+'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname' -> '/var/lib/tor/internal_service/hostname'
+'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key' -> '/var/lib/tor/internal_service/hs_ed25519_public_key'
+'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/internal_service/hs_ed25519_secret_key'
+
+oxeo@server2:/tmp$ sudo rm -rv onions.tar *.onion
+
+ +

+/etc/nginx/sites-available/veggie-shop.conf: +

server {
+    listen 4440;
+    server_name srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion;
+    root /srv/shop/;
+    index index.php;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+    }
+}
+
+

+ +
oxeo@server1:~$ sudo systemctl restart tor nginx
+
+ +
+
+
+
+ + +
+
+
+
+

Socat Forwarding Service

+ +

+/etc/systemd/system/socat-tor.service: +

+ +
[Unit]
+Description=Socat TCP Listener to SOCKS4A Proxy
+After=network.target tor.service
+Requires=tor.service
+
+[Service]
+ExecStart=/usr/bin/socat TCP-LISTEN:33061,fork,bind=127.0.0.1 SOCKS4A:127.0.0.1:intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion:33061,socksport=9050
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+ +

+Remember to replace intone[...].onion with your actual first server internal URL. +

+ +
oxeo@server2:~$ sudo systemctl daemon-reload
+oxeo@server2:~$ sudo systemctl enable --now socat-tor
+
+ +
+
+
+
+ +
+
+
+
+

Part 3 - MySQL Master Configuration

+ +

+To enable Master-Master replication, both databases must be synchronized. Export the database from the first server and restore it on the second one. +

+ +

+Dump the database on the first server and calculate its MD5 checksum: +

+ +
oxeo@server1:~$ sudo mysqldump -uroot --all-databases --master-data > master1dump.sql
+oxeo@server1:~$ md5sum master1dump.sql
+40c3cfa7e778cc276b6a3b670a3823a6
+
+ +

Transfer the dump to your second server using scp. First, transfer from the first server to your computer:

+ +
oxeo@main-pc:~$ scp oxeo@server1:/home/oxeo/master1dump.sql /tmp/master1dump.sql
+master1dump.sql                                       100% 2428KB 245.1MB/s   00:00
+
+ +

Then, transfer from your computer to the second server:

+ +
oxeo@main-pc:~$ scp /tmp/master1dump.sql oxeo@server2:/home/oxeo/master1dump.sql
+master1dump.sql                                       100% 2428KB 176.3MB/s   00:00 
+
+ +

Verify the MD5 checksum on the second server and restore the database if it matches:

+ +
oxeo@server2:~$ md5sum master1dump.sql
+40c3cfa7e778cc276b6a3b670a3823a6
+oxeo@server2:~$ sudo mysql -u root < master1dump.sql
+
+ +

+Finally, enable the Master role on each database. Here are the commands for the first server: +

+ +
oxeo@server1:~$ sudo mysql
+Welcome to the MariaDB monitor.  Commands end with ; or \g.
+Your MariaDB connection id is 56
+Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
+
+Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+MariaDB [(none)]> STOP SLAVE;
+Query OK, 0 rows affected (0.001 sec)
+
+MariaDB [(none)]> SHOW MASTER STATUS;
++------------------+----------+--------------+-------------------------+
+| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB        |
++------------------+----------+--------------+-------------------------+
+| mysql-bin.000001 |      328 |              | test,information_schema |
++------------------+----------+--------------+-------------------------+
+1 row in set (0.000 sec)
+
+MariaDB [(none)]> CHANGE MASTER TO master_host = '127.0.0.1', master_user = 'repl', master_port=33062, master_password='YOUR_GENERATED_SLAVE_PASSWORD', master_log_file = 'mysql-bin.000001', master_log_pos = 2490521;
+Query OK, 0 rows affected, 1 warning (0.004 sec)
+
+MariaDB [(none)]> START SLAVE;
+Query OK, 0 rows affected (0.001 sec)
+
+ +

+And on the second server: +

+ +
oxeo@server2:~$ sudo mysql
+Welcome to the MariaDB monitor.  Commands end with ; or \g.
+Your MariaDB connection id is 53
+Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
+
+Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+MariaDB [(none)]> STOP SLAVE;
+Query OK, 0 rows affected (0.001 sec)
+
+MariaDB [(none)]> SHOW MASTER STATUS;
++------------------+----------+--------------+-------------------------+
+| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB        |
++------------------+----------+--------------+-------------------------+
+| mysql-bin.000001 |  2490521 |              | test,information_schema |
++------------------+----------+--------------+-------------------------+
+1 row in set (0.000 sec)
+
+MariaDB [(none)]> CHANGE MASTER TO master_host = '127.0.0.1', master_user = 'repl', master_port=33061, master_password='YOUR_GENERATED_SLAVE_PASSWORD', master_log_file = 'mysql-bin.000001', master_log_pos = 328;
+Query OK, 0 rows affected, 1 warning (0.022 sec)
+
+MariaDB [(none)]> START SLAVE;
+Query OK, 0 rows affected (0.001 sec)
+
+ +

+Replace YOUR_GENERATED_SLAVE_PASSWORD with the one you generated earlier. +

+ +

+Now a breakdown of what they do: +

    +
  • + STOP SLAVE - stops the Slave role. We need to stop it temporarily when configuring Master parameters. +

  • +
  • + SHOW MASTER STATUS - displays information about the binary log status of Master server. Here, the Position column is the most important. It indicates the position within the binary log file where replication or recovery would begin. In the next command you need to put the Position value from the 2nd database into the master_log_pos of the 1st database. And the other way around for the master_log_pos on 2nd database. +

  • +
  • + CHANGE MASTER TO [...] - tells the database to connect to Master at socat forwared port with the password we configured for repl user. The replication should start from master_log_pos as described above. +

  • +
  • + START SLAVE - starts the Slave role with a newly configured Master. +
  • +
+

+ +
+
+
+
+ +
+
+
+
+

Closing Remarks

+ +

+Congratulations! - You have just succesfully configured MySQL replication over Tor. Not many people ever achieved that ;) +

+ +

+If you need even more security for inter-server communication, you cloud configure Client Authorization. Nowadays it shouldn't be necessary unless your internal onion URL has been compromised. It provides additional protection by requiring a private key approved by your Hidden Service to access internal services. +

+ +

+In the next tutorial of this series, we will configure Onionbalance - a service that automatically distributes requests over multiple backends on the same onion URL. +

+ +

+Additional resources +

+

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
+ +

+
+ +
+

My Links

+

+ + RSS Feed
SimpleX Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: + 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +


+

Donate XMR to the author: + 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ

+

Contact: nihilist@contact.nowhere.moe (PGP)

+
+ +
+ +
+
+ + + + + + +
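Review bot: in the Part 2 "MySQL Replication User" section the text says `Now you can open MySQL shell on the first server and add replication user.` while the prompt below it is `oxeo@server2:~$ sudo mysql`; this should read "second server", and the same copy-paste slip appears at the end of Part 2's Tor Configuration, where `oxeo@server1:~$ sudo systemctl restart tor nginx` should be `oxeo@server2`. The vanity-URL note in Prerequisites is inverted: the digits 2-7 are the ones that are in the base32 alphabet, and 0, 1, 8 and 9 are the ones that cannot appear in an onion address, so reword to "only the digits 2-7 can appear in an onion URL, because 0, 1, 8 and 9 are not part of the base32 alphabet". On the replication account, `CREATE USER 'repl'@'%'` is wider than the setup needs: each master only ever receives replication connections from its own Tor daemon via `HiddenServicePort 33061 127.0.0.1:3306` (33062 on the second server), so the user can be created as `'repl'@'127.0.0.1'` (or `'localhost'` if name resolution is enabled), which keeps the account unusable from any other source should MariaDB later be bound to a non-loopback address. The rest of the procedure is consistent: the `master_log_pos` values swapped between the two `CHANGE MASTER TO` statements match the two `SHOW MASTER STATUS` outputs, and the mysqldump/restore happens before those positions are read.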