This topic describes how to configure Secure Sockets Layer (SSL) encryption for a proxy endpoint on an ApsaraDB RDS for MySQL instance. The dedicated proxy of your RDS instance provides advanced features, such as proxy terminal, connection pool, and transaction splitting. You can use SSL encryption to protect data in transit to a proxy endpoint.

Prerequisites

  • Your RDS instance runs one of the following MySQL versions and RDS editions:
    • MySQL 8.0 on RDS High-availability Edition with local SSDs (The minor engine version is 20200831 or later.)
    • MySQL 5.7 on RDS High-availability Edition with local SSDs (The minor engine version is 20200831 or later.)
    • MySQL 5.6 on RDS High-availability Edition with local SSDs (The minor engine version is 20200831 or later.)
    Note: If read-only RDS instances are attached to your RDS instance, the read-only RDS instances must meet the requirements that are described in Update the minor engine version of an ApsaraDB RDS for MySQL instance.
  • The dedicated proxy is enabled. For more information, see Enable the dedicated proxy service for an ApsaraDB RDS for MySQL instance.
  • The dedicated proxy version of your RDS instance is V1.12.8 or later. For more information, see Upgrade the dedicated proxy version of an ApsaraDB RDS for MySQL instance.
  • The total length of the proxy endpoint that you want to protect does not exceed 64 characters.
  • You are logged on to the new ApsaraDB RDS console. You can configure SSL encryption for a proxy endpoint only by using the new ApsaraDB RDS console. If you are logged on to the original ApsaraDB RDS console, you can click Try New Version in the lower-right corner of the page to switch to the new ApsaraDB RDS console.

Precautions

  • SSL encryption can be configured for only one proxy endpoint per proxy terminal.
  • If you enable or disable SSL encryption, change the protected proxy endpoint, or update the validity period of the SSL certificate, your RDS instance restarts. Proceed with caution.

Enable SSL encryption

Notice: This operation triggers a restart of your RDS instance. Proceed with caution.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Database Proxy.
  3. Click the Proxy Terminal (Original Read/Write Splitting) tab.
  4. Find the proxy terminal to which the proxy endpoint that you want to protect belongs. Turn on the switch next to SSL Certificate Information. In the dialog box that appears, select the proxy endpoint that you want to protect, and click OK.
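
After the restart completes, one way to confirm that the protected proxy endpoint now offers TLS is to read the greeting it sends to a new connection. The following is an added example, not code from the original page or from ApsaraDB; it assumes the endpoint sends a standard MySQL HandshakeV10 greeting, and the function names, the default port 3306 and the sample greeting are constructed for illustration.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # MySQL capability bit: the server accepts a TLS upgrade

def parse_greeting(packet: bytes) -> dict:
    """Parse a MySQL HandshakeV10 packet (4-byte header plus payload)."""
    if len(packet) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if not payload or len(payload) < length:
        raise ValueError("truncated payload")
    if payload[0] != 10:  # 0xFF here would be an ERR packet, e.g. host blocked
        raise ValueError(f"not a HandshakeV10 greeting (first byte {payload[0]:#x})")
    end = payload.index(b"\x00", 1)  # server version string is NUL-terminated
    pos = end + 1 + 4 + 8 + 1        # skip thread id, auth data part 1, filler
    if len(payload) < pos + 2:
        raise ValueError("greeting too short for capability flags")
    caps = struct.unpack_from("<H", payload, pos)[0]
    if len(payload) >= pos + 7:      # upper 16 bits follow charset and status
        caps |= struct.unpack_from("<H", payload, pos + 5)[0] << 16
    return {"version": payload[1:end].decode("ascii", "replace"),
            "capabilities": caps, "tls_offered": bool(caps & CLIENT_SSL)}

def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during greeting")
        buf += chunk
    return buf

def probe(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Read the greeting from a live endpoint; 3306 is an assumed default port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = _read_exact(s, 4)
        body = _read_exact(s, int.from_bytes(header[:3], "little"))
    return parse_greeting(header + body)

def make_greeting(caps: int, version: bytes = b"8.0.0-constructed") -> bytes:
    """Constructed sample greeting for offline checks, not captured traffic."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", 1) + b"A" * 8
               + b"\x00" + struct.pack("<H", caps & 0xFFFF) + b"\x21"
               + struct.pack("<HH", 2, caps >> 16) + b"\x15" + b"\x00" * 10)
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    print(parse_greeting(make_greeting(0x0A00))["tls_offered"])  # constructed input
```

An advertised CLIENT_SSL bit only shows that TLS is available on the endpoint; clients still need to require it (for example, `--ssl-mode=REQUIRED` in the MySQL 5.7 and later command-line client), otherwise they can connect unencrypted.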

Change the protected proxy endpoint

Notice: This operation triggers an update to the validity period of the SSL certificate. This operation also triggers a restart of your RDS instance. Proceed with caution.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Database Proxy.
  3. Click the Proxy Terminal (Original Read/Write Splitting) tab.
  4. Find the proxy terminal to which the protected proxy endpoint belongs. Click Change Protected Endpoint to the right of Protected Endpoint. In the dialog box that appears, select a new proxy endpoint and click OK.

Update the validity period of the SSL certificate

Notice: This operation triggers a restart of your RDS instance. Proceed with caution.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Database Proxy.
  3. Click the Proxy Terminal (Original Read/Write Splitting) tab.
  4. Find the proxy terminal to which the protected proxy endpoint belongs. Click Update Expiration Time to the right of SSL Certificate Information. In the message that appears, click OK.

Disable SSL encryption

Notice: This operation triggers a restart of your RDS instance. Proceed with caution.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Database Proxy.
  3. Click the Proxy Terminal (Original Read/Write Splitting) tab.
  4. Find the proxy terminal to which the protected proxy endpoint belongs. Turn off the switch next to SSL Certificate Information. In the message that appears, click OK.

Related operations

Operation                  Description
ModifyDbProxyInstanceSsl   Configures SSL encryption for a proxy endpoint of an RDS instance.
GetDbProxyInstanceSsl      Queries the SSL encryption settings for a proxy endpoint of an RDS instance.