31 changes: 31 additions & 0 deletions en/enable-tls-for-mysql-client.md
Expand Up @@ -669,6 +669,10 @@ In this step, you create a TiDB cluster and perform the following operations:

## Configure the MySQL client to use an encrypted connection

> **Note:**
>
> By default the client certificate is not validated by the server. Use [`ALTER USER`](https://docs.pingcap.com/tidb/stable/sql-statement-alter-user/) to configure the account with `REQUIRE X509` or other constraints on the client certificate.

To connect the MySQL client with the TiDB cluster, use the client-side certificate created above and take the following methods. For details, refer to [Configure the MySQL client to use encrypted connections](https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers#configure-the-mysql-client-to-use-encrypted-connections).

Execute the following command to acquire the client-side certificate and connect to the TiDB server:
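Review bot: the new note needs a comma after "By default" and should spell out what "not validated" means for the reader, because the next sentence is the actual instruction: without an account constraint the server does not check the client certificate, and `REQUIRE X509` (or another `REQUIRE` constraint) is what turns that check on. Suggest "By default, the server does not validate the client certificate. Use [`ALTER USER`](...) to configure the account with `REQUIRE X509` or other constraints on the client certificate." In the paragraph below, "use the client-side certificate created above and take the following methods" is unclear; "use the client-side certificate created above with one of the following methods" reads better.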
Expand All @@ -688,3 +692,30 @@ mysql --comments -uroot -p -P 4000 -h ${tidb_host} --ssl-cert=client-tls.crt --s
```

Finally, to verify whether TLS is successfully enabled, refer to [checking the current connection](https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers#check-whether-the-current-connection-uses-encryption).

## TiProxy

When using TiProxy in front of a set of TiDB servers you also need to configure TLS for it.

Depending on the `TiProxyCertLayout` a different certificate layout is chosen:

- not set: This is the legacy layout.
- `v1`: This is version one of the layout. This is recommended.

There are TLS settings for these components of TiProxy:

- `security.cluster-tls`: used to access other hosts in the cluster as a client.

We do mTLS between components of a TC so that this cert is presented as both server-side cert and client-side cert.

- `security.server-tls`: used for serving MySQL protocol access on port 6000.
- `security.sql-tls`: used to access TiDB as a client.
- `security.server-http-tls` used to serve HTTP services on port 3080.

See also [the security section of the configuration](https://docs.pingcap.com/tidb/stable/tiproxy-configuration/#security).

TiProxy will try to use the TLS secret from TiDB for client/server connections by default. If you do this make sure these certificates also contain the hostname of the TiProxy hosts.

Other settings that influence this:

- `tlsCluster.enabled`
- `tlsClient.enabled`

The certificates can be generated with cfssl or cert-manager.
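Review bot: the `security.cluster-tls` bullet describes only the client role ("used to access other hosts in the cluster as a client"), but the inline comment states this certificate is presented as both the server-side and client-side certificate for mTLS between components; the bullet should say so, since whoever issues the certificate needs to know it must be valid in both roles. Suggest: "`security.cluster-tls`: used for mTLS between cluster components; the same certificate is presented as both the server-side and client-side certificate." Smaller points in the same hunk: `security.server-http-tls` is missing the colon the other bullets use; `TiProxyCertLayout` is introduced without saying where in the spec it is set; `tlsCluster.enabled` and `tlsClient.enabled` are listed under "Other settings that influence this" without saying what each one toggles; and "If you do this make sure" needs a comma after "this".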