I have added an entry to my HAProxy connection to connect to a MySQL database. It is only for reading at present, not writing.
I have set it up as follows:
frontend db_read_port33517
mode tcp
option tcplog
bind *:33517
default_backend db_slave_con
backend db_slave_con
option mysql-check user haproxy post-41
server database1 1.2.3.4:3307 check port 3307
server database2 1.2.3.5:3307 check port 3307 backup
It is MySQL 5.7, and I have added a basic user to MySQL:
CREATE USER 'haproxy'@'1.0.0.0/255.0.0.0' IDENTIFIED BY 'some_password';
But looking at the the stats page, it can't connect to either database. This is the first time I have used the mysql-check option, but I'm guessing I have missed something, but having been through all the notes I can't see what it is?
n.b. the databases both exist, and I can connect to them with the haproxy user..
Looking in the logs, I can see I am getting 0Access denied for user 'haproxy'@'1.2.3.6'. I have modified the user to be haproxy@% but that makes no difference.
I am guessing that it is because the user was created with a password, (our policy dictates all database users must have a password) and HAProxy isn't passing across the password. Is there a way to specify the password in the HAProxy config?
It seems that I was right, as soon as I removed the password, HAProxy could see the databases. I've gone through the notes for HAProxy, and there doesn't appear to be any way to specify a password.
Whilst I appreciate it is only using that user to connect / disconnect this still seems like a bit of a security issue, as I now have a user in my database with no password. The best I can do for now I think is lock down the IP Address for the user as tightly as possible.