Authentication Methods

Overview

ProxySQL supports distinct authentication mechanisms depending on the direction of the connection.

Frontend Authentication (Clients → ProxySQL)

Method	Notes
`mysql_native_password`	Supported in all versions
`mysql_clear_password`	Supported in all versions
`caching_sha2_password`	Full support from v2.6.0; v2.0.2–2.5.x requires cleartext passwords
SPIFFE	Passwordless X.509 certificate-based authentication
LDAP	Directory-based authentication

Backend Authentication (ProxySQL → Databases)

Method	Notes
`mysql_native_password`	Supported in all versions
`mysql_clear_password`	Supported in all versions
`caching_sha2_password`	Full support from v2.6.0

Version-Specific Notes

Pre-2.0.2 — No caching_sha2_password support at all
2.0.2–2.5.x — Frontend caching_sha2_password requires passwords stored in cleartext
2.6.0+ — Full caching_sha2_password support for both frontend and backend with flexible password storage

Configuration

-- Set default authentication plugin
SET mysql-default_authentication_plugin='mysql_native_password';
LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL VARIABLES TO DISK;

Users are configured in the mysql_users table. See Users Configuration.

Known Limitations

Passwords starting with * may cause detection mechanism failures
Authentication method switching during handshakes presents challenges with caching_sha2_password
MariaDB clients using caching_sha2_password require the --ssl flag for versions before 10.10

Overview​

Frontend Authentication (Clients → ProxySQL)​

Backend Authentication (ProxySQL → Databases)​

Version-Specific Notes​

Configuration​

Known Limitations​

See Also​

Overview

Frontend Authentication (Clients → ProxySQL)

Backend Authentication (ProxySQL → Databases)

Version-Specific Notes

Configuration

Known Limitations

See Also