Firewall Whitelist
Overview
ProxySQL 2.0.9 introduced firewall capabilities to manage query access through whitelisting. Rather than creating thousands of rules to block queries, this feature enables administrators to explicitly permit specific queries per user and schema.
Key Tables
mysql_firewall_whitelist_users
Defines users subject to whitelist enforcement with three operational modes:
| Mode | Behaviour |
|---|---|
| OFF | Permits all queries |
| DETECTING | Allows any query, but queries not explicitly whitelisted generate an error log entry |
| PROTECTING | Only executes whitelisted queries; blocks all others |
mysql_firewall_whitelist_rules
Contains approved query digests for specific user/schema combinations. Lookup is performed after mysql_query_rules processing.
Configuration Steps
- Collect traffic data from stats_mysql_query_digest
- Populate mysql_firewall_whitelist_users with target accounts
- Insert approved query digests into mysql_firewall_whitelist_rules
- Execute LOAD MYSQL FIREWALL TO RUNTIME
- Enable globally via mysql-firewall_whitelist_enabled = 1
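The five steps above carried out end to end on the ProxySQL admin interface, as an added example (it is not code from this page or from the ProxySQL project). The account name app_user, the schema appdb, and the comment strings are constructed; the column lists for mysql_firewall_whitelist_users (active, username, client_address, mode, comment), mysql_firewall_whitelist_rules (active, username, client_address, schemaname, flagIN, digest, comment), the client_address column of stats_mysql_query_digest, and the runtime_ copies of the firewall tables are assumed to match the ProxySQL 2.0.9+ definitions. The rollout starts in DETECTING mode so that a digest missed during collection shows up in the error log instead of as a blocked query.

```sql
-- Added example, not ProxySQL's own code. Run on the admin interface
-- (typically port 6032). Names 'app_user' and 'appdb' are constructed;
-- column names are assumed to match the ProxySQL 2.0.9+ schema.

-- 1. Collect traffic data: inspect what the account has actually sent during
--    a representative observation window before trusting it as a baseline.
SELECT username, client_address, schemaname, digest, digest_text, count_star
FROM stats_mysql_query_digest
WHERE username = 'app_user' AND schemaname = 'appdb'
ORDER BY count_star DESC;

-- 2. Populate the users table, one row per observed source address, starting
--    in DETECTING so that nothing is blocked yet.
INSERT OR REPLACE INTO mysql_firewall_whitelist_users
  (active, username, client_address, mode, comment)
SELECT DISTINCT 1, username, client_address, 'DETECTING', 'allowlist rollout'
FROM stats_mysql_query_digest
WHERE username = 'app_user';

-- 3. Insert the observed digests as approved rules. Review the output of step 1
--    first: anything captured in the window, expected or not, would be permitted.
INSERT OR REPLACE INTO mysql_firewall_whitelist_rules
  (active, username, client_address, schemaname, flagIN, digest, comment)
SELECT DISTINCT 1, username, client_address, schemaname, 0, digest, 'observed baseline'
FROM stats_mysql_query_digest
WHERE username = 'app_user' AND schemaname = 'appdb';

-- 4. Activate the firewall tables and persist them.
LOAD MYSQL FIREWALL TO RUNTIME;
SAVE MYSQL FIREWALL TO DISK;

-- 5. Enable the feature globally and set the message blocked clients receive.
SET mysql-firewall_whitelist_enabled = 1;
SET mysql-firewall_whitelist_errormsg = 'Query blocked by ProxySQL firewall';
LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL VARIABLES TO DISK;

-- Verification: while in DETECTING mode, non-whitelisted queries still execute
-- but are written to the error log. Once the log is clean for a full business
-- cycle, promote the account to PROTECTING.
UPDATE mysql_firewall_whitelist_users
SET mode = 'PROTECTING'
WHERE username = 'app_user';
LOAD MYSQL FIREWALL TO RUNTIME;
SAVE MYSQL FIREWALL TO DISK;

-- Confirm what is actually enforced at runtime (assumed runtime_ table names).
SELECT username, client_address, mode
FROM runtime_mysql_firewall_whitelist_users;
SELECT username, schemaname, COUNT(*) AS rules
FROM runtime_mysql_firewall_whitelist_rules
GROUP BY username, schemaname;
```

Because the whitelist lookup runs after mysql_query_rules processing, collect the baseline with the same query rules that will be active in production; a digest recorded under a different rule set may not be the one the firewall later sees.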
Global Variables
| Variable | Description |
|---|---|
| mysql-firewall_whitelist_enabled | Toggle firewall on/off |
| mysql-firewall_whitelist_errormsg | Custom error message for blocked queries |
Management Commands
```sql
LOAD MYSQL FIREWALL TO RUNTIME;
LOAD MYSQL FIREWALL FROM MEMORY;
SAVE MYSQL FIREWALL TO DISK;
SAVE MYSQL FIREWALL FROM MEMORY;
LOAD MYSQL FIREWALL TO MEMORY;
LOAD MYSQL FIREWALL FROM DISK;
```