SPIFFE Support

Overview

ProxySQL supports SPIFFE (Secure Production Identity Framework For Everyone) authentication, enabling workload identity verification through X.509 certificates with Subject Alternative Name (SAN) URI fields.

Configuration

User Attribute Setup

The spiffe_id user attribute must be configured with the target workload identifier:

UPDATE mysql_users SET attributes='{"spiffe_id": "spiffe://example.org/workload-proxysql"}'
WHERE username='myuser';
LOAD MYSQL USERS TO RUNTIME;

Note: the spiffe:// prefix is mandatory.

Client Connection Requirements

  • Client must supply an SSL certificate verifiable against proxysql-cert.pem
  • Certificate must contain an X509v3 SAN URI matching the configured spiffe_id

Regular Expression Support

Since version 2.4.0, regex patterns are supported by prefixing the spiffe_id value with !:

{"spiffe_id": "!spiffe:\\/\\/example\\.org\\/workload-proxysql\\/.*"}

This allows matching multiple certificates, e.g.:

  • spiffe://example.org/workload-proxysql/service-A
  • spiffe://example.org/workload-proxysql/service-B
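To make the two forms of the spiffe_id attribute concrete, the following is an added example written for this page, not ProxySQL's own matching code. It parses the attributes JSON exactly as shown above (note that the doubled backslashes in the JSON literal decode to single backslashes in the regex), treats a value starting with ! as a regex and any other value as an exact string, and ignores SAN URIs that do not start with spiffe, mirroring the limitation stated further down. The anchored match (re.fullmatch) is a choice made here; confirm how your ProxySQL version anchors the pattern before relying on it.

```python
"""Added illustration of spiffe_id matching (not ProxySQL source code).

Assumptions made here, not taken from the page: the attribute is parsed as JSON,
a value beginning with '!' is applied as an anchored regular expression, any
other value must equal the SAN URI byte for byte, and only SAN URIs beginning
with 'spiffe' are considered for SPIFFE verification at all.
"""
import json
import re
from typing import Dict, Iterable, Optional

SPIFFE_PREFIX = "spiffe://"

# Constructed sample attribute values, taken in shape from the two forms on this page.
EXACT_ATTR = '{"spiffe_id": "spiffe://example.org/workload-proxysql"}'
# Raw string so the JSON text keeps its doubled backslashes; json.loads turns
# each '\\/' into '\/' and each '\\.' into '\.' for the regex engine.
REGEX_ATTR = r'{"spiffe_id": "!spiffe:\\/\\/example\\.org\\/workload-proxysql\\/.*"}'


def parse_spiffe_attribute(attributes_json: str) -> Optional[str]:
    """Return the spiffe_id value from a mysql_users.attributes JSON document.

    Returns None when no spiffe_id is configured. Raises ValueError when the
    mandatory spiffe:// prefix is missing (for the '!' regex form the pattern
    itself must begin with 'spiffe', e.g. 'spiffe:\\/\\/' as on this page).
    """
    attrs = json.loads(attributes_json)
    value = attrs.get("spiffe_id")
    if value is None:
        return None
    bare = value[1:] if value.startswith("!") else value
    if not bare.startswith("spiffe"):
        raise ValueError("spiffe_id must start with the spiffe:// prefix")
    if not value.startswith("!") and not value.startswith(SPIFFE_PREFIX):
        raise ValueError("spiffe_id must start with the spiffe:// prefix")
    return value


def san_uri_matches(configured: str, san_uri: str) -> bool:
    """Decide whether a client certificate's SAN URI satisfies the configured spiffe_id."""
    # Only URIs starting with 'spiffe' take part in SPIFFE verification.
    if not san_uri.startswith("spiffe"):
        return False
    if configured.startswith("!"):
        # Regex form (ProxySQL >= 2.4.0). fullmatch anchors both ends, so a URI
        # from another trust domain cannot satisfy the pattern by containing it.
        return re.fullmatch(configured[1:], san_uri) is not None
    return configured == san_uri


def evaluate(attributes_json: str, san_uris: Iterable[str]) -> Dict[str, bool]:
    """Apply one user's spiffe_id attribute to several candidate SAN URIs."""
    configured = parse_spiffe_attribute(attributes_json)
    if configured is None:
        return {uri: False for uri in san_uris}
    return {uri: san_uri_matches(configured, uri) for uri in san_uris}


if __name__ == "__main__":
    # Constructed candidate SAN URIs: the two from the page plus two that should fail.
    candidates = [
        "spiffe://example.org/workload-proxysql",
        "spiffe://example.org/workload-proxysql/service-A",
        "spiffe://example.org/workload-proxysql/service-B",
        "spiffe://other.org/workload-proxysql/service-A",
        "https://example.org/workload-proxysql",
    ]
    for label, attr in (("exact", EXACT_ATTR), ("regex", REGEX_ATTR)):
        print(f"--- {label}: {parse_spiffe_attribute(attr)}")
        for uri, ok in evaluate(attr, candidates).items():
            print(f"{'ALLOW' if ok else 'deny ':5} {uri}")
```

Running the script shows that the exact form admits only the one identifier, while the regex form admits service-A and service-B but not the bare workload identifier (the pattern requires a trailing slash) and not an identifier from a different trust domain.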

Intermediate CA Certificate Integration

When using SPIRE or similar implementations that generate intermediate CA certificates, bundle them into proxysql-ca.pem:

cat IntermediateCA.pem proxysql-ca.pem > proxysql-ca.pem.tmp && mv proxysql-ca.pem.tmp proxysql-ca.pem

Limitations

  • ProxySQL does not support mTLS for standard SSL connections
  • SPIFFE certificate verification only occurs when the SAN URI starts with spiffe
  • COM_CHANGE_USER is not supported for SPIFFE-authenticated connections