1 of 1

MaxScale 25.01 Securing Your MaxScale Deployment

Securing Your MaxScale Deployment

There are five main components that you need to make sure are completed before you go into production:

Encrypting Plaintext Passwords
Securing the GUI Interface
Managing Users & Passwords
Enabling Audit Logging
Encrypting Database Connections

Encrypting Plaintext Passwords

Ensuring the security of your MaxScale setup involves stringent control over the key file permissions. Utilizing is an effective approach to generate a secure key file.

This generates a keyfile in /var/lib/maxscale

See for more information about maxkeys.

Once generated, this key file can be relocated to a secure location. This key file serves a dual purpose: it enables the encryption of passwords and facilitates MaxScale in decrypting those encrypted passwords.

To maintain confidentiality, it is crucial to adjust the ownership and permissions of the key file appropriately using chown. This step ensures that the key file remains secure and inaccessible to unauthorized users.

Following the secure setup of the key file, you can proceed to encrypt the plaintext passwords of users already created in your databases.

These encrypted passwords can then replace the plaintext passwords in your MaxScale configuration (CNF) files. This enhances the overall security of your database system by reducing the risk that passwords are accidentally shared.

Securing the GUI Interface

To enhance the security of your MaxScale environment, it’s crucial to configure the GUI host address properly. The default setting, 0.0.0.0, allows unrestricted access from any network, which poses a significant security risk. Instead, you should set the admin_host to a more secure address. Additionally, you can change the default port (8989) to another port for added security. For example, you can restrict access to the localhost by setting:

Alternatively, you can specify an internal network IP address to limit access within your internal network, such as:

If you need to allow external access, ensure that the network is adequately secured and that only authorized users can access the MaxScale interface. Consult with your network administrator to determine the most appropriate and secure configuration.

Enabling TLS Encryption

To further secure your MaxScale setup, enable TLS encryption for data in transit. Follow these steps to configure SSL:

1. Set Up SSL Keys and Certificates:

Generate SSL keys and certificates. See
Add them to the MaxScale configuration file.

2. Update the MaxScale Configuration:

Enable secure connections by setting admin_secure_gui to true.
Specify the paths to the SSL certificate and key files in your CNF file:

3. Verify Encryption:

Use the Maxctrl command to verify that TLS encryption is functioning correctly:

4. Update Default Credentials:

It’s essential to change the default admin passwords. Create a new user with a strong password and remove the default admin user for enhanced security.

Managing Users & Passwords

MaxScale allows you to manage user access to its GUI, offering different permission levels to suit various operational needs. Currently, MaxScale supports two primary roles: admin and basic. This functionality is particularly useful for organizations with hierarchical structures or distinct departments, enabling you to grant status view access without allowing execution or manipulation capabilities.

Creating and Deleting Users

To create or delete users in the MaxScale GUI, you can use the maxctrl command. Here’s an example of creating a user with administrative privileges:

To remove an existing user, such as the default admin user, you can use the following command:

Managing Users in the GUI

The MaxScale GUI also provides functionality to manage user access and update the admin password. Through the GUI, you can:

Add Users: Create users with basic or admin access.
Modify User Permissions: Change roles as needed to adapt to evolving security requirements.
Update Admin Password: Enhance security by regularly updating the admin password.

By leveraging these features, you can ensure that your MaxScale environment remains secure and that user access is appropriately managed according to your organization’s needs.

Enabling Audit Logging

Turn on admin auditing to log all login, connection, and configuration changes. Choose an audit file location and set up log rotation.

Enabling and Managing Admin Auditing in MaxScale

Admin auditing in MaxScale provides comprehensive tracking of all administrative activities, including logins, connections, and modifications. These activities are recorded in an audit file for enhanced security and traceability.

To enable admin auditing, add the following configuration to your MaxScale configuration file:

This configuration activates auditing and specifies the location of the audit file. Ensure that the specified directory exists before restarting MaxScale.

Setting Up and Managing Audit Logs

1. Enable Auditing:

Add the configuration lines to your MaxScale configuration file.
Verify the directory specified in admin_audit_file exists.

2. Audit File Management:

Implement log rotation to manage the size and number of audit files. This can be achieved using standard Linux log rotation tools. See

For manual log rotation, you can use the following MaxCtrl command:

Encrypting Database Connections

Configuring SSL Encryption for MaxScale with an Encrypted MariaDB Server

If you have already implemented encryption on your MariaDB server, it’s crucial to extend this encryption configuration to MaxScale to ensure secure communication. Once encryption is enabled on your MariaDB server, follow these steps to configure MaxScale to utilize SSL.

Steps to Configure SSL in MaxScale:

1. Enable SSL:

Add ssl=true to each server section in your MaxScale configuration file.

2. Verify Peer Certificates:

Add ssl_verify_peer_certificate=true to ensure that MaxScale verifies the server’s SSL certificates, providing an additional layer of security.

Your MaxScale configuration file should look something like this:

These settings instruct MaxScale to use SSL for connections to the MariaDB server and to verify peer certificates, enhancing the security of data in transit.

_{This page is licensed: CC BY-SA / Gnu FDL}

MaxScale 25.01 Securing Your MaxScale Deployment

Securing Your MaxScale Deployment

There are five main components that you need to make sure are completed before you go into production:

Encrypting Plaintext Passwords
Securing the GUI Interface
Managing Users & Passwords
Enabling Audit Logging
Encrypting Database Connections

Encrypting Plaintext Passwords

Ensuring the security of your MaxScale setup involves stringent control over the key file permissions. Utilizing is an effective approach to generate a secure key file.

This generates a keyfile in /var/lib/maxscale

See for more information about maxkeys.

Following the secure setup of the key file, you can proceed to encrypt the plaintext passwords of users already created in your databases.

Securing the GUI Interface

Alternatively, you can specify an internal network IP address to limit access within your internal network, such as:

Enabling TLS Encryption

To further secure your MaxScale setup, enable TLS encryption for data in transit. Follow these steps to configure SSL:

1. Set Up SSL Keys and Certificates:

Generate SSL keys and certificates. See
Add them to the MaxScale configuration file.

2. Update the MaxScale Configuration:

Enable secure connections by setting admin_secure_gui to true.
Specify the paths to the SSL certificate and key files in your CNF file:

3. Verify Encryption:

Use the Maxctrl command to verify that TLS encryption is functioning correctly:

4. Update Default Credentials:

It’s essential to change the default admin passwords. Create a new user with a strong password and remove the default admin user for enhanced security.

Managing Users & Passwords

Creating and Deleting Users

To create or delete users in the MaxScale GUI, you can use the maxctrl command. Here’s an example of creating a user with administrative privileges:

To remove an existing user, such as the default admin user, you can use the following command:

Managing Users in the GUI

The MaxScale GUI also provides functionality to manage user access and update the admin password. Through the GUI, you can:

Add Users: Create users with basic or admin access.
Modify User Permissions: Change roles as needed to adapt to evolving security requirements.
Update Admin Password: Enhance security by regularly updating the admin password.

By leveraging these features, you can ensure that your MaxScale environment remains secure and that user access is appropriately managed according to your organization’s needs.

Enabling Audit Logging

Turn on admin auditing to log all login, connection, and configuration changes. Choose an audit file location and set up log rotation.

Enabling and Managing Admin Auditing in MaxScale

To enable admin auditing, add the following configuration to your MaxScale configuration file:

This configuration activates auditing and specifies the location of the audit file. Ensure that the specified directory exists before restarting MaxScale.

Setting Up and Managing Audit Logs

1. Enable Auditing:

Add the configuration lines to your MaxScale configuration file.
Verify the directory specified in admin_audit_file exists.

2. Audit File Management:

Implement log rotation to manage the size and number of audit files. This can be achieved using standard Linux log rotation tools. See

For manual log rotation, you can use the following MaxCtrl command:

Encrypting Database Connections

Configuring SSL Encryption for MaxScale with an Encrypted MariaDB Server

Steps to Configure SSL in MaxScale:

1. Enable SSL:

Add ssl=true to each server section in your MaxScale configuration file.

2. Verify Peer Certificates:

Add ssl_verify_peer_certificate=true to ensure that MaxScale verifies the server’s SSL certificates, providing an additional layer of security.

Your MaxScale configuration file should look something like this:

These settings instruct MaxScale to use SSL for connections to the MariaDB server and to verify peer certificates, enhancing the security of data in transit.

_{This page is licensed: CC BY-SA / Gnu FDL}

MaxScale 25.01 Securing Your MaxScale Deployment

hashtagSecuring Your MaxScale Deployment

hashtagEncrypting Plaintext Passwords

hashtagSecuring the GUI Interface

hashtagEnabling TLS Encryption

hashtagManaging Users & Passwords

hashtagCreating and Deleting Users

hashtagManaging Users in the GUI

hashtagEnabling Audit Logging

hashtagEnabling and Managing Admin Auditing in MaxScale

hashtagSetting Up and Managing Audit Logs

hashtagEncrypting Database Connections

hashtag1. Enable SSL:

hashtag2. Verify Peer Certificates:

MaxScale 25.01 Securing Your MaxScale Deployment

hashtagSecuring Your MaxScale Deployment

hashtagEncrypting Plaintext Passwords

hashtagSecuring the GUI Interface

hashtagEnabling TLS Encryption

hashtagManaging Users & Passwords

hashtagCreating and Deleting Users

hashtagManaging Users in the GUI

hashtagEnabling Audit Logging

hashtagEnabling and Managing Admin Auditing in MaxScale

hashtagSetting Up and Managing Audit Logs

hashtagEncrypting Database Connections

hashtag1. Enable SSL:

hashtag2. Verify Peer Certificates:

Securing Your MaxScale Deployment

Encrypting Plaintext Passwords

Securing the GUI Interface

Enabling TLS Encryption

Managing Users & Passwords

Creating and Deleting Users

Managing Users in the GUI

Enabling Audit Logging

Enabling and Managing Admin Auditing in MaxScale

Setting Up and Managing Audit Logs

Encrypting Database Connections

1. Enable SSL:

2. Verify Peer Certificates:

Securing Your MaxScale Deployment

Encrypting Plaintext Passwords

Securing the GUI Interface

Enabling TLS Encryption

Managing Users & Passwords

Creating and Deleting Users

Managing Users in the GUI

Enabling Audit Logging

Enabling and Managing Admin Auditing in MaxScale

Setting Up and Managing Audit Logs

Encrypting Database Connections

1. Enable SSL:

2. Verify Peer Certificates: