This page provides a comprehensive, real-world MariaDB configuration baseline for current Debian and RHEL releases, updated for MariaDB 11.4+ with security-first defaults.
Typical locations:
/etc/mysql/mariadb.conf.d/50-server.cnf
/etc/mysql/conf.d/*.cnf
Typical locations:
/etc/my.cnf
/etc/my.cnf.d/*.cnf
mariadb / mysqld Configuration (Debian/RHEL)Use this baseline for a small production deployment on a private network.
[mariadb]
# Network
bind-address = 10.0.0.10
port = 3306
skip_name_resolve = ON
# Connections
max_connections = 100
# Character set / collation
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
# InnoDB baseline (tune for host RAM and workload)
innodb_buffer_pool_size = 1G
innodb_log_file_size = 256M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method = O_DIRECT
# Binary logging (recommended)
server_id = 1
log_bin = mariadb-bin
expire_logs_days = 7
# Slow query logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 0.5
# Security baseline
local_infile = 0
# SSL (enabled by default in MariaDB 11.4+)
ssl = ON
ssl_ca = /etc/mysql/ssl/ca-cert.pem
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
# Performance improvements (MariaDB 11.4+)
optimizer_switch = 'semi_join=on'
For production environments with more resources and requirements:
[mariadb]
# Basic server settings
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
# Network
bind-address = 0.0.0.0 # Adjust to specific IP for security
skip-name-resolve
connect_timeout = 10
max_connect_errors = 100000
max_allowed_packet = 64M
# Connections
max_connections = 200
thread_cache_size = 16
table_open_cache = 400
table_definition_cache = 400
# Character set / collation
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
init-connect = 'SET NAMES utf8mb4'
# InnoDB settings (tune for your hardware)
innodb_buffer_pool_size = 2G # Adjust to ~70-80% of available RAM if dedicated
innodb_buffer_pool_instances = 8
innodb_log_file_size = 512M
innodb_log_files_in_group = 2
innodb_log_buffer_size = 16M
innodb_flush_log_at_trx_commit = 1
innodb_flush_method = O_DIRECT
innodb_file_per_table = 1
innodb_read_io_threads = 8
innodb_write_io_threads = 8
innodb_io_capacity = 1000
innodb_io_capacity_max = 2000
# Query cache (disabled in MariaDB 10.1+, removed in 10.2+)
# query_cache_type = 1
# query_cache_size = 64M
# Binary logging (for replication and point-in-time recovery)
server_id = 1
log_bin = /var/log/mysql/mariadb-bin
log_bin_index = /var/log/mysql/mariadb-bin.index
expire_logs_days = 7
sync_binlog = 1
binlog_format = ROW
max_binlog_size = 100M
# Slow query logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 1.0
log_queries_not_using_indexes = 0
# Security
local_infile = 0
sql_mode = "STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
# SSL (enabled by default in MariaDB 11.4+)
ssl = ON
# Performance improvements (MariaDB 11.4+)
optimizer_switch = 'semi_join=on,materialization=on,loosescan=on,firstmatch=on,mrr=on,mrr_cost_based=off,block_nested_loop=on,batched_key_access=off,materialize_cte=on,prefer_ordering=on'
# Memory settings
sort_buffer_size = 2M
read_buffer_size = 128K
read_rnd_buffer_size = 256K
join_buffer_size = 2M
tmp_table_size = 64M
max_heap_table_size = 64M
bind-address: Restrict listener to trusted interface(s). Use 0.0.0.0 for all interfaces (not recommended for production).skip_name_resolve: Avoid DNS lookups and grant ambiguity.max_connections: Increase only with RAM planning. Each connection uses memory.innodb_buffer_pool_size: Primary performance cache for InnoDB data/indexes. Set to 70-80% of available RAM if MariaDB is the only service.innodb_flush_log_at_trx_commit=1: Best durability for transactional workloads.log_bin: Enables binary log for replication and point-in-time restore.slow_query_log: Captures expensive queries for tuning.local_infile=0: Reduces risk from insecure file import usage.ssl: Enabled by default in MariaDB 11.4+, improves security posture.--ssl-verify-server-cert enabledUse dedicated users with least privilege.
-- Create application user with limited permissions
CREATE USER 'appuser'@'10.0.0.%' IDENTIFIED BY 'strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'10.0.0.%';
-- Create read-only user for reporting
CREATE USER 'reportuser'@'10.0.0.%' IDENTIFIED BY 'strong-password';
GRANT SELECT ON appdb.* TO 'reportuser'@'10.0.0.%';
-- Refresh privileges
FLUSH PRIVILEGES;
With MariaDB 11.4+, SSL is enabled by default. For production, consider using proper certificates:
# SSL settings (MariaDB 11.4+)
ssl = ON
ssl_ca = /etc/mysql/ssl/ca-cert.pem
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
ssl_cipher = 'TLSv1.2'
require_secure_transport = ON
Generate certificates:
# Create SSL directory
sudo mkdir -p /etc/mysql/ssl
sudo chown mysql:mysql /etc/mysql/ssl
# Generate CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
# Generate server certificate
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Generate client certificate
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
# Set proper permissions
sudo chmod 600 ca-key.pem server-key.pem client-key.pem
sudo chown mysql:mysql *.pem
sudo mv *.pem /etc/mysql/ssl/
Restart MariaDB after changing config:
sudo systemctl restart mariadb
On some systems, service name may be mysql:
sudo systemctl restart mysql
Validate active settings:
mariadb -u root -p -e "SHOW VARIABLES LIKE 'bind_address';"
mariadb -u root -p -e "SHOW VARIABLES LIKE 'max_connections';"
mariadb -u root -p -e "SHOW VARIABLES LIKE 'innodb_buffer_pool_size';"
mariadb -u root -p -e "SHOW VARIABLES LIKE 'log_bin';"
mariadb -u root -p -e "SHOW VARIABLES LIKE 'ssl%';"
innodb_buffer_pool_size: 70-80% of available RAM if dedicated to MariaDBkey_buffer_size: For MyISAM tables (usually 16-64M for mixed workloads)tmp_table_size and max_heap_table_size: Should be equalmax_connections: Calculate based on application needs and available RAMthread_cache_size: Keep threads ready for new connectionsinnodb_log_file_size: Larger for write-intensive workloadsinnodb_flush_method: O_DIRECT for Linux with hardware RAID/cacheinnodb_io_capacity: Reflects your storage capabilities3306 restricted to trusted private networks.