Introduction
This post walks through a complete example of enabling TLS/SSL, i.e. what we usually call HTTPS, in the gogf/gf framework.
We will use rk-boot to start the gogf/gf microservice.
Please visit the following address for the full tutorial:
- https://rkdocs.netlify.app/cn
Generate a Self-Signed Certificate
You can buy certificates from the major cloud providers, or create your own with cfssl.
Here we show how to generate a certificate locally.
1. Download the cfssl & cfssljson command-line tools
Using the rk command line to download them is recommended.
```shell
$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson
```
Or download them from the upstream project:
```shell
$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson
```
2. Generate the CA
```shell
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
```
Edit ca-config.json and ca-csr.json as needed.
```shell
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
```
3. Generate the server certificate
server.csr, server.pem and server-key.pem will be generated.
```shell
$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www ca-csr.json | cfssljson -bare server
```
Installation
```shell
go get github.com/rookie-ninja/rk-boot/gf
```
Quick start
rk-boot supports the following ways for a gogf/gf service to obtain its certificate:
- local file system
- remote file system
- Consul
- ETCD
Let's first look at how to load the certificate from the local file system and start the service.
1. Create boot.yaml
In this example we only enable the server-side certificate. The locale field is used to distinguish certificates for different environments.
See the earlier articles for details.
```yaml
---
cert:
  - name: "local-cert"                    # Required
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the private key on the local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable TLS for this gf entry
```
2. Create main.go
```go
// Copyright (c) 2021 rookie-ninja
//
// Use of this source code is governed by an Apache-style
// license that can be found in the LICENSE file.
package main

import (
	"context"
	"net/http"

	"github.com/gogf/gf/v2/net/ghttp"
	"github.com/rookie-ninja/rk-boot"
	"github.com/rookie-ninja/rk-boot/gf"
)

// @title Swagger Example API
// @version 1.0
// @description This is a sample rk-demo server.
// @termsOfService http://swagger.io/terms/
// @securityDefinitions.basic BasicAuth
// @contact.name API Support
// @contact.url http://www.swagger.io/support
// @contact.email support@swagger.io
// @license.name Apache 2.0
// @license.url http://www.apache.org/licenses/LICENSE-2.0.html
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Register the handler on the gf entry named "greeter" in boot.yaml.
	entry := rkbootgf.GetGfEntry("greeter")
	entry.Server.BindHandler("/v1/hello", hello)

	// Bootstrap: with cert.ref set, the entry serves HTTPS with the referenced certificate.
	boot.Bootstrap(context.TODO())

	// Block until a shutdown signal arrives.
	boot.WaitForShutdownSig(context.TODO())
}

// @Summary Hello
// @Id 1
// @Tags Hello
// @version 1.0
// @produce application/json
// @Success 200 string string
// @Router /v1/hello [get]
func hello(ctx *ghttp.Request) {
	ctx.Response.WriteHeader(http.StatusOK)
	ctx.Response.WriteJson(map[string]string{
		"message": "hello!",
	})
}
```
3. Directory layout
```shell
.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files
```
4. Run main.go
```shell
$ go run main.go
```
5. Verify
```shell
$ curl -X GET --insecure https://localhost:8080/v1/hello
{"message":"hello!"}
```
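The verification in step 5 uses `--insecure`, which switches off exactly the check the CA from step 2 exists for: that the certificate the server presents chains to `ca.pem` and names the host being contacted. The Go program below is an added example, not code from rk-boot, gogf/gf or this post. It reproduces the whole flow in memory: a constructed CA and server certificate stand in for cfssl's `ca.pem`, `server.pem` and `server-key.pem`, a plain `net/http/httptest` server stands in for the gf entry, and a client that trusts only that CA plays the role of `curl --cacert cert/ca.pem` in place of `--insecure`. The names `newCert`, `startHelloServer` and `fetchHello` are this example's own, not rk-boot APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// check panics on an error while building the constructed in-memory fixtures.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert returns a PEM certificate and key, the in-memory equivalent of cfssl's *.pem files:
// a self-signed CA when parentCert is nil (`gencert -initca`), otherwise a server leaf for
// DNS name cn signed by the parent (`gencert -ca ca.pem -ca-key ca-key.pem`).
func newCert(cn string, parentCert, parentKey []byte) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parentCert == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the SAN a verifying client matches the host name against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		ca, err := tls.X509KeyPair(parentCert, parentKey)
		check(err)
		signerCert, err = x509.ParseCertificate(ca.Certificate[0])
		check(err)
		signerKey = ca.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	keyDER, err := x509.MarshalECPrivateKey(key)
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// startHelloServer stands in for the rk-boot gf entry: HTTPS on a random port,
// presenting the server cert that serverCertPath/serverKeyPath would point to.
func startHelloServer(certPEM, keyPEM []byte) *httptest.Server {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	check(err)
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/hello", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"message":"hello!"}`)
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// fetchHello is the verified counterpart of `curl --insecure`: it trusts only caPEM
// and checks the leaf's SAN list against serverName, as `curl --cacert ca.pem` would.
func fetchHello(baseURL string, caPEM []byte, serverName string) (string, error) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an unparsable CA leaves the pool empty, so verification fails closed
	tlsCfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	resp, err := client.Get(baseURL + "/v1/hello")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	caCert, caKey := newCert("demo-ca", nil, nil)
	srv := startHelloServer(newCert("localhost", caCert, caKey))
	body, err := fetchHello(srv.URL, caCert, "localhost")
	fmt.Println(body, err) // {"message":"hello!"} <nil>
	// A client that trusts some other CA is refused; that is the failure --insecure would hide.
	otherCA, _ := newCert("other-ca", nil, nil)
	_, err = fetchHello(srv.URL, otherCA, "localhost")
	fmt.Println("unknown CA rejected:", err != nil)
}
```

Against the real service, `curl --cacert cert/ca.pem https://localhost:8080/v1/hello` performs the same verification as `fetchHello`. For it to succeed, the CSR JSON passed to `cfssl gencert` in step 3 must list the name clients connect to (here `localhost`) in its `hosts` array, since that array becomes the certificate's SAN list; the page reuses `ca-csr.json` for the server certificate, so check that file. A client that trusts a different CA, or that connects under a name absent from the SANs, is refused.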
Architecture
Parameters
1. Loading certificates from the local file system
Option | Description | Required | Default |
---|---|---|---|
cert.localFs.name | Name of the local file system retriever | Yes | "" |
cert.localFs.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | Yes | "" |
cert.localFs.serverCertPath | Path of the server certificate | No | "" |
cert.localFs.serverKeyPath | Path of the server certificate's private key | No | "" |
cert.localFs.clientCertPath | Path of the client certificate | No | "" |
cert.localFs.clientKeyPath | Path of the client certificate's private key | No | "" |
- Example:
```yaml
---
cert:
  - name: "local-cert"                    # Required
    description: "Description of entry"   # Optional
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the private key on the local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable TLS for this gf entry
```
2. Loading certificates from a remote file service
Option | Description | Required | Default |
---|---|---|---|
cert.remoteFs.name | Name of the remote file service retriever | Yes | "" |
cert.remoteFs.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | Yes | "" |
cert.remoteFs.endpoint | Remote address: http://x.x.x.x or x.x.x.x | Yes | N/A |
cert.remoteFs.basicAuth | Basic auth, in the form `<user:pass>` | No | "" |
cert.remoteFs.serverCertPath | Path of the server certificate | No | "" |
cert.remoteFs.serverKeyPath | Path of the server certificate's private key | No | "" |
cert.remoteFs.clientCertPath | Path of the client certificate | No | "" |
cert.remoteFs.clientKeyPath | Path of the client certificate's private key | No | "" |
- Example:
```yaml
---
cert:
  - name: "remote-cert"                   # Required
    description: "Description of entry"   # Optional
    provider: "remoteFs"                  # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the remote FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the private key on the remote FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                  # Enable TLS for this gf entry
```
3. Loading certificates from Consul
Option | Description | Required | Default |
---|---|---|---|
cert.consul.name | Name of the Consul retriever | Yes | "" |
cert.consul.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | Yes | "" |
cert.consul.endpoint | Consul address: http://x.x.x.x or x.x.x.x | Yes | N/A |
cert.consul.datacenter | Consul datacenter | Yes | "" |
cert.consul.token | Consul access token | No | "" |
cert.consul.basicAuth | Consul basic auth, in the form `<user:pass>` | No | "" |
cert.consul.serverCertPath | Key of the server certificate | No | "" |
cert.consul.serverKeyPath | Key of the server certificate's private key | No | "" |
cert.consul.clientCertPath | Key of the client certificate | No | "" |
cert.consul.clientKeyPath | Key of the client certificate's private key | No | "" |
- Example:
```yaml
---
cert:
  - name: "consul-cert"                   # Required
    provider: "consul"                    # Required, etcd, consul, localFs, remoteFs are supported options
    description: "Description of entry"   # Optional
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:8500"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    datacenter: "dc1"                     # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"          # Optional, default: "", key in consul whose value is the certificate
    serverKeyPath: "server-key.pem"       # Optional, default: "", key in consul whose value is the private key
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                  # Enable TLS for this gf entry
```
4. Loading certificates from ETCD
Option | Description | Required | Default |
---|---|---|---|
cert.etcd.name | Name of the ETCD retriever | Yes | "" |
cert.etcd.locale | Follows the locale format `<realm>::<region>::<az>::<domain>` | Yes | "" |
cert.etcd.endpoint | ETCD address: http://x.x.x.x or x.x.x.x | Yes | N/A |
cert.etcd.basicAuth | ETCD basic auth, in the form `<user:pass>` | No | "" |
cert.etcd.serverCertPath | Key of the server certificate | No | "" |
cert.etcd.serverKeyPath | Key of the server certificate's private key | No | "" |
cert.etcd.clientCertPath | Key of the client certificate | No | "" |
cert.etcd.clientKeyPath | Key of the client certificate's private key | No | "" |
- Example:
```yaml
---
cert:
  - name: "etcd-cert"                     # Required
    description: "Description of entry"   # Optional
    provider: "etcd"                      # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:2379"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    serverCertPath: "server.pem"          # Optional, default: "", key in etcd whose value is the certificate
    serverKeyPath: "server-key.pem"       # Optional, default: "", key in etcd whose value is the private key
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                    # Enable TLS for this gf entry
```