[grpc]使用mTLS加密认证
前言
假设gRPC服务端的主机名为qw.er.com,需要为gRPC服务端和客户端之间的通信配置tls双向认证加密。
生成证书
- 生成ca根证书。生成过程会要求填写密码、CN、ON、OU等信息,记住密码。
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -subj "/CN=qw.er.com" -days 365
- 新建并编辑文件
openssl.cnf文件。req_distinguished_name中内容按需填写,DNS.1要替换成实际域名。
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = Anhui
localityName = Hefei
organizationName = zhangsan
commonName = qw.er.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = qw.er.com
- 生成服务端证书
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=qw.er.com" -config openssl.cnf
# 提示输入ca私钥的密码
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extensions v3_req -extfile openssl.cnf
- 生成客户端证书
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=qw.er.com" -config openssl.cnf
# 提示输入ca私钥的密码
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extensions v3_req -extfile openssl.cnf
proto示例
用的还是入门级的helloworld
syntax = "proto3"; // protocol buffers版本
option go_package = "./;proto"; // 生成的Go代码将被放在当前目录,并使用proto作为包名称
// 定义grpc服务的接口。服务就是一组可被远程调用的方法
service Greeter {
// 定义远程调用方法
rpc SayHello (HelloRequest) returns (HelloReply);
}
// 定义消息格式和消息类型
message HelloRequest {
string name = 1; // 1 是二进制格式中的字段编号, 应该唯一
}
message HelloReply {
string message = 1;
}
生成go代码:
protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative hello.proto
服务端代码示例
如果需要客户端和服务端直接通信,可以参考以下示例代码。
package main
import (
pb "grpcs/proto"
"context"
"crypto/tls"
"crypto/x509"
"flag"
"fmt"
"log"
"net"
"os"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
var (
port = flag.Int("port", 8010, "the server port")
crtFile = flag.String("crt", "server.crt", "the server crt file")
keyFile = flag.String("key", "server.key", "the server key file")
caFile = flag.String("ca", "ca.crt", "the server ca file")
)
type server struct{
pb.UnimplementedGreeterServer
}
func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
log.Printf("Received: %v", in.GetName())
return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
}
func main() {
flag.Parse()
// 通过服务端的证书和密钥直接创建X.509密钥对
certificate, err := tls.LoadX509KeyPair(*crtFile, *keyFile)
if err != nil {
log.Fatalf("Failed to load key pair: %v", err)
}
// 通过CA创建证书池
certPool := x509.NewCertPool()
ca, err := os.ReadFile(*caFile)
if err != nil {
log.Fatalf("Failed to read ca: %v", err)
}
// 将来自CA的客户端证书附加到证书池
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Fatalf("Failed to append ca certificate")
}
opts := []grpc.ServerOption{
grpc.Creds( // 为所有传入的连接启用TLS
credentials.NewTLS(&tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{certificate},
ClientCAs: certPool,
},
)),
}
listen, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", *port))
if err != nil {
log.Fatalf("failed to listen %d port", *port)
}
// 通过传入的TLS服务器凭证创建新的gRPC服务实例
s := grpc.NewServer(opts...)
pb.RegisterGreeterServer(s, &server{})
log.Printf("server listening at %v", listen.Addr())
if err := s.Serve(listen); err != nil {
log.Fatalf("Failed to serve: %v", err)
}
}
运行:
go build -o server.bin
./server.bin -ca ca.crt -crt server.crt -key server.key -port 8010
客户端代码示例
package main
import (
pb "grpcc/proto"
"context"
"crypto/tls"
"crypto/x509"
"flag"
"log"
"os"
"time"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
var (
addr = flag.String("addr", "qw.er.com:8010", "server address")
hostname = flag.String("host", "qw.er.com", "server hostname")
crtFile = flag.String("crt", "client.crt", "client crt file")
keyFile = flag.String("key", "client.key", "client key file")
caFile = flag.String("ca", "ca.crt", "ca file")
name = flag.String("n", "zhangsan", "name")
)
func main() {
flag.Parse()
certificate, err := tls.LoadX509KeyPair(*crtFile, *keyFile)
if err != nil {
log.Fatalf("Failed to load client key pair, %v", err)
}
certPool := x509.NewCertPool()
ca, err := os.ReadFile(*caFile)
if err != nil {
log.Fatalf("Failed to read %s, error: %v", *caFile, err)
}
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Fatalf("Failed to append ca certs")
}
opts := []grpc.DialOption{
grpc.WithTransportCredentials(credentials.NewTLS(
&tls.Config{
ServerName: *hostname,
Certificates: []tls.Certificate{certificate},
RootCAs: certPool,
})),
}
// conn, err := grpc.Dial(*addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
conn, err := grpc.Dial(*addr, opts...)
if err != nil {
log.Fatalf("Connect to %s failed", *addr)
}
defer conn.Close()
client := pb.NewGreeterClient(conn)
// 创建带有超时时间的上下文, cancel可以取消上下文
ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
defer cancel()
// 业务代码处理部分 ...
r, err := client.SayHello(ctx, &pb.HelloRequest{Name: *name})
if err != nil {
log.Printf("Failed to greet, error: %v", err)
} else {
log.Printf("Greeting: %v",r.GetMessage())
}
}
运行:
go build -o client.bin
./client.bin -addr qw.er.com:8010 -host qw.er.com -ca ca.crt -crt client.crt -key client.key -name 'lisi'
nginx代理
某些场景下服务端和客户端无法直接通信,需要在中间加个nginx反向代理服务端。目前个人方案是客户端与nginx之间为https双向加密通信,nginx与服务端之间为http普通通信。
客户端代码无需改动,服务端就是去掉tls相关配置,示例:
package main
import (
"context"
"flag"
"fmt"
"log"
"net"
pb "grpcs/proto"
"google.golang.org/grpc"
)
var (
port = flag.Int("port", 8010, "The server port")
)
// server is used to implement hello.GreeterServer.
type server struct {
pb.UnimplementedGreeterServer
}
// SayHello 实现 proto 中的 service Greeter
func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
log.Printf("Received: %v", in.GetName())
return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
}
func main() {
flag.Parse()
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", *port))
if err != nil {
log.Fatalf("failed to listen: %v", err)
}
s := grpc.NewServer()
pb.RegisterGreeterServer(s, &server{})
log.Printf("server listening at %v", lis.Addr())
if err := s.Serve(lis); err != nil {
log.Fatalf("failed to serve: %v", err)
}
}
tls证书配到nginx:
server {
listen 80 ssl http2;
server_name qw.er.com;
# 证书文件路径
ssl_certificate /home/admin/apps/openresty/nginx/certs/qwer/server.crt;
ssl_certificate_key /home/admin/apps/openresty/nginx/certs/qwer/server.key;
# 验证客户端证书
ssl_verify_client on;
ssl_client_certificate /home/admin/apps/openresty/nginx/certs/qwer/ca.crt;
# 反向代理服务端
location / {
grpc_pass grpc://192.168.1.111:8010;
}
}
本文来自博客园,作者:花酒锄作田,转载请注明原文链接:https://www.cnblogs.com/XY-Heruo/p/17569273.html
