Introduction
A full example of enabling TLS/SSL, that is, HTTPS, in the GoGF/GF framework.
We will use rk-boot to start the GoGF/GF microservice.
Please visit the following address for the full tutorial:
- rkdocs.netlify.app/cn
Generate a self-signed certificate
Users can purchase certificates from major cloud vendors or create custom certificates using CFSSL.
Here we show how to generate certificates locally.
1. Download the cfssl and cfssljson command-line tools
The rk command line is recommended.
$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson
Or download them from the official source:
$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson
2. Generate the CA
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
Modify ca-config.json and ca-csr.json as required.
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
3. Generate a server certificate
server.csr, server.pem and server-key.pem will be generated.
$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www ca-csr.json | cfssljson -bare server
Installation
go get github.com/rookie-ninja/rk-boot/gf
Quick start
rk-boot allows the GoGF/GF service to obtain certificates in the following ways.
- Local file system
- Remote file system
- Consul
- ETCD
Let's start by reading the certificate from the local file system and starting the service.
1. Create boot.yaml
In this example we only enable the server's certificate. locale is used to distinguish certificate entries across environments.
Please refer to the previous article for details:
---
cert:
  - name: "local-cert"                    # Required
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of certificate key on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable TLS using the cert entry above
2. Create main.go
// Copyright (c) 2021 rookie-ninja
//
// Use of this source code is governed by an Apache-style
// license that can be found in the LICENSE file.
package main

import (
	"context"
	"net/http"

	"github.com/gogf/gf/v2/net/ghttp"
	"github.com/rookie-ninja/rk-boot"
	"github.com/rookie-ninja/rk-boot/gf"
)

// @title Swagger Example API
// @version 1.0
// @description This is a sample rk-demo server.
// @termsOfService http://swagger.io/terms/
// @securityDefinitions.basic BasicAuth
// @contact.name API Support
// @contact.url http://www.swagger.io/support
// @contact.email [email protected]
// @license.name Apache 2.0
// @license.url http://www.apache.org/licenses/LICENSE-2.0.html
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Register the handler on the GF entry named "greeter" in boot.yaml.
	entry := rkbootgf.GetGfEntry("greeter")
	entry.Server.BindHandler("/v1/hello", hello)

	// Bootstrap: the entry loads the certificate referenced by cert.ref and serves HTTPS.
	boot.Bootstrap(context.TODO())

	// Block until a shutdown signal arrives.
	boot.WaitForShutdownSig(context.TODO())
}

// @Summary Hello
// @Id 1
// @Tags Hello
// @version 1.0
// @produce application/json
// @Success 200 string string
// @Router /v1/hello [get]
func hello(ctx *ghttp.Request) {
	ctx.Response.WriteHeader(http.StatusOK)
	ctx.Response.WriteJson(map[string]string{
		"message": "hello!",
	})
}
3. Folder structure
.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files
4. Run main.go
$ go run main.go
5. Verify
--insecure is needed here only because curl does not trust the CA we generated ourselves; it disables certificate verification entirely.
$ curl -X GET --insecure https://localhost:8080/v1/hello
{"message":"hello!"}
Architecture
Parameters
1. Read the certificate from the local file system
Configuration item | Details | Required | Default |
---|---|---|---|
cert.localFs.name | Name of the local file system getter | yes | "" |
cert.localFs.locale | Follows the format <realm>::<region>::<az>::<domain> | yes | "" |
cert.localFs.serverCertPath | Path of the server certificate | no | "" |
cert.localFs.serverKeyPath | Path of the server certificate key | no | "" |
cert.localFs.clientCertPath | Path of the client certificate | no | "" |
cert.localFs.clientKeyPath | Path of the client certificate key | no | "" |
Example:
---
cert:
  - name: "local-cert"                    # Required
    description: "Description of entry"   # Optional
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of certificate key on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable TLS using the cert entry above
2. Read the certificate from the remote file service
Configuration item | Details | Required | Default |
---|---|---|---|
cert.remoteFs.name | Name of the remote file service getter | yes | "" |
cert.remoteFs.locale | Follows the format <realm>::<region>::<az>::<domain> | yes | "" |
cert.remoteFs.endpoint | Remote address, http://x.x.x.x or x.x.x.x | yes | N/A |
cert.remoteFs.basicAuth | Basic auth, format user:pass | no | "" |
cert.remoteFs.serverCertPath | Path of the server certificate | no | "" |
cert.remoteFs.serverKeyPath | Path of the server certificate key | no | "" |
cert.remoteFs.clientCertPath | Path of the client certificate | no | "" |
cert.remoteFs.clientKeyPath | Path of the client certificate key | no | "" |
Example:
---
cert:
  - name: "remote-cert"                   # Required
    description: "Description of entry"   # Optional
    provider: "remoteFs"                  # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of certificate on the remote FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of certificate key on the remote FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                  # Enable TLS using the cert entry above
3. Obtain the certificate from Consul
Configuration item | Details | Required | Default |
---|---|---|---|
cert.consul.name | Name of the Consul getter | yes | "" |
cert.consul.locale | Follows the format <realm>::<region>::<az>::<domain> | yes | "" |
cert.consul.endpoint | Consul address, http://x.x.x.x or x.x.x.x | yes | N/A |
cert.consul.datacenter | Consul datacenter | yes | "" |
cert.consul.token | Consul access token | no | "" |
cert.consul.basicAuth | Consul basic auth, format user:pass | no | "" |
cert.consul.serverCertPath | Key of the server certificate in Consul | no | "" |
cert.consul.serverKeyPath | Key of the server certificate key in Consul | no | "" |
cert.consul.clientCertPath | Key of the client certificate in Consul | no | "" |
cert.consul.clientKeyPath | Key of the client certificate key in Consul | no | "" |
Example:
---
cert:
  - name: "consul-cert"                   # Required
    provider: "consul"                    # Required, etcd, consul, localFs, remoteFs are supported options
    description: "Description of entry"   # Optional
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:8500"            # Required, http://x.x.x.x or x.x.x.x both acceptable
    datacenter: "dc1"                     # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"          # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"       # Optional, default: "", key of value in consul
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                  # Enable TLS using the cert entry above
4. Read the certificate from etcd
Configuration item | Details | Required | Default |
---|---|---|---|
cert.etcd.name | Name of the etcd getter | yes | "" |
cert.etcd.locale | Follows the format <realm>::<region>::<az>::<domain> | yes | "" |
cert.etcd.endpoint | etcd address, http://x.x.x.x or x.x.x.x | yes | N/A |
cert.etcd.basicAuth | etcd basic auth, format user:pass | no | "" |
cert.etcd.serverCertPath | Key of the server certificate in etcd | no | "" |
cert.etcd.serverKeyPath | Key of the server certificate key in etcd | no | "" |
cert.etcd.clientCertPath | Key of the client certificate in etcd | no | "" |
cert.etcd.clientKeyPath | Key of the client certificate key in etcd | no | "" |
Example:
---
cert:
  - name: "etcd-cert"                     # Required
    description: "Description of entry"   # Optional
    provider: "etcd"                      # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:2379"            # Required, http://x.x.x.x or x.x.x.x both acceptable
    serverCertPath: "server.pem"          # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"       # Optional, default: "", key of value in etcd
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                    # Enable TLS using the cert entry above