Introduction

This is a full example of enabling TLS/SSL, that is HTTPS, in the GoGF/GF framework.

We will use rk-boot to start the GoGF/GF microservice.

Please visit the following address for the full tutorial:

  • rkdocs.netlify.app/cn

Generate a self-signed certificate

Users can purchase certificates from major cloud vendors or create custom certificates using CFSSL.

Here we show how to generate certificates locally.

1. Download the cfssl and cfssljson command-line tools

Using the rk command line is recommended.

$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson

Alternatively, download from the official repository:

$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson

2. Generate the CA

$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

Modify ca-config.json and ca-csr.json as required.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3. Generate a server certificate

server.csr, server.pem and server-key.pem will be generated.

$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www ca-csr.json | cfssljson -bare server

Installation

go get github.com/rookie-ninja/rk-boot/gf

Quick start

rk-boot allows the GoGF/GF service to obtain certificates from the following sources.

  • Local file system
  • Remote file system
  • Consul
  • ETCD

Let’s start by looking at how to load the certificate from the local file system and start the service.

1. Create boot.yaml

In this example we only load the server certificate. The locale is used to select the certificate entry for the environment the service runs in.

Please refer to the previous article for details:

---
cert:
  - name: "local-cert"                     # Required
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS

2. Create main.go

// Copyright (c) 2021 rookie-ninja
//
// Use of this source code is governed by an Apache-style
// license that can be found in the LICENSE file.

package main

import (
	"context"
	"github.com/gogf/gf/v2/net/ghttp"
	"github.com/rookie-ninja/rk-boot"
	"github.com/rookie-ninja/rk-boot/gf"
	"net/http"
)

// @title Swagger Example API
// @version 1.0
// @description This is a sample rk-demo server.
// @termsOfService http://swagger.io/terms/

// @securityDefinitions.basic BasicAuth

// @contact.name API Support
// @contact.url http://www.swagger.io/support
// @contact.email [email protected]

// @license.name Apache 2.0
// @license.url http://www.apache.org/licenses/LICENSE-2.0.html
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Register handler
	entry := rkbootgf.GetGfEntry("greeter")
	entry.Server.BindHandler("/v1/hello", hello)

	// Bootstrap
	boot.Bootstrap(context.TODO())

	boot.WaitForShutdownSig(context.TODO())
}

// @Summary Hello
// @Id 1
// @Tags Hello
// @version 1.0
// @produce application/json
// @Success 200 string string
// @Router /v1/hello [get]
func hello(ctx *ghttp.Request) {
	ctx.Response.WriteHeader(http.StatusOK)
	ctx.Response.WriteJson(map[string]string{
		"message": "hello!",
	})
}

3. Folder structure

.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files

4. Start main.go

$ go run main.go

5. Verify

$ curl -X GET --insecure https://localhost:8080/v1/hello
{"message":"hello!"}
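The curl check above passes --insecure, which turns off certificate verification, so it proves only that the server speaks TLS, not that it presents the certificate you issued. The following Go program is an added example (not rk-boot or GF code) covering both the certificate section and this verification step: it does in memory what steps 2 and 3 of the cfssl section do (a self-signed CA, then a server certificate signed by it), starts a TLS server with that certificate, and fetches /v1/hello with a client that trusts only the CA, which is what `curl --cacert ca.pem` does instead of `--insecure`. A second fetch with an empty trust store shows the handshake being rejected. The function names `issue`, `fetchHello` and `run`, and the CA name "example-ca", are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// issue generates a P-256 key for tmpl and has the certificate signed by issuerKey under
// parent; a nil issuerKey makes tmpl self-signed, which is what `cfssl gencert -initca` does.
func issue(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if issuerKey == nil { // self-signed root
		parent, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// fetchHello serves /v1/hello over TLS on a loopback port with the given certificate and
// fetches it with a client that trusts only roots (the `curl --cacert ca.pem` check).
func fetchHello(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"message":"hello!"}`)
	})}
	go srv.Serve(ln)
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get("https://" + ln.Addr().String() + "/v1/hello")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// run mirrors the cfssl steps in memory (CA, then a server cert signed by it), then fetches
// once trusting the CA and once with an empty trust store, returning both outcomes.
func run() (trusted string, untrustedErr error, err error) {
	now := time.Now()
	// `cfssl gencert -initca`: self-signed root with the CA constraint. Name is constructed.
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-ca"},
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return "", nil, err
	}
	// `cfssl gencert -ca ca.pem -ca-key ca-key.pem -profile www`: a server-auth leaf.
	// Clients match the SAN extension, not the CommonName, so both names go into SANs.
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}, caCert, caKey)
	if err != nil {
		return "", nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	trusted, err = fetchHello(leaf, leafKey, pool)
	_, untrustedErr = fetchHello(leaf, leafKey, x509.NewCertPool()) // empty pool: nothing trusted
	return trusted, untrustedErr, err
}

func main() {
	fmt.Println(run())
}
```

Running it prints the JSON body from the trusted client followed by an "unknown authority" error from the client with the empty pool. Note that an empty, non-nil CertPool is deliberately different from a nil RootCAs, which would fall back to the system trust store.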

Architecture

Parameter description

1. Read the certificate from the local file system

Configuration item          | Description                                           | Required | Default
cert.localFs.name           | Name of the local file system getter                  | Yes      | ""
cert.localFs.locale         | Locale in the form <realm>::<region>::<az>::<domain>  | Yes      | ""
cert.localFs.serverCertPath | Path of the server certificate                        | No       | ""
cert.localFs.serverKeyPath  | Path of the server certificate key                    | No       | ""
cert.localFs.clientCertPath | Path of the client certificate                        | No       | ""
cert.localFs.clientKeyPath  | Path of the client certificate key                    | No       | ""
  • Example:
---
cert:
  - name: "local-cert"                     # Required
    description: "Description of entry"    # Optional
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS

2. Read the certificate from the remote file service

Configuration item           | Description                                           | Required | Default
cert.remoteFs.name           | Name of the remote file service getter                | Yes      | ""
cert.remoteFs.locale         | Locale in the form <realm>::<region>::<az>::<domain>  | Yes      | ""
cert.remoteFs.endpoint       | Remote address: http://x.x.x.x or x.x.x.x             | Yes      | N/A
cert.remoteFs.basicAuth      | Basic auth in the form user:pass                      | No       | ""
cert.remoteFs.serverCertPath | Path of the server certificate                        | No       | ""
cert.remoteFs.serverKeyPath  | Path of the server certificate key                    | No       | ""
cert.remoteFs.clientCertPath | Path of the client certificate                        | No       | ""
cert.remoteFs.clientKeyPath  | Path of the client certificate key                    | No       | ""
  • Example:
---
cert:
  - name: "remote-cert"                    # Required
    description: "Description of entry"    # Optional
    provider: "remoteFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"             # Required, both http://x.x.x.x or x.x.x.x are acceptable
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                   # Enable grpc TLS

3. Obtain the certificate from Consul

Configuration item         | Description                                           | Required | Default
cert.consul.name           | Name of the Consul getter                             | Yes      | ""
cert.consul.locale         | Locale in the form <realm>::<region>::<az>::<domain>  | Yes      | ""
cert.consul.endpoint       | Consul address: http://x.x.x.x or x.x.x.x             | Yes      | N/A
cert.consul.datacenter     | Consul datacenter                                     | Yes      | ""
cert.consul.token          | Consul access token                                   | No       | ""
cert.consul.basicAuth      | Consul basic auth in the form user:pass               | No       | ""
cert.consul.serverCertPath | Path of the server certificate                        | No       | ""
cert.consul.serverKeyPath  | Path of the server certificate key                    | No       | ""
cert.consul.clientCertPath | Path of the client certificate                        | No       | ""
cert.consul.clientKeyPath  | Path of the client certificate key                    | No       | ""
  • Example:
---
cert:
  - name: "consul-cert"                    # Required
    provider: "consul"                     # Required, etcd, consul, localFS, remoteFs are supported options
    description: "Description of entry"    # Optional
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:8500"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    datacenter: "dc1"                      # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"           # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in consul
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                   # Enable grpc TLS

4. Read the certificate from etcd

Configuration item       | Description                                           | Required | Default
cert.etcd.name           | Name of the etcd getter                               | Yes      | ""
cert.etcd.locale         | Locale in the form <realm>::<region>::<az>::<domain>  | Yes      | ""
cert.etcd.endpoint       | etcd address: http://x.x.x.x or x.x.x.x               | Yes      | N/A
cert.etcd.basicAuth      | etcd basic auth in the form user:pass                 | No       | ""
cert.etcd.serverCertPath | Path of the server certificate                        | No       | ""
cert.etcd.serverKeyPath  | Path of the server certificate key                    | No       | ""
cert.etcd.clientCertPath | Path of the client certificate                        | No       | ""
cert.etcd.clientKeyPath  | Path of the client certificate key                    | No       | ""
  • Example:
---
cert:
  - name: "etcd-cert"                      # Required
    description: "Description of entry"    # Optional
    provider: "etcd"                       # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:2379"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    serverCertPath: "server.pem"           # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in etcd
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                     # Enable grpc TLS