In [go-micro] A First Look at Network we analyzed the use cases for network and where it falls short, but the security shortcomings were not examined deeply enough: tunnel is built on top of transport, and the transport layer supports mTLS, so the earlier claim that the only security measure is the token in the header was wrong. It is simply that micro does not yet wire the mTLS environment variables into network; this post shares a simple way to add mTLS support to network.

micro has just (2019-11-27) released version 1.17.0, so the pitfalls keep coming 🤣

Network modifications

The current micro network module provides no way to configure TLS through environment variables, so the source has to be modified. In micro/micro, the TLSConfig() function of the internal/helper package builds a *tls.Config from the GLOBAL OPTIONS. Following the two micro commands that already implement mTLS (api and web), modify the tunnel setup in network as follows:

// create a tunnel
tunOpts := []tunnel.Option{
	tunnel.Address(Address),
	tunnel.Nodes(nodes...),
	tunnel.Token(Token),
}
// mTLS: when --enable_tls is set, build a *tls.Config from the global
// --tls_* options and give the tunnel a TLS-enabled QUIC transport
if ctx.GlobalBool("enable_tls") {
	config, err := helper.TLSConfig(ctx)
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	// do not verify the peer node's server certificate (see the note below)
	config.InsecureSkipVerify = true

	tunOpts = append(tunOpts, tunnel.Transport(
		quic.NewTransport(transport.TLSConfig(config)),
	))
}
tun := tunnel.NewTunnel(tunOpts...)

Note that we set InsecureSkipVerify to true here: because this is mutual authentication, with InsecureSkipVerify left at false the network nodes cannot connect to each other.

mTLS

First, use the figure below to get a picture of mTLS: server and client each verify the other's certificate through the CA.

[Figure: network_multi_cluster]

We generate only one CA and one CSR certificate; a production environment needs more complete and more elaborate certificate management tailored to its own scenario, which is not covered here. Later I will share more research on mTLS in the micro ecosystem from a security angle.
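As an added example (not part of the original post or of micro's own code) of the mutual verification just described, and of what the InsecureSkipVerify workaround above gives up, the Go program below issues a small CA with node certificates and runs a loopback handshake in which each side checks the other's chain. It assumes a config of the shape helper.TLSConfig produces, extended with RootCAs and a DNS SAN for the node name so the dialing side can verify the peer without InsecureSkipVerify; issue, mtlsConfig and handshake are names of this example, not micro's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a cert for cn with parent (nil parent: self-signed root CA like MicroCA); cn also goes into a DNS SAN, which Go checks instead of the CN.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// mtlsConfig is helper.TLSConfig's shape (own cert, client CA, RequireAndVerifyClientCert) plus RootCAs and ServerName (assumed here), so the dialer verifies the peer too.
func mtlsConfig(self tls.Certificate, ca *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{self}, ClientCAs: ca, ClientAuth: tls.RequireAndVerifyClientCert,
		RootCAs: ca, ServerName: "network", MinVersion: tls.VersionTLS12}
}
func handshake(srvCfg, cliCfg *tls.Config) error { // one loopback TCP handshake; nil means both peers verified each other's chain
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: drive the handshake so a rejected client cert surfaces as its error
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // fails here when the client distrusts the server
	if err != nil {
		return err
	}
	defer c.Close() // keep the client open until the server has delivered its verdict
	return <-srvErr
}
```

Drive it from a test or a main that issues a CA, puts its Leaf in a CertPool, and calls handshake with two mtlsConfig values; a certificate from any other CA is rejected by whichever side verifies it.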

CA certificate

Generate the CA certificate with the certstrap tool:

# MacOS
$ brew install certstrap

# no passphrase entered
$ certstrap init --common-name "MicroCA" --expires "20 years"
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Created out/MicroCA.key
    Created out/MicroCA.crt
    Created out/MicroCA.crl

Certificate signing request (CSR)

$ certstrap request-cert -cn network
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Created out/network.key
    Created out/network.csr

Signing the CSR

$ certstrap sign network --CA MicroCA
    Created out/network.crt from out/network.csr signed by out/MicroCA.key

Running Network with mTLS

$ ./micro \
--registry=etcd \
--transport=tcp \
--enable_tls=true \
--tls_cert_file=conf/tls/network.crt  \
--tls_key_file=conf/tls/network.key  \
--tls_client_ca_file=conf/tls/MicroCA.crt \
network

$ ./micro \
--registry=consul \
--transport=tcp \
--enable_tls=true \
--tls_cert_file=conf/tls/network.crt  \
--tls_key_file=conf/tls/network.key  \
--tls_client_ca_file=conf/tls/MicroCA.crt \
network \
--nodes=localhost:8085 \
--address=:8086

Network routes

If no entry with link=network shows up in the routes, the networks most likely failed to establish a connection with each other.

./micro --registry=etcd --transport=tcp network routes  
+------------------+----------------------+----------------------+--------------------------------------+----------+--------+---------+
|     SERVICE      |       ADDRESS        |       GATEWAY        |                ROUTER                | NETWORK  | METRIC |  LINK   |
+------------------+----------------------+----------------------+--------------------------------------+----------+--------+---------+
| consul           | 1919625842587659968  | 17017708900476934200 | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | network |
| go.micro.network | 15624894091238291400 | 17017708900476934200 | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | network |
| go.micro.network | 192.168.1.4:58527    |                      | df521f3c-a39e-455b-abbf-ada184a900c9 | go.micro | 1      | local   |
| go.micro.network | 192.168.1.4:58528    |                      | df521f3c-a39e-455b-abbf-ada184a900c9 | go.micro | 1      | local   |
| go.micro         | 192.168.1.4:8085     |                      | df521f3c-a39e-455b-abbf-ada184a900c9 | go.micro | 1      | local   |
| go.micro         | 9876822083478954444  | 17017708900476934200 | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | network |
+------------------+----------------------+----------------------+--------------------------------------+----------+--------+---------+

./micro --registry=consul --transport=tcp network routes
+------------------+----------------------+---------------------+--------------------------------------+----------+--------+---------+
|     SERVICE      |       ADDRESS        |       GATEWAY       |                ROUTER                | NETWORK  | METRIC |  LINK   |
+------------------+----------------------+---------------------+--------------------------------------+----------+--------+---------+
| consul           | 127.0.0.1:8300       |                     | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | local   |
| go.micro         | 192.168.1.4:8086     |                     | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | local   |
| go.micro         | 9480410441638176179  | 3307701226171868606 | df521f3c-a39e-455b-abbf-ada184a900c9 | go.micro | 2      | network |
| go.micro.network | 11801771601773192119 | 3307701226171868606 | df521f3c-a39e-455b-abbf-ada184a900c9 | go.micro | 2      | network |
| go.micro.network | 192.168.1.4:58843    |                     | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | local   |
| go.micro.network | 192.168.1.4:58844    |                     | f5dc3933-3ccc-4dc0-bafe-cbfd7abebf60 | go.micro | 1      | local   |
+------------------+----------------------+---------------------+--------------------------------------+----------+--------+---------+

Ref

Go programming: quickly generating self-signed certificates and mutual authentication (mTLS)