douping6871 2017-05-09 08:35
Views: 195
Accepted

AWS API Gateway client certificate in Go

I'm trying to secure the connection between AWS API Gateway and my API endpoint services exactly as it is described in this documentation: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

AFAIK I need to copy the cert from AWS API Gateway and use the http.ListenAndServeTLS method. But it accepts two files, keyFile and certFile: func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler).

When I click on the copy link (see image below: an example of a certificate generated by AWS),

the only thing I get is the certificate in this format (I've shortened it for explanation purposes):

-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIJAKbyiCf2f5J2MA0GCSqGSIb3DQEBCwUAMDQxCzAJBgNV
fYe+dxR0PMFvfUpZaGgaY1ykQG1sNaw/b6NjNg9c1aEVSZ7b1eU/cBmb6XqHw0Ih
7yHtBm+p8Px4NMAT9YhytTxPRBYpApfUsfPMa3qfUWvvj4TD0LR6bW980bebyxUn
BigXToSFlPeiNGdU/Zpiw9crzplojNBFc=
-----END CERTIFICATE-----

So my question is, how exactly do I need to configure the ListenAndServeTLS method to make sure that any request to my service comes from API Gateway? Where can I find the private key? It's quite confusing to me.


1 answer

  • dsjq6977 2017-05-09 09:32

    The client certificate AWS gives you is for authenticating the client that sends requests to your service, which is the AWS gateway.

    This cert is not to be used to start your server, but to authenticate requests.

    See an example of use below; untested code, but as a lead.

    package main
    
    import (
        "crypto/tls"
        "crypto/x509"
        "encoding/pem"
        "io"
        "log"
        "net/http"
        "os"
    )
    
    func Hello(w http.ResponseWriter, req *http.Request) {
        io.WriteString(w, "hello, world!\n")
    }
    
    func main() {
        http.HandleFunc("/hello", Hello)
    
        // The PEM copied from the API Gateway console: the gateway's client certificate.
        certBytes, err := os.ReadFile("aws-gateway.pem")
        if err != nil {
            log.Fatal(err)
        }
        block, _ := pem.Decode(certBytes)
        if block == nil || block.Type != "CERTIFICATE" {
            log.Fatal("aws-gateway.pem does not contain a PEM-encoded certificate")
        }
    
        cert, err := x509.ParseCertificate(block.Bytes)
        if err != nil {
            log.Fatal(err)
        }
    
        // Pool of certificates that presented client certificates are verified against.
        clientCertPool := x509.NewCertPool()
        clientCertPool.AddCert(cert)
    
        tlsConfig := &tls.Config{
            ClientCAs: clientCertPool,
            // Available ClientAuth modes, for reference:
            // NoClientCert
            // RequestClientCert
            // RequireAnyClientCert
            // VerifyClientCertIfGiven
            // RequireAndVerifyClientCert
            ClientAuth: tls.RequireAndVerifyClientCert,
        }
    
        server := &http.Server{
            Addr:      ":8080",
            TLSConfig: tlsConfig,
        }
    
        // server.crt and server.key are this service's own certificate and key;
        // the gateway's certificate is only used to verify the client side.
        log.Fatal(server.ListenAndServeTLS("server.crt", "server.key"))
    }
    

    This way, your service will require that all requests provide a certificate and will verify it against the ClientCAs pool. You could, of course, add more certificates to the client pool if desired.

    This answer was chosen by the asker as the best answer.
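The behaviour the answer describes, worked end to end as an added example (this is not code from the question, the answer or AWS): a self-signed certificate stands in for the one API Gateway generates, a test server trusts only that certificate with RequireAndVerifyClientCert, and three clients connect: one holding the trusted certificate, one presenting none, and one presenting a different self-signed certificate. The function and type names (newSelfSignedCert, newMTLSServer, get, Run, Outcome) and the CommonNames are assumptions of this example; httptest supplies the server's own certificate and key, which is the part server.crt/server.key play in the answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedCert returns a self-signed certificate with a fresh P-256 key.
// API Gateway's generated client certificate is also self-signed; this one is
// constructed test material, not a certificate from AWS.
func newSelfSignedCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newMTLSServer starts a TLS test server that trusts exactly one client
// certificate, mirroring the answer's ClientCAs + RequireAndVerifyClientCert.
func newMTLSServer(gateway *x509.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer verified the peer before the handler ran, so this is the gateway's cert.
		fmt.Fprintf(w, "hello, %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientCAs: x509.NewCertPool(), ClientAuth: tls.RequireAndVerifyClientCert}
	srv.TLS.ClientCAs.AddCert(gateway)
	srv.StartTLS()
	return srv
}

// get makes one request to srv, presenting clientCert when non-nil.
// A refused handshake surfaces as an error from the HTTP client.
func get(srv *httptest.Server, clientCert *tls.Certificate) (int, string, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool()}
	cfg.RootCAs.AddCert(srv.Certificate()) // trust the test server's own certificate
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Outcome records what each kind of client experienced.
type Outcome struct {
	GatewayStatus  int    // status seen by the client holding the trusted certificate
	GatewayBody    string // body returned to it
	NoCertRefused  bool   // a client presenting no certificate was refused
	UnknownRefused bool   // a client presenting a different self-signed certificate was refused
}

// Run builds the certificates, starts the server and exercises the three clients.
func Run() (Outcome, error) {
	gateway := newSelfSignedCert("api-gateway-test")
	unknown := newSelfSignedCert("someone-else")
	srv := newMTLSServer(gateway.Leaf)
	defer srv.Close()
	status, body, err := get(srv, &gateway)
	if err != nil {
		return Outcome{}, fmt.Errorf("trusted client: %w", err)
	}
	_, _, errNone := get(srv, nil)
	_, _, errUnknown := get(srv, &unknown)
	return Outcome{GatewayStatus: status, GatewayBody: body, NoCertRefused: errNone != nil, UnknownRefused: errUnknown != nil}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Two points this makes visible that the answer's prose only implies: a self-signed certificate placed in ClientCAs is accepted as its own trust anchor, so the gateway certificate needs no separate CA, and possession of some client certificate is not enough, since the one that does not chain to the pool is refused at the handshake. With the real gateway certificate the pool is built exactly as in the answer, and because API Gateway's generated certificate has a fixed validity period (365 days in the AWS documentation), the service will start refusing the gateway when it lapses unless the pool is updated with the rotated certificate.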
