dongzhong8691
2018-11-30 08:30
Views: 311
Accepted

TLS for a GRPC service written in Golang running behind Nginx

I have a flutter app (dart based) and a GoLang server, using GRPC.

I wanted to secure it, so I tried setting up Nginx with certbot (I'm new at this), but the bot requires a challenge where it connects to the web service (for the domain) for an HTTP response, which my service doesn't give. It is possible to run both GRPC and HTTP server on the same port, but I couldn't understand how to set up Nginx for that.

Then I tried setting up TLS for my service itself using autocert, but doing that with acme requires the same web service response, and without that I have to give manual certificates and skip insecure verify, which isn't available in dart for now (only two options are available: secure and insecure). And testing autocert locally doesn't help either, as it doesn't even create local certs (at least for me).

I also read about a DNS challenge which requires a DNS TXT record, but I'm not sure if it'll ask me to put up a new TXT record on every renewal.

Anyway, I'm mostly confused as to how to move forwards with this. I connect with GRPC to actual mobile apps and haven't found many tutorials or questions regarding this anywhere. My GoLang server also interacts with other internal micro-services, so making it TLS supported would also mean redeploying all other services with secure flag enabled.

Any help regarding what I should do to secure my GRPC connection to apps would be amazing!

Relevant docs:

Apologies if this is a stupid question, but I've been stuck on this for a week.


1 answer

  • doudou3213 2019-05-06 09:41
    Accepted

    Just posting what I ended up doing for my setup. Nginx does support GRPC with version 1.3.10+ but requires a lot of manual work and a cron job to auto renew certificates, and it lacked documentation for a how-to.

    I ended up using Traefik instead; I've documented the whole process and why I chose Traefik in a blog post here

    In short, Traefik allowed for a simpler setup and very detailed GRPC documentation to get started. Another plus was that it runs inside Docker itself, so I could easily test on my Mac the same version I'd deploy on the servers. It provided auto cert renewal out of the box, and with a DNS challenge I could easily verify the domains.

    Sample TOML file for TLS termination at the reverse proxy end, for GRPC and normal REST services, supporting http (for older apps) & https.

    defaultEntryPoints = ["http", "https"]
    logLevel = "INFO"
    [traefikLog]
    [accessLog]
      filePath = "/var/log/access.log"
      format = "json"
    [entryPoints]
      [entryPoints.http]
        address = ":80"
      [entryPoints.https]
        address = ":443"
        [entryPoints.https.tls]
    [api]
    [file]
    [acme]
      email = "admin@example.com"
      storage = "acme.json"
      entryPoint = "https"
      acmeLogging = true
      [acme.dnsChallenge]
        provider = "gcloud"
      [[acme.domains]]
        main = "*.example.com"
        sans = ["www.example.com"]
    [backends]
      [backends.foo]
        [backends.foo.servers.server1]
          # h2c: plaintext HTTP/2 to the gRPC service, TLS is already terminated by Traefik
          url = "h2c://127.0.0.1:3000"
      [backends.bar]
        [backends.bar.servers.server1]
          url = "http://127.0.0.1:3001"
    [frontends]
      [frontends.foo]
        backend = "foo"
        # frontend options must precede the routes table, otherwise TOML assigns them to the route
        passHostHeader = true
        passTLSCert = false
        [frontends.foo.routes.server1]
          rule = "Host:foo.example.com"
      [frontends.bar]
        backend = "bar"
        passHostHeader = true
        passTLSCert = false
        [frontends.bar.routes.server1]
          rule = "Host:bar.example.com"

    Only issue was figuring out the Google Cloud settings for the provider (dnsChallenge), which are quite hard to find and set up if doing it for the first time! Read more about configuring traefik with GRPC here
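    A check worth running against a TLS-terminating setup like the one above, added here as an example that is not part of the answer or of Traefik: it dials the edge exactly as the mobile gRPC client must, verifying the certificate chain for the hostname (no InsecureSkipVerify, which Dart cannot do anyway) and requesting HTTP/2 via ALPN, because gRPC only works when the proxy negotiates "h2"; it also returns the leaf expiry so a failed ACME renewal is noticed before clients break. `CheckEdge`, `StartStubEdge` (a constructed stand-in for the proxy) and the host `foo.example.com` from the config are assumptions for this example; in practice point `CheckEdge` at the real proxy with `nil` roots to use the system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// CheckEdge dials the TLS-terminating proxy the way a gRPC client would: the
// chain is verified against roots for serverName (nil roots = system store) and
// "h2" is requested via ALPN, since gRPC only runs over HTTP/2. grpcOK is false
// when TLS itself works but the proxy never offers h2.
func CheckEdge(addr, serverName string, roots *x509.CertPool) (proto string, notAfter time.Time, grpcOK bool, err error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots,
		NextProtos: []string{"h2"}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", time.Time{}, false, err // untrusted chain, wrong host, or no TLS at all
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.NegotiatedProtocol, st.PeerCertificates[0].NotAfter, st.NegotiatedProtocol == "h2", nil
}

// StartStubEdge is a constructed stand-in for Traefik: a self-signed cert for host on a
// loopback port, offering the given ALPN protocols (nil = none); returns addr, roots, stop.
func StartStubEdge(host string, protos []string) (string, *x509.CertPool, func(), error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixed inputs, errors not expected
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{NextProtos: protos,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return "", nil, nil, err
	}
	go func() { // accept, finish the handshake, hang up: enough for CheckEdge
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }, nil
}
```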
