introduce

With a full example of TLS/SSL enabled in the GOgf/GF framework, I’m what we call HTTPS.

We will use RK-boot to start the GoGF/GF microservice.

Please visit the following address for the full tutorial:

• rkdocs.netlify.app/cn

Generate the Self – Signed Certificate

Users can purchase certificates from major cloud vendors or create custom certificates using CFSSL.

We show you how to generate certificates locally.

1. Download the CFSSL & cfssljson command lines

The rK command line is recommended.

$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson
Copy the code

Official website to download

$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson
Copy the code

2. Generate the CA

$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
Copy the code

Modify ca-config.json and ca-csr.json as required.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
Copy the code

3. Generate a server certificate

Server. CSR, server. Pem and server-key.pem will be generated.

$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www ca-csr.json | cfssljson -bare server
Copy the code

The installation

go get github.com/rookie-ninja/rk-boot/gf
Copy the code

Quick start

Rk-boot allows the GOGF/GF service to obtain certificates in the following ways.

• Local file system
• Remote file system
• Consul
• ETCD

Let’s start by looking at how to get the certificate locally and start it.

1. Create the boot. Yaml

In this example, we only start the server’s certificate. Locale is used to distinguish cert control in different environments.

Please refer to the previous article for details:

---
cert:
  - name: "local-cert"                     # Required
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: * : : : : : : "*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS
Copy the code

2. Create a main. Go

// Copyright (c) 2021 rookie-ninja
//
// Use of this source code is governed by an Apache-style
// license that can be found in the LICENSE file.

package main

import (
	"context"
	"github.com/gogf/gf/v2/net/ghttp"
	"github.com/rookie-ninja/rk-boot"
	"github.com/rookie-ninja/rk-boot/gf"
	"net/http"
)

// @title Swagger Example API
/ / @ version 1.0
// @description This is a sample rk-demo server.
// @termsOfService http://swagger.io/terms/

// @securityDefinitions.basic BasicAuth

// @contact.name API Support
// @contact.url http://www.swagger.io/support
// @contact.email [email protected]

/ / @ license. Name the Apache 2.0
/ / @ license. The url http://www.apache.org/licenses/LICENSE-2.0.html
func main(a) {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Register handler
	entry := rkbootgf.GetGfEntry("greeter")
	entry.Server.BindHandler("/v1/hello", hello)

	// Bootstrap
	boot.Bootstrap(context.TODO())

	boot.WaitForShutdownSig(context.TODO())
}

// @Summary Hello
// @Id 1
// @Tags Hello
/ / @ version 1.0
// @produce application/json
// @Success 200 string string
// @Router /v1/hello [get]
func hello(ctx *ghttp.Request) {
	ctx.Response.WriteHeader(http.StatusOK)
	ctx.Response.WriteJson(map[string]string{
		"message": "hello!"})},Copy the code

3. Folder structure

. ├ ─ ─ the boot. Yaml ├ ─ ─ cert │ ├ ─ ─ server - key. Pem │ └ ─ ─ for server pem ├ ─ ─. Mod ├ ─ ─. Sum └ ─ ─ main. Go 1 directory, 6 filesCopy the code

4. Start the main. Go

$ go run main.go
Copy the code

5. Verify

$ curl -X GET --insecure https://localhost:8080/v1/hello{"message":"hello!" }Copy the code

architecture

Parameter is introduced

1. Read the certificate from the local PC

Configuration items	details	Need to be	The default value
cert.localFs.name	Name of the local file system getter	is	“”
cert.localFs.locale	Comply with the locale: < realm > : < region > : : < az > : : < domain >	is	“”
cert.localFs.serverCertPath	Server Certificate Path	no	“”
cert.localFs.serverKeyPath	Path of the server certificate key	no	“”
cert.localFs.clientCertPath	Path of the client certificate	no	“”
cert.localFs.clientCertPath	Path of the client certificate key	no	“”

• example

---
cert:
  - name: "local-cert"                     # Required
    description: "Description of entry"    # Optional
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: * : : : : : : "*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS
Copy the code

2. Read the certificate from the remote file service

Configuration items	details	Need to be	The default value
cert.remoteFs.name	Name of the remote file service getter	is	“”
cert.remoteFs.locale	Comply with locale :< realm>::<region>::<az>::<domain>	is	“”
cert.remoteFs.endpoint	Remote Address:http://x.x.x.xOr X.X.X.X	is	N/A
cert.remoteFs.basicAuth	Basic auth:user:pass.	no	“”
cert.remoteFs.serverCertPath	Server Certificate Path	no	“”
cert.remoteFs.serverKeyPath	Path of the server certificate key	no	“”
cert.remoteFs.clientCertPath	Path of the client certificate	no	“”
cert.remoteFs.clientCertPath	Path of the client certificate key	no	“”

• example

---
cert:
  - name: "remote-cert"                    # Required
    description: "Description of entry"    # Optional
    provider: "remoteFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"             # Required, both http://x.x.x.x or x.x.x.x are acceptable
    locale: * : : : : : : "*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                   # Enable grpc TLS
Copy the code

3. Obtain the certificate from Consul

Configuration items	details	Need to be	The default value
cert.consul.name	Consul Specifies the Consul name	is	“”
cert.consul.locale	Comply with the locale: < realm > : < region > : : < az > : : < domain >	is	“”
cert.consul.endpoint	The Consul address:http://x.x.x.x or x.x.x.x	is	N/A
cert.consul.datacenter	Consul Data Center	is	“”
cert.consul.token	Consul access key	no	“”
cert.consul.basicAuth	Consul Basic Auth, format:user:pass.	no	“”
cert.consul.serverCertPath	Server Certificate Path	no	“”
cert.consul.serverKeyPath	Path of the server certificate key	no	“”
cert.consul.clientCertPath	Path of the server certificate key	no	“”
cert.consul.clientCertPath	Path of the server certificate key	no	“”

• example

---
cert:
  - name: "consul-cert"                    # Required
    provider: "consul"                     # Required, etcd, consul, localFS, remoteFs are supported options
    description: "Description of entry"    # Optional
    locale: * : : : : : : "*"                   # Required, ""
    endpoint: "localhost:8500"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    datacenter: "dc1"                      # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"           # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in consul
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                   # Enable grpc TLS
Copy the code

4. Read the certificate from the ETCD

Configuration items	details	Need to be	The default value
cert.etcd.name	ETCD getter name	is	“”
cert.etcd.locale	Comply with the locale: < realm > : < region > : : < az > : : < domain >	is	“”
cert.etcd.endpoint	ETCD address:http://x.x.x.x or x.x.x.x	is	N/A
cert.etcd.basicAuth	ETCD Basic Authuser:pass.	no	“”
cert.etcd.serverCertPath	Server Certificate Path	no	“”
cert.etcd.serverKeyPath	Server Certificate Path	no	“”
cert.etcd.clientCertPath	Path of the client certificate	no	“”
cert.etcd.clientCertPath	Path of the client certificate key	no	“”

• example

---
cert:
  - name: "etcd-cert"                      # Required
    description: "Description of entry"    # Optional
    provider: "etcd"                       # Required, etcd, consul, localFs, remoteFs are supported options
    locale: * : : : : : : "*"                   # Required, default: ""
    endpoint: "localhost:2379"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    serverCertPath: "server.pem"           # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in etcd
gf:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                   # Enable grpc TLS
Copy the code