SpringGateway网关增加https证书验证
文章目录
- 前言
- 一、申请证书
- 二、转换证书
- 2.1 设置强密码
- 2.2 转换成.p12文件
- 三、配置gateway网关
- 四、重启网关
- 五、验证
- 总结
前言
设:
网址:bztc.website
网关地址:bztc.website:10086
一、申请证书
申请证书后,会有如下文件:
bztc.website.crt
bztc.website.key
二、转换证书
转换成bztc.website.p12文件。
2.1 设置强密码
密码尽可能复杂。
openssl rand -base64 16
# 示例输出:fD8tYjW7k3K2mN8zT4w0ZA==
2.2 转换成.p12文件
在服务器上执行:
openssl pkcs12 -export \-in bztc.website.crt \-inkey bztc.website.key \-out bztc.website.p12 \-name bztc.website \-passout pass:fD8tYjW7k3K2mN8zT4w0ZA==
然后当前目录会生成bztc.website.p12文件:
三、配置gateway网关
配置yaml文件:
server:ssl:key-store: /root/bztc-gateway/cert/bztc.website.p12key-store-password: fD8tYjW7k3K2mN8zT4w0ZA==key-store-type: PKCS12
spring:cloud:# 网关配置gateway:# 微服务名称配置discovery:locator:enabled: true # 设置为true 请求路径前可以添加微服务名称(开启微服务发现功能)lower-case-service-id: true # 将请求路径上的服务名配置为小写globalcors:corsConfigurations:'[/**]':allowedOrigins:- "https://bztc.website"allowedMethods:- GET- POSTallowedHeaders:- "*"allowCredentials: true
四、重启网关
五、验证
执行:
openssl s_client -connect bztc.website:10086
会输出如下内容:
CONNECTED(00000003)
depth=3 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=2 C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
verify return:1
depth=0 CN = bztc.website
verify return:1
---
Certificate chain0 s:CN = bztc.websitei:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R361 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R462 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGhTCCBO2gAwIBAgIQDuUsPcCGslpPkloIAE4f3zANBgkqhkiG9w0BAQsFADBg
…………………………………………………………
MxQfDEuUqQf7FuhtEvxdLAW4exUecNZM+eOIMpWs0Jv51w53AL3e+Ts=
-----END CERTIFICATE-----
subject=CN = bztc.websiteissuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5548 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:Protocol : TLSv1.3……………………………………………………………………………………………………………………………………………………………………………………………………00c0 - ef 43 fb cf 65 ff f3 65-c3 4b 67 c9 06 91 1f 6d .C..e..e.Kg....m00d0 - 20 18 4c 1c 1b 20 0d 78-51 c0 ef 01 cc be a0 1f .L.. .xQ.......00e0 - ab 8e b9 20 1b 55 1b 86-80 ea da 73 19 be ee 8c ... .U.....s....Start Time: 1752073620Timeout : 7200 (sec)Verify return code: 0 (ok)Extended master secret: noMax Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:Protocol : TLSv1.3……………………………………………………………………………………………………………………………………………………………………00c0 - e5 d8 24 15 be b7 8d 36-97 fb a5 7f 05 71 65 6c ..$....6.....qel00d0 - 1b 1c ac 1a 2f 93 10 d6-09 c9 a9 d0 09 db 49 25 ..../.........I%00e0 - d6 bc a3 19 6d 39 1e fd-45 42 bf 22 78 ed cd 00 ....m9..EB."x...Start Time: 1752073620Timeout : 7200 (sec)Verify return code: 0 (ok)Extended master secret: noMax Early Data: 0
---
read R BLOCK
最后需保证网关接口可正常访问。
总结
SpringGateway网关增加https证书验证