grpc SSL/TLS
gRPC提供了内置的授权机制(Authorization),也提供接口用于扩展自定义授权验证。gRPC旨在和多种身份验证(Authentication)机制配合使用,可以轻松安全的使用gRPC同其他系统进行通信。
gRPC支持下面几种机制:
- SSL/TLS:gRPC集成了SSL/TLS,并促进使用SSL/TLS对服务进行身份验证,并对客户端和服务端之间交互的所有数据进行加密
- ALTS
- Token-based authentication with Google
同时,也支持扩展自定义认证机制。
如下面一个最基本的Hello grpc程序中, 请求和响应都是明文传输,容易造成敏感信息、伪造篡改等问题。
server.go
package main
import ( "context" "log" "net"
"google.golang.org/grpc" pb "xwxwgo.com/hello-grpc/lib/protos")
type Server struct { pb.UnimplementedHelloServiceServer}
func (s *Server) SayHello(ctx context.Context, req *pb.HelloReq) (*pb.HelloRsp, error) { return &pb.HelloRsp{Reply: req.Greeting}, nil}
func main() { lis, err := net.Listen("tcp", ":8080") if err != nil { log.Fatalf("failed to listen: %v", err) }
server := grpc.NewServer() pb.RegisterHelloServiceServer(server, &Server{}) server.Serve(lis)}client/main.go
package main
import ( "context" "log"
"google.golang.org/grpc" pb "xwxwgo.com/hello-grpc/lib/protos")
func main() { conn, err := grpc.Dial(":8080", grpc.WithInsecure()) if err != nil { log.Fatalf("dail field: %v", err) } defer conn.Close()
client := pb.NewHelloServiceClient(conn) rsp, err := client.SayHello(context.Background(), &pb.HelloReq{Greeting: "Hello grpc"}) if err != nil { log.Fatalf("call server failed: %v", err) } log.Printf("SayHello: %+v", rsp)}通过Wireshark本地gRPC抓包,可以看到请求具体信息:
通过SSL/TLS对服务进行身份认证,可以客户端和服务端之间交互的所有数据进行加密。
2. SSL/TLS认证
Section titled “2. SSL/TLS认证”# 私钥$ openssl ecparam -genkey -name secp384r1 -out server.key
# 自签公钥$ openssl req -new -x509 -sha256 -key server.key -out server.pem -days 3650
You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:Client:
credentials.NewClientTLSFromFile:通过服务端的自签公钥和服务名称,来构造TLS凭证
creds, _ := credentials.NewClientTLSFromFile(certFile, "hello-grpc")conn, _ := grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))// error handling omittedclient := pb.NewHelloServiceClient(conn)// ...Server:
credentials.NewServerTLSFromFile:服务端证书文件和密钥构造 TLS 凭证
creds, _ := credentials.NewServerTLSFromFile(certFile, keyFile)s := grpc.NewServer(grpc.Creds(creds))pb.RegisterHelloServiceServer(s, &server.HelloServer{})lis, _ := net.Listen("tcp", "localhost:50051")// error handling omitteds.Serve(lis)再次进行抓包:
