Kong - verify upstream ssl (ssl_proxy on)


Problem description

I have successfully installed the kong gateway for an API which is load balanced through an upstream to multiple targets (application servers).

Now, I have self-signed certificates on my application servers, and the ssl handshake should fail between kong and the targets. I deduce that kong does not verify upstream certificates.

After some research, I found that the nginx `ssl_proxy on;` configuration is the right one.

I would like to find the equivalent in openresty to verify upstream ssl certificates.

A solution could be to modify the kong nginx configuration to activate ssl_proxy, but this would be crippled when having different targets on the same instance.

Solution


I would have expected you to do it the other way around: Let your backend service verify that Kong has a specific SSL certificate when it contacts your services, so that in effect only Kong can connect to the services, and in consequence, any API clients must go via Kong to connect.

We did that for wicked.haufe.io, with Kong 0.11.0, and you can find a suitable nginx_conf.lua file here: https://github.com/apim-haufe-io/wicked.kong/blob/master/templates/nginx_kong.lua

The interesting bit here is:

proxy_ssl_certificate /root/proxy-cert.pem;
proxy_ssl_certificate_key /root/proxy-key.pem;

Which specifies the certificate and key which nginx uses to do proxying calls to backend services. This is heeded by Kong.

By checking what we did for the Kong docker image for wicked.haufe.io, you should be able to adapt to your own needs; the other interesting bit is startup.sh, where the certificate/key is extracted from environment variables and added to the /root/proxy-...pem files.
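As an added example (not code from the answer or from the wicked.haufe.io templates), here are both halves of the arrangement the answer describes: the Kong/OpenResty proxy block presenting a client certificate to every backend, and a backend nginx server that accepts only connections carrying a certificate signed by a CA it trusts. The upstream-verification lines also cover what the question originally asked for. All file paths and the backend hostname are assumed placeholders.

```nginx
# --- Kong / OpenResty side (added example; directives are from nginx's
# ngx_http_proxy_module). These sit next to the proxy_ssl_certificate lines
# quoted in the answer, inside Kong's generated nginx config.
location / {
    proxy_pass https://backend.internal;          # assumed backend hostname

    # Client certificate and key Kong presents to every backend (paths assumed).
    proxy_ssl_certificate     /root/proxy-cert.pem;
    proxy_ssl_certificate_key /root/proxy-key.pem;

    # Also verify the backend's certificate against a trusted CA: this is the
    # nginx directive that does what the question asked for.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /root/backend-ca.pem;   # assumed path
    proxy_ssl_server_name         on;   # send SNI so the backend picks the right cert
}

# --- Backend service side (plain nginx in front of the application server) ---
server {
    listen 443 ssl;
    server_name backend.internal;                 # assumed hostname

    ssl_certificate     /etc/backend/server-cert.pem;   # assumed paths
    ssl_certificate_key /etc/backend/server-key.pem;

    # Require a client certificate issued by the CA that signed Kong's proxy cert;
    # connections without a valid one are rejected, so only Kong can reach the app.
    ssl_client_certificate /etc/backend/kong-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Hand the verified subject to the application for audit logging.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;   # "SUCCESS" when verified
        proxy_pass http://127.0.0.1:8080;                      # assumed app port
    }
}
```

With ssl_verify_client on, a client that presents no certificate or one not chained to kong-ca.pem is refused by nginx before any request reaches the application.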
