Spring Cloud Microservices - Eureka Server Security

Problem description

Since Eureka uses http/https protocols to interact with its registrants (clients), you could easily trick the Eureka server by pretending to be one of its clients, posting false/erroneous data to it telling it that a service is down, which eventually results in removal of those services from the registry. This is a very likely scenario in a large system with many users. What are the alternative security/authentication schemes to prevent such an attack?

Recommended answer

If your service discovery is accessible from the outside, you need to add some security to it, and HTTPS will only protect from man-in-the-middle attacks, so it is not enough.

If you use Eureka with the spring cloud starter (@EnableEurekaServer), you could use spring security to protect your server.

For a simple example you could add:

security:
  user:
    name: admin
    password: password

And declare eureka like this on the spring-boot client side:

eureka:
  client:
    serviceUrl:
      defaultZone: http://admin:password@localhost:8002/eureka

You can also use oauth, and all the other security protocols that spring offers.
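
The basic-auth setup described in the answer, as an added example that is not part of the original answer or of the Spring project's code. It assumes Spring Boot 3 with Spring Security 6 on the Eureka server; the class name and the `EUREKA_USER` / `EUREKA_PASSWORD` environment variables are hypothetical. Spring Security enables CSRF protection by default and Eureka clients do not send CSRF tokens, so the registry endpoints are exempted from CSRF while still requiring credentials.

```java
// Added example: names below are hypothetical, not taken from the page.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class EurekaServerSecurityConfig {

    @Bean
    public SecurityFilterChain eurekaFilterChain(HttpSecurity http) throws Exception {
        http
            // Registration, heartbeat, status change and registry reads all need credentials.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Eureka clients send no CSRF token; exempt only the registry API paths.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/eureka/**"))
            // HTTP Basic matches the user:password@host form used in defaultZone.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Credentials come from the environment (assumed variable names) instead of
    // being committed to the configuration file.
    @Bean
    public UserDetailsService eurekaUsers(PasswordEncoder encoder,
            @Value("${EUREKA_USER}") String user,
            @Value("${EUREKA_PASSWORD}") String password) {
        return new InMemoryUserDetailsManager(
            User.withUsername(user)
                .password(encoder.encode(password))
                .roles("EUREKA_CLIENT")
                .build());
    }
}
```

HTTP Basic credentials are only base64-encoded, so the client's `defaultZone` URL should use `https` when this is deployed outside localhost.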
