zuul转发https请求及feign到后端服务(https)跳过ssl证书校验

原创 已于 2023-09-02 19:57:27 修改 · 878 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#https #ssl #网络协议

于 2023-08-18 16:54:09 首次发布
本文详细描述了如何在安全需求下,通过NginxDockerfile配置HTTPS,以及如何在Zuul和OkHttp中处理SSL验证,包括自定义SSL信任策略和跳过验证,同时介绍了Nacos的HTTPS配置,确保服务的全链路安全连接。

因为安全要求,需要我们的服务全链路 https

1、web 页面:打包放在nginx里

nginx dockerfile 及配置:

NginxDockerfile:
#NginxDockerfile
FROM nginx
MAINTAINER xxx "xxx@qq.com"
WORKDIR /usr/share/nginx/html/
COPY nginx.conf /etc/nginx/
COPY mime.types /etc/nginx/
COPY default.conf /etc/nginx/conf.d/default.conf
RUN sed -i "s#443#8000#g" /etc/nginx/conf.d/default.conf 
COPY lulu_sit.tar.gz /usr/share/nginx/html
RUN mkdir -p /var/log/nginx && mkdir -p /usr/share/nginx/lulutmp/lulu_sit && tar -xzvf /usr/share/nginx/html/lulu_sit.tar.gz -C /usr/share/nginx/lulutmp/ && mv /usr/share/nginx/lulutmp/lulu_sit/* /usr/share/nginx/html/
RUN chown -R nginx:nginx /usr/share/nginx/html/ && chmod -R 755 /usr/sbin/nginx  && \
        chown -R nginx:nginx /var/cache/nginx && \
        chown -R nginx:nginx /var/log/nginx && \
        chown -R nginx:nginx /etc/nginx/conf.d
RUN touch /var/run/nginx.pid && \
        chown -R nginx:nginx /var/run/nginx.pid
EXPOSE 8000
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["nginx","-c","/etc/nginx/nginx.conf", "-g", "daemon off;"]
nginx 配置:
#nginx.conf
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
}

#default.conf
server {
    listen       443    ssl;
    server_name  xxxxxx;
    client_max_body_size 100m;
    client_header_buffer_size 5120k;
    large_client_header_buffers 16 5120k;
    ssl_certificate      /opt/crt/tls.crt;
    ssl_certificate_key  /opt/crt/tls.key;
    ssl_session_timeout  10m;  
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers   on;
    location / {
        root /usr/share/nginx/html;
        #add_header Cache-Control "no-cache, no-store, must-revalidate";
        #add_header Pragma "no-cache";
        #add_header Expires 0;
        #add_header Set-Cookie 'env=sit;path=/';
        #index  index.html index.htm;
    }
    #location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css|html)$ {
        #禁止缓存,每次都从服务器请求
        #add_header Cache-Control no-store; 
    #}
    location /web/ {
    	#sh-crm-gate是gate的serviceId,可改为ip
        proxy_pass https://sh-crm-gate:8080/web/;
        proxy_connect_timeout 7000;
        proxy_read_timeout 7000;
        charset utf-8;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

2、后端服务:gate(zuul),interface(此处就不多列业务服务了),xxljob(1.7.2版本)

2.1.1、(重点)因为某些原因我们这个版本的架构网关路由使用的是 zuul,zuul 在 router 服务时一般情况下使用的是 httpclient(我们的版本是 org.apache.httpcomponents:httpclient:4.5.13)也就是CloseableHttpClient,可以在启动类或者配置类里面加上下面这块代码覆盖Bean :CloseableHttpClient

//跳过ssl验证
 @Bean
    public CloseableHttpClient getIgnoeSSLClient() throws Exception {
        SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                return true;
            }
        }).build();
        //创建httpClient
        CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).
                setSSLHostnameVerifier(new NoopHostnameVerifier()).build();
        return client;
    }

2.1.2、如果是使用了 okhttp 可以加如下代码

package com.arvato.crm.configuration;

import lombok.extern.slf4j.Slf4j;
import lombok.var;
import okhttp3.ConnectionPool;
import okhttp3.OkHttpClient;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.*;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
@Slf4j
@Configuration
public class OkHttpConfig {

    @Value("${okhttp.connectTimeout:30}")
    private Long connectTimeout;
    @Value("${okhttp.readTimeout:30}")
    private Long readTimeout;
    @Value("${okhttp.writeTimeout:30}")
    private Long writeTimeout;
    @Value("${okhttp.maxConnections:10}")
    private Integer maxConnections;
    @Value("${okhttp.keepAliveDuration:5}")
    private Long keepAliveDuration;

    public static final X509TrustManager IGNORE_SSL_TRUST_MANAGER_X509 = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[] {};
        }
    };

    /**
     * Get initialized SSLContext instance which ignored SSL certification
     *
     * @return
     * @throws NoSuchAlgorithmException
     * @throws KeyManagementException
     */
    public static SSLContext getIgnoreInitedSslContext() throws NoSuchAlgorithmException, KeyManagementException {
        var sslContext = SSLContext.getInstance("SSL");
        sslContext.init(null, new TrustManager[] { IGNORE_SSL_TRUST_MANAGER_X509 }, new SecureRandom());
        return sslContext;
    }

    /**
     * Get HostnameVerifier which ignored SSL certification
     *
     * @return
     */
    public static HostnameVerifier getIgnoreSslHostnameVerifier() {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        };
    }

    @Bean
    public OkHttpClient okHttpClient() throws Exception{
        log.info("okhttp.connectTimeout: {}",connectTimeout);
        log.info("okhttp.readTimeout: {}",readTimeout);
        log.info("okhttp.writeTimeout: {}",writeTimeout);
        log.info("okhttp.maxConnections: {}",maxConnections);
        log.info("okhttp.keepAliveDuration: {}",keepAliveDuration);

        return new OkHttpClient.Builder()
                .connectTimeout(connectTimeout, TimeUnit.SECONDS)
                .readTimeout(readTimeout, TimeUnit.SECONDS)
                .writeTimeout(writeTimeout, TimeUnit.SECONDS)
                .retryOnConnectionFailure(false)
                .connectionPool(new ConnectionPool(maxConnections , keepAliveDuration, TimeUnit.MINUTES))
                .sslSocketFactory(getIgnoreInitedSslContext().getSocketFactory(),IGNORE_SSL_TRUST_MANAGER_X509)
                .hostnameVerifier(getIgnoreSslHostnameVerifier())
                .build();
    }
}

2.2、interface 服务使用 feign调用其他服务时需要配置 feign 跳过 ssl 验证:

2.2.1 feign配置类:
package com.arvato.crm.config;

import feign.Client;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.cloud.netflix.ribbon.SpringClientFactory;
import org.springframework.cloud.openfeign.ribbon.CachingSpringLoadBalancerFactory;
import org.springframework.cloud.openfeign.ribbon.LoadBalancerFeignClient;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;

@Configuration
public class FeignConfiguration {

    @Bean
    public CachingSpringLoadBalancerFactory cachingFactory(SpringClientFactory clientFactory) {
        return new CachingSpringLoadBalancerFactory(clientFactory);
    }

    @Bean
    @ConditionalOnMissingBean
    public Client feignClient(CachingSpringLoadBalancerFactory cachingFactory,
                              SpringClientFactory clientFactory) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("SSL");
        X509TrustManager tm = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                //如果这里后续报空指针,就return new X509Certificate[0]
                return null;
            }
        };
        ctx.init(null, new TrustManager[]{tm}, null);
        return new LoadBalancerFeignClient(new Client.Default(ctx.getSocketFactory(),
                (hostname, session) -> true),
                cachingFactory, clientFactory);
    }
}
2.2.2:feignclient配置参考:
@FeignClient(name = "sh-crm-gate",url = "https://sh-crm-gate:8080",configuration = FeignConfiguration.class)

2.3、因为使用的 xxljob版本过低,xxljob里的CloseableHttpClient 并没有设置跳过 ssl 校验(高版本已经没有AdminApiUtil这个类了,而且新的类(好像是 xxljobUtil)已经做了跳过ssl校验),所以需要覆盖 xxljob 的类:AdminApiUtil.java,直接复制到我们的项目里,包名路径保持和 xxljob 里的一样,只需要修改callapi 方法里的CloseableHttpClient即可,代码如下

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                return true;
            }
        }).build();
        //创建httpClient
        CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).
                setSSLHostnameVerifier(new NoopHostnameVerifier()).build();

3.注册中心是使用的 nacos

nacos https配置(重点):

#例如gate服务 注册为 https 的服务
spring:
    application:
        name: sh-crm-gate
    cloud:
      nacos:
        discovery:
          secure: true
        service:
          secure: true
server:
    port: 8080
    tomcat:
        uri-encoding: UTF-8
        max-threads: 5000
        max-connections: 50000
  #ssl配置
    ssl:
      enabled: true
      key-store: /opt/xxx.p12
      key-store-password: xxxxxxx
      key-alias: xxxxxx
      key-store-type: PKCS12

GateDockerfile

FROM alpine:3.17.1
RUN sed -i -e 's|dl-cdn.alpinelinux.org|mirrors.aliyun.com|g' /etc/apk/repositories
RUN apk add openjdk8 curl jq
RUN apk upgrade && apk add tzdata
WORKDIR /build
#设置时区
RUN cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo 'Asia/Shanghai' >/etc/timezone \
    && mkdir config
EXPOSE 8080
RUN addgroup -g 5000 -S lululemonapp \
    && adduser -h /home/lululemonapp lululemonapp  -D -G lululemonapp -u 5000 -s /bin/sh \
    && chown -R lululemonapp:lululemonapp /opt \
    && chown -R lululemonapp:lululemonapp /build \
    && chown -R lululemonapp:lululemonapp /mnt
USER lululemonapp
COPY gate.* /build
COPY gate_server.jar /build
COPY GateDockerfile /build
COPY saml-pub-key /build
#启动脚本
CMD sh gate.sh

gate.sh

#!/bin/bash
cat /vault/secrets/config.json > config/gate.json
grep db_pwd  -rl config/ | xargs sed -i "s/db_pwd/spring.datasource.password/g"
grep 'redis_pwd'  -rl config/ | xargs sed -i 's/redis_pwd/spring.redis.password/g'
grep rabbit_pwd  -rl config/ | xargs sed -i "s/rabbit_pwd/spring.rabbitmq.password/g"
config=$(cat config/gate.json)
echo "service starting................"
java  -Dspring.application.json="$config"  -jar "gate_server.jar" --spring.config.location=/opt/bootstrap.yml
carlos_ch
关注
Spring Cloud 微服务开发:入门、进阶与源码剖析 —— 7.2 技术实战
极客挖掘机
02-04 2082
7.2 技术实战 7.2.1 数据访问层 工程ch7_1_data_service,项目依赖pom.xml如下: 代码清单:ch7_1/ch7_1_data_service/pom.xml <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xml...
最核心的逻辑来了:RibbonRoutingFilter是如何将请求转发服务
zjuwzp的博客
06-28 4307
1.RibbonRoutingFilter类 @Override public Object run() { RequestContext context = RequestContext.getCurrentContext(); this.helper.addIgnoredHeaders(); try { RibbonCommandContext commandContext = bu...
Feign绕过SSL验证的方案,Feign调用https接口,亲测可用,引入包非常少,非常简单
weixin_36007745的博客
08-10 2356
代码】Feign绕过SSL验证的方案,Feign调用https接口,亲测可用,引入包非常少,非常简单。
http网关/转发 - spring boot zuul方案
lanse_huanxiang的专栏
06-15 877
过滤器功能可选- 如果不需要过滤啥操作, 可以不添加,服务正常转发@Component@Override@Overridereturn 0;@Override@Overriderc.setResponseBody("{status:401, message:\"未登录\"}");
spring cloud zuul 配置https
chuixihan7083的博客
02-14 503
1.获取阿里云免费证书:阿里云免费证书藏得比较深,要按套路出牌才能找到: 进入阿里云证书购买界面:选择品牌-Symantec,证书类型选择-增强型 OV SSL,就会出现以下界面,然后点击购买绑定域名下载即可: 2.配置SSL: 将*.pfx 文件放到项目得resources目录下,...
Feign-跳过SSL验证的方案
qq_42582773的博客
08-17 1555
Feign:跳过SSL验证的方案
服务入门(Nacos,Feign,网关Zuul
weixin_45773628的博客
08-02 3051
日志级别尽量用basic使用HttpClient或OKHttp代替URLConnection引入feign-httpClient依赖配置文件开启httpClient功能,设置连接池参数。
API网关Zuul配置详解(这一篇就够了)
skh2015java的博客
09-06 4921
zuul常用配置 主机相关配置 配置项 说明 默认值 zuul.host.connect-timeout-millis 连接主机的超时时间,默认单位ms 2000 zuul.host.max-per-route-connections 每个路由的连接数 20 zuul.host.max-total-connections 总连接数 200 zuul.host.connection-request-timeout-millis 连接请求
Gateway-Feign-Nacos-Ribbon-Sentinal
weixin_73241486的博客
04-04 621
Feign 是一个声明web服务客户端,这使得编写web服务客户端更容易他将我们需要调用的服务方法定义成抽象方法保存在本地就可以了, 不需要自己构建Http请求了,直接调用接口就行了, 调用方法要和本地抽象方法的映射路径 , 参数和返回类型一致。一个服务可以有多个实例 , 假如这些实例分布于全国各地的不同机房 ,Nacos就将同一机房内的实例 划分为一个集群 , 一个服务可以包含多个集群,形成分级模型配置 discovery: cluster-name: HZ # 集群名称即可实现。
Spring Cloud 学习笔记(2 3)
m0_67392811的博客
07-28 630
大神结论MartinFowler的相关论文熔断类型熔断打开请求不再进行调用当前服务,内部设置时钟一般为MTTR(平均故障处理时间),当打开时长达到所设时钟则进入半熔断状态。熔断关闭熔断关闭不会对服务进行熔断。熔断半开部分请求根据规则调用当前服务,如果请求成功且符合规则则认为当前服务恢复正常,关闭熔断。官网断路器流程图官网步骤link断路器在什么情况下开始起作用//=====服务熔断快照时间窗请求总数阀值在快照时间窗内,必须满足请求总数阀值才有资格熔断。错误百分比阀值1。...
Feign 发送https请求跳过证书认证
ShineupUP的博客
04-21 966
Feign 发送https请求跳过证书认证。
Java feign使用okhttp跳过https安全校验
欢迎阅读程序猿小张的博客~
07-20 944
Java feign使用okhttp跳过https安全校验
zuul路由网关集成ssl,实现http到https的转变
weixin_42060512的博客
02-25 933
1 前言   最近几天刚开始接触微信小程序的开发,才接触到了https的概念(微信小程序中的请求必须为https请求,不然请求无法成功)。https算是对http的安全封装,在http的基础上加了ssl证书机制,此处不赘述,想要详细了解自行百度区别。所以博主就在考虑怎么让整个小程序后台(用的spring boot来作为后台)都能通过https访问,终于经过两天的研究,我发现了将ssl结合sprin...
解决Feign HTTPS远程调用绕过SSL证书验证
编程神经元的博客
06-02 5370
最近小编在做一个项目的时候,使用了feginClient作为一个http请求工具,用来调用第三方接口,但是由于第三方接口是https开头,导致我调用的时候,程序需要ssl认证,在网上搜了很多文章也没有找到解决办法,最终在有一位作者给出了解决办法,绕过https认证。下面给出解决方案 源文档链接:https://blog.youkuaiyun.com/Chipslyc/article/details/98851831, 贴出代码 import feign.Client; import org.springfram
OpenFegin跳过SSL验证
MaoSLv的博客
02-01 715
OpenFegin跳过SSL验证
zuul开启https
xwnxwn的专栏
04-07 544
springboot项目jar包方式启动通用   1.证书放入资源文件夹      2.server添加 ssl配置    踩坑点: key-store: classpath后面的冒号需要紧跟着classpath,不能有空格。
Feign调用https接口忽略证书,禁用SSL证书验证
weixin_43959505的博客
07-26 3232
Feign调用https接口忽略证书,禁用SSL证书验证
Feign 绕过https安全认证
kaili_0230的博客
07-28 1287
Fegin 配置绕过安全认证 import feign.Client; import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.TrustAllStrategy; import org.apache.http.ssl.SSLContexts; import org.springframework.context.annotation.Bean; import org.springframewo
Openfeign和okHttp的https请求忽略ssl证书认证
thekenofDIS的专栏
01-23 2302
因为我调用的接口是https接口。要么就导入证书,要么就忽略证书验证。okhttpclent忽略。
zuul 同时转发请求到另一个服务器 实现方式
最新发布
05-23
Zuul 是一种常用的微服务网关工具,能够将客户端的请求路由至不同的后端服务。然而,默认情况下,Zuul 的设计是一个请求只会被转发到一个目标服务。为了实现将同一个请求同时转发到多个服务器的功能,可以通过自定义...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值