[grpc]使用mTLS加密认证

前言

假设gRPC服务端的主机名为qw.er.com，需要为gRPC服务端和客户端之间的通信配置tls双向认证加密。

生成证书

1. 生成ca根证书。生成过程会要求填写密码、CN、ON、OU等信息，记住密码。

openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -subj "/CN=qw.er.com" -days 365

2. 新建并编辑文件openssl.cnf文件。req_distinguished_name中内容按需填写，DNS.1要替换成实际域名。

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Anhui
localityName = Hefei
organizationName = zhangsan
commonName = qw.er.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = qw.er.com

3. 生成服务端证书

openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=qw.er.com" -config openssl.cnf

# 提示输入ca私钥的密码
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extensions v3_req -extfile openssl.cnf

3. 生成客户端证书

openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=qw.er.com" -config openssl.cnf

# 提示输入ca私钥的密码
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extensions v3_req -extfile openssl.cnf

proto示例

用的还是入门级的helloworld

syntax = "proto3";   // protocol buffers版本
option go_package = "./;proto";   // 生成的Go代码将被放在当前目录，并使用proto作为包名称

// 定义grpc服务的接口。服务就是一组可被远程调用的方法
service Greeter {
	// 定义远程调用方法
    rpc SayHello (HelloRequest) returns (HelloReply);
}

// 定义消息格式和消息类型
message HelloRequest {
    string name = 1; // 1 是二进制格式中的字段编号, 应该唯一
}

message HelloReply {
    string message = 1;
}

生成go代码：

protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative hello.proto

服务端代码示例

如果需要客户端和服务端直接通信，可以参考以下示例代码。

package main

import (
	pb "grpcs/proto"
	"context"
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"log"
	"net"
	"os"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

var (
	port    = flag.Int("port", 8010, "the server port")
	crtFile = flag.String("crt", "server.crt", "the server crt file")
	keyFile = flag.String("key", "server.key", "the server key file")
	caFile  = flag.String("ca", "ca.crt", "the server ca file")
)

type server struct{
	pb.UnimplementedGreeterServer
}

func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
	log.Printf("Received: %v", in.GetName())
	return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
}

func main() {
	flag.Parse()

	// 通过服务端的证书和密钥直接创建X.509密钥对
	certificate, err := tls.LoadX509KeyPair(*crtFile, *keyFile)
	if err != nil {
		log.Fatalf("Failed to load key pair: %v", err)
	}

	// 通过CA创建证书池
	certPool := x509.NewCertPool()
	ca, err := os.ReadFile(*caFile)
	if err != nil {
		log.Fatalf("Failed to read ca: %v", err)
	}

	// 将来自CA的客户端证书附加到证书池
	if ok := certPool.AppendCertsFromPEM(ca); !ok {
		log.Fatalf("Failed to append ca certificate")
	}

	opts := []grpc.ServerOption{
		grpc.Creds( // 为所有传入的连接启用TLS
			credentials.NewTLS(&tls.Config{
				ClientAuth: tls.RequireAndVerifyClientCert,
				Certificates: []tls.Certificate{certificate},
				ClientCAs: certPool,
			},
		)),
	}

	listen, err := net.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", *port))
	if err != nil {
		log.Fatalf("failed to listen %d port", *port)
	}
	// 通过传入的TLS服务器凭证创建新的gRPC服务实例
	s := grpc.NewServer(opts...)
	pb.RegisterGreeterServer(s, &server{})
	log.Printf("server listening at %v", listen.Addr())
	if err := s.Serve(listen); err != nil {
		log.Fatalf("Failed to serve: %v", err)
	}
}

运行：

go build -o server.bin
./server.bin -ca ca.crt -crt server.crt -key server.key -port 8010

客户端代码示例

package main

import (
	pb "grpcc/proto"
	"context"
	"crypto/tls"
	"crypto/x509"
	"flag"
	"log"
	"os"
	"time"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

var (
	addr     = flag.String("addr", "qw.er.com:8010", "server address")
	hostname = flag.String("host", "qw.er.com", "server hostname")
	crtFile  = flag.String("crt", "client.crt", "client crt file")
	keyFile  = flag.String("key", "client.key", "client key file")
	caFile   = flag.String("ca", "ca.crt", "ca file")
	name = flag.String("n", "zhangsan", "name")
)

func main() {
	flag.Parse()

	certificate, err := tls.LoadX509KeyPair(*crtFile, *keyFile)
	if err != nil {
		log.Fatalf("Failed to load client key pair, %v", err)
	}

	certPool := x509.NewCertPool()
	ca, err := os.ReadFile(*caFile)
	if err != nil {
		log.Fatalf("Failed to read %s, error: %v", *caFile, err)
	}

	if ok := certPool.AppendCertsFromPEM(ca); !ok {
		log.Fatalf("Failed to append ca certs")
	}

	opts := []grpc.DialOption{
		grpc.WithTransportCredentials(credentials.NewTLS(
			&tls.Config{
				ServerName:   *hostname,
				Certificates: []tls.Certificate{certificate},
				RootCAs:      certPool,
			})),
	}

	// conn, err := grpc.Dial(*addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
	conn, err := grpc.Dial(*addr, opts...)
	if err != nil {
		log.Fatalf("Connect to %s failed", *addr)
	}
	defer conn.Close()

	client := pb.NewGreeterClient(conn)
	// 创建带有超时时间的上下文, cancel可以取消上下文
	ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
	defer cancel()

	// 业务代码处理部分 ...
	r, err := client.SayHello(ctx, &pb.HelloRequest{Name: *name})
	if err != nil {
		log.Printf("Failed to greet, error: %v", err)
	} else {
		log.Printf("Greeting: %v",r.GetMessage())
	}
}

运行：

go build -o client.bin
./client.bin -addr qw.er.com:8010 -host qw.er.com -ca ca.crt -crt client.crt -key client.key -name 'lisi'

nginx代理

某些场景下服务端和客户端无法直接通信，需要在中间加个nginx反向代理服务端。目前个人方案是客户端与nginx之间为https双向加密通信，nginx与服务端之间为http普通通信。

客户端代码无需改动，服务端就是去掉tls相关配置，示例：

package main

import (
	"context"
	"flag"
	"fmt"
	"log"
	"net"

	pb "grpcs/proto"

	"google.golang.org/grpc"
)

var (
	port = flag.Int("port", 8010, "The server port")
)

// server is used to implement hello.GreeterServer.
type server struct {
	pb.UnimplementedGreeterServer
}

// SayHello 实现 proto 中的 service Greeter
func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
	log.Printf("Received: %v", in.GetName())
	return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
}

func main() {
	flag.Parse()
	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", *port))
	if err != nil {
		log.Fatalf("failed to listen: %v", err)
	}
	s := grpc.NewServer()
	pb.RegisterGreeterServer(s, &server{})
	log.Printf("server listening at %v", lis.Addr())
	if err := s.Serve(lis); err != nil {
		log.Fatalf("failed to serve: %v", err)
	}
}

tls证书配到nginx：

server {
    listen       80 ssl http2;
    server_name  qw.er.com;

	# 证书文件路径
    ssl_certificate /home/admin/apps/openresty/nginx/certs/qwer/server.crt;
    ssl_certificate_key /home/admin/apps/openresty/nginx/certs/qwer/server.key;
    # 验证客户端证书
    ssl_verify_client on;
    ssl_client_certificate /home/admin/apps/openresty/nginx/certs/qwer/ca.crt;

	# 反向代理服务端
    location / {
        grpc_pass grpc://192.168.1.111:8010;
    }
}