
On security: data transmission - how to enable DTLE's HTTPS access mode

Author: 刘安

Member of the 爱可生 (ActionTech) test team, mainly responsible for testing the DTLE open-source project; skilled in Python automated test development.

Source: original contribution

* Produced by the 爱可生 open-source community. Original content may not be used without authorization; to reprint, contact the editor and credit the source.


How to enable DTLE's HTTPS access mode

DTLE provides HTTP access by default, but in the course of using DTLE you inevitably submit information such as database usernames, passwords, IPs and ports through the API. If a third party obtained this information, it would be nothing short of a disaster for the database's users. DTLE therefore provides an HTTPS access mode to protect this information.

Enabling DTLE's HTTPS access mode requires an SSL certificate; if the cluster you build needs to offer a trusted service to the outside, you can apply to a certificate authority for one. This article uses a self-generated SSL certificate to demonstrate how to configure DTLE so that HTTPS access takes effect.

1. Download and install DTLE

The version used here is dtle-ce-4.22.01.0. Note: do not start the DTLE service yet.

shell> curl -O "https://github.com/actiontech/dtle/releases/download/v4.22.01.0/dtle-ce-4.22.01.0.x86_64.rpm"
shell> rpm -ivh dtle-ce-4.22.01.0.x86_64.rpm --prefix=/opt/dtle

2. Generate the certificate file and the private key file

# openssl must be installed
shell> yum install openssl -y

shell> cd /opt/dtle/etc/dtle/

# Generate the private key file
shell> openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
........++++++
e is 65537 (0x10001)

# Generate the certificate signing request; at this step you can press Enter at every prompt and leave everything blank
shell> openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Xuhui
Organization Name (eg, company) [Default Company Ltd]:actiontech
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:dtle
Email Address []:852990221@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Generate the certificate file
shell> openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 365
Signature ok
subject=/C=CN/ST=Shanghai/L=Xuhui/O=actiontech/OU=qa/CN=dtle/emailAddress=852990221@qq.com
Getting Private key

shell> ls
consul.hcl  nomad.hcl  server.crt  server.csr  server.key

3. Edit nomad.hcl to point to the certificate file and the private key file

shell> vi nomad.hcl
...
    cert_file_path = "/opt/dtle/etc/dtle/server.crt"
    key_file_path = "/opt/dtle/etc/dtle/server.key"
...

4. Start DTLE

shell> systemctl start dtle-consul dtle-nomad

5. Verify that HTTPS is enabled

# Access over http
shell> curl -X POST "http://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
Client sent an HTTP request to an HTTPS server.

# Access over https; our certificate is not signed by a trusted CA
shell> curl -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

# Access over https, adding the -k flag to skip checking whether the server's SSL certificate is valid
shell> curl -s -k -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}" | jq
{
  "message": "ok",
  "data": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjAzNjcsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.I1XDK7Ar1JLKLWlxWEHX0vCWG07dDqBHieCBmjEVz0E"}
}

shell> curl -s -k -X GET "https://127.0.0.1:8190/v2/nodes" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjA0MjYsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.PoPwOWQF09uaUf6vu0rTPQVpLfF59UIhq-lLBBVhTbc" | jq
{
  "nodes": [
    {
      "node_address": "127.0.0.1",
      "node_name": "nomad0",
      "node_id": "21bd1636-0beb-e4c6-34fd-d35be32414e9",
      "node_status": "ready",
      "node_status_description": "",
      "datacenter": "dc1",
      "nomad_version": "1.1.2",
      "dtle_version": "4.22.01.0-4.22.01.x-952bb3d",
      "leader": true,
      "member": true
    }
  ],
  "message": "ok"
}
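The steps above generate the certificate interactively and then verify the server with `curl -k`, which disables certificate checking altogether and so gives up the server-identity guarantee HTTPS was enabled for. The script below is an added example, not code from the article or from the DTLE project. It produces the same two files non-interactively with a 2048-bit key instead of 1024 (1024-bit RSA is no longer considered adequate), puts both the hostname and 127.0.0.1 into the subjectAltName so that a verifying client reaching `https://127.0.0.1:8190` does not hit the "name might not match" failure curl warns about, checks the result with `openssl`, and logs in with `--cacert server.crt` so curl trusts exactly this certificate and nothing else. The helper names (`gen_dtle_cert`, `check_dtle_cert`, `dtle_login`), the config-file approach and the default values are assumptions of this example; the API path, port and JSON body are the ones shown on the page.

```shell
#!/bin/sh
# Added example (not from the DTLE project): non-interactive self-signed
# certificate for the DTLE API, a sanity check on it, and a pinned curl login.
# Assumed: helper names, 2048-bit default, SAN of DNS:<cn> plus IP:127.0.0.1.

# gen_dtle_cert DIR [CN] [DAYS] [BITS]
# Writes DIR/server.key and DIR/server.crt (the file names nomad.hcl expects).
gen_dtle_cert() {
    dir=$1; cn=${2:-dtle}; days=${3:-365}; bits=${4:-2048}
    mkdir -p "$dir"
    # A config file instead of -addext keeps this working on OpenSSL 1.0.x too.
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
CN = $cn
O = actiontech
[v3_ext]
subjectAltName = DNS:$cn,IP:127.0.0.1
EOF
    # -x509 emits a self-signed certificate directly; no separate CSR step.
    openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
        -config "$dir/san.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    # The private key is the whole secret; keep it readable by the owner only.
    chmod 600 "$dir/server.key"
}

# check_dtle_cert DIR
# Returns 0 only if the certificate verifies against itself as trust anchor,
# is not expired, names 127.0.0.1 in its SAN, and the key is >= 2048 bits.
check_dtle_cert() {
    dir=$1
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'IP Address:127.0.0.1' || return 1
    bits=$(openssl rsa -in "$dir/server.key" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || return 1
}

# dtle_login HOST PORT CERT USER PASS
# Same login call as the article, but --cacert pins the self-signed certificate
# so curl still verifies the server identity (unlike -k, which accepts anything).
# Needs a running DTLE at HOST:PORT, so it is not exercised by the checks below.
dtle_login() {
    host=$1; port=$2; cert=$3; user=$4; pass=$5
    curl -s --cacert "$cert" -X POST "https://$host:$port/v2/loginWithoutVerifyCode" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d "{\"password\": \"$pass\", \"tenant\": \"platform\", \"username\": \"$user\"}"
}

# Usage on a DTLE host:
#   gen_dtle_cert /opt/dtle/etc/dtle && check_dtle_cert /opt/dtle/etc/dtle
#   dtle_login 127.0.0.1 8190 /opt/dtle/etc/dtle/server.crt admin admin | jq
```

Run `gen_dtle_cert` before step 4 (the service must be restarted if the files change), then use `dtle_login` in place of the `-k` variants in step 5. Any other client of the API gets the same treatment: distribute `server.crt` to it and configure it as the trust anchor rather than turning verification off.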

6. Capture packets and inspect what is transmitted

  • Over https, the login information submitted to DTLE is encrypted:

  • Over http, the login information submitted to DTLE is in plaintext:

Conclusion:

If you use DTLE to transfer data in your project, be sure to enable HTTPS access mode to protect your information.
