Author: Liu An
Member of the ActionTech test team, mainly responsible for testing the DTLE open-source project; skilled in Python automated test development.
Source: original contribution
*Produced by the ActionTech open-source community. Original content may not be used without authorization; for reposting, please contact the editor and credit the source.
How to enable HTTPS access mode in DTLE
DTLE provides HTTP access by default, but when using DTLE you inevitably have to submit information such as database usernames, passwords, IPs and ports through its API. If a third party obtained this information, it would be little short of a disaster for the database's users. DTLE therefore also provides an HTTPS access mode to protect this information.
Enabling DTLE's HTTPS access mode requires an SSL certificate. If the cluster you set up needs to offer a trusted service externally, you can apply for one from a certificate authority. This article uses a self-generated SSL certificate to demonstrate how to configure DTLE so that HTTPS access mode takes effect.
1. Download and install DTLE
The version used here is dtle-ce-4.22.01.0. Note: do not start the DTLE service yet.
shell> curl -O "https://github.com/actiontech/dtle/releases/download/v4.22.01.0/dtle-ce-4.22.01.0.x86_64.rpm"
shell> rpm -ivh dtle-ce-4.22.01.0.x86_64.rpm --prefix=/opt/dtle
2. Generate the certificate file and private key file
# openssl must be installed
shell> yum install openssl -y
shell> cd /opt/dtle/etc/dtle/
# generate the private key file
shell> openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
........++++++
e is 65537 (0x10001)
# generate the certificate signing request; you can press Enter at every prompt without entering anything
shell> openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Xuhui
Organization Name (eg, company) [Default Company Ltd]:actiontech
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:dtle
Email Address []:852990221@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# generate the certificate file
shell> openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 365
Signature ok
subject=/C=CN/ST=Shanghai/L=Xuhui/O=actiontech/OU=qa/CN=dtle/emailAddress=852990221@qq.com
Getting Private key
shell> ls
consul.hcl  nomad.hcl  server.crt  server.csr  server.key
3. Edit nomad.hcl to configure the certificate file and private key file
shell> vi nomad.hcl
...
cert_file_path = "/opt/dtle/etc/dtle/server.crt"
key_file_path = "/opt/dtle/etc/dtle/server.key"
...
4. Start DTLE
shell> systemctl start dtle-consul dtle-nomad
5. Verify that HTTPS was enabled successfully
# access over http
shell> curl -X POST "http://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
Client sent an HTTP request to an HTTPS server.
# access over https, but our certificate is not signed by a CA
shell> curl -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
# access over https, adding -k to skip checking whether the server's SSL certificate is valid
shell> curl -s -k -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}" | jq
{
  "message": "ok",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjAzNjcsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.I1XDK7Ar1JLKLWlxWEHX0vCWG07dDqBHieCBmjEVz0E"
  }
}
shell> curl -s -k -X GET "https://127.0.0.1:8190/v2/nodes" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjA0MjYsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.PoPwOWQF09uaUf6vu0rTPQVpLfF59UIhq-lLBBVhTbc" | jq
{
  "nodes": [
    {
      "node_address": "127.0.0.1",
      "node_name": "nomad0",
      "node_id": "21bd1636-0beb-e4c6-34fd-d35be32414e9",
      "node_status": "ready",
      "node_status_description": "",
      "datacenter": "dc1",
      "nomad_version": "1.1.2",
      "dtle_version": "4.22.01.0-4.22.01.x-952bb3d",
      "leader": true,
      "member": true
    }
  ],
  "message": "ok"
}
6. Capture packets to inspect the transmitted data
- Over https, the information submitted when logging in to DTLE is encrypted:
- Over http, the information submitted when logging in to DTLE is in plaintext:
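The `-k` used in step 5 turns certificate verification off, so the connection is protected against eavesdropping but not against a server impersonating DTLE. As an added example (not code from the article or the DTLE project), the following Python client logs in over HTTPS while verifying the server against the self-signed server.crt from step 2, then decodes the claims of the returned token; it assumes the paths and the 127.0.0.1:8190 endpoint shown above, and, because the certificate names only CN=dtle with no SAN, it connects to 127.0.0.1 but checks the certificate against the name "dtle", the same effect as curl's --resolve option.

```python
"""Log in to DTLE over HTTPS with certificate verification kept on.

Added example, not DTLE project code. Assumes the self-signed
server.crt from step 2 and the 127.0.0.1:8190 API used in the article.
"""
import base64
import http.client
import json
import socket
import ssl

CA_FILE = "/opt/dtle/etc/dtle/server.crt"      # self-signed cert from step 2
HOST, PORT = "127.0.0.1", 8190                 # API endpoint used in the article
CERT_NAME = "dtle"                             # CN in the certificate (no SAN)


def pinned_context(cafile: str) -> ssl.SSLContext:
    """Trust only the given certificate, with hostname checking (no curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def login(ctx: ssl.SSLContext, user: str, password: str, tenant: str = "platform") -> str:
    """POST /v2/loginWithoutVerifyCode over the verified TLS socket; return the token."""
    raw = socket.create_connection((HOST, PORT), timeout=10)
    # Connect to the IP but verify the certificate against the name it carries.
    tls = ctx.wrap_socket(raw, server_hostname=CERT_NAME)
    conn = http.client.HTTPConnection(CERT_NAME, PORT)
    conn.sock = tls  # pre-set socket: HTTPConnection skips its own connect()
    body = json.dumps({"username": user, "password": password, "tenant": tenant})
    conn.request("POST", "/v2/loginWithoutVerifyCode", body,
                 {"accept": "application/json", "Content-Type": "application/json"})
    resp = json.loads(conn.getresponse().read())
    conn.close()
    return resp["data"]["token"]


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload. It is signed, not encrypted: anyone who sees the
    traffic can read it, which is why transport encryption matters."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    token = login(pinned_context(CA_FILE), "admin", "admin")
    print("token claims:", jwt_claims(token))
```

Pinning the self-signed certificate this way is the proper replacement for `-k`; note also that the 1024-bit RSA key generated in step 2 is below the 2048-bit minimum current clients and CAs expect, so regenerate it with a longer key for any deployment beyond this demo.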
Conclusion:
If you use DTLE to transfer data in your project, be sure to enable HTTPS access mode to protect your information.