Data Transfer | How to Enable HTTPS Access Mode for DTLE

Published by ActionTech Cloud Database on 2022-04-29

Author: Liu An

Member of the ActionTech testing team, mainly responsible for testing the DTLE open-source project; skilled in Python automated test development.

Source: original contribution

*Produced by the ActionTech open-source community. Original content may not be used without authorization; to reproduce it, contact the editor and credit the source.


How to Enable HTTPS Access Mode for DTLE

By default DTLE serves its API over HTTP, but while using DTLE you inevitably submit information such as database usernames, passwords, IP addresses and ports through that API. If a third party obtains this information, it is nothing short of a disaster for the database owner. DTLE therefore also provides an HTTPS access mode to protect this information.

Enabling DTLE's HTTPS access mode requires an SSL certificate. If the cluster you build must provide a trusted service to outside users, apply for one from a certificate authority. This article uses a self-generated SSL certificate to demonstrate how to configure DTLE so that HTTPS access mode takes effect.

1. Download and install DTLE

The version used here is dtle-ce-4.22.01.0. Note: do not start the DTLE service yet.

shell> curl -O "https://github.com/actiontech/dtle/releases/download/v4.22.01.0/dtle-ce-4.22.01.0.x86_64.rpm"
shell> rpm -ivh dtle-ce-4.22.01.0.x86_64.rpm --prefix=/opt/dtle

2. Generate the certificate file and private key file

# openssl must be installed
shell> yum install openssl -y

shell> cd /opt/dtle/etc/dtle/

# Generate the private key file
# (1024-bit RSA is kept here to match the output below; 2048 bits or more is the usual minimum outside a test box)
shell> openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
........++++++
e is 65537 (0x10001)

# Generate the certificate signing request; you can press Enter at every prompt without entering anything
shell> openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Xuhui
Organization Name (eg, company) [Default Company Ltd]:actiontech
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:dtle
Email Address []:852990221@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Generate the certificate file (self-signed with server.key, valid for 365 days)
shell> openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 365
Signature ok
subject=/C=CN/ST=Shanghai/L=Xuhui/O=actiontech/OU=qa/CN=dtle/emailAddress=852990221@qq.com
Getting Private key

shell> ls
consul.hcl  nomad.hcl  server.crt  server.csr  server.key

3. Edit nomad.hcl to configure the certificate file and private key file

shell> vi nomad.hcl
...
    cert_file_path = "/opt/dtle/etc/dtle/server.crt"
    key_file_path = "/opt/dtle/etc/dtle/server.key"
...

4. Start DTLE

shell> systemctl start dtle-consul dtle-nomad

5. Verify that HTTPS is enabled

# Access over HTTP
shell> curl -X POST "http://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
Client sent an HTTP request to an HTTPS server.

# Access over HTTPS; our certificate is not signed by a CA
shell> curl -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

# Access over HTTPS with -k, which skips verification of the server's SSL certificate
# (-k disables certificate checking entirely; acceptable for this local self-signed test, not for real clients)
shell> curl -s -k -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}" | jq
{
  "message": "ok",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjAzNjcsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.I1XDK7Ar1JLKLWlxWEHX0vCWG07dDqBHieCBmjEVz0E"
  }
}

shell> curl -s -k -X GET "https://127.0.0.1:8190/v2/nodes" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjA0MjYsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.PoPwOWQF09uaUf6vu0rTPQVpLfF59UIhq-lLBBVhTbc" | jq
{
  "nodes": [
    {
      "node_address": "127.0.0.1",
      "node_name": "nomad0",
      "node_id": "21bd1636-0beb-e4c6-34fd-d35be32414e9",
      "node_status": "ready",
      "node_status_description": "",
      "datacenter": "dc1",
      "nomad_version": "1.1.2",
      "dtle_version": "4.22.01.0-4.22.01.x-952bb3d",
      "leader": true,
      "member": true
    }
  ],
  "message": "ok"
}

6. Capture packets and inspect the transmitted information

  • Over HTTPS, the login information submitted to DTLE is encrypted:

  • Over HTTP, the login information submitted to DTLE is sent in plaintext:

Conclusion:

If you use DTLE to transfer data in a project, be sure to enable HTTPS access mode to protect your information.
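As an added example (not code from the post or the DTLE project), the Python client below replaces the `-k` calls in step 5 with verification pinned to the self-signed server.crt from step 2, and then decodes the token returned by /v2/loginWithoutVerifyCode to show that its payload is only base64url-encoded, which is exactly what the HTTP capture in step 6 exposes. The DTLE_URL and DTLE_CA_FILE constants and the function names are assumptions of this example; the endpoint, request fields and response shape are taken from the post.

```python
# Added example, not code from the post or the DTLE project. It does two things
# the curl session in step 5 leaves implicit: verify the self-signed server.crt
# instead of passing -k, and show what the returned token carries in the clear.
# DTLE_URL, DTLE_CA_FILE and the function names are this example's own; the
# endpoint, request body and response shape are the ones shown in the post.
import base64
import json
import ssl
import time
import urllib.request
from typing import Optional

DTLE_URL = "https://127.0.0.1:8190"             # address used in the post
DTLE_CA_FILE = "/opt/dtle/etc/dtle/server.crt"  # self-signed cert from step 2

def dtle_ssl_context(cafile: str = DTLE_CA_FILE) -> ssl.SSLContext:
    """Trust only server.crt (curl's --cacert); any other cert on the port fails.

    The step-2 certificate has no subjectAltName, and Python matches an IP host
    only against an IP SAN, so check_hostname is turned off and the pinned
    certificate does the work. Reissue it with a SAN of IP:127.0.0.1 to keep
    the hostname check enabled as well.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verify_mode CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    return ctx

def login(username: str, password: str, tenant: str = "platform",
          base_url: str = DTLE_URL, ctx: Optional[ssl.SSLContext] = None) -> str:
    """POST /v2/loginWithoutVerifyCode as in step 5 and return data.token."""
    body = json.dumps({"username": username, "password": password,
                       "tenant": tenant}).encode()
    req = urllib.request.Request(base_url + "/v2/loginWithoutVerifyCode",
                                 data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx or dtle_ssl_context()) as resp:
        return json.load(resp)["data"]["token"]

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without checking the signature. It is base64url, not
    encrypted: over plain HTTP (step 6) these fields are readable on the wire."""
    _header, payload, _signature = token.split(".")   # three base64url segments
    padded = payload + "=" * (-len(payload) % 4)      # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def seconds_until_expiry(token: str, now: Optional[float] = None) -> int:
    """Remaining lifetime of a DTLE token in seconds; negative once expired."""
    return int(jwt_claims(token)["exp"] - (time.time() if now is None else now))
```

Running jwt_claims on the token from the login response above yields the admin username, the platform tenant and the expiry timestamp, none of which the token itself hides.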
