
如何使用kong激活TLSv1.3?

如何解决如何使用kong激活TLSv1.3?

在我们公司,我们需要在kong上使用TLSv1.3。我们原先使用的是0.12.1版本的kong,它本身不支持TLSv1.3协议,因此我们升级到了0.14.1,看起来它是支持的。另外,如果我们设法使其正常运行,我们将继续升级到最新版本。

我们使用docker部署,并让它与konga一起运行。以下是我们完整的docker-compose.yml文件:

 version: "2.1"

services:

  ########
  # datebase used by kong
  ########
  kong-database-admon:
    container_name: kong-database-admon
    image: postgres:10.7
    restart: always
    ports:
      - "5432:5432"
    environment:
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
      POSTGRES_DB: kong
    volumes:
      - "kong-data:/var/lib/postgresql/data"
    healthcheck:
      test: ["CMD-SHELL","pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      admon-network:
        aliases:
          - kong-database

  ########
  # kong: datebase migration
  ########
  kong-migration-admon:
    #image: kong:1.4.0
    image: kong:0.14.1
    restart: on-failure
    container_name: kong-migration-admon
    depends_on:
      kong-database-admon:
        condition: service_healthy
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PORT: 5432
      KONG_PG_DATABASE: kong
      KONG_PG_PASSWORD: kong
      KONG_PG_USER: kong
    #command: sh -c "kong migrations bootstrap && kong migrations up && kong migrations finish"
    command: kong migrations up
    networks:
      admon-network:
        aliases:
          - kong-migration

  ########
  # kong: the api gateway
  ########        
  kong-admon:
    container_name: kong-admon
   # image: kong:1.4.0
    image: kong:0.14.1
   # restart: on-failure
    depends_on:
      kong-database-admon:
        condition: service_healthy
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PORT: 5432
      KONG_PG_PASSWORD: kong
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_LOG_LEVEL: debug                      
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: 0.0.0.0:8001,0.0.0.0:8444 http2 ssl
      KONG_PROXY_LISTEN: 0.0.0.0:8000,0.0.0.0:8443 http2 ssl
      KONG_SSL_PROTOCOLS: TLSv1.3
      KONG_SSL_CIPHER_SUITE : modern
      KONG_SSL_CIPHERS: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-poly1305:ECDHE-RSA-CHACHA20-poly1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    volumes:
      - "kong-data:/usr/local/kong"
      - ${HOME}/git/admon/deployment/Nginx/config/pfs-certificates:/usr/local/kong/ssl
      - ${HOME}/git/admon/deployment/Nginx/config/kong-configuration:/etc/kong
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
      - "8444:8444"
    healthcheck:
      test: ["CMD-SHELL","curl -I -s -L http://kong:8443 || exit 1"]
      interval: 5s
      retries: 10
    networks:
      admon-network:
        aliases:
          - kong

  ########
  # konga interface
  ########  
  konga-admon:
    container_name: konga-admon
    image: pantsel/konga:0.12.0
    restart: always
    depends_on:
      kong-admon:
        condition: service_healthy
    ports:
      - "1337:1337"
    environment:
      NODE_ENV: development
      DB_ADAPTER: postgres
      DB_HOST: kong-database
      DB_PORT: 5432
      DB_USER: kong
      DB_PASSWORD: kong
      DB_DATABASE: kong
      KONG_ADMIN_URL: 'http://kong:8444'
      NO_AUTH: 'false'
      KONGA_HOOK_TIMEOUT: 600000
    healthcheck:
      test: ["CMD-SHELL","curl -I -s -L http://localhost:1337 || exit 1"]
      interval: 10s
      retries: 10
    volumes:
      - "kong-data:/app/konga"
    networks:
      admon-network:
        aliases:
          - konga

volumes:
  kong-data:
    name: admon-kong-development

networks:
  admon-network:
    name: admon-network
    ipam:
      driver: default
      config:
      - subnet: 172.22.4.0/24
        gateway: 172.22.4.1

我们的kong.conf如下所示:

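# Kong node configuration (kong.conf). Any KONG_* environment variable set on
# the container takes precedence over the value written here.

ssl = on                         # Determines if Nginx should be listening for
                                 # HTTPS traffic on the `proxy_listen_ssl`
                                 # address.

ssl_protocols = TLSv1.3          # Only TLS 1.3 is offered; clients that cannot
                                 # negotiate it are refused at the handshake.
                                 # NOTE(review): this needs a Kong build linked
                                 # against an OpenSSL with TLS 1.3 support
                                 # (1.1.1 or later) and a Kong version that
                                 # accepts `ssl_protocols` as a property —
                                 # confirm both for the image in use.

ssl_cipher_suite = custom        # Defines the TLS ciphers served by Nginx.
                                 # Accepted values are `modern`, `intermediate`,
                                 # `old`, or `custom`. `ssl_ciphers` below is
                                 # only honoured when this resolves to `custom`
                                 # (after any environment override).
# Note: See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed
# descriptions of each cipher suite.

# Explicit TLS 1.2 suite list in server preference order. OpenSSL matches
# cipher names case-sensitively, so the ChaCha20 entries are spelled
# CHACHA20-POLY1305; a lowercase `poly1305` entry would not match and would be
# dropped without an error. With TLS 1.3 as the only protocol this list does
# not apply to negotiated connections (OpenSSL configures TLS 1.3 suites
# separately).
ssl_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt                      # If `ssl` is enabled, the absolute path to
                                 # the SSL certificate for the
                                 # `proxy_listen_ssl` address.

ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key                  # If `ssl` is enabled, the absolute path to
                                 # the SSL key for the `proxy_listen_ssl`
                                 # address.

http2 = on                       # Enables HTTP2 support for HTTPS traffic on
                                 # the `proxy_listen_ssl` address.

client_ssl = on                  # Determines if Nginx should send client-side
                                 # SSL certificates when proxying requests.
                                 # NOTE(review): the same certificate and key
                                 # serve as this node's server identity and as
                                 # its client identity towards upstreams.
                                 # Confirm the upstreams actually require a
                                 # client certificate; if not, leave this off.

client_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt              # If `client_ssl` is enabled, the absolute path
                                 # to the client SSL certificate for the
                                 # `proxy_ssl_certificate` directive. Note that
                                 # this value is statically defined on the node,
                                 # and currently cannot be configured on a
                                 # per-API basis.

client_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key          # If `client_ssl` is enabled, the absolute path
                                 # to the client SSL key for the
                                 # `proxy_ssl_certificate_key` address. Note
                                 # this value is statically defined on the node,
                                 # and currently cannot be configured on a
                                 # per-API basis.

admin_ssl = on                   # Determines if Nginx should be listening for
                                 # HTTPS traffic on the `admin_listen_ssl`
                                 # address. If disabled, Nginx will only bind
                                 # itself on `admin_listen`, and all SSL
                                 # settings will be ignored.
                                 # The Admin API has no authentication of its
                                 # own: TLS protects the transport, not access,
                                 # so reachability of the admin listeners must
                                 # be restricted at the network level.

admin_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt                # If `admin_ssl` is enabled, the absolute path
                                 # to the SSL certificate for the
                                 # `admin_listen_ssl` address.

admin_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key            # If `admin_ssl` is enabled, the absolute path
                                 # to the SSL key for the `admin_listen_ssl`
                                 # address.

admin_http2 = on                 # Enables HTTP2 support for HTTPS traffic on
                                 # the `admin_listen_ssl` address.


client_max_body_size = 0         # Defines the maximum request body size allowed
                                 # by requests proxied by Kong, specified in the
                                 # Content-Length request header. If a request
                                 # exceeds this limit, Kong will respond with a
                                 # 413 (Request Entity Too Large). Setting this
                                 # value to 0 disables checking the request body
                                 # size.
                                 # NOTE(review): 0 removes the cap entirely;
                                 # prefer an explicit bound unless unbounded
                                 # uploads are genuinely required.
# Note: See
# http://Nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# for further description of this parameter. Numeric values may be suffixed with
# 'k' or 'm' to denote limits in terms of kilobytes or megabytes.

client_body_buffer_size = 10m    # Defines the buffer size for reading the
                                 # request body. If the client request body is
                                 # larger than this value, it is buffered to
                                 # disk before being proxied.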

我们已经拥有SSL证书,但仍然无法使其正常工作。另外,我们用于测试TLS v1.3连接的命令如下:

# Forces a TLS 1.3-only handshake (--tlsv1.3 sets the minimum, --tls-max 1.3
# the maximum) against the proxy SSL listener on 8443 and prints the handshake
# with -v. A server that cannot negotiate TLS 1.3 fails here before any HTTP
# exchange. NOTE(review): the target is a bare IP while the configured
# certificate file is named as a wildcard certificate; unless that certificate
# carries this IP as a SAN, curl will also fail verification after a successful
# handshake — read the -v output to tell the two failures apart, or test
# against the hostname the certificate covers.
curl -I -v --tlsv1.3 --tls-max 1.3 https://192.168.70.20:8443/alpha/people

我们做错了什么?
