Golang gin 搭建https服务
我把证书放在了F:\test\目录下
package main
import (
	"log"

	"github.com/gin-gonic/gin"
	"github.com/unrolled/secure"
)
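// TlsHandler returns a gin middleware that redirects plain-HTTP requests to
// the HTTPS host configured in SSLHost. When the middleware writes a
// redirect (3xx), the handler chain is aborted so the route handler behind
// it does not also run for the redirected request.
func TlsHandler() gin.HandlerFunc {
	// Build the secure middleware once when the handler is installed; the
	// original constructed it inside the closure, i.e. on every request.
	secureMiddleware := secure.New(secure.Options{
		SSLRedirect: true,
		SSLHost:     "localhost:8081",
	})
	return func(c *gin.Context) {
		// Process writes the redirect itself and reports an error when the
		// request must not continue down the chain.
		if err := secureMiddleware.Process(c.Writer, c.Request); err != nil {
			c.Abort()
			return
		}
		// A redirect has already been written: stop here.
		if status := c.Writer.Status(); status > 300 && status < 399 {
			c.Abort()
			return
		}
		c.Next()
	}
}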
// Android serves GET /android with a fixed JSON document.
func Android(context *gin.Context) {
	payload := gin.H{"message": "data"}
	context.JSON(200, payload)
}
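// StartServer registers the routes and serves them over TLS on :8081 using
// the certificate and key stored under F:\test.
//
// RunTLS blocks for the lifetime of the listener and only returns on
// failure (unreadable certificate, port already bound, ...), so a returned
// error is fatal for the process.
func StartServer() {
	r := gin.Default()
	r.Use(TlsHandler())
	r.GET("/android", Android)
	// The original discarded RunTLS's error, so a bad certificate path made
	// the program exit silently with nothing to diagnose.
	if err := r.RunTLS(":8081", "F:\\test\\server.crt", "F:\\test\\server.key"); err != nil {
		log.Fatalf("serving TLS on :8081: %v", err)
	}
}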
// main starts the HTTPS server; StartServer blocks until the listener fails.
func main() {
StartServer()
}
启动服务器,浏览器中输入地址显示结果:
可见https服务搭建成功!!!!
客户端发起请求
package main
import (
"fmt"
"io/ioutil"
"net/http"
)
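// main fetches /android from the TLS server and prints the response body.
//
// The client uses the default transport, so the server certificate is
// verified against the system root store. A self-signed certificate is not
// trusted there, which is why Get fails in this first version.
func main() {
	// tonybai.com is the name the server certificate was issued for; it is
	// also mapped to the server in the hosts file.
	url := "https://tonybai.com:8081/android"
	client := &http.Client{}
	resp, err := client.Get(url)
	if err != nil {
		fmt.Println("Get error:", err)
		return
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	// The original assigned this error and never checked it, so a truncated
	// body was printed as if it were the full response.
	if err != nil {
		fmt.Println("ReadAll error:", err)
		return
	}
	// A non-200 body (error page, redirect page) would otherwise be
	// indistinguishable from the expected JSON.
	if resp.StatusCode != http.StatusOK {
		fmt.Println("unexpected status:", resp.Status)
	}
	fmt.Println(string(body))
}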
结果如下:
报错了?为什么浏览器可以?
其实这是因为客户端对服务器的证书进行了校验,也可以不进行校验。这里的不校验是指客户端不校验服务器返回的证书,是客户端行为,Python里面的verify=False也是同样的道理,浏览器应该也是跳过了校验。稍微更改一下代码,以跳过校验:
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
)
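// main fetches /android with certificate verification switched off.
//
// InsecureSkipVerify disables both chain validation and host-name checking,
// so the client accepts any certificate the peer presents. That makes the
// request succeed against the self-signed server certificate, but it also
// means the client cannot tell this server from anything else answering on
// the same address; it is a debugging aid for this walkthrough only, and
// the next listing shows the verifying alternative with a CA pool.
func main() {
	url := "https://tonybai.com:8081/android"
	//caCertPath := "F:\\test\\ca.crt"
	//
	//pool := x509.NewCertPool()
	//caCrt, err := ioutil.ReadFile(caCertPath)
	//if err != nil {
	// fmt.Println("ReadFile err:", err)
	// return
	//}
	//pool.AppendCertsFromPEM(caCrt)
	//
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			//RootCAs: pool,
			InsecureSkipVerify: true, // demo only: no chain or host-name verification
		},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get(url)
	if err != nil {
		fmt.Println("Get error:", err)
		return
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	// The original never checked this error; a truncated body was printed
	// as if it were the whole response.
	if err != nil {
		fmt.Println("ReadAll error:", err)
		return
	}
	if resp.StatusCode != http.StatusOK {
		fmt.Println("unexpected status:", resp.Status)
	}
	fmt.Println(string(body))
}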
添加 InsecureSkipVerify: true就是你想要的结果:
但是服务器会有一条错误日志:
能不能没有这一条日志呢?当然是可以的
校验server的证书
client端需要验证server端的数字证书,因此client端需要预先加载ca.crt,以用于服务端数字证书的校验,稍微做一点改动:
package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net/http"
)
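// main fetches /android while verifying the server certificate against the
// CA stored in F:\test\ca.crt instead of the system root store.
//
// Only RootCAs is overridden, so the default host-name check still applies:
// the certificate must be valid for tonybai.com, the host in the URL.
func main() {
	url := "https://tonybai.com:8081/android"
	caCertPath := "F:\\test\\ca.crt"
	pool := x509.NewCertPool()
	caCrt, err := ioutil.ReadFile(caCertPath)
	if err != nil {
		fmt.Println("ReadFile err:", err)
		return
	}
	// AppendCertsFromPEM reports false when no certificate was parsed. The
	// original ignored that, leaving an empty pool and a confusing
	// "unknown authority" failure at Get time instead of a clear message.
	if ok := pool.AppendCertsFromPEM(caCrt); !ok {
		fmt.Println("no certificates found in", caCertPath)
		return
	}
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs: pool,
		},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get(url)
	if err != nil {
		fmt.Println("Get error:", err)
		return
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	// The original never checked this error.
	if err != nil {
		fmt.Println("ReadAll error:", err)
		return
	}
	if resp.StatusCode != http.StatusOK {
		fmt.Println("unexpected status:", resp.Status)
	}
	fmt.Println(string(body))
}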
把ca证书添加进去,并请求:
这就是单向校验
Android端的单向校验:
to be continued…