背景
Eureka 服务通过公网访问时, 未加密的 HTTP 通信不安全
证书生成
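# Server key pair (private key + self-signed certificate) stored in server.p12.
keytool -genkeypair -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server.p12 -validity 3650
# Client key pair stored in client.p12.
keytool -genkeypair -alias client -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore client.p12 -validity 3650
# Export only the certificates. The .p12 files contain the private keys and must stay on their own side;
# only the .crt files are exchanged between the two sides.
keytool -export -alias server -file server.crt -keystore server.p12
keytool -export -alias client -file client.crt -keystore client.p12
# Import server.crt into client.p12 so the client trusts the server's certificate, and vice versa.
# The client.crt entry in server.p12 only takes effect if the server is configured to request client certificates.
keytool -import -alias server -file server.crt -keystore client.p12
keytool -import -alias client -file client.crt -keystore server.p12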
服务配置
// eureka server配置
server:
port: 8861
ssl:
enabled: true
key-store: classpath:server.p12
key-store-password: juzhenxing
key-store-type: PKCS12
key-alias: server
spring:
application:
name: eureka-server
eureka:
instance:
hostname: localhost
securePort: ${server.port}
securePortEnabled: true
nonSecurePortEnabled: false
homePageUrl: https://${eureka.instance.hostname}:${server.port}/
statusPageUrl: https://${eureka.instance.hostname}:${server.port}/
client:
register-with-eureka: false
fetch-registry: false
serviceUrl:
defaultZone: https://${eureka.instance.hostname}:${server.port}/eureka/
server:
waitTimeInMsWhenSyncEmpty: 0
enableSelfPreservation: false
// eureka client端配置
// 引入依赖
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.5</version>
</dependency>
// 配置文件
server:
port: 8081
spring:
application:
name: client1
eureka:
client:
securePortEnabled: true
ssl:
key-store: client.p12
key-store-password: client
serviceUrl:
defaultZone: https://localhost:8861/eureka/
// 在代码中指定 DiscoveryClient.DiscoveryClientOptionalArgs
import com.netflix.discovery.DiscoveryClient;
import com.netflix.discovery.shared.transport.jersey.EurekaJerseyClientImpl;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
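/**
 * Supplies the custom Jersey transport the Eureka client uses when the {@code https} profile
 * is active.
 *
 * <p>The {@link SSLContext} is built from the PKCS12 file named by
 * {@code eureka.client.ssl.key-store}, loaded from the classpath and used as <em>trust</em>
 * material only: the client verifies the Eureka server's certificate against the entries in
 * that file but does not present its own key pair. NOTE(review): the accompanying keytool
 * steps also trust client.crt on the server side, which only matters if the server requests
 * client certificates; if mutual TLS is intended, this builder would additionally need key
 * material and the server would need client authentication enabled — confirm which mode is
 * wanted.
 *
 * <p>The key-store password is injected from configuration as a plain {@link String}; keep it
 * out of version-controlled configuration files (e.g. an environment variable or another
 * externalized property source) and never log it.
 */
@Profile({"https"})
@Configuration
public class EurekaHttpsClientConfig {

  /** Classpath-relative name of the PKCS12 file holding the trusted certificates. */
  @Value("${eureka.client.ssl.key-store}")
  String keyStoreFileName;

  /** Password protecting that PKCS12 file. */
  @Value("${eureka.client.ssl.key-store-password}")
  String keyStorePassword;

  /**
   * Builds the {@link DiscoveryClient.DiscoveryClientOptionalArgs} carrying an HTTPS-capable
   * Jersey client.
   *
   * @return optional args whose Jersey client uses the custom {@link SSLContext}
   * @throws FileNotFoundException if {@code keyStoreFileName} is not found on the classpath;
   *     without this check the builder rejects the null URL with a generic message that does
   *     not name the missing file
   * @throws CertificateException if a certificate in the store cannot be loaded
   * @throws NoSuchAlgorithmException if the key-store or SSL algorithm is unavailable
   * @throws KeyStoreException if the key store cannot be initialised
   * @throws IOException if the store cannot be read
   * @throws KeyManagementException if the SSL context cannot be initialised
   */
  @Bean
  public DiscoveryClient.DiscoveryClientOptionalArgs discoveryClientOptionalArgs()
      throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException,
          KeyManagementException {
    URL trustStoreUrl = getClass().getClassLoader().getResource(keyStoreFileName);
    if (trustStoreUrl == null) {
      // Name the missing file so a misconfiguration is diagnosable; the password is
      // deliberately not part of the message.
      throw new FileNotFoundException(
          "Eureka client key store not found on classpath: " + keyStoreFileName);
    }

    // Trust material only — the client does not load its own key pair here (see class Javadoc).
    SSLContext sslContext =
        new SSLContextBuilder()
            .loadTrustMaterial(trustStoreUrl, keyStorePassword.toCharArray())
            .build();

    EurekaJerseyClientImpl.EurekaJerseyClientBuilder builder =
        new EurekaJerseyClientImpl.EurekaJerseyClientBuilder();
    builder.withClientName("eureka-https-client");
    // NOTE(review): no hostname verifier is set here, so the transport's default applies —
    // confirm it is not a permissive one.
    builder.withCustomSSL(sslContext);
    builder.withMaxTotalConnections(10);
    builder.withMaxConnectionsPerHost(10);

    DiscoveryClient.DiscoveryClientOptionalArgs args =
        new DiscoveryClient.DiscoveryClientOptionalArgs();
    args.setEurekaJerseyClient(builder.build());
    return args;
  }
}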