Rust and C: A Tale of Rust, TLS and Postgres in the Cloud

How to Connect Securely to Amazon RDS for PostgreSQL using Tokio and Rustls

Recently I ran into a curious problem while working on a piece of asynchronous database code for a micro-service written in Rust — it looked something like this:

This particular module used Tokio Postgres along with Deadpool Postgres — part of my favorite Rust stack — to interact with an AWS RDS for PostgreSQL database. Of course, everything worked great when I ran it against a Postgres instance deployed in my local Docker container — the Deadpool documentation contains easy-to-follow examples that can get you going in minutes.

I knew I’d have to support connecting to the database securely in order to deploy the code to production — the deployment policy requires (as it should!) that all connections to RDS instances use TLS. By default, the Tokio Postgres crate supports plain-text connections to help you get started, but luckily also outlines steps to enable TLS.

To be honest, I was a bit crestfallen when I didn’t see Rustls listed as one of the supported methods; only (effectively) OpenSSL. After all, there are many good reasons to use Rustls, in addition to the fact that it was already part of my stack (e.g., both Reqwest and Warp support it) and would allow me to crank out statically linked binaries more easily.

Never fear — the amazing Rust community has your back! A quick search through crates.io produced the tokio-postgres-rustls crate, which was exactly what I needed; after a small addition to my configuration and database connection pool setup, I was on my way:

Reality Bites

As luck would have it, after pointing my Postgres client configuration to the RDS instance, I was met with the unpleasant surprise I had mentioned earlier — BadCertificate error! Wha… wha… whad’ya MEAN??

I must admit — in all my excitement I only skimmed through tokio-postgres-rustls documentation, and didn’t even peek at rustls, since the basic configuration example happened to compile just fine (yikes!). After a stern mental self-admonishment I carefully scanned Rustls’s Getting Started example and sure enough, I discovered that I may have missed a step:

Of course! Rustls (probably) doesn’t come with any pre-configured root certificates! That would make sense — Rust libraries tend to defer use-case-specific decisions to the user — why include files/bytes that may not even be needed?

Take Two

Ok — new dependency included, Mozilla’s trusted root certificates added. That must have been the problem! Alas, the same error:

“This means war!”, I thought to myself. Rather, it meant that I had to read the documentation more carefully — a little bit of sleuthing revealed that AWS utilized their own/separate root certificates for their RDS instances. This, it turns out, is also helpfully indicated in the database instance details in RDS console — if you know what to look for!

[Screenshot: clipping of the Connectivity & security section of the RDS console, showing "Certificate authority: rds-ca-2019"]

Third Time’s a Charm

After downloading the requisite root certificate and adding it to my database pool’s TLS configuration:

Success!

Conclusion

There are many great libraries that help you build modern micro-services and native cloud applications in Rust. If you ever find yourself working with PostgreSQL, use Tokio Postgres with Deadpool to build responsive, scalable applications with Rust’s powerful asynchronous constructs.

To secure your client connection, use Rustls; however, make sure its trust store is configured with the root certificates that actually issued your server’s certificate: Mozilla’s trusted roots for publicly trusted CAs, or your service provider’s own root certificates (for RDS, the CA shown in the instance’s Connectivity & security details).

To try the approach outlined in this article, check out the demo project hosted on GitHub.

Translated from: https://medium.com/@pnehrer/a-curious-tale-of-rust-tls-and-postgres-in-the-cloud-969a4d2bea9