在我的公司,我们需要将 TLSv1.3 与 kong 一起使用,我们使用的是 kong 的 0.12.1 版本,它本身不支持 TLSv1.3 协议,所以我们更新到 0.14.1,看起来它支持它。此外,如果我们设法使其工作,我们将继续升级到最新版本。
我们使用 docker 使其也适用于 konga。这是我们完整的 docker-compose.yml 文件
version: "2.1"
services:
########
# datebase used by kong
########
kong-database-admon:
container_name: kong-database-admon
image: postgres:10.7
restart: always
ports:
- "5432:5432"
environment:
POSTGRES_USER: kong
POSTGRES_PASSWORD: kong
POSTGRES_DB: kong
volumes:
- "kong-data:/var/lib/postgresql/data"
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
networks:
admon-network:
aliases:
- kong-database
########
# kong: datebase migration
########
kong-migration-admon:
#image: kong:1.4.0
image: kong:0.14.1
restart: on-failure
container_name: kong-migration-admon
depends_on:
kong-database-admon:
condition: service_healthy
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-database
KONG_PG_PORT: 5432
KONG_PG_DATABASE: kong
KONG_PG_PASSWORD: kong
KONG_PG_USER: kong
#command: sh -c "kong migrations bootstrap && kong migrations up && kong migrations finish"
command: kong migrations up
networks:
admon-network:
aliases:
- kong-migration
########
# kong: the api gateway
########
kong-admon:
container_name: kong-admon
# image: kong:1.4.0
image: kong:0.14.1
# restart: on-failure
depends_on:
kong-database-admon:
condition: service_healthy
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-database
KONG_PG_PORT: 5432
KONG_PG_PASSWORD: kong
KONG_PG_DATABASE: kong
KONG_PG_USER: kong
KONG_LOG_LEVEL: debug
KONG_PROXY_ACCESS_LOG: /dev/stdout
KONG_ADMIN_ACCESS_LOG: /dev/stdout
KONG_PROXY_ERROR_LOG: /dev/stderr
KONG_ADMIN_ERROR_LOG: /dev/stderr
KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 http2 ssl
KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 http2 ssl
KONG_SSL_PROTOCOLS: TLSv1.3
KONG_SSL_CIPHER_SUITE : modern
KONG_SSL_CIPHERS: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
volumes:
- "kong-data:/usr/local/kong"
- ${HOME}/git/admon/deployment/nginx/config/pfs-certificates:/usr/local/kong/ssl
- ${HOME}/git/admon/deployment/nginx/config/kong-configuration:/etc/kong
ports:
- "8000:8000"
- "8443:8443"
- "8001:8001"
- "8444:8444"
healthcheck:
test: ["CMD-SHELL", "curl -I -s -L http://kong:8443 || exit 1"]
interval: 5s
retries: 10
networks:
admon-network:
aliases:
- kong
########
# konga interface
########
konga-admon:
container_name: konga-admon
image: pantsel/konga:0.12.0
restart: always
depends_on:
kong-admon:
condition: service_healthy
ports:
- "1337:1337"
environment:
NODE_ENV: development
DB_ADAPTER: postgres
DB_HOST: kong-database
DB_PORT: 5432
DB_USER: kong
DB_PASSWORD: kong
DB_DATABASE: kong
KONG_ADMIN_URL: 'http://kong:8444'
NO_AUTH: 'false'
KONGA_HOOK_TIMEOUT: 600000
healthcheck:
test: ["CMD-SHELL", "curl -I -s -L http://localhost:1337 || exit 1"]
interval: 10s
retries: 10
volumes:
- "kong-data:/app/konga"
networks:
admon-network:
aliases:
- konga
volumes:
kong-data:
name: admon-kong-development
networks:
admon-network:
name: admon-network
ipam:
driver: default
config:
- subnet: 172.22.4.0/24
gateway: 172.22.4.1
而我们的 kong.conf 如下:
ssl = on # Determines if Nginx should be listening for
# HTTPS traffic on the `proxy_listen_ssl`
ssl_protocols = TLSv1.3
ssl_cipher_suite = custom # Defines the TLS ciphers served by Nginx.
# Accepted values are `modern`, `intermediate`,
# `old`, or `custom`.
# Note: See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed
# descriptions of each cipher suite.
ssl_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt # If `ssl` is enabled, the absolute path to
# the SSL certificate for the
# `proxy_listen_ssl` address.
ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key # If `ssl` is enabled, the absolute path to
# the SSL key for the `proxy_listen_ssl`
# address.
http2 = on # Enables HTTP2 support for HTTPS traffic on
# the `proxy_listen_ssl` address.
client_ssl = on # Determines if Nginx should send client-side
# SSL certificates when proxying requests.
client_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt # If `client_ssl` is enabled, the absolute path
# to the client SSL certificate for the
# `proxy_ssl_certificate` directive. Note that
# this value is statically defined on the node,
# and currently cannot be configured on a
# per-API basis.
client_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key # If `client_ssl` is enabled, the absolute path
# to the client SSL key for the
# `proxy_ssl_certificate_key` address. Note
# this value is statically defined on the node,
# and currently cannot be configured on a
# per-API basis.
admin_ssl = on # Determines if Nginx should be listening for
# HTTPS traffic on the `admin_listen_ssl`
# address. If disabled, Nginx will only bind
# itself on `admin_listen`, and all SSL
# settings will be ignored.
admin_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt # If `admin_ssl` is enabled, the absolute path
# to the SSL certificate for the
# `admin_listen_ssl` address.
admin_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key # If `admin_ssl` is enabled, the absolute path
# to the SSL key for the `admin_listen_ssl`
# address.
admin_http2 = on # Enables HTTP2 support for HTTPS traffic on
# the `admin_listen_ssl` address.
client_max_body_size = 0 # Defines the maximum request body size allowed
# by requests proxied by Kong, specified in the
# Content-Length request header. If a request
# exceeds this limit, Kong will respond with a
# 413 (Request Entity Too Large). Setting this
# value to 0 disables checking the request body
# size.
# Note: See
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# for further description of this parameter. Numeric values may be suffixed with
# 'k' or 'm' to denote limits in terms of kilobytes or megabytes.
client_body_buffer_size = 10m # Defines the buffer size for reading the
# request body. If the client request body is
我们有 SSL 证书,但我们无法使其工作。此外,我们用来测试 TLS v1.3 连接的命令如下:
curl -I -v --tlsv1.3 --tls-max 1.3 https://192.168.70.20:8443/alpha/people
我们做错了什么?