apache / servicecomb-service-center

A standalone service center to allow services to register their instance information and to discover providers of a given service
Apache License 2.0

service center frontend how to support https? #283

Open jjtyro opened 6 years ago

jjtyro commented 6 years ago

After the service center has been configured for HTTPS access with certificates, how do I configure the frontend to use HTTPS certificate mode?

jjtyro commented 6 years ago

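I may not have been clear: the question is how to let the frontend access a service center running in HTTPS mode, where the service center is also set to authenticate clients. Thanks!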

asifdxtreme commented 6 years ago

Hello @jjtyro, currently the Service-Center Frontend was developed for ease of access to the service-center APIs, which was purely meant for developer env. In future we do have plans to make the frontend production ready, and supporting https is one part of that; we will be adding this support in the 1.0.00-m2 release. Feel free to contribute to this feature.

jjtyro commented 6 years ago

Service Center's API server uses the same flag 'ssl_verify_client' as the client of the etcd backend. Because my etcd cluster uses TLS authentication, I configure ssl_verify_client = 1, but this also makes the API server open https and then ..... Can this flag be divided into two, one for the API server and one for the etcd client?

asifdxtreme commented 6 years ago

@jjtyro Currently we think that keeping separate TLS configs for SC and etcd will not be safe enough, so as per the suggestion by @little-cui we can make the frontend client use go-server to proxy all requests with TLS to the SC backend. We have created a JIRA for this in Apache, SCB-348; you can track the progress here. Thanks for bringing up this topic; this helps us a lot to make our products user friendly and helps us understand the use cases of different users.

jjtyro commented 6 years ago

Thanks for your answer!

jjtyro commented 6 years ago

Temporarily using Nginx as a proxy; it works except for the microservice schema testing. Nginx's config is:

```nginx
events {
    worker_connections 10;
}

http {
    upstream center {
        server 10.210.33.53:30100;
        server 10.210.33.54:30100;
        server 10.210.33.55:30100;
    }

    server {
        listen       30103;
        server_name  10.210.33.53;
        root   /usr/share/nginx/html;
        index  index.html index.htm;

        #charset utf-8;

        # Serve the frontend's static files; fall back to index.html.
        location / {
            try_files $uri $uri/ /index.html;
        }

        # Forward registry/govern API calls to Service Center over HTTPS,
        # presenting a client certificate.
        location ~ /v[0-9][.0-9]*/.*/(registry|govern) {
            proxy_pass https://center;
            proxy_ssl_certificate         /etc/ssl/front/server.cer;
            proxy_ssl_certificate_key     /etc/ssl/front/server_key.pem;
            # Only consulted when proxy_ssl_verify is on (it is off by default).
            proxy_ssl_trusted_certificate /etc/ssl/front/trust.cer;
        }
    }
}
```

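Run nginx using docker, with a command line like this:

```bash
# -d (detach) must come before the image name; anything after the image
# is passed to the container as its command.
docker run --rm -d --name center-front \
  -v /home/svccomb/center-front/conf/nginx.conf:/etc/nginx/nginx.conf \
  -v /home/svccomb/center-front/app:/usr/share/nginx/html \
  -v /home/svccomb/center/etc/ssl:/etc/ssl/front \
  -p 30103:30103 \
  nginx:1.13
```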
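
The same proxy arrangement in Go, as an added example that is not part of the thread or the project's code: it serves the static frontend and forwards registry/govern calls to Service Center over TLS with a client certificate. Unlike the nginx configuration above, Go's TLS client verifies the upstream certificate against the CA file, so that certificate must be valid for the address used. Assumptions: a single upstream instead of three, no `index.html` fallback, and the function names `newSCProxy` and `route` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"regexp"
)

// apiPath is the same pattern as the nginx location block in the thread.
var apiPath = regexp.MustCompile(`/v[0-9][.0-9]*/.*/(registry|govern)`)

// newSCProxy proxies to https://host with a client cert and verifies the server against caFile.
func newSCProxy(host, certFile, keyFile, caFile string) (*httputil.ReverseProxy, error) {
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	caPEM, err := os.ReadFile(caFile)
	roots := x509.NewCertPool()
	if err != nil || !roots.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no usable CA certificate in %s (read error: %v)", caFile, err)
	}
	p := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "https", Host: host})
	p.Transport = &http.Transport{TLSClientConfig: &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}}
	return p, nil
}

// route sends registry/govern API calls to api and everything else to static.
func route(api, static http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := static
		if apiPath.MatchString(r.URL.Path) {
			h = api
		}
		h.ServeHTTP(w, r)
	})
}

func main() { // addresses and paths below are the ones from the nginx setup
	proxy, err := newSCProxy("10.210.33.53:30100", "/etc/ssl/front/server.cer", "/etc/ssl/front/server_key.pem", "/etc/ssl/front/trust.cer")
	if err != nil {
		panic(err)
	}
	panic(http.ListenAndServe(":30103", route(proxy, http.FileServer(http.Dir("/usr/share/nginx/html")))))
}
```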