go语言发布TLS无认证,单向认证,双向认证的REST Service
- 无认证
也就是发布的REST Service是HTTP的。
package main
import (
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"net/http"
	"time"

	"github.com/gorilla/mux"
)
// Listen address components; init binds them to the -hostname and -port
// flags and main formats them into "host:port".
var (
	hostname string // interface to bind, e.g. 0.0.0.0
	port     int    // TCP port to bind
)
// Defaults for the listen-address flags.
const (
	defaultPort     = 8080
	defaultHostname = "0.0.0.0"
)

// init registers the -port and -hostname flags on the default FlagSet;
// they are only parsed when main calls flag.Parse.
func init() {
	flag.IntVar(&port, "port", defaultPort, "The host port on which the REST server will listen")
	flag.StringVar(&hostname, "hostname", defaultHostname, "The host name on which the REST server will listen")
}
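// startServer serves router over plain HTTP on address and blocks until the
// listener fails; a ListenAndServe error is fatal.
//
// The timeouts bound how long one connection may occupy a goroutine while
// sending request headers, reading a body, or sitting idle, so a slow or
// stalled client cannot hold server resources indefinitely.
func startServer(address string, router *mux.Router) {
	s := &http.Server{
		Addr:              address,
		Handler:           router,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       120 * time.Second,
	}
	// This listing is the plain-HTTP variant, so the log message names
	// ListenAndServe rather than ListenAndServeTLS.
	if err := s.ListenAndServe(); err != nil {
		log.Fatalln("ListenAndServe err:", err)
	}
}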
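// SayHello handles GET /service/hello and responds with {"hello":"world"}
// as application/json.
//
// Content-Type is set before WriteHeader: net/http sends the header map as
// it stands at WriteHeader time, so a header set afterwards is dropped and
// the client would receive the body without a Content-Type. A marshal
// failure answers 500 instead of an implicit, empty 200.
func SayHello(w http.ResponseWriter, r *http.Request) {
	log.Println("Entry SayHello")
	defer log.Println("Exit SayHello")

	res := map[string]string{"hello": "world"}
	b, err := json.Marshal(res)
	if err != nil {
		// Log the detail server-side; the client gets a generic message.
		log.Println("SayHello marshal err:", err)
		http.Error(w, "internal server error", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	if _, err := w.Write(b); err != nil {
		// The status line is already committed; only the log can record this.
		log.Println("SayHello write err:", err)
	}
}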
// main parses the command-line flags, builds the router and hands it to
// startServer, which blocks for the lifetime of the listener.
func main() {
	flag.Parse()

	address := fmt.Sprintf("%s:%d", hostname, port)
	router := newRouter()

	fmt.Println("Server listen on", address)
	startServer(address, router)
	// Only reached if startServer returns, i.e. ListenAndServe came back
	// without an error.
	fmt.Println("Exit main")
}

// newRouter builds the gorilla/mux router with the single
// GET /service/hello route, using strict-slash matching.
func newRouter() *mux.Router {
	r := mux.NewRouter()
	r.StrictSlash(true)
	r.HandleFunc("/service/hello", SayHello).Methods("GET")
	return r
}
编译运行:
$ go build server.go
$ ./serverhttp
Server listen on 0.0.0.0:8080
客户端访问:
$ curl http://localhost:8080/service/hello
{"hello":"world"}
- 单向认证
即客户端验证服务端的证书。
package main
import (
	"crypto/tls"
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"net/http"
	"time"

	"github.com/gorilla/mux"
)
// Command-line configuration; init binds each field to a flag and main
// reads them after flag.Parse.
var (
	hostname string // interface to bind, e.g. 0.0.0.0
	port     int    // TCP port to bind
	signcert string // path to the PEM-encoded server certificate
	keyfile  string // path to the PEM-encoded server private key
)
// Defaults for the listen-address flags; the key and certificate paths
// default to empty and must be supplied on the command line.
const (
	defaultPort     = 8080
	defaultHostname = "0.0.0.0"
)

// init registers the -port, -hostname, -key and -signcert flags on the
// default FlagSet; they are parsed when main calls flag.Parse.
func init() {
	flag.IntVar(&port, "port", defaultPort, "The host port on which the REST server will listen")
	flag.StringVar(&hostname, "hostname", defaultHostname, "The host name on which the REST server will listen")
	flag.StringVar(&keyfile, "key", "", "Path to file containing PEM-encoded key file for service")
	flag.StringVar(&signcert, "signcert", "", "Path to file containing PEM-encoded sign certificate for service")
}
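// startServer serves router over TLS on address using the certificate in
// signcert and the private key in keyfile, and blocks until the listener
// fails; a ListenAndServeTLS error is fatal.
//
// TLSConfig pins the minimum protocol version to TLS 1.2 so the accepted
// versions do not depend on the Go release's default. The timeouts bound how
// long one connection may occupy a goroutine while sending request headers,
// reading a body, or sitting idle, so a slow or stalled client cannot hold
// server resources indefinitely.
func startServer(address string, keyfile string, signcert string, router *mux.Router) {
	s := &http.Server{
		Addr:    address,
		Handler: router,
		TLSConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
		},
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       120 * time.Second,
	}
	// ListenAndServeTLS takes the certificate path first, then the key path.
	if err := s.ListenAndServeTLS(signcert, keyfile); err != nil {
		log.Fatalln("ListenAndServeTLS err:", err)
	}
}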
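// SayHello handles GET /service/hello and responds with {"hello":"world"}
// as application/json.
//
// Content-Type is set before WriteHeader: net/http sends the header map as
// it stands at WriteHeader time, so a header set afterwards is dropped and
// the client would receive the body without a Content-Type. A marshal
// failure answers 500 instead of an implicit, empty 200.
func SayHello(w http.ResponseWriter, r *http.Request) {
	log.Println("Entry SayHello")
	defer log.Println("Exit SayHello")

	res := map[string]string{"hello": "world"}
	b, err := json.Marshal(res)
	if err != nil {
		// Log the detail server-side; the client gets a generic message.
		log.Println("SayHello marshal err:", err)
		http.Error(w, "internal server error", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	if _, err := w.Write(b); err != nil {
		// The status line is already committed; only the log can record this.
		log.Println("SayHello write err:", err)
	}
}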
// main parses the command-line flags, builds the router and hands it with
// the key and certificate paths to startServer, which blocks for the
// lifetime of the listener.
func main() {
	flag.Parse()

	address := fmt.Sprintf("%s:%d", hostname, port)
	router := newRouter()

	fmt.Println("Server listen on", address)
	startServer(address, keyfile, signcert, router)
	// Only reached if startServer returns, i.e. ListenAndServeTLS came back
	// without an error.
	fmt.Println("Exit main")
}

// newRouter builds the gorilla/mux router with the single
// GET /service/hello route, using strict-slash matching.
func newRouter() *mux.Router {
	r := mux.NewRouter()
	r.StrictSlash(true)
	r.HandleFunc("/service/hello", SayHello).Methods("GET")
	return r
}
编译运行:
$ go build server.go
$ ./serverhttps -signcert tlsserver.pem -key tlsserver.key.pem
Server listen on 0.0.0.0:8080
客户端访问:
$ curl https://localhost:8080/service/hello
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
$
$
$
$ curl --cacert ./tlsca.pem https://localhost:8080/service/hello
{"hello":"world"}
- 双向认证
客户端验证服务端证书,服务端也验证客户端证书。
请参阅单独的一篇:go语言实现双向TLS认证的REST Service