Как активировать TLSv1.3 с помощью kong?

#javascript #docker #ssl #kong #tls1.3


Вопрос:

В моей компании нам нужно использовать TLSv1.3 с kong, мы использовали версию kong 0.12.1, которая не поддерживает сам протокол TLSv1.3, поэтому мы обновили до 0.14.1, который, похоже, поддерживает его. Кроме того, если нам удастся заставить его работать, мы будем стремиться продолжать обновление до последних версий.

Мы используем docker, чтобы заставить его работать и с konga. Это наш полный файл docker-compose.yml

  version: "2.1"

services:

  ########
  # datebase used by kong
  ########
  kong-database-admon:
    container_name: kong-database-admon
    image: postgres:10.7
    restart: always
    ports:
      - "5432:5432"
    environment:
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
      POSTGRES_DB: kong
    volumes:
      - "kong-data:/var/lib/postgresql/data"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      admon-network:
        aliases:
          - kong-database

  ########
  # kong: datebase migration
  ########
  kong-migration-admon:
    #image: kong:1.4.0
    image: kong:0.14.1
    restart: on-failure
    container_name: kong-migration-admon
    depends_on:
      kong-database-admon:
        condition: service_healthy
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PORT: 5432
      KONG_PG_DATABASE: kong
      KONG_PG_PASSWORD: kong
      KONG_PG_USER: kong
    #command: sh -c "kong migrations bootstrap amp;amp; kong migrations up amp;amp; kong migrations finish"
    command: kong migrations up
    networks:
      admon-network:
        aliases:
          - kong-migration

  ########
  # kong: the api gateway
  ########        
  kong-admon:
    container_name: kong-admon
   # image: kong:1.4.0
    image: kong:0.14.1
   # restart: on-failure
    depends_on:
      kong-database-admon:
        condition: service_healthy
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PORT: 5432
      KONG_PG_PASSWORD: kong
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_LOG_LEVEL: debug                      
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 http2 ssl
      KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 http2 ssl
      KONG_SSL_PROTOCOLS: TLSv1.3
      KONG_SSL_CIPHER_SUITE : modern
      KONG_SSL_CIPHERS: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    volumes:
      - "kong-data:/usr/local/kong"
      - ${HOME}/git/admon/deployment/nginx/config/pfs-certificates:/usr/local/kong/ssl
      - ${HOME}/git/admon/deployment/nginx/config/kong-configuration:/etc/kong
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
      - "8444:8444"
    healthcheck:
      test: ["CMD-SHELL", "curl -I -s -L http://kong:8443 || exit 1"]
      interval: 5s
      retries: 10
    networks:
      admon-network:
        aliases:
          - kong

  ########
  # konga interface
  ########  
  konga-admon:
    container_name: konga-admon
    image: pantsel/konga:0.12.0
    restart: always
    depends_on:
      kong-admon:
        condition: service_healthy
    ports:
      - "1337:1337"
    environment:
      NODE_ENV: development
      DB_ADAPTER: postgres
      DB_HOST: kong-database
      DB_PORT: 5432
      DB_USER: kong
      DB_PASSWORD: kong
      DB_DATABASE: kong
      KONG_ADMIN_URL: 'http://kong:8444'
      NO_AUTH: 'false'
      KONGA_HOOK_TIMEOUT: 600000
    healthcheck:
      test: ["CMD-SHELL", "curl -I -s -L http://localhost:1337 || exit 1"]
      interval: 10s
      retries: 10
    volumes:
      - "kong-data:/app/konga"
    networks:
      admon-network:
        aliases:
          - konga

volumes:
  kong-data:
    name: admon-kong-development

networks:
  admon-network:
    name: admon-network
    ipam:
      driver: default
      config:
      - subnet: 172.22.4.0/24
        gateway: 172.22.4.1
  

И наш kong.conf выглядит следующим образом:

 ssl = on                        # Determines if Nginx should be listening for
                                 # HTTPS traffic on the `proxy_listen_ssl`
ssl_protocols = TLSv1.3

ssl_cipher_suite = custom       # Defines the TLS ciphers served by Nginx.
                                 # Accepted values are `modern`, `intermediate`,
                                 # `old`, or `custom`.
# Note: See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed
# descriptions of each cipher suite.

ssl_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt                      # If `ssl` is enabled, the absolute path to
                                 # the SSL certificate for the
                                 # `proxy_listen_ssl` address.

ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key                  # If `ssl` is enabled, the absolute path to
                                 # the SSL key for the `proxy_listen_ssl`
                                 # address.

http2 = on                     # Enables HTTP2 support for HTTPS traffic on
                                 # the `proxy_listen_ssl` address.

client_ssl = on                # Determines if Nginx should send client-side
                                 # SSL certificates when proxying requests.

client_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt              # If `client_ssl` is enabled, the absolute path
                                 # to the client SSL certificate for the
                                 # `proxy_ssl_certificate` directive. Note that
                                 # this value is statically defined on the node,
                                 # and currently cannot be configured on a
                                 # per-API basis.

client_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key          # If `client_ssl` is enabled, the absolute path
                                 # to the client SSL key for the
                                 # `proxy_ssl_certificate_key` address. Note
                                 # this value is statically defined on the node,
                                 # and currently cannot be configured on a
                                 # per-API basis.

admin_ssl = on                  # Determines if Nginx should be listening for
                                 # HTTPS traffic on the `admin_listen_ssl`
                                 # address. If disabled, Nginx will only bind
                                 # itself on `admin_listen`, and all SSL
                                 # settings will be ignored.

admin_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt                # If `admin_ssl` is enabled, the absolute path
                                 # to the SSL certificate for the
                                 # `admin_listen_ssl` address.

admin_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key            # If `admin_ssl` is enabled, the absolute path
                                 # to the SSL key for the `admin_listen_ssl`
                                 # address.

admin_http2 = on               # Enables HTTP2 support for HTTPS traffic on
                                 # the `admin_listen_ssl` address.


client_max_body_size = 0         # Defines the maximum request body size allowed
                                 # by requests proxied by Kong, specified in the
                                 # Content-Length request header. If a request
                                 # exceeds this limit, Kong will respond with a
                                 # 413 (Request Entity Too Large). Setting this
                                 # value to 0 disables checking the request body
                                 # size.
# Note: See
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# for further description of this parameter. Numeric values may be suffixed with
# 'k' or 'm' to denote limits in terms of kilobytes or megabytes.

client_body_buffer_size = 10m    # Defines the buffer size for reading the
                                 # request body. If the client request body is
  

У нас есть SSL-сертификаты, и мы не можем заставить его работать. Также команда, которую мы используем для проверки соединения TLS версии v1.3, выглядит следующим образом:

# --tlsv1.3 with --tls-max 1.3 forces a TLS 1.3-only handshake (both options need
# curl 7.54 or newer, linked against a TLS library with TLS 1.3 support); the -v
# output shows the negotiated version ("SSL connection using TLSv1.3 / ...") or
# the exact point at which the handshake failed
curl -I -v --tlsv1.3 --tls-max 1.3 https://192.168.70.20:8443/alpha/people

Что мы делаем не так?