Azure RESTAPI上的HTTPS

时间:2017-05-15 15:52:02

标签: rest api azure ssl certificate

我正在Azure上部署一个docker镜像,它正在发布一些可用于在数据库中存储一些信息的REST API。
问题是:是否可以强制使用HTTPS而不是HTTP并使用自签名证书?

所以,如果我的休息api是这样的:

curl -i -H "Content-type: application/json" http://AZURE_IP_ADDRESS:5100/module/api/v1.0/person -X POST -d '{ "name" : "test", "surname": "test_surname" }'

我希望只有证书机器才能执行上一个命令。

据我所知,Azure使用Truster CA的证书注册,但我想在做任何事情之前做一些测试。

简而言之,我只想在我正在进行HTTPS请求的机器是" Admitted"执行请求。
我有点困惑。我的意思是,我想知道如何保护我在Azure上运行的docker提供的REST API ..但我想更通用..就不使用Azure功能而言,当我使用其他东西时,请准备好天青。

按照以下步骤操作:

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# We're self signing our own server cert here.  This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert.  Unlike signing our own server cert, this is what we want to do.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt



openssl rsa -in server.key -out server_without_key.key

并按如下方式配置nginx.conf:

server {
        listen 443 ssl;


        ssl_certificate        /etc/nginx/certs/server.crt;
        ssl_certificate_key    /etc/nginx/certs/server_without_key.key;
        ssl_client_certificate /etc/nginx/certs/ca.crt; # the cert used to sign the client certificates
        ssl_verify_client      on; # force SSL verification (can also be set to 'optional')


        ssl     on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout   70;

    }

一旦我卷曲:

curl -v -s -k --key client.key --cert client.crt https://172.18.0.9

(在存储client.key和* crt的目录中)我有以下输出

* Rebuilt URL to: https://172.18.0.9/
*   Trying 172.18.0.9...
* Connected to 172.18.0.9 (172.18.0.9) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 698 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 key or certificate file: Error while reading file.
* Closing connection 0

有什么建议吗?可能吗?

由于

1 个答案:

答案 0 :(得分:2)

根据您使用的Web服务器,您的确切配置详细信息会有所不同,但简而言之,您要做的是将所有http请求重定向到https。请参阅下面的链接。

在客户端,要使其工作,您需要遵循重定向。通常,浏览器配置为自动执行此操作。使用curl,这是通过-L标志完成的。

curl -L -i -H "Content-type: application/json" http://AZURE_IP_ADDRESS:5100/module/api/v1.0/person -X POST -d '{ "name" : "test", "surname": "test_surname" }'

在服务器端,这些是可能有用的说明。

<强> NGINX https://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom

<强>的Apache https://wiki.apache.org/httpd/RedirectSSL

<强> IIS https://www.iis.net/configreference/system.webserver/httpredirect

相关问题
最新问题