英文:
Is it possible to host multiple domain TLS in golang with net/http?
问题
我有多个域名(比如abc.com和xyz.org),每个域名都有不同的证书。是否可以在不深入底层和使用net.Listen等的情况下,根据主机名使用密钥和证书?只是使用简单的http.ListenAndServeTLS(...)或类似的方法?基本上就像nginx所做的那样。
英文:
I have multiple domain (let's say abc.com and xyz.org) with diffrent certificate. Is it possible to use key and certificate based on hostname without going deep low level and net.Listen, etc. Just using simple http.ListenAndServeTLS(...) or similar ?
Basically like what nginx does.
答案1
得分: 23
BuildNameToCertificate()函数将从证书中提取主机名。如果没有匹配的SNI信息,它将返回[0]。
更新至Go 1.14 - 请参阅https://github.com/golang/go/commit/eb93c684d40de4924fc0664d7d9e98a84d5a100b
package main
import (
"crypto/tls"
"net/http"
"time"
"log"
)
func myHandler(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("tls"))
}
func main() {
t := log.Logger{}
var err error
tlsConfig := &tls.Config{}
tlsConfig.Certificates = make([]tls.Certificate, 3)
// go http server treats the 0'th key as a default fallback key
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair("test0.pem", "key.pem")
if err != nil {
t.Fatal(err)
}
tlsConfig.Certificates[1], err = tls.LoadX509KeyPair("test1.pem", "key.pem")
if err != nil {
t.Fatal(err)
}
tlsConfig.Certificates[2], err = tls.LoadX509KeyPair("test2.pem", "key.pem")
if err != nil {
t.Fatal(err)
}
// as of go 1.14 this line is no longer needed
// load the certs as above and skip BuildNameToCertificate()
tlsConfig.BuildNameToCertificate()
http.HandleFunc("/", myHandler)
server := &http.Server{
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
TLSConfig: tlsConfig,
}
listener, err := tls.Listen("tcp", ":8443", tlsConfig)
if err != nil {
t.Fatal(err)
}
log.Fatal(server.Serve(listener))
}
以上是要翻译的内容。
英文:
BuildNameToCertificate() will sniff the hostname from the cert. If none match the SNI info it serves the [0].
https://golang.org/src/crypto/tls/common.go?s=18204:18245#L947
Update for Go 1.14 - see https://github.com/golang/go/commit/eb93c684d40de4924fc0664d7d9e98a84d5a100b
package main
import (
"crypto/tls"
"net/http"
"time"
"log"
)
func myHandler(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("tls"))
}
func main() {
t := log.Logger{}
var err error
tlsConfig := &tls.Config{}
tlsConfig.Certificates = make([]tls.Certificate, 3)
// go http server treats the 0'th key as a default fallback key
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair("test0.pem", "key.pem")
if err != nil {
t.Fatal(err)
}
tlsConfig.Certificates[1], err = tls.LoadX509KeyPair("test1.pem", "key.pem")
if err != nil {
t.Fatal(err)
}
tlsConfig.Certificates[2], err = tls.LoadX509KeyPair("test2.pem", "key.pem")
if err != nil {
t.Fatal(err)
}
// as of go 1.14 this line is no longer needed
// load the certs as above and skip BuildNameToCertificate()
tlsConfig.BuildNameToCertificate()
http.HandleFunc("/", myHandler)
server := &http.Server{
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
TLSConfig: tlsConfig,
}
listener, err := tls.Listen("tcp", ":8443", tlsConfig)
if err != nil {
t.Fatal(err)
}
log.Fatal(server.Serve(listener))
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论