英文:
Performing mTLS for a Go HTTP API running in AWS Lambda
问题
目前我有一个使用github.com/gin-gonic/gin
库设置的Go HTTP API,用于执行mTLS,如下所示:
router := gin.New()
router.GET("/ping", handlers.GinHandler{GC: globalConf, H: handler.Ping}.Handle())
// 我正在检查错误,但为了简单起见,省略了错误检查
caCert, _ := ioutil.ReadFile("ca.crt")
caCertPool, _ := x509.SystemCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
server := &http.Server{
Addr: ":" + "8443",
TLSConfig: tlsConfig,
Handler: router,
}
server.ListenAndServeTLS("ssl.crt", "ssl.key")
看起来我需要使用类似github.com/apex/gateway
的东西与AWS Lambda兼容,但是它只有一个ListenAndServe
函数,而不是像net/http
包那样有一个ListenAndServeTLS
。
在AWS Lambda函数内部是否可以执行这样的mTLS?
还是需要重写以在API Gateway内执行mTLS?如果是这样,是否可以将证书转发给Go应用程序/Lambda函数以检查CN?
英文:
Currently have a Go HTTP API using the github.com/gin-gonic/gin
library set up to perform mTLS, like so:
router := gin.New()
router.GET("/ping", handlers.GinHandler{GC: globalConf, H: handler.Ping}.Handle())
// I'm checking errors but just for simplicity it's ommitted
caCert, _ := ioutil.ReadFile("ca.crt")
caCertPool, _ := x509.SystemCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
server := &http.Server{
Addr: ":" + "8443",
TLSConfig: tlsConfig,
Handler: router,
}
server.ListenAndServeTLS("ssl.crt", "ssl.key")
It seems I need to use something like github.com/apex/gateway
for compatibility with AWS Lambda, but there's only a ListenAndServe
function, rather than a ListenAndServeTLS
like with the net/http
package.
Is it possible to perform mTLS like this, inside an AWS Lambda function?
Or does this need to be rewritten to perform the mTLS inside an API Gateway instead? If so, is it possible to forward the certificate to the Go app/Lambda function for checking the CN?
答案1
得分: 1
不,这是不可能的。TLS连接由API网关终止,然后通过AWS API调用您的Lambda函数。Lambda函数从传入请求中没有网络连接,因此无法在Lambda函数内部执行mTLS。
是的,mTLS功能必须在API网关上实现。我建议按照官方指南进行操作。
英文:
> Is it possible to perform mTLS like this, inside an AWS Lambda
> function?
No it's not possible. The TLS connection is terminated by API gateway, which then invokes your Lambda function via the AWS API. The Lambda function never has the network connection from the incoming request, so there's no way to perform mTLS inside the Lambda function.
> Or does this need to be rewritten to perform the mTLS inside an API
> Gateway instead? If so, is it possible to forward the certificate to
> the Go app/Lambda function for checking the CN?
Yes, the mTLS feature has to be implemented at API Gateway. I suggest following this official guide.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论