在AWS Lambda中为Go HTTP API执行mTLS

huangapple go评论81阅读模式
英文:

Performing mTLS for a Go HTTP API running in AWS Lambda

问题

目前我有一个使用github.com/gin-gonic/gin库设置的Go HTTP API,用于执行mTLS,如下所示:

router := gin.New()
router.GET("/ping", handlers.GinHandler{GC: globalConf, H: handler.Ping}.Handle())

// 我正在检查错误,但为了简单起见,省略了错误检查
caCert, _ := ioutil.ReadFile("ca.crt")
caCertPool, _ := x509.SystemCertPool()
caCertPool.AppendCertsFromPEM(caCert)

tlsConfig := &tls.Config{
    ClientCAs:  caCertPool,
    ClientAuth: tls.RequireAndVerifyClientCert,
}

server := &http.Server{
    Addr:      ":" + "8443",
    TLSConfig: tlsConfig,
    Handler:   router,
}

server.ListenAndServeTLS("ssl.crt", "ssl.key")

看起来我需要使用类似github.com/apex/gateway的东西与AWS Lambda兼容,但是它只有一个ListenAndServe函数,而不是像net/http包那样有一个ListenAndServeTLS

在AWS Lambda函数内部是否可以执行这样的mTLS?

还是需要重写以在API Gateway内执行mTLS?如果是这样,是否可以将证书转发给Go应用程序/Lambda函数以检查CN?

英文:

Currently have a Go HTTP API using the github.com/gin-gonic/gin library set up to perform mTLS, like so:

router := gin.New()
router.GET("/ping", handlers.GinHandler{GC: globalConf, H: handler.Ping}.Handle())

// I'm checking errors but just for simplicity it's ommitted
caCert, _ := ioutil.ReadFile("ca.crt")
caCertPool, _ := x509.SystemCertPool()
caCertPool.AppendCertsFromPEM(caCert)

tlsConfig := &tls.Config{
	ClientCAs:  caCertPool,
	ClientAuth: tls.RequireAndVerifyClientCert,
}

server := &http.Server{
	Addr:      ":" + "8443",
	TLSConfig: tlsConfig,
	Handler:   router,
}

server.ListenAndServeTLS("ssl.crt", "ssl.key")

It seems I need to use something like github.com/apex/gateway for compatibility with AWS Lambda, but there's only a ListenAndServe function, rather than a ListenAndServeTLS like with the net/http package.

Is it possible to perform mTLS like this, inside an AWS Lambda function?

Or does this need to be rewritten to perform the mTLS inside an API Gateway instead? If so, is it possible to forward the certificate to the Go app/Lambda function for checking the CN?

答案1

得分: 1

不,这是不可能的。TLS连接由API网关终止,然后通过AWS API调用您的Lambda函数。Lambda函数从传入请求中没有网络连接,因此无法在Lambda函数内部执行mTLS。

是的,mTLS功能必须在API网关上实现。我建议按照官方指南进行操作。

英文:

> Is it possible to perform mTLS like this, inside an AWS Lambda
> function?

No it's not possible. The TLS connection is terminated by API gateway, which then invokes your Lambda function via the AWS API. The Lambda function never has the network connection from the incoming request, so there's no way to perform mTLS inside the Lambda function.

> Or does this need to be rewritten to perform the mTLS inside an API
> Gateway instead? If so, is it possible to forward the certificate to
> the Go app/Lambda function for checking the CN?

Yes, the mTLS feature has to be implemented at API Gateway. I suggest following this official guide.

huangapple
  • 本文由 发表于 2022年10月7日 21:46:05
  • 转载请务必保留本文链接:https://go.coder-hub.com/73988139.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定