文章目录

  • 生成证书
  • 测试tls-cert 和tls-key 参数
  • 测试tls-required参数
  • tls-client-auth-policy 参数验证
  • 客户端不合法证书测试
  • nsqadmin证书测试
  • 总结

可以为nsqd服务配置证书增加安全性,这里我们对该功能进行测试

生成证书

通过openssl 如下命令可以生成证书私钥对

 [root@localhost ~]# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a 2048 bit RSA private key
.............+++
............................+++
writing new private key to 'key.pem'

测试tls-cert 和tls-key 参数

如果不配置者两个参数,那么,只能通过http 和 tcp 来访问服务,https服务和端口为开启。
只配置者两个参数 http https tcp tls 都可以访问。
key.pem 和 cert.pem 放到指定目录/root/certs,
如下:

 [root@localhost ~]# mkdir certs
[root@localhost ~]# mv cert.pem  certs/
[root@localhost ~]# mv key.pem  certs/
[root@localhost ~]# ll certs
total 8
-rw-r--r--. 1 root root 1261 Apr 17 21:03 cert.pem
-rw-r--r--. 1 root root 1704 Apr 17 21:03 key.pem

重新启动 三个nsq服务 nsqd 要增加证书参数

[root@localhost nsq]# bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/cert.pem"  -tls-key "/root/certs/key.pem"
[nsqd] 2022/04/17 21:14:23.772212 INFO: nsqd v1.2.1 (built w/go1.16.6)
[nsqd] 2022/04/17 21:14:23.772256 INFO: ID: 856
[nsqd] 2022/04/17 21:14:23.773121 INFO: TOPIC(t1): created
[nsqd] 2022/04/17 21:14:23.773246 INFO: TOPIC(t1): new channel(c1)
[nsqd] 2022/04/17 21:14:23.773374 INFO: TOPIC(t1): new channel(c2)
[nsqd] 2022/04/17 21:14:23.773421 INFO: TOPIC(testtopic): created
[nsqd] 2022/04/17 21:14:23.773427 INFO: NSQ: persisting topic/channel metadata to nsqd.dat
[nsqd] 2022/04/17 21:14:23.775041 INFO: LOOKUP(192.168.195.10:4160): adding peer
[nsqd] 2022/04/17 21:14:23.775062 INFO: LOOKUP connecting to 192.168.195.10:4160
[nsqd] 2022/04/17 21:14:23.775274 INFO: TCP: listening on [::]:4150
[nsqd] 2022/04/17 21:14:23.775391 INFO: HTTP: listening on [::]:4151
[nsqd] 2022/04/17 21:14:23.775414 INFO: HTTPS: listening on [::]:4152
[nsqd] 2022/04/17 21:14:23.776061 INFO: LOOKUPD(192.168.195.10:4160): peer info {TCPPort:4160 HTTPPort:4161 Version:1.2.1 BroadcastAddress:localhost.localdomain}
[nsqd] 2022/04/17 21:14:23.776080 INFO: LOOKUPD(192.168.195.10:4160): REGISTER testtopic
[nsqd] 2022/04/17 21:14:23.776350 INFO: LOOKUPD(192.168.195.10:4160): REGISTER t1 c1
[nsqd] 2022/04/17 21:14:23.776525 INFO: LOOKUPD(192.168.195.10:4160): REGISTER t1 c2
[nsqd] 2022/04/17 21:14:23.776672 INFO: LOOKUPD(192.168.195.10:4160): channel REGISTER t1 c1
[nsqd] 2022/04/17 21:14:23.777508 INFO: LOOKUPD(192.168.195.10:4160): topic REGISTER t1
[nsqd] 2022/04/17 21:14:23.777795 INFO: LOOKUPD(192.168.195.10:4160): channel REGISTER t1 c2

使用to_nsq 和 postman 工具通过http接口向nsqd发送消息,测试结果 二者都可以成功发送,


测试tls-required参数

重启 nsqd服务增加 tls-required 参数配置,这个时候要求客户端链接必须通过tls,http接口不提供服务,https接口默认端口为4152
这个时候必须通过https和tls来访问nsqd服务

bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/cert.pem"  -tls-key "/root/certs/key.pem"  -tls-required true

再次通过 工具发送和接收消息,发现 to_nsq、nsq_tail go测试程序均 提示 失败 需要tls

[root@localhost nsq]# bin/to_nsq --topic t1 --nsqd-tcp-address "192.168.195.10:4150"
123
2022/04/17 21:27:46 INF    1 (192.168.195.10:4150) connecting to nsqd
2022/04/17 21:27:46 ERR    1 (192.168.195.10:4150) protocol error - E_INVALID cannot PUB in current state (TLS required)

nsqadmin 也无法获取nsqd信息了

http接口也是同样的提示,但是提示了 https的端口

将http接口地址更改为:https://192.168.195.10:4152/pub?topic=t1 消息发送成功

go测试代码中加入 tls支持后也可以正常发送消息

func TestPushTLS(t *testing.T) {config := nsq.NewConfig()//config.AuthSecret = secretconfig.TlsV1 = truetlsConfig := &tls.Config{InsecureSkipVerify: true}//tlsConfig.config.TlsConfig = tlsConfigproducer, err := nsq.NewProducer(address, config)if err != nil {t.Fatal(err)}now := time.Now()for i := 0; i < 2000; i++ {messageBody := []byte(fmt.Sprintf("hello %d", i))err = producer.Publish(topicName, messageBody)if err != nil {t.Fatal(err)}// time.Sleep(3 * time.Second)}t.Log(time.Now().Sub(now))producer.Stop()
}

发送成功

支持tls的 go 测试代码也可以正常消费

func TestSub2TLS(t *testing.T) {config := nsq.NewConfig()//config.AuthSecret = secretconfig.TlsV1 = truetlsConfig := &tls.Config{InsecureSkipVerify: true}config.TlsConfig = tlsConfigconsumer, err := nsq.NewConsumer(topicName, channel2, config)if err != nil {t.Fatal(err)}consumer.AddHandler(&myMessageHandler{})err = consumer.ConnectToNSQD(address)if err != nil {t.Fatal(err)}sigChan := make(chan os.Signal, 1)signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)<-sigChanconsumer.Stop()
}

tls-client-auth-policy 参数验证

该参数可以配置客户端证书验证策略,就是双向验证
require:比较宽松,客户端必须也提供一个证书,否则拒绝
require-verify:客户端必须 提供一个 服务端配置的根证书签发的证书,否则拒绝
由此我们需要重新生成一组根据根证书的
生成证书
生成过程见openssl签发证书
如下分别生成 服务端证书、根证书、客户端证书

重启nsqd服务
重启nsqd服务,增加 tls-client-auth-policy 和 tls-root-ca-file 配置

[root@localhost nsq]# bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/server.pem"  -tls-key "/root/certs/server.key"  -tls-required true  -tls-client-auth-policy require -tls-root-ca-file "/root/certs/ca.pem"
[nsqd] 2022/04/17 23:18:08.310057 INFO: nsqd v1.2.1 (built w/go1.16.6)
[nsqd] 2022/04/17 23:18:08.310101 INFO: ID: 856
[nsqd] 2022/04/17 23:18:08.313399 INFO: TOPIC(t1): created
[nsqd] 2022/04/17 23:18:08.314127 INFO: TOPIC(t1): new channel(c1)
[nsqd] 2022/04/17 23:18:08.314203 INFO: DISKQUEUE(t1:c1): readOne() opened t1:c1.diskqueue.000000.dat
[nsqd] 2022/04/17 23:18:08.314683 INFO: TOPIC(t1): new channel(c2)
[nsqd] 2022/04/17 23:18:08.314744 INFO: TOPIC(testtopic): created
[nsqd] 2022/04/17 23:18:08.314753 INFO: NSQ: persisting topic/channel metadata to nsqd.dat
[nsqd] 2022/04/17 23:18:08.315459 INFO: DISKQUEUE(t1:c2): readOne() opened t1:c2.diskqueue.000000.dat
[nsqd] 2022/04/17 23:18:08.316918 INFO: LOOKUP(192.168.195.10:4160): adding peer
[nsqd] 2022/04/17 23:18:08.316930 INFO: LOOKUP connecting to 192.168.195.10:4160
[nsqd] 2022/04/17 23:18:08.317160 INFO: TCP: listening on [::]:4150

访问测试
https接口测试仍然可以正常访问

go测试代码测试也正常

重启nsqd修改tls-client-auth-policy值为 require-verify

[root@localhost nsq]# bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/server.pem"  -tls-key "/root/certs/server.key"  -tls-required true  -tls-client-auth-policy require-verify  -tls-root-ca-file "/root/certs/ca.pem"
[nsqd] 2022/04/17 23:23:49.458810 INFO: nsqd v1.2.1 (built w/go1.16.6)
[nsqd] 2022/04/17 23:23:49.458855 INFO: ID: 856
[nsqd] 2022/04/17 23:23:49.459713 INFO: TOPIC(t1): created
[nsqd] 2022/04/17 23:23:49.459874 INFO: TOPIC(t1): new channel(c2)
[nsqd] 2022/04/17 23:23:49.459922 INFO: TOPIC(t1): new channel(c1)
[nsqd] 2022/04/17 23:23:49.459954 INFO: DISKQUEUE(t1:c2): readOne() opened t1:c2.diskqueue.000000.dat
[nsqd] 2022/04/17 23:23:49.460272 INFO: TOPIC(testtopic): created
[nsqd] 2022/04/17 23:23:49.460283 INFO: NSQ: persisting topic/channel metadata to nsqd.dat
[nsqd] 2022/04/17 23:23:49.460356 INFO: DISKQUEUE(t1:c1): readOne() opened t1:c1.diskqueue.000000.dat
[nsqd] 2022/04/17 23:23:49.462165 INFO: LOOKUP(192.168.195.10:4160): adding peer
[nsqd] 2022/04/17 23:23:49.462291 INFO: LOOKUP connecting to 192.168.195.10:4160
[nsqd] 2022/04/17 23:23:49.462631 INFO: HTTP: listening on [::]:4151
[nsqd] 2022/04/17 23:23:49.462677 INFO: TCP: listening on [::]:4150
[nsqd] 2022/04/17 23:23:49.462681 INFO: HTTPS: listening on [::]:4152
[nsqd] 2022/04/17 23:23:49.463280 INFO: LOOKUPD(192.168.195.10:4160): peer info {TCPPort:4160 HTTPPort:4161 Version:1.2.1 BroadcastAddress:localhost.localdomain}

且支持tls 的go测试代码可以 正常消费

https接口和go测试代码都访问正常? 那这个配置参数有什么用?
猜测是参数没起作用,下载nsq源码在本地编译运行 通过配置文件配置 发现 开启这个选项后https无法访问。与预期相符 。为什么这里的参数没生效后续再排查。
后续经过测试 通过如下命令启动nsqd时 参数生效情况如下,生效不生效命令的区别在于 --tls-required=“true” 参数的方式难道必须 --tls-required=“true” 这样传,tls-client-auth-policy 和 tls-root-ca-file 参数才能生效?

bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/server.pem"  -tls-key "/root/certs/server.key"  --tls-required="true"  --tls-client-auth-policy= "require" --tls-root-ca-file= "/root/certs/ca.pem"  --生效
bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/server.pem"  -tls-key "/root/certs/server.key"  --tls-required="true"  -tls-client-auth-policy "require" -tls-root-ca-file "/root/certs/ca.pem" --生效
bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/server.pem"  -tls-key "/root/certs/server.key"  -tls-required "true"  --tls-client-auth-policy= "require" --tls-root-ca-file= "/root/certs/ca.pem"  ----不生效
bin/nsqd  -lookupd-tcp-address "192.168.195.10:4160"  -tls-cert "/root/certs/server.pem"  -tls-key "/root/certs/server.key"  -tls-required true  --tls-client-auth-policy= "require" --tls-root-ca-file= "/root/certs/ca.pem"  ----不生效

这里我们在虚拟机中也采用配置文件来进行配置,配置文件内容如下:

[root@localhost bin]# cat nsqd.conf##log verbosity level: debug, info, warn, error, or fatal
log_level = "debug"## unique identifier (int) for this worker (will default to a hash of hostname)
# id = 5150## <addr>:<port> to listen on for TCP clients
tcp_address = "0.0.0.0:4150"## <addr>:<port> to listen on for HTTP clients
http_address = "0.0.0.0:4151"## <addr>:<port> to listen on for HTTPS clients
# https_address = "0.0.0.0:4152"## address that will be registered with lookupd (defaults to the OS hostname)
# broadcast_address = ""## cluster of nsqlookupd TCP addressesnsqlookupd_tcp_addresses = ["127.0.0.1:4160"]## duration to wait before HTTP client connection timeout
http_client_connect_timeout = "2s"## duration to wait before HTTP client request timeout
http_client_request_timeout = "5s"## path to store disk-backed messages
# data_path = "/var/lib/nsq"## number of messages to keep in memory (per topic/channel)
mem_queue_size = 10000## number of bytes per diskqueue file before rolling
max_bytes_per_file = 104857600## number of messages per diskqueue fsync
sync_every = 2500## duration of time per diskqueue fsync (time.Duration)
sync_timeout = "2s"## duration to wait before auto-requeing a message
msg_timeout = "60s"## maximum duration before a message will timeout
max_msg_timeout = "15m"## maximum size of a single message in bytes
max_msg_size = 1024768## maximum requeuing timeout for a message
max_req_timeout = "1h"## maximum size of a single command body
max_body_size = 5123840## maximum client configurable duration of time between client heartbeats
max_heartbeat_interval = "60s"## maximum RDY count for a client
max_rdy_count = 2500## maximum client configurable size (in bytes) for a client output buffer
max_output_buffer_size = 65536## maximum client configurable duration of time between flushing to a client (time.Duration)
max_output_buffer_timeout = "1s"## UDP <addr>:<port> of a statsd daemon for pushing stats
# statsd_address = "127.0.0.1:8125"## prefix used for keys sent to statsd (%s for host replacement)
statsd_prefix = "nsq.%s"## duration between pushing to statsd (time.Duration)
statsd_interval = "60s"## toggle sending memory and GC stats to statsd
statsd_mem_stats = true## the size in bytes of statsd UDP packets
# statsd_udp_packet_size = 508## message processing time percentiles to keep track of (float)
e2e_processing_latency_percentiles = [1.0,0.99,0.95
]## calculate end to end latency quantiles for this duration of time (time.Duration)
e2e_processing_latency_window_time = "10m"## path to certificate file
tls_cert = "/root/certs/server.pem"## path to private key file
tls_key = "/root/certs/server.key"## set policy on client certificate (require - client must provide certificate,
##  require-verify - client must provide verifiable signed certificate)
tls_client_auth_policy = "require-verify"## set custom root Certificate Authority
tls_root_ca_file = "/root/certs/ca.pem"## require client TLS upgrades
tls_required = true## minimum TLS version ("ssl3.0", "tls1.0," "tls1.1", "tls1.2")
tls_min_version = ""## enable deflate feature negotiation (client compression)
deflate = true## max deflate compression level a client can negotiate (> values == > nsqd CPU usage)
max_deflate_level = 6## enable snappy feature negotiation (client compression)
snappy = true

使用配置文件重启nsqd服务

[root@localhost bin]# ./nsqd --config nsqd.conf
[nsqd] 2022/04/18 11:21:27.860418 INFO: nsqd v1.2.1 (built w/go1.16.6)
[nsqd] 2022/04/18 11:21:27.860785 INFO: ID: 856
[nsqd] 2022/04/18 11:21:27.861701 INFO: NSQ: persisting topic/channel metadata to nsqd.dat
[nsqd] 2022/04/18 11:21:27.920159 INFO: HTTP: listening on [::]:4151
[nsqd] 2022/04/18 11:21:27.920418 INFO: TCP: listening on [::]:4150
[nsqd] 2022/04/18 11:21:27.920505 INFO: HTTPS: listening on [::]:4152
[nsqd] 2022/04/18 11:21:44.776715 WARNING: http: TLS handshake error from 192.168.195.1:53326: tls: client didn't provide a certificate
[nsqd] 2022/04/18 11:22:18.442487 WARNING: http: TLS handshake error from 192.168.195.1:54206: tls: client didn't provide a certificate

再次 http https 及go TLS代码进行访问测试
http 服务提示通过https 及 4152 端口访问
https 4152端口 提示错误,错误的证书,可见配置生效

go tls 链接代码测试也失败

nsqd服务打印除了 链接错误信息 提示客户端没有提供合法的证书

[nsqd] 2022/04/18 11:27:06.593307 DEBUG: PROTOCOL(V2): [192.168.195.1:52228] [IDENTIFY]
[nsqd] 2022/04/18 11:27:06.593452 DEBUG: PROTOCOL(V2): [192.168.195.1:52228] {ClientID:DESKTOP-OGF3M8K Hostname:DESKTOP-OGF3M8K HeartbeatInterval:30000 OutputBufferSize:16384 OutputBufferTimeout:250 FeatureNegotiation:true TLSv1:true Deflate:false DeflateLevel:6 Snappy:false SampleRate:0 UserAgent:go-nsq/1.1.0 MsgTimeout:0}
[nsqd] 2022/04/18 11:27:06.593468 INFO: [192.168.195.1:52228] IDENTIFY: {ClientID:DESKTOP-OGF3M8K Hostname:DESKTOP-OGF3M8K HeartbeatInterval:30000 OutputBufferSize:16384 OutputBufferTimeout:250 FeatureNegotiation:true TLSv1:true Deflate:false DeflateLevel:6 Snappy:false SampleRate:0 UserAgent:go-nsq/1.1.0 MsgTimeout:0}
[nsqd] 2022/04/18 11:27:06.593699 INFO: PROTOCOL(V2): [192.168.195.1:52228] upgrading connection to TLS
[nsqd] 2022/04/18 11:27:06.598603 ERROR: [192.168.195.1:52228] - E_IDENTIFY_FAILED IDENTIFY failed tls: client didn't provide a certificate - tls: client didn't provide a certificate
[nsqd] 2022/04/18 11:27:06.598767 INFO: PROTOCOL(V2): [192.168.195.1:52228] exiting ioloop
[nsqd] 2022/04/18 11:27:06.598833 ERROR: client(192.168.195.1:52228) - E_IDENTIFY_FAILED IDENTIFY failed tls: client didn't provide a certificate
[nsqd] 2022/04/18 11:27:06.598945 INFO: PROTOCOL(V2): [192.168.195.1:52228] exiting messagePump

go测试也引入证书,发布和订阅消息方法如下;

func TestPushCert(t *testing.T) {config := nsq.NewConfig()//config.AuthSecret = secretconfig.TlsV1 = truecert, err := tls.LoadX509KeyPair("client.pem", "client.key")if err != nil {log.Println(err)return}certBytes, err := ioutil.ReadFile("ca.pem")if err != nil {panic("Unable to read ca.pem")}clientCertPool := x509.NewCertPool()ok := clientCertPool.AppendCertsFromPEM(certBytes)if !ok {panic("failed to parse root certificate")}tlsConfig := &tls.Config{RootCAs:            clientCertPool,Certificates:       []tls.Certificate{cert},InsecureSkipVerify: true,}config.TlsConfig = tlsConfigproducer, err := nsq.NewProducer(address, config)if err != nil {t.Fatal(err)}now := time.Now()for i := 0; i < 2; i++ {messageBody := []byte(fmt.Sprintf("hello %d", i))err = producer.Publish(topicName, messageBody)if err != nil {t.Fatal(err)}// time.Sleep(3 * time.Second)}t.Log(time.Now().Sub(now))producer.Stop()
}func TestSubTLSCert(t *testing.T) {config := nsq.NewConfig()//config.AuthSecret = secretconfig.TlsV1 = truecert, err := tls.LoadX509KeyPair("client.pem", "client.key")if err != nil {log.Println(err)return}certBytes, err := ioutil.ReadFile("ca.pem")if err != nil {panic("Unable to read ca.pem")}clientCertPool := x509.NewCertPool()ok := clientCertPool.AppendCertsFromPEM(certBytes)if !ok {panic("failed to parse root certificate")}tlsConfig := &tls.Config{RootCAs:            clientCertPool,Certificates:       []tls.Certificate{cert},InsecureSkipVerify: true,}config.TlsConfig = tlsConfigconsumer, err := nsq.NewConsumer(topicName, channel1, config)if err != nil {t.Fatal(err)}consumer.AddHandler(&myMessageHandler{})err = consumer.ConnectToNSQD(address)if err != nil {t.Fatal(err)}sigChan := make(chan os.Signal, 1)signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)<-sigChanconsumer.Stop()
}

执行该两个方法 可以正常的发布和消费


注意方法命名 ,执行 go test -v -run 的时候如果两个方法名类似可能会都执行 从而对测试产生干扰。

客户端不合法证书测试

tls_client_auth_policy = require-verify 时 客户端必须 提供一个 服务端配置的根证书签发的证书,否则会被拒绝,这里我们客户端证书修改为非ca 签发的证书。如下

用go代码进行链接测试仍然提示,证书不合法

我们修改tls_client_auth_policy = require 重启nsqd服务
订阅程序仍然报错,该参数的意义是什么呢? 谁知道欢迎留言

nsqadmin证书测试

nsqadmin 也提供了配置证书的参数,不知道是用来干嘛的,这里做个测试。
首先如果nsqd配置了双向证书,那么通过nsqdadmin 就无法查看到 topic 的详情了,提示badcertificate,有错误信息可以看到 nsqadmin 访问nsqd是通过https 的方式。

我们将 客户端证书配置上启动nsqdadmin

[root@localhost nsq]# bin/nsqadmin -lookupd-http-address 192.168.195.10:4161 -http-client-tls-cert "/root/certs/client.pem"  -http-client-tls-key "/root/certs/client.key"    -http-client-tls-insecure-skip-verify true -http-client-tls-root-ca-file "/root/certs/ca.pem"
[nsqadmin] 2022/04/18 21:31:26.459717 INFO: nsqadmin v1.2.1 (built w/go1.16.6)
[nsqadmin] 2022/04/18 21:31:26.461381 INFO: HTTP: listening on [::]:4171
[nsqadmin] 2022/04/18 21:31:35.163107 INFO: 200 GET /nodes (192.168.195.111:62594) 1.208135ms
[nsqadmin] 2022/04/18 21:31:35.311040 INFO: 200 GET /static/base.css (192.168.195.111:62595) 88.178µs
[nsqadmin] 2022/04/18 21:31:35.312602 INFO: 200 GET /static/bootstrap.min.css (192.168.195.111:62594) 864.948µs
[nsqadmin] 2022/04/18 21:31:35.316623 INFO: 200 GET /static/main.js (192.168.195.111:62597) 244.716µs
[nsqadmin] 2022/04/18 21:31:35.318465 INFO: 200 GET /static/vendor.js (192.168.195.111:62596) 1.736194ms
[nsqadmin] 2022/04/18 21:31:35.335134 INFO: 200 GET /static/favicon.png (192.168.195.111:62599) 17.424µs
[nsqadmin] 2022/04/18 21:31:35.388056 INFO: CI: querying nsqlookupd http://192.168.195.10:4161/nodes
[nsqadmin] 2022/04/18 21:31:35.388474 INFO: 200 GET /static/nsq_blue.png (192.168.195.111:62596) 22.041µs
[nsqadmin] 2022/04/18 21:31:35.393234 INFO: 200 GET /api/nodes (192.168.195.111:62597) 5.303567ms
[nsqadmin] 2022/04/18 21:31:35.486099 INFO: 200 GET /static/favicon.png (192.168.195.111:62599) 12.06µs
[nsqadmin] 2022/04/18 21:31:38.314833 INFO: CI: querying nsqlookupd http://192.168.195.10:4161/lookup?topic=t1
[nsqadmin] 2022/04/18 21:31:38.316364 INFO: CI: querying nsqd http://localhost.localdomain:4151/stats?format=json&topic=t1&include_clients=false
[nsqadmin] 2022/04/18 21:31:38.321008 INFO: 200 GET /static/favicon.png (192.168.195.111:62599) 8.752µs
[nsqadmin] 2022/04/18 21:31:38.341699 INFO: 200 GET /api/topics/t1 (192.168.195.111:62597) 27.069914ms

再次访问nsq admin服务,可以正常访问,证明作者为nsqdadmin 也考虑了身份验证。

总结

1、这种方法不需要单独部署认证服务,但是需要签发证书
2、这种方式开启后http 接口形式就无法使用,https如果可以支持双向认证应该也可以正常使用,https 接口如何进行双向测试有待进一步验证
3、这种方式nsqadmin服务提供了证书配置参数,配置了合法证书的nsqadmin可以正常访问、管理nsqd。
4、测试过程中证书中设置的ip并未影响证书的验证。

和 auth 方式对比
1、比auth方式,多了http接口方式认证的支持。auth 无法保护http接口,只能隐藏该服务 ,nsqadmin 如果想要访问nsqd 只能部署在特定范围服务器上。
2、不需要另外部署其他认证服务,自签证书就可以,部署相对简单
综上所述 感觉 证书方式更好一些。

NSQ详细教程4 证书及TLS功能测试相关推荐

  1. HTTPS 简介及使用官方工具 Certbot 配置 SSL 安全证书详细教程

    Homepage » 教程 » HTTPS 简介及使用官方工具 Certbot 配置 Let's Encrypt SSL 安全证书详细教程 HTTPS 简介及使用官方工具 Certbot 配置 Let ...

  2. Windows申请iOS证书上架App Store详细教程 (有这一篇就够了)

    Windows申请iOS证书上架App Store详细教程 上架基本需求资料 1.苹果开发者账号(如还没账号先申请-苹果开发者账号申请教程) 2.开发好的APP 通过本篇教程,可以学习到ios证书申请 ...

  3. 2021 申请SSL证书、Nginx和SpringBoot配置阿里云SSL证书解决HTTP HTTPS及不生效、打包报错详细教程

    2021 申请SSL证书.Nginx和SpringBoot配置阿里云SSL证书解决HTTP HTTPS及不生效.打包报错详细教程 目录 1. 获取SSL证书文件 1.1 购买SSL证书 1.2创建证书 ...

  4. 二进制安装部署 4 kubernetes集群---超详细教程

    二进制安装部署kubernetes集群---超详细教程 前言:本篇博客是博主踩过无数坑,反复查阅资料,一步步搭建完成后整理的个人心得,分享给大家~~~ 本文所需的安装包,都上传在我的网盘中,需要的可以 ...

  5. Kubernetes详细教程

    Kubernetes详细教程 1. Kubernetes介绍 1.1 应用部署方式演变 在部署应用程序的方式上,主要经历了三个时代: 传统部署:互联网早期,会直接将应用程序部署在物理机上 优点:简单, ...

  6. 如何用fiddler抓取HTTPS的详细教程(附fiddler安装教学)

    对于想抓取HTTPS的测试初学者来说,常用的工具就是fiddler,可是在初学时,大家对于fiddler如何抓取HTTPS真是伤了脑筋,可能你一步步按着网上的帖子成功了,那当然是极好的,有可能没有成功 ...

  7. php网页脚本代码大全,PHP编写脚本代码的详细教程

    下面是小编给大家分享的一篇PHP编写脚本代码的详细教程,感兴趣的朋友跟小编一起来了解一下吧! 看看下面的这段PHP脚本,它用来在输入的用户名及口令正确时授权访问一个Web页面: 复制代码 代码如下: ...

  8. vue项目使用Hbuilder打包苹果IOS-App详细教程

    本文主要记录一下本人使用vue开发的移动端App使用Hbuilder打包成苹果IOS-App的详细步骤,仅供参考,如有不足,请指教. 打包苹果IOSapp首先需要准备以下几项东西: 1.已经编写好的v ...

  9. 真正从零开始搭建网站—宝塔面板+wordpress(超详细教程)

    如果还有不了解宝塔面板怎么使用的小伙伴,可以看下我总结的系列教程,保证从新手变老鸟: [宝塔面板精选教程汇总] 宝塔面板教程(1)基于云服务器搭建宝塔面板教程最全详解 宝塔面板教程(2)宝塔面板添加W ...

  10. 基于百度云主机的USDP 2.x 安装详细教程

    基于百度云主机的USDP 2.x 安装详细教程 1. USDP 简介 ​ UCloud Smart Data Platform(简称 USDP),是 UCloud 推出的云上智能化.轻量级的大数据基础 ...

最新文章

  1. CentOS 5.6下创建KVM虚拟机
  2. ESXI5.5添加本地磁盘出错的解决
  3. 微服务架构 — 服务治理 — 服务注册与发现、服务订阅与通知
  4. 最近在弄ionic3的时候遇到的一些问题(遇到就更新)
  5. 【李开复】从优秀到卓越 (二)
  6. Java IO流(三)
  7. 微信OPENID授权方法
  8. 基于Hexo+GitHub Page搭建免费个人博客教程
  9. boost::scoped_ptr与std::unique_ptr
  10. 多线程执行sql报错处理
  11. 查询出两个表中不同的数据
  12. 华为补助武汉员工,最高每日 2000 元;iPhone SE 2 量产或推迟;PowerShell 7.0 发布 | 极客头条...
  13. 程序员 520 表白:我写算法只为找到你!
  14. mysql优于oracle的地方_MYSQL转为ORACLE要注意的地方
  15. md5校验工具hash
  16. Emoji表情存入数据库报错:java.sql.SQLException: Incorrect string value: '\xF0\x9F\x91\xBD\xF0\x9F…'
  17. 怎么设置织梦栏目html结尾,dedecms网站栏目地址url优化成.html结尾的而不是文件夹形式结尾的。请大家来帮忙。...
  18. Spring Boot项目@RunWith注解报错
  19. 【《Real-Time Rendering 3rd》 提炼总结】(二) 第二章 · 图形渲染管线 The Graphics Rendering Pipeline
  20. GraphSAGE NIPS 2017 代码分析(Tensorflow版)

热门文章

  1. 爱蜗影视优码双端影视 全新美化多功能双端影视APP源码 影视视频APP源码 无后门
  2. paper 119:[转]图像处理中不适定问题-图像建模与反问题处理
  3. Android 实现摇晃手机的监听
  4. vue 中循环显示多个图片
  5. 人机对战:电脑太简单了,我是射手 skr~skr~skr
  6. 样板工程为什么变成了豆腐渣
  7. python中sint的意思_PLC里的SINT是什么意思
  8. mysql商品和图片表的意思,MySQL----商品表及商品分类表例子
  9. Walker之注册页面的实现
  10. 电销回拨系统:让销售变得更轻松