go如何搭建一个零信任网络?
网友回复
Go语言搭建零信任网络完整方案
零信任架构核心组件
┌─────────────┐      ┌──────────────┐      ┌─────────────┐
│   客户端    │─────▶│   认证网关   │─────▶│  后端服务   │
│   (mTLS)    │      │   (验证层)   │      │   (资源)    │
└─────────────┘      └──────────────┘      └─────────────┘
                            │
                            ▼
                     ┌──────────────┐
                     │   策略引擎   │
                     │  (OPA/RBAC)  │
                     └──────────────┘

1. mTLS双向认证实现
生成证书脚本
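#!/bin/bash
# generate_certs.sh
#
# Creates a private CA plus one server and one client certificate for the
# mTLS demo. Both leaf certificates get a subjectAltName: Go (1.15+) ignores
# the Common Name when it verifies a host name, so a CN-only server
# certificate makes the sample client's connection to localhost:8443 fail
# verification.
set -euo pipefail

# CA certificate (self-signed; in a real deployment keep ca.key offline).
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/CN=Zero-Trust-CA"

# Server certificate. The SAN covers the service name and localhost so the
# sample client can verify it; the EKU restricts the cert to server use.
cat > server.ext <<'EOF'
subjectAltName = DNS:service.local, DNS:localhost
extendedKeyUsage = serverAuth
EOF
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr \
  -subj "/CN=service.local"
openssl x509 -req -days 365 -in server.csr -CA ca.crt \
  -CAkey ca.key -CAcreateserial -extfile server.ext -out server.crt

# Client certificate. The EKU restricts it to client authentication.
cat > client.ext <<'EOF'
subjectAltName = DNS:client.local
extendedKeyUsage = clientAuth
EOF
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr \
  -subj "/CN=client.local"
openssl x509 -req -days 365 -in client.csr -CA ca.crt \
  -CAkey ca.key -CAcreateserial -extfile client.ext -out client.crt

# Private keys are only ever read by their owner.
chmod 600 ca.key server.key client.key

# The CSRs and extension files are not needed by the server or the client.
rm -f server.csr client.csr server.ext client.ext

mTLS服务端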
// server/main.go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"time"
)
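// ZeroTrustServer holds the TLS configuration that enforces mutual TLS:
// every client must present a certificate that chains to the trusted CA.
type ZeroTrustServer struct {
	tlsConfig *tls.Config
}

// NewZeroTrustServer loads the CA bundle and the server key pair from the
// certs/ directory and builds a TLS configuration that requires and
// verifies a client certificate on every connection.
//
// It returns an error when a file cannot be read, the key pair is invalid,
// or the CA bundle contains no parsable certificate. The last case is
// checked explicitly: AppendCertsFromPEM reports failure only through its
// return value, and an empty ClientCAs pool would silently reject every
// client at the handshake.
func NewZeroTrustServer() (*ZeroTrustServer, error) {
	caCert, err := ioutil.ReadFile("certs/ca.crt")
	if err != nil {
		return nil, fmt.Errorf("reading CA certificate: %w", err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		return nil, fmt.Errorf("parsing %q: no valid PEM certificate found", "certs/ca.crt")
	}

	serverCert, err := tls.LoadX509KeyPair("certs/server.crt", "certs/server.key")
	if err != nil {
		return nil, fmt.Errorf("loading server key pair: %w", err)
	}

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    caCertPool,
		// Abort the handshake unless the client presents a certificate that
		// chains to ClientCAs, so unauthenticated peers never reach a handler.
		ClientAuth: tls.RequireAndVerifyClientCert,
		MinVersion: tls.VersionTLS13,
		// NOTE: Go does not let TLS 1.3 cipher suites be configured; with
		// MinVersion at 1.3 this list has no effect and only documents the
		// suites the handshake will negotiate anyway.
		CipherSuites: []uint16{
			tls.TLS_AES_256_GCM_SHA384,
			tls.TLS_CHACHA20_POLY1305_SHA256,
		},
	}
	return &ZeroTrustServer{tlsConfig: tlsConfig}, nil
}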
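// authMiddleware wraps next so that it only runs for requests whose client
// certificate was verified during the TLS handshake, and hands the
// certificate's Common Name to the handler through the X-Client-CN header.
//
// The server's TLS configuration already demands a verified client
// certificate, but the check is repeated here so the handler chain stays
// safe even if ClientAuth is later relaxed to RequestClientCert: a peer can
// then present a certificate that is in PeerCertificates without having
// been verified, whereas VerifiedChains is only populated for certificates
// that chained to ClientCAs.
func (s *ZeroTrustServer) authMiddleware(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		cert := r.TLS.PeerCertificates[0]
		log.Printf("Client authenticated: %s", cert.Subject.CommonName)
		// Set (not Add) overwrites any X-Client-CN the client itself sent, so
		// the handler only ever sees the identity taken from the certificate.
		r.Header.Set("X-Client-CN", cert.Subject.CommonName)
		next(w, r)
	}
}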
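// handleAPI is the protected resource. It identifies the caller by the
// Common Name of the verified client certificate on the connection rather
// than by the X-Client-CN request header, so a request that reaches this
// handler without authMiddleware in front of it cannot spoof its identity
// by supplying the header itself.
//
// VerifiedChains[0][0] is the peer's leaf certificate, the same certificate
// authMiddleware copies into X-Client-CN, so the greeting is unchanged for
// requests that came through the middleware.
func (s *ZeroTrustServer) handleAPI(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || len(r.TLS.VerifiedChains[0]) == 0 {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	clientCN := r.TLS.VerifiedChains[0][0].Subject.CommonName
	fmt.Fprintf(w, "Hello %s! Access granted.\n", clientCN)
}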
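// main wires the authenticated handler into an HTTPS listener on :8443.
// ListenAndServeTLS receives empty certificate and key paths because the
// server certificate is already carried by TLSConfig.Certificates.
func main() {
	server, err := NewZeroTrustServer()
	if err != nil {
		log.Fatal(err)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/api", server.authMiddleware(server.handleAPI))
	httpServer := &http.Server{
		Addr:      ":8443",
		Handler:   mux,
		TLSConfig: server.tlsConfig,
		// Timeouts bound how long a slow or idle peer can hold a connection;
		// without them a handful of stalled clients can tie up the listener
		// before they have even authenticated.
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	log.Println("Zero Trust server starting on :8443")
	log.Fatal(httpServer.ListenAndServeTLS("", ""))
}

mTLS客户端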
// client/main.go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"time"
)
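// main connects to the zero-trust server with a client certificate and
// prints the response body.
//
// Verification runs both ways: RootCAs pins the server to the private CA
// and Certificates supplies the client certificate the server requires.
// The server certificate must carry a subjectAltName matching the host in
// the URL ("localhost" here); Go does not fall back to the Common Name.
func main() {
	caCert, err := ioutil.ReadFile("certs/ca.crt")
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	// AppendCertsFromPEM only signals a bad bundle through its return value;
	// an empty pool would make every server certificate fail verification.
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatal("certs/ca.crt contains no valid PEM certificate")
	}

	clientCert, err := tls.LoadX509KeyPair("certs/client.crt", "certs/client.key")
	if err != nil {
		log.Fatal(err)
	}

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      caCertPool,
		MinVersion:   tls.VersionTLS13,
	}
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: tlsConfig,
		},
		// Bound the whole exchange so a stalled server cannot hang the client.
		Timeout: 30 * time.Second,
	}

	resp, err := client.Get("https://localhost:8443/api")
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	// A non-200 answer (for example the 401 from the server's middleware) is
	// a failure for this client, not a body to print as if access was granted.
	if resp.StatusCode != http.StatusOK {
		log.Fatalf("server returned %s: %s", resp.Status, body)
	}
	fmt.Println(string(body))
}

2. JWT + 策略引擎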
// auth/jwt.go
package auth
import (
"errors"
"time"
"github.com/golang-jwt/jwt/v5"
)
// Claims is the JWT payload used by JWTAuthenticator. UserID, Role and
// Policies are custom claims; the embedded jwt.RegisteredClaims contributes
// the standard registered claims (issuer, subject, audience, expiry, ...)
// from github.com/golang-jwt/jwt/v5.
type Claims struct {
	UserID   string   `json:"user_id"`
	Role     string   `json:"role"`
	Policies []string `json:"policies"`
	jwt.RegisteredClaims
}
// JWTAuthenticator holds the shared secret used to issue and check tokens
// (the token methods are defined elsewhere in this file).
type JWTAuthenticator struct {
	secretKey []byte
}

// NewJWTAuthenticator returns an authenticator keyed with secret, stored as
// its raw bytes. Whoever holds the secret can produce tokens the
// authenticator accepts, so it should be a long, randomly generated value
// loaded from configuration rather than a human-chosen password.
func NewJWTAuthenticator(secret string) *JWTAuthenticator {
	key := []byte(secret)
	auth := new(JWTAuthenticator)
	auth.secretKey = key
	return auth
}
func (j *JWTAuthenticator) GenerateToken...点击查看剩余70%


