TLS and SSL
The gateway can listen for requests on HTTPS by following the usual Spring server configuration. The following example shows how to do so:
server:
  ssl:
    enabled: true
    key-alias: scg
    key-store-password: scg1234
    key-store: classpath:scg-keystore.p12
    key-store-type: PKCS12
You can route gateway routes to both HTTP and HTTPS backends. If you are routing to an HTTPS backend, you can configure the gateway to trust all downstream certificates with the following configuration:
spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          useInsecureTrustManager: true
Using an insecure trust manager is not suitable for production. For a production deployment, you can configure the gateway with a set of known certificates that it can trust with the following configuration:
spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          trustedX509Certificates:
            - cert1.pem
            - cert2.pem
If the Spring Cloud Gateway is not provisioned with trusted certificates, the default trust store is used (which you can override by setting the javax.net.ssl.trustStore system property).
TLS Handshake
The gateway maintains a client pool that it uses to route to backends. When communicating over HTTPS, the client initiates a TLS handshake. A number of timeouts are associated with this handshake. You can configure these timeouts (defaults shown) as follows:
spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          handshake-timeout-millis: 10000
          close-notify-flush-timeout-millis: 3000
          close-notify-read-timeout-millis: 0