Author: Liu An

A member of the Aikesheng test team, mainly responsible for testing the DTLE open source project, and skilled in Python automated test development.

Source of this article: original contribution

*The original content is produced by the Aikesheng open source community and may not be used without authorization. For reprinting, please contact the editor and indicate the source.


How to enable HTTPS access mode of DTLE

DTLE provides HTTP access by default, but in the course of using DTLE it is unavoidable to submit information such as database user names, passwords, IP addresses and ports through the API. If this information is obtained by a third party, it is a disaster for the database's users. Therefore, DTLE provides an HTTPS access mode to protect this information.

Enabling DTLE's HTTPS access mode requires an SSL certificate. If the cluster you build needs to provide trusted services to the outside world, you can apply to a certificate authority. This article uses a self-generated (self-signed) SSL certificate to demonstrate how to configure DTLE to enable HTTPS access mode.

1. Download and install DTLE

Version dtle-ce-4.22.01.0 is used here; be careful not to start the DTLE service yet.

shell> curl -O "https://github.com/actiontech/dtle/releases/download/v4.22.01.0/dtle-ce-4.22.01.0.x86_64.rpm"
shell> rpm -ivh dtle-ce-4.22.01.0.x86_64.rpm --prefix=/opt/dtle

2. Generate certificate file and private key file

# openssl needs to be installed
shell> yum install openssl -y

shell> cd /opt/dtle/etc/dtle/

# Generate the private key file
shell> openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
........++++++
e is 65537 (0x10001)

# Generate the certificate request file; at this step you can press Enter all the way through without entering anything
shell> openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Xuhui
Organization Name (eg, company) [Default Company Ltd]:actiontech
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:dtle
Email Address []:852990221@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Generate the certificate file
shell> openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 365
Signature ok
subject=/C=CN/ST=Shanghai/L=Xuhui/O=actiontech/OU=qa/CN=dtle/emailAddress=852990221@qq.com
Getting Private key

shell> ls
consul.hcl  nomad.hcl  server.crt  server.csr  server.key

3. Edit nomad.hcl to configure the certificate file and private key file

shell> vi nomad.hcl
...
    cert_file_path = "/opt/dtle/etc/dtle/server.crt"
    key_file_path = "/opt/dtle/etc/dtle/server.key"
...

4. Start DTLE

shell> systemctl start dtle-consul dtle-nomad

5. Verify that HTTPS has been enabled successfully

# Access via http
shell> curl -X POST "http://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
Client sent an HTTP request to an HTTPS server.

# Access via https; our certificate has not been signed by a CA
shell> curl -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}"
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

# Access via https, adding the -k option to skip checking whether the server's SSL certificate is valid
shell> curl -s -k -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"admin\", \"tenant\": \"platform\", \"username\": \"admin\"}" | jq
{
  "message": "ok",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjAzNjcsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.I1XDK7Ar1JLKLWlxWEHX0vCWG07dDqBHieCBmjEVz0E"
  }
}

shell> curl -s -k -X GET "https://127.0.0.1:8190/v2/nodes" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTAxMjA0MjYsImdyb3VwIjoicGxhdGZvcm0iLCJuYW1lIjoiYWRtaW4ifQ.PoPwOWQF09uaUf6vu0rTPQVpLfF59UIhq-lLBBVhTbc" | jq
{
  "nodes": [
    {
      "node_address": "127.0.0.1",
      "node_name": "nomad0",
      "node_id": "21bd1636-0beb-e4c6-34fd-d35be32414e9",
      "node_status": "ready",
      "node_status_description": "",
      "datacenter": "dc1",
      "nomad_version": "1.1.2",
      "dtle_version": "4.22.01.0-4.22.01.x-952bb3d",
      "leader": true,
      "member": true
    }
  ],
  "message": "ok"
}
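As an added example (not code from the original article or the DTLE project), the shell script below redoes steps 2 and 5 with two changes a practitioner would want: a 2048-bit key instead of 1024 bits, and a subjectAltName in the certificate, so that the curl check in step 5 can trust server.crt via --cacert instead of disabling verification with -k. It assumes openssl and curl are on PATH and that DTLE listens on 127.0.0.1:8190 as in the article; the san.cnf file name and the helper function names are my own.

```shell
# Added example, not from the original article: self-signed cert with a SAN,
# verified by pinning it (--cacert) rather than by passing -k to curl.
# Assumes: openssl and curl on PATH; DTLE on 127.0.0.1:8190; output file
# names server.crt/server.key match the paths configured in nomad.hcl.
set -e

# Write key and self-signed cert into $1. The article's cert carries CN=dtle
# only; without a SAN matching the address used in the URL, verification
# fails even when the cert itself is trusted, which is why -k was needed.
make_self_signed_cert() {
    dir="$1"                      # e.g. /opt/dtle/etc/dtle
    host="${2:-dtle}"             # DNS name clients will use
    ip="${3:-127.0.0.1}"          # IP address clients will use
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
[dn]
[v3_req]
subjectAltName = DNS:$host,IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=CN/ST=Shanghai/L=Xuhui/O=actiontech/OU=qa/CN=$host" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    chmod 600 "$dir/server.key"   # only the service account should read the key
}

# Exit 0 if the certificate lists IP $2 in its SAN, 1 otherwise.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Exit 0 if the certificate verifies with itself as the trust anchor.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The article's login call, but pinning the server cert instead of using -k.
dtle_login_pinned() {
    curl -s --cacert "$1" -X POST "https://127.0.0.1:8190/v2/loginWithoutVerifyCode" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d '{"password": "admin", "tenant": "platform", "username": "admin"}'
}

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
make_self_signed_cert "$CERT_DIR"
echo "certificate written to $CERT_DIR; copy server.crt/server.key to /opt/dtle/etc/dtle"
```

After copying the files into /opt/dtle/etc/dtle and starting DTLE, `dtle_login_pinned /opt/dtle/etc/dtle/server.crt` returns the same token JSON as the -k call in step 5, but with the server identity actually checked.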

6. Capture packets to view the transmitted information

  • Using https, the information submitted when logging in to DTLE is encrypted:

  • Using http, the information submitted when logging in to DTLE is in plain text:

Conclusion:

If you use DTLE in your project to transmit data, be sure to enable HTTPS access mode to protect your information.

