Access the httpbin service over HTTPS, that is, have curl send an HTTPS request to the ingress gateway service IngressGateway.
Look at the Server certificate section in the output of the curl command and note the common name: httpbin.example.com (matched). The output also contains SSL certificate verify ok, which shows that verification of the server's certificate succeeded:
$ INGRESS_HOST={actual IP address of the istio-ingressgateway service}
$ SECURE_INGRESS_PORT=443
$ curl -v -I -HHost:httpbin.example.com --resolve httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem https://httpbin.example.com:$SECURE_INGRESS_PORT/status/200
* Added httpbin.example.com:443:112.126.68.15 to DNS cache
* Hostname httpbin.example.com was found in DNS cache
* Trying 112.126.68.15...
* TCP_NODELAY set
* Connected to httpbin.example.com (112.126.68.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=Denial; L=Springfield; O=Dis; CN=httpbin.example.com
* start date: Jan 10 02:27:42 2019 GMT
* expire date: Jan 20 02:27:42 2020 GMT
* common name: httpbin.example.com (matched)
* issuer: C=US; ST=Denial; O=Dis; CN=httpbin.example.com
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd675002400)
> HEAD /status/200 HTTP/2
> Host:httpbin.example.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: istio-envoy
server: istio-envoy
< date: Tue, 19 Nov 2019 02:12:31 GMT
date: Tue, 19 Nov 2019 02:12:31 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< access-control-allow-origin: *
access-control-allow-origin: *
< access-control-allow-credentials: true
access-control-allow-credentials: true
< content-length: 0
content-length: 0
< x-envoy-upstream-service-time: 2
x-envoy-upstream-service-time: 2
<
* Connection #0 to host httpbin.example.com left intact
Note the following parameter settings:
·--resolve: makes curl reach the Gateway address over TLS via the domain name httpbin.example.com, so that the connection satisfies the certificate's SNI requirement.
·--cacert: makes curl use the certificate generated earlier to verify the server.
·INGRESS_HOST: the actual IP address of the istio-ingressgateway service; SECURE_INGRESS_PORT is the secure port of the istio-ingressgateway service, normally 443.
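The same check as an added example (not code from the page or from Istio): run curl with --resolve and --cacert exactly as above, then parse the -v trace so a script can fail when the chain does not verify or the certificate name does not match the SNI host. The function names and the abridged sample trace are constructed for this example.

```python
import re
import subprocess

def parse_curl_verbose(trace: str) -> dict:
    """Pull the security-relevant facts out of a curl -v trace.
    Accepts both the older 'common name: X (matched)' line shown on the page
    and newer curl's 'subjectAltName: host "X" matched ...' line."""
    matched = (re.search(r"common name: (\S+) \(matched\)", trace)
               or re.search(r'subjectAltName: host "([^"]+)" matched', trace))
    conn = re.search(r"SSL connection using (\S+) / (\S+)", trace)
    subject = re.search(r"^\*\s+subject: (.+)$", trace, re.M)
    issuer = re.search(r"^\*\s+issuer: (.+)$", trace, re.M)
    return {
        "verify_ok": "SSL certificate verify ok" in trace,
        "matched_name": matched.group(1) if matched else None,
        "tls_version": conn.group(1) if conn else None,
        "cipher": conn.group(2) if conn else None,
        "subject": subject.group(1).strip() if subject else None,
        "issuer": issuer.group(1).strip() if issuer else None,
    }

def gateway_cert_ok(trace: str, expected_host: str) -> bool:
    """True only if curl verified the chain against --cacert AND the
    certificate's name matched the SNI host supplied via --resolve."""
    facts = parse_curl_verbose(trace)
    return facts["verify_ok"] and facts["matched_name"] == expected_host

def curl_gateway(host: str, ingress_ip: str, port: int, cafile: str,
                 path: str = "/status/200") -> str:
    """Run curl as the page does; the -v trace is written to stderr.
    --resolve pins the name to the gateway IP so SNI carries the hostname,
    --cacert makes curl trust only the CA chain generated earlier."""
    cmd = ["curl", "-sS", "-v", "-I", "-H", f"Host:{host}",
           "--resolve", f"{host}:{port}:{ingress_ip}", "--cacert", cafile,
           f"https://{host}:{port}{path}"]
    return subprocess.run(cmd, capture_output=True, text=True).stderr

# Constructed sample trace, abridged from the page's curl output, for offline use.
SAMPLE_TRACE = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* Server certificate:
*  subject: C=US; ST=Denial; L=Springfield; O=Dis; CN=httpbin.example.com
*  common name: httpbin.example.com (matched)
*  issuer: C=US; ST=Denial; O=Dis; CN=httpbin.example.com
*  SSL certificate verify ok.
"""
```

In a pipeline, call `gateway_cert_ok(curl_gateway(...), "httpbin.example.com")` and treat False as a failed deployment check.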