是否可以使用 net/http 在 golang 中托管多个域 TLS?
Is it possible to host multiple domain TLS in golang with net/http?
我有多个域(比如 abc.com 和 xyz.org),证书不同。是否可以使用基于主机名的密钥和证书而不深入底层和 net.Listen 等。只需使用简单的 http.ListenAndServeTLS(...) 或类似的?
基本上就像nginx所做的那样。
BuildNameToCertificate() 会从各证书中读取主机名。如果没有任何证书与 SNI 信息匹配,它会使用 Certificates[0]。
https://golang.org/src/crypto/tls/common.go?s=18204:18245#L947
Go 1.14 更新 - 请参阅 https://github.com/golang/go/commit/eb93c684d40de4924fc0664d7d9e98a84d5a100b
package main
import (
"crypto/tls"
"net/http"
"time"
"log"
)
// myHandler answers every request with the literal body "tls".
func myHandler(w http.ResponseWriter, r *http.Request) {
	const body = "tls"
	// The write error is deliberately ignored, as in the original demo.
	_, _ = w.Write([]byte(body))
}
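// main loads one key pair per hostname into a single tls.Config and serves
// HTTPS on :8443; the TLS layer picks the certificate matching the client's
// SNI and falls back to Certificates[0] when nothing matches.
func main() {
	// Certificates[0] is the fallback the server presents when no
	// certificate matches the SNI the client sent; the remaining entries
	// are selected by the hostnames they carry. Since Go 1.14 this
	// selection works without BuildNameToCertificate (deprecated since
	// then), so the call is omitted here.
	certFiles := []string{"test0.pem", "test1.pem", "test2.pem"}
	tlsConfig := &tls.Config{
		Certificates: make([]tls.Certificate, 0, len(certFiles)),
		// Refuse TLS 1.0/1.1 handshakes explicitly instead of relying on
		// the toolchain's default floor.
		MinVersion: tls.VersionTLS12,
	}
	for _, certFile := range certFiles {
		cert, err := tls.LoadX509KeyPair(certFile, "key.pem")
		if err != nil {
			// The package-level logger writes to stderr. A zero-value
			// log.Logger has no output writer, so its Fatal would panic
			// (or exit) without ever reporting the cause.
			log.Fatalf("loading key pair %q: %v", certFile, err)
		}
		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
	}

	http.HandleFunc("/", myHandler)
	server := &http.Server{
		Addr:         ":8443",
		ReadTimeout:  10 * time.Second,
		WriteTimeout: 10 * time.Second,
		// Bound how long an idle keep-alive connection may hold a
		// worker; without it only active reads/writes are limited.
		IdleTimeout:    60 * time.Second,
		MaxHeaderBytes: 1 << 20,
		TLSConfig:      tlsConfig,
	}
	// Empty certFile/keyFile make ListenAndServeTLS use
	// TLSConfig.Certificates, which is the "simple" form the question
	// asks for; it also lets the server apply its own TLS defaults.
	log.Fatal(server.ListenAndServeTLS("", ""))
}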
我有多个域(比如 abc.com 和 xyz.org),证书不同。是否可以使用基于主机名的密钥和证书而不深入底层和 net.Listen 等。只需使用简单的 http.ListenAndServeTLS(...) 或类似的? 基本上就像nginx所做的那样。
BuildNameToCertificate() 会从各证书中读取主机名。如果没有任何证书与 SNI 信息匹配,它会使用 Certificates[0]。 https://golang.org/src/crypto/tls/common.go?s=18204:18245#L947
Go 1.14 更新 - 请参阅 https://github.com/golang/go/commit/eb93c684d40de4924fc0664d7d9e98a84d5a100b
package main
import (
"crypto/tls"
"net/http"
"time"
"log"
)
// myHandler answers every request with the literal body "tls".
func myHandler(w http.ResponseWriter, r *http.Request) {
	const body = "tls"
	// The write error is deliberately ignored, as in the original demo.
	_, _ = w.Write([]byte(body))
}
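// main loads one key pair per hostname into a single tls.Config and serves
// HTTPS on :8443; the TLS layer picks the certificate matching the client's
// SNI and falls back to Certificates[0] when nothing matches.
func main() {
	// Certificates[0] is the fallback the server presents when no
	// certificate matches the SNI the client sent; the remaining entries
	// are selected by the hostnames they carry. Since Go 1.14 this
	// selection works without BuildNameToCertificate (deprecated since
	// then), so the call is omitted here.
	certFiles := []string{"test0.pem", "test1.pem", "test2.pem"}
	tlsConfig := &tls.Config{
		Certificates: make([]tls.Certificate, 0, len(certFiles)),
		// Refuse TLS 1.0/1.1 handshakes explicitly instead of relying on
		// the toolchain's default floor.
		MinVersion: tls.VersionTLS12,
	}
	for _, certFile := range certFiles {
		cert, err := tls.LoadX509KeyPair(certFile, "key.pem")
		if err != nil {
			// The package-level logger writes to stderr. A zero-value
			// log.Logger has no output writer, so its Fatal would panic
			// (or exit) without ever reporting the cause.
			log.Fatalf("loading key pair %q: %v", certFile, err)
		}
		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
	}

	http.HandleFunc("/", myHandler)
	server := &http.Server{
		Addr:         ":8443",
		ReadTimeout:  10 * time.Second,
		WriteTimeout: 10 * time.Second,
		// Bound how long an idle keep-alive connection may hold a
		// worker; without it only active reads/writes are limited.
		IdleTimeout:    60 * time.Second,
		MaxHeaderBytes: 1 << 20,
		TLSConfig:      tlsConfig,
	}
	// Empty certFile/keyFile make ListenAndServeTLS use
	// TLSConfig.Certificates, which is the "simple" form the question
	// asks for; it also lets the server apply its own TLS defaults.
	log.Fatal(server.ListenAndServeTLS("", ""))
}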