TLS Security Configuration
TLS (Transport Layer Security) is a core security mechanism in Envoy, used to protect communication between clients and servers.
TLS Basics
TLS provides the following security properties:
- Encryption: protects the confidentiality of data in transit
- Authentication: verifies the identity of the server (and, with mutual TLS, of the client)
- Integrity: ensures data is not tampered with in transit
Downstream TLS Configuration
Basic TLS Configuration
```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  # The TLS inspector reads the SNI from the ClientHello so that
  # filter_chain_match.server_names can select a filter chain
  listener_filters:
  - name: envoy.filters.listener.tls_inspector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  - filter_chain_match:
      server_names: ["example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/example.com.crt"
            private_key:
              filename: "/etc/ssl/private/example.com.key"
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: local_route
          virtual_hosts:
          - name: example_com
            domains: ["example.com"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: example_service
        # The HTTP filter chain must end with a terminal filter; the router is required
        http_filters:
        - name: envoy.filters.http.router
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```
Multi-Certificate Configuration
Envoy keeps at most one certificate per key type (RSA, ECDSA) in a single TLS context, so serving a different certificate per hostname means one filter chain per hostname, selected by SNI:
```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  listener_filters:
  - name: envoy.filters.listener.tls_inspector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  # Chain selected when the client sends SNI "example.com"
  - filter_chain_match:
      server_names: ["example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/example.com.crt"
            private_key:
              filename: "/etc/ssl/private/example.com.key"
    # filters: network filters as in the basic configuration
  # Chain selected when the client sends SNI "api.example.com"
  - filter_chain_match:
      server_names: ["api.example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/api.example.com.crt"
            private_key:
              filename: "/etc/ssl/private/api.example.com.key"
    # filters: network filters as in the basic configuration
```
Upstream TLS Configuration
Basic Upstream TLS
```yaml
clusters:
- name: upstream_service
  connect_timeout: 0.25s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      common_tls_context:
        # Client certificate presented to the upstream (mutual TLS)
        tls_certificates:
        - certificate_chain:
            filename: "/etc/ssl/certs/client.crt"
          private_key:
            filename: "/etc/ssl/private/client.key"
        # Without a validation_context Envoy accepts any upstream certificate
        validation_context:
          trusted_ca:
            filename: "/etc/ssl/certs/ca.crt"
  # "hosts" is a removed v2 field; endpoints are declared via load_assignment
  load_assignment:
    cluster_name: upstream_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: upstream.example.com
              port_value: 443
```
SNI Configuration
```yaml
clusters:
- name: upstream_service
  connect_timeout: 0.25s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      # Server name sent in the ClientHello so the upstream can pick its certificate
      sni: "upstream.example.com"
      common_tls_context:
        tls_certificates:
        - certificate_chain:
            filename: "/etc/ssl/certs/client.crt"
          private_key:
            filename: "/etc/ssl/private/client.key"
        validation_context:
          trusted_ca:
            filename: "/etc/ssl/certs/ca.crt"
  load_assignment:
    cluster_name: upstream_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: upstream.example.com
              port_value: 443
```
Certificate Management
SDS (Secret Discovery Service)
Use SDS to manage certificates dynamically, so that rotation does not require restarting Envoy:
```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  filter_chains:
  - filter_chain_match:
      server_names: ["example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificate_sds_secret_configs:
          - name: "example-com-cert"
            sds_config:
              resource_api_version: V3
              api_config_source:
                api_type: GRPC
                transport_api_version: V3
                grpc_services:
                - envoy_grpc:
                    cluster_name: sds_cluster
```
SDS Cluster Configuration
```yaml
static_resources:
  clusters:
  - name: sds_cluster
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    # gRPC needs HTTP/2; the cluster-level http2_protocol_options field is deprecated
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    # This channel carries private keys: run it over a Unix domain socket or TLS
    load_assignment:
      cluster_name: sds_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: sds-server
                port_value: 18000
```
Security Policy Configuration
Cipher Suite Configuration
```yaml
common_tls_context:
  tls_params:
    tls_minimum_protocol_version: TLSv1_2
    tls_maximum_protocol_version: TLSv1_3
    # cipher_suites governs TLS 1.2 only; TLS 1.3 suites are not configurable
    cipher_suites:
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-RSA-CHACHA20-POLY1305
```
Client Certificate Verification
```yaml
# DownstreamTlsContext: require_client_certificate makes a missing client
# certificate a handshake failure instead of an accepted connection
require_client_certificate: true
common_tls_context:
  validation_context:
    trusted_ca:
      filename: "/etc/ssl/certs/ca.crt"
    # Optional pinning. Hex SHA-256 of the DER certificate (no "sha256:" prefix):
    #   openssl x509 -in client.crt -outform DER | openssl dgst -sha256
    verify_certificate_hash:
    - "1234567890abcdef..."
    # Base64 SHA-256 of the DER SubjectPublicKeyInfo:
    #   openssl x509 -in client.crt -noout -pubkey | openssl pkey -pubin -outform DER \
    #     | openssl dgst -sha256 -binary | openssl enc -base64
    verify_certificate_spki:
    - "abcdef1234567890..."
```
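The two pin fields above are easy to get wrong because they use different encodings of different inputs. The following added example (not Envoy project code) derives both values from a PEM certificate with only the Python standard library, locating the SubjectPublicKeyInfo with a minimal DER walk; the certificate it runs on is a constructed, unsigned skeleton built inline so the example works offline.

```python
"""Compute the pin values Envoy expects in validation_context:
verify_certificate_hash = hex SHA-256 of the DER certificate, and
verify_certificate_spki = base64 SHA-256 of the DER SubjectPublicKeyInfo.
Standard library only; added example, not Envoy project code."""
import base64
import hashlib
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV (tag, length, value) of an X.509 DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    tag, pos, _ = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed TBSCertificate")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:  # EXPLICIT [0] version is absent in v1 certificates
        pos = end
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return cert_der[pos:end]


def envoy_pins(cert_pem: str) -> dict:
    """Map a PEM certificate to the two validation_context pin fields."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    spki = extract_spki(der)
    return {
        "verify_certificate_hash": hashlib.sha256(der).hexdigest(),
        "verify_certificate_spki": base64.b64encode(hashlib.sha256(spki).digest()).decode(),
    }


# --- constructed sample input (a structural skeleton, not a real signed certificate) ---
def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


EC_SHA256_OID = _tlv(0x06, bytes.fromhex("2A8648CE3D040302"))  # ecdsa-with-SHA256
# SPKI: id-ecPublicKey / prime256v1 with a dummy all-zero uncompressed point
SAMPLE_SPKI = _tlv(
    0x30,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D0201")) + _tlv(0x06, bytes.fromhex("2A8648CE3D030107")))
    + _tlv(0x03, b"\x00\x04" + bytes(64)),
)


def build_sample_cert_der(include_version: bool = True) -> bytes:
    """Certificate skeleton around SAMPLE_SPKI in v3 (with version) or v1 layout."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if include_version else b""
    tbs += (_tlv(0x02, b"\x01")                                     # serialNumber
            + _tlv(0x30, EC_SHA256_OID)                              # signature algorithm
            + _tlv(0x30, b"")                                        # issuer (empty Name)
            + _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
            + _tlv(0x30, b"")                                        # subject (empty Name)
            + SAMPLE_SPKI)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, EC_SHA256_OID) + _tlv(0x03, b"\x00" + bytes(8)))


SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(build_sample_cert_der()).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for field, value in envoy_pins(SAMPLE_CERT_PEM).items():
        print(f"{field}: {value}")
```

Run it against a real certificate by reading the PEM file into `envoy_pins`; the output values drop straight into `verify_certificate_hash` and `verify_certificate_spki`. Pinning the SPKI rather than the whole certificate survives re-issuance of the certificate with the same key pair, which is usually what a rotation policy wants.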
Certificate Revocation Checking
```yaml
common_tls_context:
  validation_context:
    trusted_ca:
      filename: "/etc/ssl/certs/ca.crt"
    # Certificates listed in the CRL are rejected during verification
    crl:
      filename: "/etc/ssl/certs/crl.pem"
```
Best Practices
1. Certificate management
- Use SDS for dynamic certificate management
- Rotate certificates regularly
- Monitor certificate expiry
- Implement certificate revocation
2. Security configuration
- Use strong cipher suites
- Disable insecure TLS versions
- Enable certificate verification
- Use appropriate key lengths
3. Performance
- Use TLS session resumption
- Configure appropriate buffer sizes
- Monitor TLS handshake performance
- Keep certificate chains short
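The security-configuration practices above can be checked mechanically before a configuration is pushed. The following added example (not Envoy code) lints a `DownstreamTlsContext` or `UpstreamTlsContext`, given as the parsed dict form of the YAML fragments shown earlier, for an explicit downgrade of the minimum protocol version, cipher suites without forward secrecy or AEAD, a downstream that requires client certificates without a CA to verify them, and an upstream with no `validation_context`. The finding codes are hypothetical names chosen here, and the three sample contexts are constructed.

```python
"""Lint Envoy TLS transport-socket contexts (DownstreamTlsContext / UpstreamTlsContext
as parsed dicts) for minimum protocol version, forward-secret AEAD cipher suites
and peer certificate validation. Added example, not Envoy code."""

TLS_VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305")
VALIDATION_KEYS = ("validation_context", "validation_context_sds_secret_config",
                   "combined_validation_context")


def _cipher_names(cipher_suites):
    """Expand BoringSSL equal-preference groups such as [A|B] into single names."""
    for entry in cipher_suites:
        yield from entry.strip("[]").split("|")


def lint_tls_context(tls_context: dict, direction: str) -> list:
    """Return (code, message) findings; direction is "downstream" or "upstream"."""
    if direction not in ("downstream", "upstream"):
        raise ValueError("direction must be 'downstream' or 'upstream'")
    findings = []
    common = tls_context.get("common_tls_context", {})
    params = common.get("tls_params", {})

    # Envoy's default minimum is TLSv1_2, so only an explicit downgrade is a finding
    min_ver = params.get("tls_minimum_protocol_version", "TLSv1_2")
    if min_ver in TLS_VERSIONS and TLS_VERSIONS.index(min_ver) < TLS_VERSIONS.index("TLSv1_2"):
        findings.append(("weak-min-version", f"{min_ver} permits deprecated TLS versions"))

    # Keep ECDHE (forward secrecy) with GCM or ChaCha20-Poly1305 (AEAD); these
    # names govern TLS 1.2 only, TLS 1.3 suites are fixed by BoringSSL
    for suite in _cipher_names(params.get("cipher_suites", [])):
        if not suite.startswith("ECDHE-") or not any(m in suite for m in AEAD_MARKERS):
            findings.append(("weak-cipher", f"{suite} lacks forward secrecy or AEAD"))

    has_validation = any(k in common for k in VALIDATION_KEYS)
    if direction == "downstream":
        if tls_context.get("require_client_certificate") and not has_validation:
            findings.append(("no-client-ca", "require_client_certificate without a validation_context"))
    elif not has_validation:
        findings.append(("unverified-upstream", "no validation_context: upstream certificate is not verified"))

    vc = common.get("validation_context")
    if vc is not None and not any(k in vc for k in ("trusted_ca", "verify_certificate_hash", "verify_certificate_spki")):
        findings.append(("empty-validation", "validation_context has no trusted_ca and no pins"))
    return findings


# --- constructed sample contexts (dict form of the YAML fragments above) ---
HARDENED_DOWNSTREAM = {
    "require_client_certificate": True,
    "common_tls_context": {
        "tls_params": {
            "tls_minimum_protocol_version": "TLSv1_2",
            "tls_maximum_protocol_version": "TLSv1_3",
            "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256",
                              "[ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-ECDSA-CHACHA20-POLY1305]"],
        },
        "validation_context": {"trusted_ca": {"filename": "/etc/ssl/certs/ca.crt"}},
    },
}
WEAK_DOWNSTREAM = {
    "require_client_certificate": True,
    "common_tls_context": {
        "tls_params": {"tls_minimum_protocol_version": "TLSv1_0",
                       "cipher_suites": ["AES128-SHA", "ECDHE-RSA-AES128-SHA256"]},
    },
}
BASIC_UPSTREAM = {  # client certificate only, no CA: the upstream is never verified
    "common_tls_context": {
        "tls_certificates": [{"certificate_chain": {"filename": "/etc/ssl/certs/client.crt"},
                              "private_key": {"filename": "/etc/ssl/private/client.key"}}],
    },
}

if __name__ == "__main__":
    for name, ctx, direction in (("hardened", HARDENED_DOWNSTREAM, "downstream"),
                                 ("weak", WEAK_DOWNSTREAM, "downstream"),
                                 ("upstream", BASIC_UPSTREAM, "upstream")):
        print(name, lint_tls_context(ctx, direction) or "ok")
```

To lint a real bootstrap file, load it with a YAML parser and pass each transport socket's `typed_config` to `lint_tls_context` with the direction taken from its `@type`. The check deliberately treats a missing `tls_minimum_protocol_version` as Envoy's default of TLS 1.2 rather than as a finding.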
Monitoring and Debugging
TLS Metrics
- envoy_tls_handshake: number of TLS handshakes
- envoy_tls_handshake_failure: number of failed TLS handshakes
- envoy_tls_certificate_expiry: certificate expiry time
Debugging Commands
```bash
# Inspect certificate details
openssl x509 -in /etc/ssl/certs/example.com.crt -text -noout
# Test a TLS connection (send SNI so the matching filter chain is selected)
openssl s_client -connect example.com:443 -servername example.com
# Verify the certificate chain against the CA
openssl verify -CAfile /etc/ssl/certs/ca.crt /etc/ssl/certs/example.com.crt
```
Notes
- TLS adds CPU overhead
- Certificate management must be automated
- Security settings need to be reviewed and updated regularly
- Monitor the security of certificates and private keys
TLS configuration is a key part of Envoy security; configuring it correctly significantly improves the security of the system.