This project realize two goals:
- Build an HTTP2 service and a client with SSL/TLS mutual authentication over HTTP2 between them.
- Be able to distribute workload across multiple services with a layer 4 (TPC) load balancer.
The services are implemented in Go language
For SSL/TLS mutual authentication:
- Golang SDK. Tested with version 1.5.1
For load balancing:
- Docker. Tested with version 1.9.1
- Docker compose. Tested with version 1.5.1
Mutual authentication refers to two parties authenticating each other at the same time. That is a client authenticating itself to a server and that server authenticating itself to the client in such a way that both parties are assured of the others' identity. In adition to SSL, muutual authentication provides authentication and non-repudiation of the client, using using digital signatures.
This process it performed with certificates interchange. That is both client and server send its own certificates in connection handshaking, the client validate if the server certificate is valid and then the server validates the client certificate validation. If all it's ok the connection is stablished. After this, the server can read client centificate information to perform client identification.
Because we are realizing client authentication and identification in the service process, we cannot put an HTTP/S (layer 7) reverse proxy/load balancer in front of a service instances. This is why we configure a TCP (layer 4) reverse proxy/load balancer.
The project have three main components:
- The server.
- The client.
- A certificate generation tool.
To build all components
make clean all There are make targets for each component.
make [cert] [serverd] [tlsclient]Generate certificate:
./cert [-org <"Organization name">] [-name <"subject name">] [-duration <duration>] [-cert <certificate filename>] [-key <private key filename>] [-client [<true|false>]] [ip|servers....]Example: generate a server certificate for 127.0.0.1 and localhost.localdomain
./cert -cert server.crt -key server.key 127.0.0.1 localhost.localdomainExample: generate a client certificate with client_1 name
./cert -client -cert client.crt -key client.key -name=client_1./serverd./tlsclient
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent