In this demo we're going to create mTLS using Go and Fiber. To create certificates that can be used for mutual authentication, what you need to have is just an OpenSSL program (or simplecert, or mkcert like in previous natsmtls1 example), create a CA (certificate authority), server certs, and client certs, something like this:
# generate CA Root
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -out ca.crt -keyout ca.key -subj "/C=SO/ST=Earth/L=MyLocation/O=MyOrganiz/OU=MyOrgUnit/CN=localhost"
# generate Server Certs
openssl genrsa -out server.key 2048
# generate server Cert Signing request
openssl req -new -key server.key -days 3650 -out server.csr -subj "/C=SO/ST=Earth/L=MyLocation/O=MyOrganiz/OU=MyOrgUnit/CN=localhost"
# sign with CA Root
openssl x509 -req -in server.csr -extfile <(printf "subjectAltName=DNS:localhost") -CA ca.crt -CAkey ca.key -days 3650 -sha256 -CAcreateserial -out server.crt
# generate Client Certs
openssl genrsa -out client.key 2048
# generate client Cert Signing request
openssl req -new -key client.key -days 3650 -out client.csr -subj "/C=SO/ST=Earth/L=MyLocation/O=$O/OU=$OU/CN=localhost"
# sign with CA Root
openssl x509 -req -in client.csr -extfile <(printf "subjectAltName=DNS:localhost") -CA ca.crt -CAkey ca.key -out client.crt -days 3650 -sha256 -CAcreateserial
You will get at least 2 files related to CA, 3 files related to server, and 3 files related to client, but what you really need is just CA public key, server private and public key (key pairs), and client private and public key (key pairs). If you need to generate another client or rollover server keys, you will still need CA's private key so don't erase it.
Next, now that you already have those 5 keys, you will need to load CA public key, and server key pair and use it on fiber, something like this:
caCertFile, _ := os.ReadFile(in.CaCrt)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCertFile)
serverCerts, _ := tls.LoadX509KeyPair(in.ServerCrt, in.ServerKey)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},
Certificates: []tls.Certificate{serverCerts},
}
// attach the certs to TCP socket, and start Fiber server
app := fiber.New(fiber.Config{
Immutable: true,
})
app.Get("/", func(c *fiber.Ctx) error {
return c.String(`secured string`)
})
ln, _ := tls.Listen("tcp", `:1443`, tlsConfig)
app.Listener(ln)
next on the client side, you just need to load CA public key, client key pairs, something like this:
caCertFile, _ := os.ReadFile(in.CaCrt)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCertFile)
certificate, _ := tls.LoadX509KeyPair(in.ClientCrt, in.ClientKey)
httpClient := &http.Client{
Timeout: time.Minute * 3,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: caCertPool,
Certificates: []tls.Certificate{certificate},
},
},
}
r, _ := httpClient.Get(`https://localhost:1443`)
that's it, that's how you secure client-server communication between Go client and server with mTLS, this code can be found here.
Showing posts with label fiber. Show all posts
Showing posts with label fiber. Show all posts
2023-11-24
2022-06-07
How to profile your Golang Fiber server
Usually you need to load test your webserver to measure where's the memory leak or where's the bottleneck, and Golang already provided tool to do that, called pprof. What you need to do is depends on your framework that you use, but it's all similar, most framework already have a middleware that you can import and use, for example in fiber there's pprof middleware, to use:
// import
// use
app.Use(pprof.New())
It would create a route called /debug/pprof that you can use, just start the server, then open that path. To profile or check heap you just need to click profile/heap link, it would wait for around 10 seconds, meanwhile it waits, you must hit other endpoints to generate traffic/function calls. After 10 seconds, it would show a download dialog to save your cpu profile or heap profile. From that file, you can run a command similar to gops, for example if you want to generate svg or generate web that shows your profiling:
pprof -web /tmp/profile # or
pprof -svg /tmp/profile # <-- file that you just downloaded
// import
"github.com/gofiber/fiber/v2/middleware/pprof"
// use
app.Use(pprof.New())
It would create a route called /debug/pprof that you can use, just start the server, then open that path. To profile or check heap you just need to click profile/heap link, it would wait for around 10 seconds, meanwhile it waits, you must hit other endpoints to generate traffic/function calls. After 10 seconds, it would show a download dialog to save your cpu profile or heap profile. From that file, you can run a command similar to gops, for example if you want to generate svg or generate web that shows your profiling:
pprof -web /tmp/profile # or
pprof -svg /tmp/profile # <-- file that you just downloaded
It would generate something like this:
So you can find out which function that took most of the CPU time (or if it's heap profile, which function that generates/allocate most memory usage. In my case the bottleneck is the default built-in pretty logger, it limits the number of requests it can only handle to ~9K rps for concurrency 255 on database write benchmark, that if we remove built-in logging and replace with zerolog, it can handle ~57K rps for same benchmark.
2021-08-04
Dockerfile Template (React, Express, Vue, Nest, Angular, GoFiber, Svelte, Django, Laravel, ASP.NET Core, Kotlin, Deno)
These are docker template for deploying common applications (either using Kubernetes, Nomad, or locally using docker-compose), this post are copied mostly from scalablescripts youtube channel and docker docs, the gist for nginx config are here.
The only different thing from react is the build directory not build/ but dist/.
You don't need COPY go.mod to go mod download step if you have vendor/ directory to /go/pkg/mod, you can reuse it instead of redownloading whole dependencies (this can really faster things up on the CI/CD pipeline, especially if you live on 3rd world country). The ca-certificates only needed if you need to hit https endpoints, if you don't then you can skip that step.
FROM mcr.microsoft.com/dotnet/aspnet
Deployment
For deployment you can use AWS (elastic container registry and elastic container instance or elastic container service with fargate), Azure (azure container registry and azure container instance), GoogleCloud (upload to container registry and google cloud run), or just upload it to docker registry then pull it on the server.
ReactJS
FROM node:15.4 as build1WORKDIR /app1
COPY package+.json .
RUN npm install
COPY . .
RUN npm run build
FROM nginx:1.19
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY --from=build1 /app1/build /usr/share/nginx/html
To build it, use docker build -t react1 .
To build it, use docker build -t react1 .
To run it, use docker run -p 8001:80 react1
ExpressJS
FROM node:15.4
WORKDIR /app
COPY package+.json .
RUN npm install
COPY . .
CMD node index.js
VueJS
FROM node:15.4 as build1WORKDIR /app1
COPY package+.json .
RUN npm install
COPY . .
RUN npm run build
FROM nginx:1.19
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY --from=build1 /app1/dist /usr/share/nginx/html
NestJS
FROM node:15.4 as build1WORKDIR /app1
COPY package+.json .
RUN npm install
COPY . .
RUN npm run build
FROM node:15.4
WORKDIR /app
COPY package.json .
COPY package.json .
RUN npm install --only=production
COPY --from=build1 /app1/dist ./dist
COPY --from=build1 /app1/dist ./dist
CMD npm run start:prod
AngularJS
FROM node:15.4 as build1
WORKDIR /app1
COPY package+.json .
RUN npm install
COPY . .
RUN npm run build --prod
FROM nginx:1.19
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY --from=build1 /app1/dist/PROJECT_NAME /usr/share/nginx/html
Fiber (Golang)
FROM golang:1.16-alpine as build1
WORKDIR /app1
COPY go.mod .
COPY go.sum .
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o app1.exe
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /
COPY --from=build1 /app1/app1.exe .
CMD ./app1.exe
Svelte
FROM node:15.4 as build1
WORKDIR /app1
COPY package+.json .
RUN npm install
COPY . .
RUN npm run build
FROM nginx:1.19
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY --from=build1 /app1/public /usr/share/nginx/html
Django
FROM python:3.9-alpine as build1
ENV PYTHONUNBUFFERED 1
WORKDIR /app1
COPY requirements.txt .
CMD pip install -r requirements.txt
COPY . .
CMD python manage.py runserver 0.0.0.0:80
Laravel
FROM php:7.4-fpm
RUN apt-get update && apt-get install -y git curl libpng-dev libonig-dev libxml2-dev zip unzip
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
RUN docker-php-ext-install pdo_mysql mbstring
WORKDIR /app1
COPY composer.json .
RUN composer install --no-scripts
COPY . .
CMD php artisan serve --host=0.0.0.0 --port=80
ASP.NET Core
FROM mcr.microsoft.com/dotnet/sdk:5.0 as build1
WORKDIR app1
COPY *.csproj .
CMD dotnet restore
COPY . .
RUN dotnet publish -c Release -o out
FROM mcr.microsoft.com/dotnet/aspnet
WORKDIR /app
COPY --from=build1 /app1/out .
ENTRYPOINT ["dotnet", "PROJECT_NAME.dll"]
Kotlin
FROM gradle:7-jdk8 as build1
WORKDIR /app1
COPY . .
RUN ./gradlew build --stacktrace
FROM openjdk
WORKDIR /app
EXPOSE 80
COPY --from=build1 /app/build/libs/PROJECT_NAME-VERSION-SNAPSHOT.jar .
CMD java -jar PROJECT_NAME-VERSION-SNAPSHOT.jar
Deno
FROM denoland/deno:1.11.0
WORKDIR /app1
COPY . .
RUN ["--run","--allow-net","app.ts"]
Deployment
Subscribe to:
Posts
(
Atom
)