When the upstream server uses HTTPS, Zuul must trust the upstream server's certificate; otherwise the proxy fails with:

```
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

Approach 1: use the configuration

I had not read the configuration documentation carefully before: Zuul supports disabling HTTPS server certificate verification, and once it is disabled the HTTPS upstream can be reached normally.
```yaml
zuul:
  routes:
    tax:
      path: /api/**
      url: https://upstream
  # key setting: global (a zuul.* property, not a per-route one)
  ssl-hostname-validation-enabled: false
```

This is the quickest way to make the error go away, but be clear about what it does. Despite the name, when the property is false the default Spring Cloud Netflix connection manager installs a trust-everything TrustManager as well as a no-op HostnameVerifier, which is why the PKIX error disappears: certificate chain validation is off, not just hostname checking, and it is off for every route the gateway proxies. Anyone who can get between Zuul and the upstream can present any certificate and Zuul will accept it. That is acceptable for a local experiment, not for a gateway carrying real traffic; for an upstream with an internal CA, the fix is to put that CA into the trust store and keep validation on.

Approach 2: use a custom HttpClient

With a custom HttpClient you can customize more of the client's behaviour, for example a proxy or the connection pool.
```yaml
zuul:
  routes:
    tax:
      path: /api/**
      url: https://upstream
  #ssl-hostname-validation-enabled: false
```

Under the hood the Zuul gateway proxies requests with Apache HttpClient, so supplying your own HttpClient that trusts all certificates is another way to make HTTPS access to the upstream work. Zuul supports a custom HttpClient: declare a bean of type org.apache.http.impl.client.CloseableHttpClient (or OkHttpClient), and the auto-configuration injects it into the routing filter at startup. Note that once you supply your own client, the zuul.host.* connection-pool settings and ssl-hostname-validation-enabled no longer apply to it: the trust and pool configuration the proxy uses is exactly what you build into the bean.
Here is a quick first version; I will tidy it up later.
```java
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ZuulHttpClientConfig {

    /**
     * Custom HttpClient that skips HTTPS certificate verification.
     * WARNING: the TrustStrategy accepts every server certificate; only the
     * hostname check remains, so any cert with a matching name is accepted.
     */
    @Bean
    public CloseableHttpClient httpClient()
            throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
        // Trust all server certificates (chain and authType are ignored)
        SSLContext sslContext = new SSLContextBuilder()
                .loadTrustMaterial(null, (TrustStrategy) (chain, authType) -> true)
                .build();
        // Keep the default hostname verifier (CN/SAN must still match the URL host)
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        HttpClientBuilder httpClientBuilder = HttpClients.custom();
        httpClientBuilder.setSSLSocketFactory(socketFactory);
        // Add a proxy
        // httpClientBuilder.setProxy()
        return httpClientBuilder.build();
    }
}
```
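The trust-all strategy above is the shortcut. The version that keeps TLS meaningful gives the client a trust store holding the CA that issued the upstream's certificate and leaves PKIX chain validation and hostname verification switched on; it also sets up the connection pool that Zuul no longer manages once a custom client is supplied. The following is an added example, not code from the original post or from Spring Cloud Netflix. It assumes a hypothetical property upstream.ca-bundle that points at a PEM bundle (defaulting to classpath:upstream-ca.pem); the pool sizes and the TLS protocol list are illustrative choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

@Configuration
public class UpstreamHttpClientConfig {

    // Hypothetical property: a PEM bundle with the CA certificate(s) that issued
    // the upstream server certificate (not the leaf, so cert rotation keeps working).
    @Value("${upstream.ca-bundle:classpath:upstream-ca.pem}")
    private Resource caBundle;

    @Bean
    public CloseableHttpClient httpClient() throws GeneralSecurityException, IOException {
        // Build an in-memory trust store containing only the upstream CA(s).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = caBundle.getInputStream()) {
            int i = 0;
            for (Certificate cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("upstream-ca-" + (i++), cert);
            }
        }
        if (trustStore.size() == 0) {
            // Fail closed at startup rather than proxying with an empty trust store.
            throw new IllegalStateException("no certificates found in " + caBundle);
        }

        // No TrustStrategy: full PKIX chain validation against the trust store above.
        SSLContext sslContext = SSLContextBuilder.create()
                .loadTrustMaterial(trustStore, null)
                .build();

        // Default hostname verifier: the cert's SAN/CN must match the upstream host.
        // Drop "TLSv1.3" on JDKs older than 8u261/11, which reject unknown protocol names.
        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                sslContext, new String[] {"TLSv1.2", "TLSv1.3"}, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // When a connection manager is supplied, setSSLSocketFactory() on the builder is
        // ignored, so the https scheme has to be registered on the manager's registry.
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", sslSocketFactory)
                .build();
        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager(
                registry, null, null, null, 30, TimeUnit.SECONDS);
        pool.setMaxTotal(200);          // illustrative; zuul.host.* no longer applies
        pool.setDefaultMaxPerRoute(20); // illustrative

        return HttpClients.custom()
                .setConnectionManager(pool)
                .disableRedirectHandling() // Zuul's own default client also does not follow redirects
                .build();
    }
}
```

To obtain the chain the upstream actually serves, run `openssl s_client -connect upstream:443 -showcerts </dev/null` and save the issuing CA certificate (the one above the leaf) as upstream-ca.pem. If the same PKIX error still appears after this change, either the bundle holds the wrong CA or the server is not sending the intermediate that links its leaf to that CA; both are server-side facts worth fixing rather than reasons to fall back to trusting everything.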