New Features in Swoole v4.6: SNI Support
Introduction to SNI Protocol
Swoole version 4.6.0 introduced support for Server Name Indication (SNI), a TLS protocol extension that allows a server to present multiple certificates on the same IP address and TCP port. This makes it possible to host several HTTPS websites or other TLS-based services on one IP without sharing a single certificate across all of them.
Solving the Multiple Virtual Hosts Problem
Just as HTTP uses the Host header to name the requested domain, TLS carries the hostname in the server_name extension of the Client Hello, the first message of the handshake. Because the name arrives before any certificate is sent, the server can select the matching virtual host and return the certificate that belongs to that domain.
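To make the Client Hello layout concrete, the following added example (not code from the original article or from the Swoole project) builds a minimal TLS 1.2 Client Hello carrying a server_name extension and then parses the hostname back out of the raw record, with bounds checks so a truncated or malformed record yields null instead of an out-of-range read. The sample record is constructed inline; the random field is all zeros and only one cipher suite is listed, which is enough to show where the extension sits.

```php
<?php
// Added example: build and parse a minimal ClientHello with a server_name extension.

/** Build a minimal TLS 1.2 ClientHello record (one cipher suite, SNI as the only extension). */
function build_client_hello(string $hostname): string
{
    // server_name extension body: ServerNameList { name_type=0 (host_name), name_len, name }
    $nameEntry  = "\x00" . pack('n', strlen($hostname)) . $hostname;
    $sniBody    = pack('n', strlen($nameEntry)) . $nameEntry;
    $extension  = pack('n', 0x0000) . pack('n', strlen($sniBody)) . $sniBody; // type 0 = server_name
    $extensions = pack('n', strlen($extension)) . $extension;

    $body = "\x03\x03"                         // client_version: TLS 1.2
          . str_repeat("\x00", 32)             // random (constructed, all zero)
          . "\x00"                             // session_id length 0
          . pack('n', 2) . "\x13\x01"          // cipher_suites: TLS_AES_128_GCM_SHA256 only
          . "\x01\x00"                         // compression_methods: null only
          . $extensions;

    // Handshake header: type 1 = client_hello, 24-bit length
    $handshake = "\x01" . substr(pack('N', strlen($body)), 1) . $body;
    // Record header: content type 0x16 = handshake, legacy version TLS 1.0, 16-bit length
    return "\x16\x03\x01" . pack('n', strlen($handshake)) . $handshake;
}

/** Return the host_name from the server_name extension, or null if absent/malformed. */
function extract_sni(string $record): ?string
{
    $n = strlen($record);
    if ($n < 9 || ord($record[0]) !== 0x16 || ord($record[5]) !== 0x01) {
        return null;                           // not a handshake record / not a ClientHello
    }
    $hsLen = unpack('N', "\x00" . substr($record, 6, 3))[1];
    if (9 + $hsLen > $n) {
        return null;                           // record truncated
    }
    $p = 9 + 2 + 32;                           // skip client_version and random
    if ($p + 1 > $n) return null;
    $p += 1 + ord($record[$p]);                // session_id
    if ($p + 2 > $n) return null;
    $p += 2 + unpack('n', substr($record, $p, 2))[1];  // cipher_suites
    if ($p + 1 > $n) return null;
    $p += 1 + ord($record[$p]);                // compression_methods
    if ($p + 2 > $n) return null;              // no extensions block at all
    $extEnd = $p + 2 + unpack('n', substr($record, $p, 2))[1];
    $p += 2;
    if ($extEnd > $n) return null;

    while ($p + 4 <= $extEnd) {
        $type = unpack('n', substr($record, $p, 2))[1];
        $elen = unpack('n', substr($record, $p + 2, 2))[1];
        $p += 4;
        if ($p + $elen > $extEnd) return null;
        if ($type === 0x0000) {
            // ServerNameList: list_len(2), then entries of name_type(1), name_len(2), name
            $q = $p + 2;
            $qEnd = $p + $elen;
            while ($q + 3 <= $qEnd) {
                $nameType = ord($record[$q]);
                $nameLen  = unpack('n', substr($record, $q + 1, 2))[1];
                $q += 3;
                if ($q + $nameLen > $qEnd) return null;
                if ($nameType === 0) return substr($record, $q, $nameLen);
                $q += $nameLen;
            }
            return null;
        }
        $p += $elen;                           // skip unrelated extension
    }
    return null;
}

foreach (['cs.php.net', 'uk.php.net', 'us.php.net'] as $host) {
    $record = build_client_hello($host);
    printf("%-12s record %3d bytes, parsed SNI: %s\n", $host, strlen($record), extract_sni($record));
}
var_dump(extract_sni(substr(build_client_hello('cs.php.net'), 0, 40)));  // truncated record -> NULL
```

The parser walks the variable-length fields (session_id, cipher_suites, compression_methods) exactly as a server must before it can reach the extensions, which is why every length is checked against the record size: a server that trusts the embedded lengths blindly reads past the buffer on a crafted hello.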
Swoole's SNI Support Implementation
An issue was raised on Swoole's GitHub requesting the ability to configure SSL certificates per hostname. The feature had already been added in a previous release but had not yet been documented in English.
Setting Up SNI in Swoole
To demonstrate Swoole's SNI setup, a Swoole HTTP Server is created, and the 'ssl_sni_certs' option is used. This option takes a multidimensional array with the Hostname as the key and the certificate configuration as the value.
Example Swoole HTTP Server with SNI
<?php
use Swoole\Http\Request;
use Swoole\Http\Response;
use Swoole\Http\Server;

define('SSL_FILE_DIR', __DIR__ . '/ssl_certs');

$http = new Server('127.0.0.1', 9501, SWOOLE_BASE, SWOOLE_SOCK_TCP | SWOOLE_SSL);
$http->set([
    'log_file' => '/dev/null',
    // Default certificate, used when the client sends no SNI or a hostname not listed below
    'ssl_cert_file' => SSL_FILE_DIR . '/server.crt',
    'ssl_key_file' => SSL_FILE_DIR . '/server.key',
    // SSLv2 and TLSv1.1 are obsolete; for anything beyond this demo keep only TLSv1_2 | TLSv1_3
    'ssl_protocols' => SWOOLE_SSL_TLSv1_2 | SWOOLE_SSL_TLSv1_3 | SWOOLE_SSL_TLSv1_1 | SWOOLE_SSL_SSLv2,
    // Per-hostname certificates, selected by the server_name extension in the Client Hello
    'ssl_sni_certs' => [
        'cs.php.net' => [
            'ssl_cert_file' => SSL_FILE_DIR . '/sni_server_cs_cert.pem',
            'ssl_key_file' => SSL_FILE_DIR . '/sni_server_cs_key.pem',
        ],
        'uk.php.net' => [
            'ssl_cert_file' => SSL_FILE_DIR . '/sni_server_uk_cert.pem',
            'ssl_key_file' => SSL_FILE_DIR . '/sni_server_uk_key.pem',
        ],
        'us.php.net' => [
            'ssl_cert_file' => SSL_FILE_DIR . '/sni_server_us_cert.pem',
            'ssl_key_file' => SSL_FILE_DIR . '/sni_server_us_key.pem',
        ],
    ],
]);
$http->on('request', function (Request $request, Response $response) {
    $response->end('Hello Swoole');
});
$http->start();
Client Testing and Packet Analysis
A client test script connects to the server with each hostname and var_dumps the Common Name of the certificate it receives. tcpdump captures the handshake and Wireshark is used to inspect it. The analysis confirms that the server_name extension appears only in the Client Hello, which is what lets a server with multiple domain names pick the right certificate before completing the TLS connection.
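The check described above, as an added example written here rather than the article's own test script: a plain-PHP client (no Swoole dependency) connects to the server from the previous section with a chosen server_name, captures the certificate the handshake returned and prints its Common Name. It assumes that server is listening on 127.0.0.1:9501 with self-signed test certificates; 'unknown.example' is a constructed name not present in 'ssl_sni_certs', included to show that such a request falls back to the default server.crt.

```php
<?php
// Added example: verify which certificate the server presents for each SNI hostname.

/** Handshake with $ip:$port sending $sniName as server_name; return the peer certificate's CN. */
function fetch_cert_cn(string $ip, int $port, string $sniName): ?string
{
    $ctx = stream_context_create(['ssl' => [
        'peer_name'         => $sniName,  // used for the server_name extension and name matching
        'capture_peer_cert' => true,      // keep the leaf certificate so it can be inspected
        // The demo certificates are self-signed. Outside the demo, leave verification on
        // and point 'cafile' at the issuing CA instead of disabling it.
        'verify_peer'       => false,
        'verify_peer_name'  => false,
    ]]);
    $sock = @stream_socket_client("ssl://$ip:$port", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        fwrite(STDERR, "connect failed for SNI '$sniName': $errstr ($errno)\n");
        return null;
    }
    fclose($sock);

    $opts = stream_context_get_options($ctx);
    $cert = $opts['ssl']['peer_certificate'] ?? null;
    if ($cert === null) {
        return null;
    }
    $info = openssl_x509_parse($cert);
    return $info['subject']['CN'] ?? null;
}

foreach (['cs.php.net', 'uk.php.net', 'us.php.net', 'unknown.example'] as $name) {
    $cn = fetch_cert_cn('127.0.0.1', 9501, $name);
    printf("SNI %-16s -> certificate CN: %s\n", $name, $cn ?? '(none)');
}
```

Run it while the server is up; each listed hostname should print the CN of its own sni_server_*_cert.pem, and the unlisted name should print the CN of server.crt. A mismatch between a requested name and the returned CN is the quickest sign that an 'ssl_sni_certs' key does not match what clients actually send.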