WCF Distributed Authentication (SOAP supported) for Nginx Clusters
Contents
1. General idea
2. Distributed identity authentication for Nginx clusters using WCF
3. BasicHttpBinding and ws2007HttpBinding
4. Generate the private key and public key for a Windows certificate (X.509 certificate)
5. Compile the WCF service and client programs
6. URL reservation
7. Deploy the WCF service program to three PCs in the LAN
8. Nginx cluster configuration and setup
9. Running results of SoapUI and the WCF client
10. Summary
1. General idea
- Distributed identity authentication for Nginx clusters
- BasicHttpBinding and ws2007HttpBinding
- Generating the public key and private key of a Windows certificate (X.509 certificate)
- Compiling the WCF service and client programs
- URL reservation
- Deploying the WCF service program to three PCs in the LAN
- Nginx cluster configuration and setup
- Running results of SoapUI and the WCF client program
- Summary
2. Distributed identity authentication for Nginx clusters
Nginx is a lightweight reverse proxy, and it also supports SSL. This article describes how a client accesses a WCF service through an Nginx cluster, with the service protected by a Windows certificate (X.509 certificate).
The main parts of the source code for this article:
- HighlyConcurrentHosting
  Source code using BasicHttpBinding (this is the method this article mainly uses for the Nginx cluster)
- HighlyConcurrentHosting_Ws2007HttpBinding
  Source code using ws2007HttpBinding (a point-to-point Windows authentication method)
- Nginx configuration
  nginx.conf
- Windows certificate
  wcf_zhyongfeng.cer (certificate to be installed on the client)
  wcf_zhyongfeng.pfx (certificate to be installed on the server)
The main structure diagram described in this article is as follows:
The client accesses Nginx with BasicHttpBinding; Nginx load-balances the request and forwards the message to any of the backend WCF PCs. The Windows certificate is installed on the backend WCF servers (only the servers that are accessed need the wcf_zhyongfeng.pfx certificate).
If ws2007HttpBinding is used for point-to-point Windows authentication, Nginx can only bind one IP address to a specific server and does not support cluster load balancing. In that case, besides installing the wcf_zhyongfeng.pfx server certificate, the client also needs to install the wcf_zhyongfeng.cer certificate; this variant is not covered further here.
3. BasicHttpBinding and ws2007HttpBinding
The Nginx cluster for WCF described here mainly uses BasicHttpBinding. The default security mode of BasicHttpBinding is None: messages are transmitted in plain text and the client is not verified. However, BasicHttpBinding can also provide secure transmission, protecting messages at the transport layer and at the message layer. When BasicHttpBinding is set to the Transport security mode, transport-layer security relies on the IIS security mechanisms, such as basic authentication, integrated Windows authentication and SSL secure channels.
.NET Framework 3.5 introduced a new binding for web service interaction called ws2007HttpBinding. This binding is similar to wsHttpBinding, but in addition it supports the latest WS-* specifications for security and reliable messaging.
Specifications supported by ws2007HttpBinding:
Specification | Description
WS-SecureConversation v1.3 | WS-Security extension that provides a security context for multiple message exchanges
WS-Trust v1.3 | WS-Security extension for requesting and issuing security tokens and managing trust relationships
WS-SecurityPolicy v1.2 | WS-Security assertions, WS-SecureConversation and WS-Trust expressed using WS-Policy
Web Services Reliable Messaging v1.1 | Protocol that ensures messages are delivered, properly ordered and not received more than once
Web Services Coordination v1.1 | Provides a protocol framework for coordinating distributed actions
4. Generate a private key and a public key for a Windows certificate (X.509 Certificate)
Run cmd.exe as administrator from C:\Windows\system32 and execute the following:
Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin

C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin>makecert -r -pe -n "CN=wcf_zhyongfeng" -ss My -sky exchange
Succeeded

C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin>
To view the generated Windows certificate, open Start -> Run and enter:
certmgr.msc
Export the wcf_zhyongfeng.pfx server certificate (with private key) from the Windows certificate store:
Export the wcf_zhyongfeng.cer client certificate (public key only) from the Windows certificate store:
5. Compile the WCF service and client programs
- WCF service program
Program.cs
using System;
using System.ServiceModel;
using Service;

namespace HighlyConcurrentHosting
{
    class Program
    {
        static void Main(string[] args)
        {
            // Self-host the OutputSomething service; endpoints and behaviors come from App.config.
            using (ServiceHost host = new ServiceHost(typeof(OutputSomething)))
            {
                host.Opened += delegate
                {
                    Console.WriteLine(host.Description.Endpoints[0].Address.Uri
                        + " started. Press any key to terminate the service!");
                };
                host.Open();
                Console.Read();
            }
        }
    }

    /// <summary>
    /// Account name / password validation for the certificate-protected binding.
    /// </summary>
    public class UserNamePasswordValidator : System.IdentityModel.Selectors.UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (userName != "zhyongfeng" || password != "123456")
            {
                throw new System.IdentityModel.Tokens.SecurityTokenException("Unknown Username or Password");
            }
        }
    }
}
Server configuration file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="metadataBehavior">
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive fault exception details for debugging, set the following value to true.
               Set it to false before deployment to avoid leaking exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <!-- The X.509 certificate used to encrypt and decrypt the user name and password during authentication -->
            <!-- Generated in C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin with:
                 makecert -r -pe -n "CN=wcf_zhyongfeng" -ss My -sky exchange -->
            <serviceCertificate findValue="wcf_zhyongfeng" x509FindType="FindBySubjectName"
                                storeLocation="CurrentUser" storeName="My"/>
            <clientCertificate>
              <!-- Client certificate validation mode is None -->
              <authentication certificateValidationMode="None"/>
            </clientCertificate>
            <!-- Custom user name and password validation -->
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="HighlyConcurrentHosting.UserNamePasswordValidator, HighlyConcurrentHosting"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <basicHttpBinding>
        <!-- Binding that requires a user name and password -->
        <binding name="YesCertificate">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Basic"/>
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Service.OutputSomething" behaviorConfiguration="metadataBehavior">
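The validator above compares the user name and password against literals compiled into the service, with an early-exit comparison. The following is an added example, not code from the original post or its download: a drop-in replacement that keeps only a salted PBKDF2 hash of each password and compares it in constant time. The class name HashedUserNamePasswordValidator, the PasswordRecord type and the sample user store are assumptions made for this example.

```csharp
// Added example (not from the original post): a hardened replacement for the
// custom UserNamePasswordValidator. Passwords are stored as PBKDF2 hashes
// (salt + iteration count + derived key) and compared in constant time.
// PasswordRecord, HashedUserNamePasswordValidator and the sample user store
// are assumptions for this example.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

namespace HighlyConcurrentHosting
{
    // One stored credential: PBKDF2 salt, iteration count and derived key.
    public sealed class PasswordRecord
    {
        public byte[] Salt;
        public int Iterations;
        public byte[] Hash;
    }

    public class HashedUserNamePasswordValidator : UserNamePasswordValidator
    {
        private const int SaltBytes = 16;
        private const int HashBytes = 32;
        private const int DefaultIterations = 100000;

        // Derive a salted PBKDF2-HMAC-SHA1 record for a new password.
        // Rfc2898DeriveBytes exists since .NET Framework 2.0, so it fits the 4.5 target above.
        public static PasswordRecord CreateRecord(string password)
        {
            var salt = new byte[SaltBytes];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(salt);
            }
            using (var kdf = new Rfc2898DeriveBytes(password, salt, DefaultIterations))
            {
                return new PasswordRecord
                {
                    Salt = salt,
                    Iterations = DefaultIterations,
                    Hash = kdf.GetBytes(HashBytes)
                };
            }
        }

        // Record used when the user name is unknown, so that the response time does
        // not distinguish "no such user" from "wrong password".
        private static readonly PasswordRecord Dummy = CreateRecord("dummy-password");

        // Constructed sample store. In a real deployment this is loaded from
        // configuration or a database, never compiled into the binary.
        private static readonly Dictionary<string, PasswordRecord> Users =
            new Dictionary<string, PasswordRecord>(StringComparer.Ordinal)
            {
                { "zhyongfeng", CreateRecord("123456") }
            };

        // Compare two byte arrays without an early exit, so the elapsed time does not
        // reveal how many leading bytes matched.
        private static bool ConstantTimeEquals(byte[] a, byte[] b)
        {
            if (a == null || b == null || a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new SecurityTokenException("Unknown Username or Password");

            PasswordRecord record;
            bool known = Users.TryGetValue(userName, out record);
            if (!known) record = Dummy;

            byte[] candidate;
            using (var kdf = new Rfc2898DeriveBytes(password, record.Salt, record.Iterations))
            {
                candidate = kdf.GetBytes(record.Hash.Length);
            }

            // Always run the full comparison, then reject unknown users and mismatches alike.
            if (!known || !ConstantTimeEquals(candidate, record.Hash))
                throw new SecurityTokenException("Unknown Username or Password");
        }
    }
}
```

To use it, point customUserNamePasswordValidatorType in the service configuration at "HighlyConcurrentHosting.HashedUserNamePasswordValidator, HighlyConcurrentHosting". Note what this does and does not fix: the stored secret is no longer recoverable from the binary, and a wrong guess costs one full PBKDF2 derivation, but with TransportCredentialOnly the Basic credentials themselves still travel base64-encoded in the Authorization header of every request, so the HTTP hop between the client and Nginx still needs TLS.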
- Client program
using System;
using System.Net;
using System.Net.Sockets;
using HighlyConcurrentClient.HighlyConcurrentService;

namespace HighlyConcurrentClient
{
    class Program
    {
        static void Main(string[] args)
        {
            // Find the local IPv4 address so it can be shown next to the results.
            string AddressIP = string.Empty;
            foreach (IPAddress _IPAddress in Dns.GetHostEntry(Dns.GetHostName()).AddressList)
            {
                if (_IPAddress.AddressFamily == AddressFamily.InterNetwork)
                {
                    AddressIP = _IPAddress.ToString();
                }
            }
            Console.WriteLine(string.Format("Local IP: {0}", AddressIP));

            // The generated proxy sends the user name and password as HTTP Basic credentials.
            using (OutputSomethingCertificateClient proxy = new OutputSomethingCertificateClient())
            {
                proxy.ClientCredentials.UserName.UserName = "zhyongfeng";
                proxy.ClientCredentials.UserName.Password = "123456";
                for (int i = 0; i < 20; i++)
                {
                    Console.WriteLine(proxy.GetCertContentData(i));
                }
            }
            Console.Read();
        }
    }
}
Client configuration file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
  </configSections>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IOutputSomething">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
        <binding name="BasicHttpBinding_IOutputSomethingCertificate">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://zhyongfeng.com/hello" binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IOutputSomething"
                contract="HighlyConcurrentService.IOutputSomething"
                name="BasicHttpBinding_IOutputSomething" />
      <endpoint address="http://zhyongfeng.com/hello" binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IOutputSomethingCertificate"
                contract="HighlyConcurrentService.IOutputSomethingCertificate"
                name="BasicHttpBinding_IOutputSomethingCertificate" />
    </client>
  </system.serviceModel>
</configuration>
Adding the service reference on the client:
After the client adds the service reference, the generated endpoint address is the address of a single PC (for example address="http://10.92.202.56:5600/hello"). This must be changed to the Nginx address:
address="http://zhyongfeng.com/hello"
The result looks like this:
6. URL reservation
See: http://www.cnblogs.com/yongfeng/p/7851039.html
7. Deploy the WCF service program to three PCs in the LAN
To deploy the WCF service program on a remote PC, install the certificate by double-clicking wcf_zhyongfeng.pfx on that server, then modify the configuration files so the three servers listen on 10.92.202.56:5600, 10.92.202.57:5700 and 10.92.202.58:5800 respectively.
Then start the WCF service program on each remote computer. The running result is as follows:
The result of accessing the WCF server with IE on the local machine:
8. Configure and build the Nginx cluster
The load-balanced cluster is accessed through the self-defined domain name zhyongfeng.com:80. Edit C:\Windows\System32\drivers\etc\hosts and add the following mapping of the custom domain name to the local IP address:
10.93.85.66 zhyongfeng.com
Configure the PCs on which WCF is deployed as upstream servers (proxy_connect_timeout is set to 10 s, so if one machine is down the request is forwarded to another) as follows:
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    upstream zhyongfeng.com {
        server 10.92.202.56:5600;
        server 10.92.202.57:5700;
        server 10.92.202.58:5800;
    }

    server {
        listen 80;
        server_name zhyongfeng.com;

        location / {
            proxy_pass http://zhyongfeng.com;
            proxy_connect_timeout 10s;
        }
    }
}
Run in CMD:
D:\DTLDownLoads\nginx-1.10.2>start nginx
D:\DTLDownLoads\nginx-1.10.2>nginx -s reload
Access the WCF server at http://zhyongfeng.com/hello; the result is as follows:
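The configuration above listens on plain port 80, so the HTTP Basic credentials that the TransportCredentialOnly binding puts in the Authorization header cross the network between the client and Nginx unencrypted, and a failed backend is only skipped after each request has waited out the connect timeout. The following is an added example, not the configuration from the original post: the same three-node upstream with TLS terminated at Nginx and explicit failover limits. The upstream name wcf_backend, port 443, the TLS version and the certificate paths are assumptions for this example.

```nginx
# Added example (not the original post's nginx.conf): TLS termination at Nginx
# plus explicit failover limits for the same three WCF hosts.
# wcf_backend, the certificate paths and port 443 are assumptions.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    upstream wcf_backend {
        # After max_fails failed attempts a host is left out of rotation for
        # fail_timeout, instead of being retried on every request.
        server 10.92.202.56:5600 max_fails=3 fail_timeout=30s;
        server 10.92.202.57:5700 max_fails=3 fail_timeout=30s;
        server 10.92.202.58:5800 max_fails=3 fail_timeout=30s;
    }

    # Port 80 only redirects; no credentials are accepted over plain HTTP.
    server {
        listen 80;
        server_name zhyongfeng.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name zhyongfeng.com;

        # Assumed paths, relative to the nginx prefix (D:\DTLDownLoads\nginx-1.10.2):
        # a PEM certificate and key for the proxy. Nginx does not read the .pfx
        # used by the WCF hosts, so the pair has to be exported separately.
        ssl_certificate     conf/certs/zhyongfeng.com.crt;
        ssl_certificate_key conf/certs/zhyongfeng.com.key;
        ssl_protocols       TLSv1.2;

        location / {
            proxy_pass http://wcf_backend;
            # A dead host is skipped after 10 s and the request is retried on
            # the next upstream server (error and timeout only, so a request
            # that reached a live host is not replayed).
            proxy_connect_timeout 10s;
            proxy_read_timeout    30s;
            proxy_next_upstream   error timeout;
            # Tell the WCF hosts the original scheme and client address.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
    }
}
```

The WCF hosts keep the TransportCredentialOnly binding, because Nginx still talks plain HTTP to them inside the LAN and forwards the Authorization header unchanged. On the client side the endpoint address becomes https://zhyongfeng.com/hello and the binding's security mode becomes Transport with clientCredentialType="Basic"; the WSDL generated by the hosts still advertises the http address, so the client endpoint is set by hand, as the post already does for the Nginx address.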
9. Running results of SoapUI and the WCF client program
Because the service speaks SOAP, it can also be tested with SoapUI by adding the WCF WSDL at http://zhyongfeng.com/hello?wsdl:
Start the WCF client program. Its output is as follows:
Shut down one of the PCs over Remote Desktop (10.92.202.56:5600):
Restart the WCF client. Because the Nginx configuration sets proxy_connect_timeout to 10 s, requests for the disabled PC 10.92.202.56:5600 are forwarded to 10.92.202.57:5700 after 10 s, and the remaining two PCs continue to serve them:
10. Summary
With BasicHttpBinding, the service is reachable not only from the WCF client but also through its WSDL. The Nginx cluster lets the WCF client authenticate with a user name and password while spreading the load across the backend servers.
Source code download:
http://download.csdn.net/download/ruby_matlab/10126187
PDF download:
Nginx WCF distributed identity verification (SOAP supported).pdf