Dialogflow 针对网络钩子请求发起的网络流量通过公共网络发送。为了确保每个方向的流量都安全可靠又可信任,Dialogflow 还可视需要支持双向 TLS 身份验证 (mTLS)。在 Dialogflow 的标准 TLS 握手期间,网络钩子服务器会提供可由 Dialogflow 验证的证书,具体方法是遵循证书授权机构链或将该证书与自定义 CA 证书进行比较。通过在 webhook 服务器上启用 mTLS,它能够对 Dialogflow 向 webhook 服务器提供的 Google 证书进行身份验证以进行验证,从而完成相互信任的建立。
请求 mTLS
如需请求 mTLS,请执行以下操作:
- 对您的 webhook HTTPS 服务器进行准备,以在 TLS 握手期间请求客户端证书。
- 网络钩子服务器应在收到客户端证书时对其进行验证。
为您的 webhook 服务器安装证书链,客户端和服务器共同信任该证书链。连接到 Google 服务的应用应信任 Google Trust Services 列出的所有证书授权机构。您可以从以下网址下载根证书:https://pki.goog/。
使用 mTLS 对网络钩子服务器进行示例调用
此示例将快速入门中显示的代理与运行 openssl 的 webhook 服务器结合使用。
- 示例设置
- 一个 Dialogflow CX 代理,用于接收衬衫订单,并将其发送到指向独立 Web 服务器的 webhook。
- 名为
key.pem的文件中用于 TLS 通信的私钥。 - 由广受信任的 CA(证书授权机构)在名为
fullchain.pem的文件中签名的证书链。
-
在服务器机器上执行
openssl s_server程序。sudo openssl s_server -key key.pem -cert fullchain.pem -accept 443 -verify 1
- 请求从客户端机器发送给代理。在此示例中,请求为“I want to purchase a size red shirt”。此请求可以使用 Dialogflow 控制台发送,也可以通过 API 调用发送。
-
服务器机器中
openssl s_server的输出。verify depth is 1 Using default temp DH parameters ACCEPT depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1 verify return:1 depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4 verify return:1 depth=0 CN = *.dialogflow.com verify return:1 -----BEGIN SSL SESSION PARAMETERS----- MII... -----END SSL SESSION PARAMETERS----- Client certificate -----BEGIN CERTIFICATE----- MII... -----END CERTIFICATE----- subject=CN = *.dialogflow.com issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4 Shared ciphers:TLS_AES_128_GCM_SHA256:... Signature Algorithms: ECDSA+SHA256:... Shared Signature Algorithms: ECDSA+SHA256:... Peer signing digest: SHA256 Peer signature type: RSA-PSS Supported Elliptic Groups: 0xEAEA:... Shared Elliptic groups: X25519:... CIPHER is TLS_AES_128_GCM_SHA256 Secure Renegotiation IS NOT supported POST /shirts-agent-webhook HTTP/1.1 authorization: Bearer ey... content-type: application/json Host: www.example.com Content-Length: 1595 Connection: keep-alive Accept: */* User-Agent: Google-Dialogflow Accept-Encoding: gzip, deflate, br { "detectIntentResponseId": "a7951ce2-2f00-4af5-a508-4c2cb45698b0", "intentInfo": { "lastMatchedIntent": "projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/intents/0adebb70-a727-4687-b8bc-fbbc2ac0b665", "parameters": { "color": { "originalValue": "red", "resolvedValue": "red" }, "size": { "originalValue": "large", "resolvedValue": "large" } }, "displayName": "order.new", "confidence": 0.9978873 }, "pageInfo": { "currentPage": "projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/flows/00000000-0000-0000-0000-000000000000/pages/06e6fc4d-c2f2-4830-ab57-7a318f20fd90", "displayName": "Order Confirmation" }, "sessionInfo": { "session": "projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/sessions/session-test-001", "parameters": { "color": "red", "size": "large" } }, "fulfillmentInfo": { "tag": "confirm" }, "messages": [{ "text": { "text": ["Ok, let\u0027s start a new order."], "redactedText": ["Ok, let\u0027s start a new order."] }, "responseType": "ENTRY_PROMPT", "source": "VIRTUAL_AGENT" }, { "text": { "text": ["You have selected a large, red shirt."], "redactedText": ["You have selected a large, red shirt."] }, "responseType": "HANDLER_PROMPT", "source": "VIRTUAL_AGENT" }], "text": "I want to buy a large red shirt", "languageCode": "en" }ERROR shutting down SSL CONNECTION CLOSED
最佳做法
为确保 webhook 请求是从您自己的 Dialogflow 代理启动的,您应该从请求的 Authorization 标头中验证 Bearer 服务身份令牌。或者,您也可以验证您端的身份验证服务器之前提供的会话参数。
错误
如果客户端证书验证失败(例如,网络钩子服务器不信任客户端证书),则 TLS 握手失败,会话终止。
常见的错误消息:
| 错误消息 | 说明 |
|---|---|
| Failed to verify client's certificate: x509: certificate signed by unknown authority(未能验证客户端的证书:x509:证书由未知授权机构签署) | Dialogflow 将其客户端证书发送到了外部网络钩子,但外部网络钩子无法对其进行验证。这可能是因为外部网络钩子未正确安装 CA 链。系统应信任 Google 的所有根 CA。 |