From bc338570dac9051d870fc7b583894d7b7edfd7da Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 16:12:33 +0800
Subject: [PATCH 01/35] Client-to-server authentication with HTTPS client certificates

---
 bin/apisix | 6 +++
 conf/cert/apisix_admin_ca.crt | 20 +++++++
 conf/cert/apisix_admin_ssl.crt | 98 +++++++++++++++++++++++-----------
 conf/cert/apisix_admin_ssl.key | 74 +++++++++---------------
 conf/config.yaml | 5 +-
 5 files changed, 121 insertions(+), 82 deletions(-)
 create mode 100644 conf/cert/apisix_admin_ca.crt

diff --git a/bin/apisix b/bin/apisix
index 79c00ed25c14..8230d600d2b4 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -297,6 +297,12 @@ http {
 ssl_protocols {* ssl.ssl_protocols *};
 ssl_ciphers {* ssl.ssl_ciphers *};
 ssl_prefer_server_ciphers on;
+
+ {%if ssl.verify_client then%}
+ ssl_client_certificate cert/apisix_admin_ca.crt;
+ ssl_verify_client on;
+ {%end%}
+
 {% else %}
 listen {* port_admin *};
 {%end%}
diff --git a/conf/cert/apisix_admin_ca.crt b/conf/cert/apisix_admin_ca.crt
new file mode 100644
index 000000000000..e4b06a5c26e6
--- /dev/null
+++ b/conf/cert/apisix_admin_ca.crt
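Review bot: The trust anchor behind `ssl_verify_client on;` is hard-wired to `cert/apisix_admin_ca.crt`, the very file this series commits to the repository (and patch 02 adds a matching `conf/cert/apisix_admin_client.key`), so any deployment that keeps the defaults accepts client certificates from a CA whose client credential is public; the path should be read from configuration, with the committed file treated as a test fixture, e.g. `ssl_client_certificate {* ssl.<client_ca_path_key> *};` where the key name is still to be chosen. The switch is also read from `ssl.verify_client`, the data-plane `ssl:` section, while the block sits in the `https_admin` branch of the Admin listener, so a reader of `config.yaml` will expect it to govern the 9443 listener rather than the Admin API; a comment on the `{%if ssl.verify_client then%}` line saying which listener it affects would prevent that. The enclosing `http {` template block starts and ends outside the hunk.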
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTDCCAjQCCQD2CWWIQjyiuzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJj +bjESMBAGA1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNV +BAoMA0lCTTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wHhcN +MjAwNjE4MDk1OTM4WhcNMzAwNjE2MDk1OTM4WjBoMQswCQYDVQQGEwJjbjESMBAG +A1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNVBAoMA0lC +TTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyOfhOm4HlKT2kG0uZnehM8sENxL5t6+/k +cFiyhAd3lyU90tZ2GfEfuosQDN6+ZbIeL6qwDo/eszFzPKB+kvLe/bYHexo3LJkT +JRwTjL0y4Dtd6ZK88S2cm14PDo89QU7WiAMHeeUe6nu2puelpucZhpoaCUuBeV25 +96fBi9o0AqJrSMn8QioY1P65B4HMm+FR9la01Hu6H4euS0A5H4OPWRD1t9/g7d8x +7Dp20pDXn2/k6t7ZQ53QqClxSjEzNYE6gIuXeLiW5sw+FzrNKa17j+Xi4stHvXHD +KR2PyC/1kGp4+QJzHiAv5Qly3gCS7YuOZzUH4LwW0NhOnf1KATxnAgMBAAEwDQYJ +KoZIhvcNAQEFBQADggEBALA4Kb18PGwfMESKzZwsE6gMB9psGHDfjybk3iEOeY/A +VL3Y40oMcPWFw9Ag9sPWaE5uVjq5GcuqOcAzZlyKzYvI/oqGwTCKIMfEuj2j/cK4 +I77ppUtzQ7RPeF+BnafDJsGkILZtibRcKQ6OXn+65xZkNNMGHecSIBwe3O68GlcV +RRw+vaof67AbQZy0yBrLn+9rc64nDKvreDBGPN0okXM3xQDo2reRHG14ppTRzBGb +S77dWgqFfPCgUsc6N0xlMaTKS40hwBqQDJjrq25HCEN6G0L6+sn4kSgm67f/FRLt +TGyEQxrfvkfrPGTtNk+WnAdJ4999O/uvPbKKF1shN3I= +-----END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_ssl.crt b/conf/cert/apisix_admin_ssl.crt index 82d7fc3aa31a..ca149e3b1135 100644 --- a/conf/cert/apisix_admin_ssl.crt +++ b/conf/cert/apisix_admin_ssl.crt 
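Review bot: This CA certificate becomes the default trust anchor for Admin API client authentication, and patch 02 in the same series commits the client private key it vouches for (`conf/cert/apisix_admin_client.key`), so the repository itself holds a credential every default installation will accept; shipped material like this belongs under the test tree, and the configuration docs should tell operators to generate their own CA and point the template at it. The DER inside the PEM appears to carry a sha1WithRSAEncryption self-signature (`...DQEBBQUA...`), which is harmless on a self-signed root but worth regenerating with sha256 if the file stays as an example, and a header comment marking the file as a CI fixture would make its purpose clear.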
@@ -1,33 +1,69 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 64206 (0xface) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=cn, ST=GuangDong, L=guangzhou, O=IBM, OU=ops, CN=www.test.com + Validity + Not Before: Jun 18 11:48:02 2020 GMT + Not After : Jun 16 11:48:02 2030 GMT + Subject: C=cn, ST=GuangDong, O=IBM, L=guangzhou, CN=nginx.test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c9:5c:1e:9c:9b:94:19:42:dd:95:ab:2c:fc:78: + 1f:2e:57:ec:02:e3:1a:9c:0c:35:a9:de:3e:90:9f: + 35:86:65:b2:75:a3:b9:c7:d0:55:c1:d7:79:a3:81: + 60:cb:ad:31:9a:27:3a:47:9f:f8:2c:a4:d7:4d:12: + a0:96:2d:16:1e:47:59:26:a3:85:41:9f:e1:d7:08: + 7c:73:d8:a6:b5:14:63:db:6e:9b:d3:ae:19:f3:4c: + 09:34:20:04:25:d3:ae:40:c2:1e:62:c6:f1:c8:46: + 9a:b1:4e:12:af:6a:de:b5:de:e3:64:b8:ed:75:df: + 2e:65:2a:1a:3c:05:b3:ae:c7:d5:29:16:51:62:65: + b2:4c:a5:32:18:f9:02:7d:e5:0e:9f:d4:12:d3:35: + 6a:49:ce:b4:34:52:16:26:68:dd:55:9f:b8:ae:cb: + fc:a5:db:12:eb:11:2d:6c:8f:5f:f2:2a:72:7c:31: + c3:bc:6c:f3:13:5f:ca:d1:0a:0a:d0:66:9f:24:1c: + 7d:ed:4b:5b:df:af:30:34:a2:23:59:71:83:06:d5: + 51:71:9f:62:31:94:a8:fc:72:d3:07:ff:da:48:07: + bc:1d:2c:ec:5a:88:f9:e6:65:15:0f:d5:e1:3e:7e: + 6b:d4:63:2c:2e:32:fe:c0:9c:65:df:47:87:c5:38: + c3:45 + Exponent: 65537 (0x10001) + Signature Algorithm: sha256WithRSAEncryption + 6f:99:20:43:a2:fa:51:9c:3f:71:6b:be:90:e0:4d:26:c2:b6: + 91:50:7d:7a:50:a7:32:97:89:20:45:d3:07:97:30:88:9a:d0: + 83:ff:42:95:fc:16:e9:9b:97:f4:48:a0:de:9b:e5:09:98:a6: + e8:fc:87:2b:e0:16:98:4d:78:05:bb:29:65:95:b7:d3:70:58: + 7b:75:d5:f9:67:45:7f:cf:bf:a6:87:b3:da:d0:ee:c2:c3:55: + a7:d5:f4:36:9d:2a:e5:e4:d1:08:e9:b4:2a:d5:ca:6d:55:d3: + 42:32:d8:e0:97:56:e4:99:12:30:98:46:8c:97:ac:3f:8f:d5: + 04:f9:33:3c:02:7c:ca:3d:4d:5f:2e:98:e4:98:41:f9:a2:68: + d3:77:bd:4b:f3:2a:9d:d2:fd:be:9d:84:9c:03:ea:c0:ab:33: + c3:52:14:1b:24:c5:2c:a1:bb:c0:70:0e:30:08:d6:37:54:32: + 02:3e:08:53:5f:b9:0d:ba:0c:a2:57:12:04:fe:f5:e0:29:ee: + 
43:8e:da:a1:5a:25:89:55:62:90:4b:08:63:64:b2:17:40:65: + 85:14:39:76:eb:b0:db:67:bb:41:17:2f:2d:2c:7d:f3:c1:fa: + f9:4f:99:24:92:69:fd:17:f9:85:9f:3c:ff:ba:e8:34:ed:e6: + ee:66:fb:64 -----BEGIN CERTIFICATE----- -MIIFsTCCA5mgAwIBAgIUODyT8W4gAxf8uwMNmtj5M1ANoUwwDQYJKoZIhvcNAQEL -BQAwVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzEPMA0GA1UEBwwG -Wmh1SGFpMQ0wCwYDVQQKDARhcGk3MRMwEQYDVQQDDAphcGlzaXguZGV2MCAXDTIw -MDYwNDAzMzc1MFoYDzIxMjAwNTExMDMzNzUwWjBWMQswCQYDVQQGEwJDTjESMBAG -A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx -EzARBgNVBAMMCmFwaXNpeC5kZXYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -AoICAQDQveSdplH49Lr+LsLWpGJbNRhf2En0V4SuFKpzGFP7mXaI7rMnpdH3BUVY -S3juMgPOdNh6ho4BeSbGZGfU3lG1NwIOXiPNA1mrTWGNGV97crJDVZeWTuDpqNHJ -4ATrnF6RnRbg0en8rjVtce6LBMrDJVyGbi9VAqBUPrCmzT/l0V1jPL6KNSN8mQog -ladrJuzUanfhWM9K9xyM+/SUt1MNUYFLNsVHasPzsi5/YDRBiwuzTtiT56O6yge2 -lvrdPFvULrCxlGteyvhtrFJwqjN//YtnQFooNR0CXBfXs0a7WGgMjawupuP1JKiY -t9KEcGHWGZDeLfsGGKgQ9G+PaP4y+gHjLr5xQvwt68otpoafGy+BpOoHZZFoLBpx -TtJKA3qnwyZg9zr7lrtqr8CISO/SEyh6xkAOUzb7yc2nHu9UpruzVIR7xI7pjc7f -2T6WyCVy6gFYQwzFLwkN/3O+ZJkioxXsnwaYWDj61k3d9ozVDkVkTuxmNJjXV8Ta -htGRAHo0/uHmpFTcaQfDf5o+iWi4z9B5kgfA/A1XWFQlCH1kl3mHKg7JNCN9qGF8 -rG+YzdiLQfo5OqJSvzGHRXbdGI2JQe/zyJHsMO7d0AhwXuPOWGTTAODOPlaBCxNB -AgjuUgt+3saqCrK4eaOo8sPt055AYJhZlaTH4EeD4sv7rJGm7wIDAQABo3UwczAd -BgNVHQ4EFgQUPS1LXZMqgQvH/zQHHzgTzrd7PIIwHwYDVR0jBBgwFoAUPS1LXZMq -gQvH/zQHHzgTzrd7PIIwDAYDVR0TBAUwAwEB/zAjBgNVHREEHDAaggphcGlzaXgu -ZGV2ggwqLmFwaXNpeC5kZXYwDQYJKoZIhvcNAQELBQADggIBAMlwNS8uo3JkkshI -rpYobdjCZfr74PBl+LhoihvzHs25/in3+CxETRA8cYo5pRotqdA63po3wiCCPs6a -mZiELQxyGHhFcqoYxnoURR4nyogRZLA6jjLGkbG4H+CA4ApmZmvGnP3X5uQW4v5q -IdqIXL3BvoUBln8GMEC7Rz5SGUjWG03JPkl6MdeziFyHkwdBCOrtK5m7icRncvq+ -iL8CMUx024LLI6A5hTBPwfVfgbWJTSv7tEu85q54ZZoYQhiD8dde4D7g5/noPvXM -ZyA9C3Sl981+pUhhazad9j9k8DCcqf9e8yH9lPY26tjiEcShv4YnwbErWzJU1F9s -ZI5Z6nj5PU66upnBWAWV7fWCOrlouB4GjNaznSNrmpn4Bb2+FinDK3t4AfWDPS5s -ljQBGQNXOd30DC7BdNAF5dQAUhVfz1EgQGqYa+frMQLiv8rNMs7h6gKQEqU+jC/1 
-jbGe4/iwc0UeTtSgTPHMofqjqc99/R/ZqtJ3qFPJmoWpyu0NlNINw2KWRQaMoGLo -WgDCS0YA5/hNXVFcWnZ73jY62yrVSoj+sFbkUpGWhEFnO+uSmBv8uwY3UeCOQDih -X7Yazs3TZRqEPU+25QATf0kbxyzlWbGkwvyRD8x+n3ZHs5Ilhrc6jWHqM/S3ir7i -m9GcWiwg++EbusQsqs3w3uKAHAdT +MIIDOjCCAiICAwD6zjANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjESMBAG +A1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNVBAoMA0lC +TTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wHhcNMjAwNjE4 +MTE0ODAyWhcNMzAwNjE2MTE0ODAyWjBcMQswCQYDVQQGEwJjbjESMBAGA1UECAwJ +R3VhbmdEb25nMQwwCgYDVQQKDANJQk0xEjAQBgNVBAcMCWd1YW5nemhvdTEXMBUG +A1UEAwwObmdpbngudGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDJXB6cm5QZQt2Vqyz8eB8uV+wC4xqcDDWp3j6QnzWGZbJ1o7nH0FXB13mj +gWDLrTGaJzpHn/gspNdNEqCWLRYeR1kmo4VBn+HXCHxz2Ka1FGPbbpvTrhnzTAk0 +IAQl065Awh5ixvHIRpqxThKvat613uNkuO113y5lKho8BbOux9UpFlFiZbJMpTIY ++QJ95Q6f1BLTNWpJzrQ0UhYmaN1Vn7iuy/yl2xLrES1sj1/yKnJ8McO8bPMTX8rR +CgrQZp8kHH3tS1vfrzA0oiNZcYMG1VFxn2IxlKj8ctMH/9pIB7wdLOxaiPnmZRUP +1eE+fmvUYywuMv7AnGXfR4fFOMNFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAG+Z +IEOi+lGcP3FrvpDgTSbCtpFQfXpQpzKXiSBF0weXMIia0IP/QpX8Fumbl/RIoN6b +5QmYpuj8hyvgFphNeAW7KWWVt9NwWHt11flnRX/Pv6aHs9rQ7sLDVafV9DadKuXk +0QjptCrVym1V00Iy2OCXVuSZEjCYRoyXrD+P1QT5MzwCfMo9TV8umOSYQfmiaNN3 +vUvzKp3S/b6dhJwD6sCrM8NSFBskxSyhu8BwDjAI1jdUMgI+CFNfuQ26DKJXEgT+ +9eAp7kOO2qFaJYlVYpBLCGNkshdAZYUUOXbrsNtnu0EXLy0sffPB+vlPmSSSaf0X ++YWfPP+66DTt5u5m+2Q= -----END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_ssl.key b/conf/cert/apisix_admin_ssl.key index ec889056ffb6..2c5bdb1f76a7 100644 --- a/conf/cert/apisix_admin_ssl.key +++ b/conf/cert/apisix_admin_ssl.key 
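Review bot: The replacement server certificate is `Version: 1 (0x0)`, so it has no extensions at all — no subjectAltName, no keyUsage/extendedKeyUsage — and identifies the host only through `CN=nginx.test.com`; hostname matching on CN is deprecated and some current TLS stacks refuse a certificate without a SAN, so clients other than curl may fail against the HTTPS Admin API even when they trust the CA. Reissuing it as an X.509 v3 certificate with `subjectAltName = DNS:nginx.test.com` would avoid that. The `openssl x509 -text` dump committed above the PEM block is generally skipped by PEM readers but confuses tools that expect pure PEM and doubles the file; committing only the PEM is safer.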
@@ -1,51 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEA0L3knaZR+PS6/i7C1qRiWzUYX9hJ9FeErhSqcxhT+5l2iO6z -J6XR9wVFWEt47jIDznTYeoaOAXkmxmRn1N5RtTcCDl4jzQNZq01hjRlfe3KyQ1WX -lk7g6ajRyeAE65xekZ0W4NHp/K41bXHuiwTKwyVchm4vVQKgVD6wps0/5dFdYzy+ -ijUjfJkKIJWnaybs1Gp34VjPSvccjPv0lLdTDVGBSzbFR2rD87Iuf2A0QYsLs07Y -k+ejusoHtpb63Txb1C6wsZRrXsr4baxScKozf/2LZ0BaKDUdAlwX17NGu1hoDI2s -Lqbj9SSomLfShHBh1hmQ3i37BhioEPRvj2j+MvoB4y6+cUL8LevKLaaGnxsvgaTq -B2WRaCwacU7SSgN6p8MmYPc6+5a7aq/AiEjv0hMoesZADlM2+8nNpx7vVKa7s1SE -e8SO6Y3O39k+lsglcuoBWEMMxS8JDf9zvmSZIqMV7J8GmFg4+tZN3faM1Q5FZE7s -ZjSY11fE2obRkQB6NP7h5qRU3GkHw3+aPolouM/QeZIHwPwNV1hUJQh9ZJd5hyoO -yTQjfahhfKxvmM3Yi0H6OTqiUr8xh0V23RiNiUHv88iR7DDu3dAIcF7jzlhk0wDg -zj5WgQsTQQII7lILft7GqgqyuHmjqPLD7dOeQGCYWZWkx+BHg+LL+6yRpu8CAwEA -AQKCAgBNsbBLAWHXYPfMrgj1LUAypIOLAQ0dtgl7ZdO/fRmdNxSIiRgDtNN+tuaF -o6nCNrl1+cWtbTGj2L0W8L442/rbkTrhsCZxI0MX4HhjtUL1xs4VA+GlH3zVW3Gi -SxBpxczpM+gVC+ykkQ7vyo04DzONCPX0T0Ssxop4cND9dL3Iw3GYAz8EYBzyPmAn -mqwy1M0nju1J4e1eALYOv6TcSZPPDDwsi5lIKLQAm5x06pDoqGFVfw5blsc5OgM+ -8dkzyUiApFQ99Hk2UiO/ZnlU1/TNOcjOSISGHKbMfwycy2yTRKeNrJmez51fXCKo -nRrtEotHzkI+gCzDqx+7F9ACN9kM4f4JO5ca0/My6tCY+mH8TA/nVzMnUpL7329w -NobuNTpyA6x5nmB3QqElrzQCRtTj7Nw5ytMdRbByJhXww9C5tajUysdq8oGoZdz5 -94kXr6qCC5Qm3CkgyF2RjqZyg9tHUEEdaFKouHgziiqG9P2Nk1SHk7Jd7bF4rleI -i93u/f0fdVK7aMksofgUbOmfhnS+o1NxerVcbdX+E/iv6yfkrYDb46y3//4dcpwk -TeUEMCjc7ShwvYPq350q3jmzgwxeTK8ZdXwJymdJ7MaGcnMXPqd9A43evYM6nG6f -i3l2tYhH4cp6misGChnGORR68qsRkY8ssvSFNFzjcFHhnPyoCQKCAQEA8isIC1IJ -Iq9kB4mDVh0QdiuoBneNOEHy/8fASeZsqedu0OZPyoXU96iOhXuqf8sQ33ydvPef -iRwasLLkgw8sDeWILUjS36ZzwGP2QNxWfrapCFS8VfKl7hTPMVp0Wzxh8qqpGLSh -O0W7EEAJCgzzULagfupaO0Chmb3LZqXRp8m5oubnmE+9z0b5GrCIT1S8Yay2mEw9 -jxqZJGBhV7QnupyC2DIxLXlGmQk7Qs1+1mCCFwyfugHXclWYa+fet/79SkkADK0/ -ysxfy+FdZgGT/Ba5odsEpt1zH+tw4WXioJsX9mU3zAHbpPqtcfuVU+2xyKfQYrRG -NSm9MMNmart0wwKCAQEA3Koaj/0gNxLLslLIES50KmmagzU8CkEmCa/WLoVy02xr -qp42hvj+PzBTf3rIno3KEpRhMmnAtswozbV3P4l/VSZdfY+pwWsx7/5+Cf1R9nAP 
-vp6YCjGcLcbASazYNOWf0FRInt3pxdgT9DWjJDi99FGKA+UbI2yxHwzE+cE8r9Od -Iy42uhzCjJBqdg+an+q63k6yrOwv18KP69LlU/4vknhw4g3WxF4yTwVmXU8WKmux -aOrJv2ED8pfA7k+zwv0rPyN+F2nOySxoChaFfeu6ntBCX7zK/nV0DsMQImOycfzO -yN8WB9lRZTJVzU2r6PaGAI359uLHEmURy0069g+yZQKCAQAbECwJ99UFh0xKe1eu -G/lm+2H/twSVMOmTJCOdHp8uLar4tYRdQa+XLcMfr75SIcN09lw6bgHqNLXW4Wcg -LmXh97DMPsMyM0vkSEeQ4A7agldJkw6pHEDm5nRxM4alW44mrGPRWv5ZvWU2X7Gi -6eeXMZGmHVKQJJzqrYc5pXZUpfqU9fET2HWB4JCeJvRUyUd0MvUE+CA5CePraMn4 -Hy4BcNQ+jP1p84+sMpfo00ZFduuS39pJ00LciCxMgtElBt4PmzDiOcpTQ5vBESJ6 -79o15eRA7lUKwNzIyGsJBXXaNPrskks2BU8ilNElV9RMWNfxcK+dGEBwWIXIGU4s -x145AoIBAQCst9R8udNaaDLaTGNe126DuA8B/kwVdrLwSBqsZTXgeO+5J4dklEZl -bU0d7hxTxoXRjySZEh+OtTSG9y/0oonxO0tYOXfU9jOrNxaueQKLk2EvgfFdoUEu -r2/Y+xpsJQO3TBFfkDEn856Cuu0MMAG214/gxpY8XxowRI11NCRtN4S6gbTCbjp1 -TaCW8lXEMDW+Rfki0ugLyLVgD74CxWW1DuLEfbKKF3TnV0GtbXbbE1pU1dm+G5C8 -dL3FissYp5MPI5fRebcqzcBNjR1F15pGLpqVVy/IhmSmHVZmpISLJicxITScRiSo -wgJY5R/XBAcVLgvmi9Dn/AY2jCfHa7flAoIBAQCbnZ6ivZg81g6/X9qdo9J61hX0 -Y7Fn7bLvcs1L0ARGTsfXMvegA806XyZThqjpY47nHpQtoz4z62kiTTsdpAZUeA3z -9HUWr0b3YEpsvZpgyMNHgwq1vRDPjw4AWz0pBoDWMxx8Ck5nP1A//c1zyu9pgYEU -R+OutDeCJ+0VAc6JSH9WMA08utGPGs3t02Zhtyt2sszE9vzz4hTi5340/AYG72p7 -YGlikUxvbyylYh9wR4YUYa/klikvKLHEML1P0BCr8Vex+wLSGS1h1F5tW1Xr2CZQ -dVxFmfGmPDmwWbCQR6Rvt6FHRwNMpMrLr011h2RBcHBpdQl7XpUENDoopIh0 +MIIEpQIBAAKCAQEAyVwenJuUGULdlass/HgfLlfsAuManAw1qd4+kJ81hmWydaO5 +x9BVwdd5o4Fgy60xmic6R5/4LKTXTRKgli0WHkdZJqOFQZ/h1wh8c9imtRRj226b +064Z80wJNCAEJdOuQMIeYsbxyEaasU4Sr2retd7jZLjtdd8uZSoaPAWzrsfVKRZR +YmWyTKUyGPkCfeUOn9QS0zVqSc60NFIWJmjdVZ+4rsv8pdsS6xEtbI9f8ipyfDHD +vGzzE1/K0QoK0GafJBx97Utb368wNKIjWXGDBtVRcZ9iMZSo/HLTB//aSAe8HSzs +Woj55mUVD9XhPn5r1GMsLjL+wJxl30eHxTjDRQIDAQABAoIBAEovPzPxeamo4dwv +WX6Wft5jFBeoNfiB4w93StObZGvkcdA3hs2f6shkq3Layp+famPhye3zeMpx3MSP +dUx+xeRX4veCTSj1T44amUdQ7XJPVc7VPGHLhdIGFGn41a5eA5fmLK21oARqRrnG +CspH9E9LE7nbC9leZUhuL4Ynj6B3ZV3R14N7bkvVqfHyoJgLwTkUh/MaHwnDGP64 +oBnKXbGFKZ8bbRU9YDR3SY77jhX+vuT922ZqM4AJpHMtgTMXYZRapUFD5wq5DW+6 
+FedG86ZdbkcAufRmVby0Tfj4F4x1SMxghLU3FY34nZe8fKNyFsq3dyREeLs/G2y+
+uPDW9c0CgYEA8qcyZEbPs+DQ/UAuGHy40eQ0yH7iD2IOls/2HaqmYt5Y0H9HdcGS
+ROrt8zjUsathe9J+kBGdr9hn47Lg3ZLgW0VHz6I0NHmFohnwEwVzJG8VTXGC5ga+
+xsqUuVquKAAtnxaa+4SyVxkBiwI0Zmj++sCIYN8Ew7u2vXYTkWUxrd8CgYEA1G94
+rWH0vbilL6qR3cXLY+ElwJhEMR8jFQdLKCND7l0/xRlF3Q1VNHyuZZ3sewHOZKrx
+chJAvkVmWwm9nq6S7ZmNCwu/sJGp8L4hFm5tbr9vTT/Py/uAmvdPFcsneKkG1Ryc
+C01f23u3Ej1ynMCfyaoXReDX5LzzEtoj8fgUq1sCgYEA43+mWyWYrkjlJ8r4bLTi
+gsa2RhPP1iRVEUhAs2e/P4q/Mhti4CBwBnVMSnDJ2RmY+AJN7rzVXnxCStT2xkZi
+WrAFt8GXuGsGwwgWcX72iP4stsLpusgwLSjZbz55cb9ZBoKnI5Exsz8alz2l6y4d
+gPLp6git6uUfW1pM1lBN13kCgYEAmDI4yjdY6aflKO5STQoNesRukLpGeM7vCnzM
+OrhxTdAfBO3jYMjRl6YQKBtptoMHxJW4H9q16du8xlKHOK2n9HRDWXuUXUMu9pyx
+Beodmu+qJTUngePxMpUmYt3GrKqki4BQx8Qqfgv3kCjX+TgEAq5KuDSrWGSK3aHN
+iOkMnesCgYEAiSCkkp6fNfWaGkFnNXCI8StHcixvGECsryDa5sHNWgmWmZgh56UY
+ON0yjx4FYdag840FWRJqtASm6xNJintcFMTua7LlnuSQWNDjCLT/XTtqq50+M+PH
+iGP5yGchfsMkIdXdr5JW0Bgn3LgsnDYy9nZTGvRWp0kObMb1trdYOg4=
 -----END RSA PRIVATE KEY-----
diff --git a/conf/config.yaml b/conf/config.yaml
index d640ef79521f..13b78bb296ab 100644
--- a/conf/config.yaml
+++ b/conf/config.yaml
@@ -53,8 +53,8 @@ apisix:
 allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
 - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default.
 # - "::/64"
- # port_admin: 9180 # use a separate port
- # https_admin: true # enable HTTPS when use a separate port for Admin API.
+ port_admin: 9180 # use a separate port
+ https_admin: true # enable HTTPS when use a separate port for Admin API.
 # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.

 # Default token when use API to call for Admin API.
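Review bot: Uncommenting `port_admin: 9180` and `https_admin: true` turns the context comment right below them into the operative description, and that comment is wrong: it names `conf/apisix_admin_api.crt` and `conf/apisix_admin_api.key`, while `bin/apisix` loads `cert/apisix_admin_ssl.crt` and `cert/apisix_admin_ssl.key`. Correct it in the same hunk, e.g. `# Admin API will use conf/cert/apisix_admin_ssl.crt and conf/cert/apisix_admin_ssl.key as certificate.` Making HTTPS the shipped default also means a fresh install serves the Admin API with the committed test key pair, which deserves a one-line note next to these keys telling operators to replace the files. Patch 05 in this series comments the two lines out again, which leaves the comment mismatch in place either way.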
@@ -93,6 +93,7 @@ apisix:
 listen_port: 9443
 ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
 ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+ verify_client: true
 key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd.
 # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
 # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!

From 107444077383d753525aedb36ba6d08e6db346ae Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 16:28:47 +0800
Subject: [PATCH 02/35] test

---
 .travis/linux_openresty_runner.sh | 3 ++
 conf/cert/apisix_admin_client.crt | 69 +++++++++++++++++++++++++++++++
 conf/cert/apisix_admin_client.key | 27 ++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 conf/cert/apisix_admin_client.crt
 create mode 100644 conf/cert/apisix_admin_client.key

diff --git a/.travis/linux_openresty_runner.sh b/.travis/linux_openresty_runner.sh
index d56998342cda..f47b36d6d6c2 100755
--- a/.travis/linux_openresty_runner.sh
+++ b/.travis/linux_openresty_runner.sh
@@ -143,6 +143,9 @@ script() {
 sudo sh ./t/grpc-proxy-test.sh
 sleep 1

+ echo '127.0.0.1 nginx.test.com' > /etc/hosts
+ curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com/apisix/admin/ssls
+
 ./bin/apisix stop
 sleep 1

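Review bot: `verify_client: true` lands in the data-plane `ssl:` section, beside the 9443 listener's protocol and cipher settings, yet per the `bin/apisix` hunk in patch 01 it only affects the separate HTTPS Admin listener; it is also the one key in this block with no comment, so a reader will assume it enables proxy-side mTLS. Either move it next to `https_admin` or document it inline: `verify_client: true   # require a client certificate on the HTTPS Admin API, verified against conf/cert/apisix_admin_ca.crt`. Defaulting it to `true` means a stock install rejects any admin client that lacks a certificate from the committed CA, which should be stated alongside it.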
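Review bot: `echo '127.0.0.1 nginx.test.com' > /etc/hosts` truncates the whole hosts file instead of appending, dropping the `localhost` entries the rest of the job may rely on; append instead, `echo '127.0.0.1 nginx.test.com' | sudo tee -a /etc/hosts`. The `curl` that follows has no `--fail`, so a handshake that succeeds followed by a 401/403 from the Admin API would still leave the step green unless the function runs under `set -e`; `curl --fail --silent --show-error ...` makes the check meaningful. The `script()` function starts before the hunk and continues past it.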
diff --git a/conf/cert/apisix_admin_client.crt b/conf/cert/apisix_admin_client.crt
new file mode 100644
index 000000000000..f7657fd9f793
--- /dev/null
+++ b/conf/cert/apisix_admin_client.crt
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 64207 (0xfacf) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=cn, ST=GuangDong, L=guangzhou, O=IBM, OU=ops, CN=www.test.com + Validity + Not Before: Jun 18 11:49:31 2020 GMT + Not After : Jul 6 11:49:31 2030 GMT + Subject: C=cn, ST=GuangDong, O=IBM, L=guangzhou, CN=client.test.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c7:4a:1d:d9:9b:aa:a4:aa:63:bc:88:4c:0c:97: + b0:a0:a4:4f:6e:55:9b:3a:1c:0e:d7:6a:d7:e8:ca: + 00:15:0f:3c:65:c6:1a:4e:d1:4d:23:6a:6f:23:7b: + 4d:59:66:45:ec:1f:e3:e1:47:60:c4:97:96:71:fc: + cf:36:b0:fa:de:2b:98:4d:b8:dd:92:a9:2d:63:1e: + ba:2b:af:38:2c:41:d9:6c:f9:9d:3e:f5:6d:12:c4: + 54:e2:cf:c2:b0:57:50:a0:d8:61:44:0d:6d:c7:41: + 2b:58:16:4d:3f:d6:6a:c3:1f:a6:23:b5:76:b7:6d: + 4f:19:73:80:1a:f7:3f:2a:8a:be:23:66:e8:af:4b: + dd:1f:b1:6c:c2:ed:92:1c:cb:5d:19:7f:c8:74:18: + c7:e0:02:23:42:d3:4b:a9:a0:ff:89:50:7e:65:7d: + d2:5c:a1:48:f0:a8:8c:b0:fa:13:c5:2b:00:c8:d9: + cd:71:cf:a2:fd:8f:57:5f:07:1c:95:07:e3:53:8d: + 41:c8:4c:fc:e2:eb:e0:aa:eb:00:68:82:56:ca:50: + 21:4e:c6:c9:27:9a:13:04:96:8f:63:44:f2:ee:88: + 46:a2:05:29:07:6a:e6:cf:18:b5:5c:86:62:39:a5: + a9:60:5e:64:2a:50:da:9c:17:0f:68:e6:fd:12:e2: + 85:29 + Exponent: 65537 (0x10001) + Signature Algorithm: sha256WithRSAEncryption + 3b:0a:92:a0:22:83:a4:e2:62:1f:b9:5c:b3:86:82:ad:67:03: + 6f:fb:cc:6b:7b:23:66:c7:16:1d:bb:28:67:0e:0e:73:24:d0: + bb:56:34:26:f9:0e:8d:64:34:dc:78:43:80:5f:1a:70:ca:46: + 8f:cc:ed:1d:51:3b:61:2f:a1:10:9e:d5:a2:e0:43:47:4e:5f: + 2e:93:11:42:5a:a5:dc:29:7d:ab:44:0d:3b:91:ec:e3:3d:2f: + 3f:57:9f:0f:0f:18:60:8b:d6:8a:d1:ce:9e:f2:97:17:7f:6f: + 38:42:87:a5:e0:03:1e:6f:ea:1b:13:4c:00:e8:56:0d:51:7d: + 1a:35:63:0e:6e:e7:f7:47:3c:58:50:b8:c1:5d:64:b6:43:d3: + 71:6a:96:db:d5:ca:7e:ed:74:a0:1a:59:ba:1e:03:96:dc:31: + 98:03:43:58:6d:af:8a:64:da:60:a0:03:44:09:b8:b7:10:9f: + 0c:e1:8d:a9:c5:4b:2b:b3:58:08:3f:20:02:cc:6b:e2:86:8a: + 
05:89:67:0d:66:cb:a5:2c:50:96:5f:1e:55:d5:d4:a8:07:0e: + 27:21:b1:61:ad:b1:6c:57:7a:d1:6c:89:0a:6e:d9:ba:8e:fa: + c2:96:6b:3e:d1:35:63:4b:b8:fb:36:a9:8b:89:06:51:45:17: + c4:0f:19:6b +-----BEGIN CERTIFICATE----- +MIIDOzCCAiMCAwD6zzANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjESMBAG +A1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNVBAoMA0lC +TTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wHhcNMjAwNjE4 +MTE0OTMxWhcNMzAwNzA2MTE0OTMxWjBdMQswCQYDVQQGEwJjbjESMBAGA1UECAwJ +R3VhbmdEb25nMQwwCgYDVQQKDANJQk0xEjAQBgNVBAcMCWd1YW5nemhvdTEYMBYG +A1UEAwwPY2xpZW50LnRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAx0od2ZuqpKpjvIhMDJewoKRPblWbOhwO12rX6MoAFQ88ZcYaTtFNI2pv +I3tNWWZF7B/j4UdgxJeWcfzPNrD63iuYTbjdkqktYx66K684LEHZbPmdPvVtEsRU +4s/CsFdQoNhhRA1tx0ErWBZNP9Zqwx+mI7V2t21PGXOAGvc/Koq+I2bor0vdH7Fs +wu2SHMtdGX/IdBjH4AIjQtNLqaD/iVB+ZX3SXKFI8KiMsPoTxSsAyNnNcc+i/Y9X +XwcclQfjU41ByEz84uvgqusAaIJWylAhTsbJJ5oTBJaPY0Ty7ohGogUpB2rmzxi1 +XIZiOaWpYF5kKlDanBcPaOb9EuKFKQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA7 +CpKgIoOk4mIfuVyzhoKtZwNv+8xreyNmxxYduyhnDg5zJNC7VjQm+Q6NZDTceEOA +XxpwykaPzO0dUTthL6EQntWi4ENHTl8ukxFCWqXcKX2rRA07kezjPS8/V58PDxhg +i9aK0c6e8pcXf284Qoel4AMeb+obE0wA6FYNUX0aNWMObuf3RzxYULjBXWS2Q9Nx +apbb1cp+7XSgGlm6HgOW3DGYA0NYba+KZNpgoANECbi3EJ8M4Y2pxUsrs1gIPyAC +zGvihooFiWcNZsulLFCWXx5V1dSoBw4nIbFhrbFsV3rRbIkKbtm6jvrClms+0TVj +S7j7NqmLiQZRRRfEDxlr +-----END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_client.key b/conf/cert/apisix_admin_client.key new file mode 100644 index 000000000000..cc7af787b2e3 --- /dev/null +++ b/conf/cert/apisix_admin_client.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAx0od2ZuqpKpjvIhMDJewoKRPblWbOhwO12rX6MoAFQ88ZcYa +TtFNI2pvI3tNWWZF7B/j4UdgxJeWcfzPNrD63iuYTbjdkqktYx66K684LEHZbPmd +PvVtEsRU4s/CsFdQoNhhRA1tx0ErWBZNP9Zqwx+mI7V2t21PGXOAGvc/Koq+I2bo +r0vdH7Fswu2SHMtdGX/IdBjH4AIjQtNLqaD/iVB+ZX3SXKFI8KiMsPoTxSsAyNnN +cc+i/Y9XXwcclQfjU41ByEz84uvgqusAaIJWylAhTsbJJ5oTBJaPY0Ty7ohGogUp +B2rmzxi1XIZiOaWpYF5kKlDanBcPaOb9EuKFKQIDAQABAoIBAQCmqTXzYLpBQPlt +lnI66bRdc2u18sOAwiwrPH/Zfuy4r+grmJMxrNmcr4rIGnqiM+Rvxm+VW1LytW6s +XuaPb0ws9jpFbT9nQjHhvbWliMAqSttgxhMZrreLxULT9zlyrWKRUMNu3OgchUSR +Qv1RUKgyC8qt/DiOx0wqFaxhYLmjga8lvnrn+4zMbqol5I5O1Ije/fXpm/H8aI7s +S2oK3XzJF6VxY8irzV3cBEYjt8ehlHX6tztZITe0u2sW78DvzW2T0bHK8kWAvmGq +J89XKAIe4uy9cKYApcXrABRrlEZsGG6lcI2/bh9QF+F0Xt83aWyvwbE2CCBAcIlq +O8BYnjmNAoGBAPKeepXOPZrCZ7I9jN7GKCyTbEX0JRo+thgy3TuP4QP53+WLReY8 +d922rzU0EbV+cF6cL4pbWkCogXDqm5BHMKjNzg65J6XdhpnRsmmf4fQnsT/gDu5/ +viMEk6c1wi50YWKtvurm2s+LmjgN13UxEw13moZo4e1CpAaUM96HTFNXAoGBANJH +3v6ZaSbp1GMmBtEYXFBsfCTTgZjhT0dT1Aws+kqlWWOtpbZiPvtB9e5lhUvL36cY +yNs8s5Z1ytTBQy2BO7xsuTCUoHyv+8D0IMr9rDX3smSRPA22WqXkXAMumvCIHTCr +lZd34JTmx5/basYysAHnKBJtJjyZOjCcEFWgvRt/AoGAMuRBTHklfPf4bm/ww64H +MUp/NLFAsx+ibLMGqv7EMWRRrcGoGOJoNk6is+NHL63k/kN+yWPeK5/s/vWHSh1U +vKPm7Dm0cltkZ5GP/g32hJNq374tA6QyCwBjxHhHUh1BbESLvpRMI6rh344vurpf +h7yl4jnP4kfPRj4CH1R8EyMCgYEAqfYzdF+1ESHQa+8xdVIWU17MHMvjpRj/hixo +aQr1pt3s2VdiaH8SXu1ahT0DN1dqx1mOBz4R/dvpfHtU+/PHv621JWIMMZvghX4M +/2V4CwrQ4t5MxtyMeieQg3Xo/99UkKEvQQVAvbmmwjuMGvSfNHqM9g/I5xQGZ4HM +5hkMoKsCgYEAiLyDZnYqavH89hW5w/XFeFly/u+s25wigZHoXRihupx4P8kik56v +GBeOFisYAtRxZpZvbhloBkivhOUZu/W3Q0wT6krGq3Lp/uUt4XFxe8+LrwAYv/z8 +kYqZdze4NJ2gq6hweKPr5+RzpaU03Z86PQXNGbTZF2GBTnRqNB6V0KE= +-----END RSA PRIVATE KEY----- From 844118cbe2f90f136ed2ce48c67efa01679c192c Mon Sep 17 00:00:00 2001 
From: nic-chen
Date: Sat, 20 Jun 2020 16:48:47 +0800
Subject: [PATCH 03/35] fix: admin port

---
 .travis/linux_openresty_runner.sh | 2 +-
 t/grpc-proxy-test.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis/linux_openresty_runner.sh b/.travis/linux_openresty_runner.sh
index f47b36d6d6c2..e5377364e0cd 100755
--- a/.travis/linux_openresty_runner.sh
+++ b/.travis/linux_openresty_runner.sh
@@ -144,7 +144,7 @@ script() {
 sleep 1

 echo '127.0.0.1 nginx.test.com' > /etc/hosts
- curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com/apisix/admin/ssls
+ curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls

 ./bin/apisix stop
 sleep 1
diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 6f8f2d145ad7..60c9c13d58da 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
@@ -19,7 +19,7 @@ set -ex


 #test grpc proxy
-curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+curl -k http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
 {
 "methods": ["POST"],
 "uri": "/helloworld.Greeter/SayHello",

From 0a972c86bf7d46fdc3d4797ae309d2ef966c0a32 Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 17:07:59 +0800
Subject: [PATCH 04/35] fix: https

---
 t/grpc-proxy-test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 60c9c13d58da..155da9ae04c2 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
@@ -19,7 +19,7 @@ set -ex


 #test grpc proxy
-curl -k http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+curl -k https://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
 {
 "methods": ["POST"],
 "uri": "/helloworld.Greeter/SayHello",

From 408df70fcf8d4188e7d461349e142410020bd944 Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 17:35:05 +0800
Subject: [PATCH 05/35] test

---
 .travis.yml | 2 +
 .travis/linux_openresty_runner.sh | 3 -
 conf/config-for-two-side-ssl-auth.yaml | 174 +++++++++++++++++++++++++
 conf/config.yaml | 5 +-
 t/grpc-proxy-test.sh | 2 +-
 5 files changed, 179 insertions(+), 7 deletions(-)
 create mode 100644 conf/config-for-two-side-ssl-auth.yaml

diff --git a/.travis.yml b/.travis.yml
index d33d27cc2bce..ddedd5e1da8f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,6 +7,8 @@ matrix:
 services:
 - docker
 env: OSNAME=linux_openresty
+ - os: linux
+ env: OSNAME=linux_openresty_two_side_ssl_auth
 - os: osx
 env: OSNAME=osx_openresty
 cache:
diff --git a/.travis/linux_openresty_runner.sh b/.travis/linux_openresty_runner.sh
index e5377364e0cd..d56998342cda 100755
--- a/.travis/linux_openresty_runner.sh
+++ b/.travis/linux_openresty_runner.sh
@@ -143,9 +143,6 @@ script() {
 sudo sh ./t/grpc-proxy-test.sh
 sleep 1

- echo '127.0.0.1 nginx.test.com' > /etc/hosts
- curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls
-
 ./bin/apisix stop
 sleep 1

diff --git a/conf/config-for-two-side-ssl-auth.yaml b/conf/config-for-two-side-ssl-auth.yaml
new file mode 100644
index 000000000000..13b78bb296ab
--- /dev/null
+++ b/conf/config-for-two-side-ssl-auth.yaml
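Review bot: Switching the scheme to `https://127.0.0.1:9180` while keeping `-k` turns off server verification for the Admin API call, and with `verify_client: true` from patch 01 the listener demands a client certificate that this `curl` never presents, so nginx rejects the request with a 400 before the `X-API-KEY` header is even considered. Use the CA and client pair the series already ships — `curl --cacert ./conf/cert/apisix_admin_ca.crt --cert ./conf/cert/apisix_admin_client.crt --key ./conf/cert/apisix_admin_client.key https://nginx.test.com:9180/apisix/admin/routes/1 ...` — addressed by the name in the certificate's CN rather than by 127.0.0.1, as the Travis runner does. Patch 05 later reverts this call to plain HTTP on 9080, which sidesteps the problem instead of exercising the new path.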
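Review bot: The new `linux_openresty_two_side_ssl_auth` matrix entry does not carry the `services: - docker` line its `linux_openresty` sibling has directly above it; if the new runner needs Docker the way the sibling job does (it looks like the same job with a different config, but that is inferred), the build will fail early, so add `services: - docker` under the new entry. At this commit no `.travis/linux_openresty_two_side_ssl_auth_runner.sh` exists yet — it is only created in patch 07 of the series — so the entry points at a missing script for the intermediate commits.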
@@ -0,0 +1,174 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apisix: + node_listen: 9080 # APISIX listening port + enable_heartbeat: true + enable_admin: true + enable_admin_cors: true # Admin API support CORS response headers. + enable_debug: false + enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true + enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. + enable_ipv6: true + config_center: etcd # etcd: use etcd to store the config value + # yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml` + + #proxy_protocol: # Proxy Protocol configuration + # listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and port_admin. + # This port can only receive http request with proxy protocol, but node_listen & port_admin + # can only receive http request. 
If you enable proxy protocol, you must use this port to + # receive http request with proxy protocol + # listen_https_port: 9182 # The port with proxy protocol for https + # enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option + # enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server + + proxy_cache: # Proxy Caching configuration + cache_ttl: 10s # The default caching time if the upstream does not specify the cache time + zones: # The parameters of a cache + - name: disk_cache_one # The name of the cache, administrator can be specify + # which cache to use by name in the admin api + memory_size: 50m # The size of shared memory, it's used to store the cache index + disk_size: 1G # The size of disk, it's used to store the cache data + disk_path: "/tmp/disk_cache_one" # The path to store the cache data + cache_levels: "1:2" # The hierarchy levels of a cache + # - name: disk_cache_two + # memory_size: 50m + # disk_size: 1G + # disk_path: "/tmp/disk_cache_two" + # cache_levels: "1:2" + + allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow + - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. + # - "::/64" + port_admin: 9180 # use a separate port + https_admin: true # enable HTTPS when use a separate port for Admin API. + # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. + + # Default token when use API to call for Admin API. + # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. + # Disabling this configuration item means that the Admin API does not + # require any authentication. 
+ admin_key: + - + name: "admin" + key: edd1c9f034335f136f87ad84b625c8f1 + role: admin # admin: manage all configuration data + # viewer: only can view configuration data + - + name: "viewer" + key: 4054f7cf07e344346cd3f287985e76a2 + role: viewer + router: + http: 'radixtree_uri' # radixtree_uri: match route by uri(base on radixtree) + # radixtree_host_uri: match route by host + uri(base on radixtree) + ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base on radixtree) + # stream_proxy: # TCP/UDP proxy + # tcp: # TCP proxy port list + # - 9100 + # - 9101 + # udp: # UDP proxy port list + # - 9200 + # - 9211 + # dns_resolver: # If not set, read from `/etc/resolv.conf` + # - 1.1.1.1 + # - 8.8.8.8 + dns_resolver_valid: 30 # valid time for dns result 30 seconds + resolver_timeout: 5 # resolver timeout + ssl: + enable: true + enable_http2: true + listen_port: 9443 + ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" + ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" + verify_client: true + key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. + # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC + # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! 
+# discovery: eureka # service discovery center +nginx_config: # config for render the template to genarate nginx.conf + error_log: "logs/error.log" + error_log_level: "warn" # warn,error + worker_rlimit_nofile: 20480 # the number of files a worker process can open, should be larger than worker_connections + event: + worker_connections: 10620 + http: + access_log: "logs/access.log" + keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side. + client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client + client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client + send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed + underscores_in_headers: "on" # default enables the use of underscores in client request header fields + real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header + real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from + - 127.0.0.1 + - 'unix:' + #lua_shared_dicts: # add custom shared cache to nginx.conf + # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` + +etcd: + host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. + - "http://127.0.0.1:2379" # multiple etcd address + prefix: "/apisix" # apisix configurations prefix + timeout: 3 # 3 seconds + +#eureka: +# host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. 
+# - "http://127.0.0.1:8761" +# prefix: "/eureka/" +# fetch_interval: 30 # default 30s +# weight: 100 # default weight for node +# timeout: +# connect: 2000 # default 2000ms +# send: 2000 # default 2000ms +# read: 5000 # default 5000ms + +plugins: # plugin list + - example-plugin + - limit-req + - limit-count + - limit-conn + - key-auth + - basic-auth + - prometheus + - node-status + - jwt-auth + - zipkin + - ip-restriction + - grpc-transcode + - serverless-pre-function + - serverless-post-function + - openid-connect + - proxy-rewrite + - redirect + - response-rewrite + - fault-injection + - udp-logger + - wolf-rbac + - proxy-cache + - tcp-logger + - proxy-mirror + - kafka-logger + - cors + - consumer-restriction + - syslog + - batch-requests + - http-logger + - skywalking + - echo + - authz-keycloak + +stream_plugins: + - mqtt-proxy diff --git a/conf/config.yaml b/conf/config.yaml index 13b78bb296ab..d640ef79521f 100644 --- a/conf/config.yaml +++ b/conf/config.yaml @@ -53,8 +53,8 @@ apisix: allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. # - "::/64" - port_admin: 9180 # use a separate port - https_admin: true # enable HTTPS when use a separate port for Admin API. + # port_admin: 9180 # use a separate port + # https_admin: true # enable HTTPS when use a separate port for Admin API. # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. # Default token when use API to call for Admin API. 
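Review bot: `conf/config-for-two-side-ssl-auth.yaml` is a byte-for-byte copy of the post-patch-01 `conf/config.yaml` (both carry blob id `13b78bb296ab`), differing from the shipped defaults only in `port_admin`, `https_admin` and `verify_client`, so every future change to the defaults has to be mirrored here or the mTLS CI job silently tests stale settings. A minimal fixture that overrides just those three keys, or a test step that patches them into the real `config.yaml`, keeps the job honest. Because it copies the defaults it also repeats the well-known `admin_key` values and `key_encrypt_salt`; that is acceptable for CI, but the file name reads like an operator template, so a header comment such as `# CI-only fixture for the Admin API client-certificate job; do not deploy as-is` would prevent it being used as one.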
@@ -93,7 +93,6 @@ apisix:
 listen_port: 9443
 ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
 ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
- verify_client: true
 key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd.
 # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
 # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 155da9ae04c2..727d61449b78 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
@@ -19,7 +19,7 @@ set -ex
 #test grpc proxy
-curl -k https://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+curl -k http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
 {
 "methods": ["POST"],
 "uri": "/helloworld.Greeter/SayHello",
From ba41a014bec0d5e2b377826737e87ab3603e76ee Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 17:38:20 +0800
Subject: [PATCH 06/35] test
---
 t/grpc-proxy-test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 727d61449b78..6f8f2d145ad7 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
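Review bot: Removing `verify_client: true` from the default `ssl:` block leaves the new Admin API mutual-TLS switch with no mention at all in the shipped config, so an operator cannot discover it or learn what it requires. Keep it as a commented, documented line instead, e.g. `# verify_client: false   # set true to require a client certificate on the HTTPS Admin API (needs https_admin); clients must be issued by the CA file that bin/apisix passes to ssl_client_certificate`. Since the point of client-certificate auth is hardening the Admin endpoint, it is also worth noting that the surrounding context still offers `TLSv1 TLSv1.1` and `DES-CBC3-SHA` in the defaults the Admin listener renders via `{* ssl.ssl_protocols *}`/`{* ssl.ssl_ciphers *}`; that is pre-existing, but a comment recommending `TLSv1.2 TLSv1.3` for the Admin port would fit here.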
@@ -19,7 +19,7 @@ set -ex
 #test grpc proxy
-curl -k http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
 {
 "methods": ["POST"],
 "uri": "/helloworld.Greeter/SayHello",
From 32067b5b2e3398f38840b4908f8478a3a018e4ea Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 17:45:36 +0800
Subject: [PATCH 07/35] test
---
 ...inux_openresty_two_side_ssl_auth_runner.sh | 138 ++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 .travis/linux_openresty_two_side_ssl_auth_runner.sh
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
new file mode 100644
index 000000000000..ba0965af8bd4
--- /dev/null
+++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -ex
+
+export_or_prefix() {
+ export OPENRESTY_PREFIX="/usr/local/openresty-debug"
+}
+
+create_lua_deps() {
+ echo "Create lua deps cache"
+
+ make deps
+ luarocks install luacov-coveralls --tree=deps --local > build.log 2>&1 || (cat build.log && exit 1)
+
+ sudo rm -rf build-cache/deps
+ sudo cp -r deps build-cache/
+ sudo cp rockspec/apisix-master-0.rockspec build-cache/
+}
+
+before_install() {
+ sudo cpanm --notest Test::Nginx >build.log 2>&1 || (cat build.log && exit 1)
+}
+
+do_install() {
+ export_or_prefix
+
+ wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+ sudo apt-get -y update --fix-missing
+ sudo apt-get -y install software-properties-common
+ sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"
+ sudo add-apt-repository -y ppa:longsleep/golang-backports
+
+ sudo apt-get update
+ sudo apt-get install openresty-debug lua5.1 liblua5.1-0-dev
+
+ wget https://github.com/luarocks/luarocks/archive/v2.4.4.tar.gz
+ tar -xf v2.4.4.tar.gz
+ cd luarocks-2.4.4
+ ./configure --prefix=/usr > build.log 2>&1 || (cat build.log && exit 1)
+ make build > build.log 2>&1 || (cat build.log && exit 1)
+ sudo make install > build.log 2>&1 || (cat build.log && exit 1)
+ cd ..
+ rm -rf luarocks-2.4.4
+
+ sudo luarocks install luacheck > build.log 2>&1 || (cat build.log && exit 1)
+
+
+ if [ ! -f "build-cache/apisix-master-0.rockspec" ]; then
+ create_lua_deps
+
+ else
+ src=`md5sum rockspec/apisix-master-0.rockspec | awk '{print $1}'`
+ src_cp=`md5sum build-cache/apisix-master-0.rockspec | awk '{print $1}'`
+ if [ "$src" = "$src_cp" ]; then
+ echo "Use lua deps cache"
+ sudo cp -r build-cache/deps ./
+ else
+ create_lua_deps
+ fi
+ fi
+
+ # sudo apt-get install tree -y
+ # tree deps
+
+ git clone https://github.com/iresty/test-nginx.git test-nginx
+ make utils
+
+ git clone https://github.com/apache/openwhisk-utilities.git .travis/openwhisk-utilities
+ cp .travis/ASF* .travis/openwhisk-utilities/scancode/
+
+ ls -l ./
+}
+
+script() {
+ export_or_prefix
+ export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
+ openresty -V
+ sudo service etcd start
+
+ mv ./conf/config-for-two-side-ssl-auth.yaml ./conf/config.yaml
+
+ ./bin/apisix help
+ ./bin/apisix init
+ ./bin/apisix init_etcd
+ ./bin/apisix start
+
+ sleep 1
+ cat logs/error.log
+
+
+ echo '127.0.0.1 nginx.test.com' > /etc/hosts
+ curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls
+
+ ./bin/apisix stop
+ sleep 1
+
+
+ make lint && make license-check || exit 1
+}
+
+after_success() {
+ cat luacov.stats.out
+ luacov-coveralls
+}
+
+case_opt=$1
+shift
+
+case ${case_opt} in
+before_install)
+ before_install "$@"
+ ;;
+do_install)
+ do_install "$@"
+ ;;
+script)
+ script "$@"
+ ;;
+after_success)
+ after_success "$@"
+ ;;
+esac
From 717f2267e097e8816090ca8a753f01e9e12d03d0 Mon Sep 17 00:00:00 2001
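Review bot: The mutual-TLS check in `script()` asserts nothing: `curl` exits 0 on any HTTP status, so a 400 from a handshake without a client certificate, or a 401 from the missing admin key, passes CI exactly like a 200, and no request shows that a client *without* a certificate is refused. Make the positive call fail on non-2xx, `curl -fsS --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls`, and add the negative case as `if curl -fsS --cacert ./conf/cert/apisix_admin_ca.crt https://nginx.test.com:9180/apisix/admin/ssls; then echo "unauthenticated client accepted"; exit 1; fi` (a plain `! curl …` would not trip `set -e`, which ignores inverted commands). `echo '127.0.0.1 nginx.test.com' > /etc/hosts` also truncates the whole hosts file instead of appending and performs the redirection without root; `echo '127.0.0.1 nginx.test.com' | sudo tee -a /etc/hosts` is what is intended. Finally, the luarocks tarball is downloaded with no checksum or signature check, unlike the GPG-keyed OpenResty repository a few lines above it; a pinned `sha256sum -c` would close that gap.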
From: nic-chen
Date: Sat, 20 Jun 2020 17:50:57 +0800
Subject: [PATCH 08/35] test
---
 .travis/linux_openresty_two_side_ssl_auth_runner.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 .travis/linux_openresty_two_side_ssl_auth_runner.sh
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
old mode 100644
new mode 100755
From b9d2af936760818266791f8c6a6183303b9dce3e Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 17:53:22 +0800
Subject: [PATCH 09/35] fix lint error
---
 .travis/linux_openresty_two_side_ssl_auth_runner.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
index ba0965af8bd4..de4b5e58bc22 100755
--- a/.travis/linux_openresty_two_side_ssl_auth_runner.sh
+++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
@@ -109,7 +109,6 @@ script() {
 ./bin/apisix stop
 sleep 1
-
 make lint && make license-check || exit 1
 }
From 73b311dee7f709362ffffd34478c9779a3e3ce79 Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 17:58:17 +0800
Subject: [PATCH 10/35] test
---
 .travis/linux_openresty_two_side_ssl_auth_runner.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
index de4b5e58bc22..0511daf5cba7 100755
--- a/.travis/linux_openresty_two_side_ssl_auth_runner.sh
+++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
@@ -104,7 +104,7 @@ script() {
 cat logs/error.log
- echo '127.0.0.1 nginx.test.com' > /etc/hosts
+ sudo echo '127.0.0.1 nginx.test.com' > /etc/hosts
 curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls
 ./bin/apisix stop
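Review bot: `sudo echo '127.0.0.1 nginx.test.com' > /etc/hosts` does not gain the privilege it needs: only `echo` runs as root, while the `>` redirection is opened by the unprivileged shell, so unless the CI job already runs as root it fails with "Permission denied" and `set -ex` aborts the script before the curl runs. Even where it succeeds it truncates the file instead of appending, dropping the existing `localhost` entries. Use `echo '127.0.0.1 nginx.test.com' | sudo tee -a /etc/hosts`, or provision the name through the CI host configuration rather than from the script. `script()` begins outside the hunk.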
From 22cbe7dadf52e606dd0723df074051fe8c661730 Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 20:02:13 +0800
Subject: [PATCH 11/35] test
---
 .travis.yml | 2 ++
 .travis/linux_openresty_two_side_ssl_auth_runner.sh | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index ddedd5e1da8f..1bd8e62ff455 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -42,6 +42,8 @@ addons:
 - etcd
 homebrew:
 update: true
+ hosts:
+ - nginx.test.com
 cache:
 directories:
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
index 0511daf5cba7..9401f1a5766e 100755
--- a/.travis/linux_openresty_two_side_ssl_auth_runner.sh
+++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
@@ -93,7 +93,7 @@ script() {
 openresty -V
 sudo service etcd start
- mv ./conf/config-for-two-side-ssl-auth.yaml ./conf/config.yaml
+ mv -f ./conf/config-for-two-side-ssl-auth.yaml ./conf/config.yaml
 ./bin/apisix help
 ./bin/apisix init
@@ -104,7 +104,6 @@ script() {
 cat logs/error.log
- sudo echo '127.0.0.1 nginx.test.com' > /etc/hosts
 curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls
 ./bin/apisix stop
From ac1c52e16f9f7709bb59dfe9de013fd00700a3cd Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 20:18:35 +0800
Subject: [PATCH 12/35] test
---
 .travis/linux_openresty_two_side_ssl_auth_runner.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
index 9401f1a5766e..ab7a99374319 100755
--- a/.travis/linux_openresty_two_side_ssl_auth_runner.sh
+++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
@@ -104,7 +104,7 @@ script() {
 cat logs/error.log
- curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt https://nginx.test.com:9180/apisix/admin/ssls
+ curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://nginx.test.com:9180/apisix/admin/routes
 ./bin/apisix stop
 sleep 1
From c67ec407706420debd295f7514b3b536db15dfa5 Mon Sep 17 00:00:00 2001
From: nic-chen
Date: Sat, 20 Jun 2020 21:59:43 +0800
Subject: [PATCH 13/35] new cert
---
 ...inux_openresty_two_side_ssl_auth_runner.sh | 2 +-
 bin/apisix | 9 +-
 conf/cert/apisix_admin_ca.crt | 20 ----
 conf/cert/apisix_admin_client.crt | 69 -------------
 conf/cert/apisix_admin_client.key | 27 -----
 conf/cert/apisix_admin_ssl.crt | 98 ++++++-------------
 conf/cert/apisix_admin_ssl.key | 74 +++++++++-----
 conf/cert/two_side_ca.crt | 20 ++++
 conf/cert/two_side_client.crt | 69 +++++++++++++
 conf/cert/two_side_client.key | 27 +++++
 conf/cert/two_side_server.crt | 69 +++++++++++++
 conf/cert/two_side_server.key | 27 +++++
 12 files changed, 301 insertions(+), 210 deletions(-)
 delete mode 100644 conf/cert/apisix_admin_ca.crt
 delete mode 100644 conf/cert/apisix_admin_client.crt
 delete mode 100644 conf/cert/apisix_admin_client.key
 create mode 100644 conf/cert/two_side_ca.crt
 create mode 100644 conf/cert/two_side_client.crt
 create mode 100644 conf/cert/two_side_client.key
 create mode 100644 conf/cert/two_side_server.crt
 create mode 100644 conf/cert/two_side_server.key
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
index ab7a99374319..aab9502b6a16 100755
--- a/.travis/linux_openresty_two_side_ssl_auth_runner.sh
+++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh
@@ -104,7 +104,7 @@ script() {
 cat logs/error.log
- curl --cacert ./conf/cert/apisix_admin_ca.crt --key ./conf/cert/apisix_admin_client.key --cert ./conf/cert/apisix_admin_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://nginx.test.com:9180/apisix/admin/routes
+ curl --cacert ./conf/cert/two_side_ca.crt --key ./conf/cert/two_side_client.key --cert ./conf/cert/two_side_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://nginx.test.com:9180/apisix/admin/routes
 ./bin/apisix stop
 sleep 1
diff --git a/bin/apisix b/bin/apisix
index 8230d600d2b4..662950084705 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -290,8 +290,15 @@ http {
 server {
 {%if https_admin then%}
 listen {* port_admin *} ssl;
+
+ {%if ssl.verify_client then%}
+ ssl_certificate cert/two_side_server.crt;
+ ssl_certificate_key cert/two_side_server.key;
+ {% else %}
 ssl_certificate cert/apisix_admin_ssl.crt;
 ssl_certificate_key cert/apisix_admin_ssl.key;
+ {%end%}
+
 ssl_session_cache shared:SSL:1m;
 ssl_protocols {* ssl.ssl_protocols *};
@@ -299,7 +306,7 @@ http {
 ssl_prefer_server_ciphers on;
 {%if ssl.verify_client then%}
- ssl_client_certificate cert/apisix_admin_ca.crt;
+ ssl_client_certificate cert/two_side_ca.crt;
 ssl_verify_client on;
 {%end%}
diff --git a/conf/cert/apisix_admin_ca.crt b/conf/cert/apisix_admin_ca.crt
deleted file mode 100644
index e4b06a5c26e6..000000000000
--- a/conf/cert/apisix_admin_ca.crt
+++ /dev/null
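Review bot: `ssl_verify_client on` now trusts `cert/two_side_ca.crt`, a CA whose matching client certificate and private key (`conf/cert/two_side_client.crt` and `.key`, created by this same patch according to its diffstat) ship in the repository, so any deployment that enables `verify_client` with the bundled files accepts a credential every reader of the repo already holds — fine as a CI fixture, not as authentication. The three paths (`two_side_server.crt`, `two_side_server.key`, `two_side_ca.crt`) are also hard-coded in the template, so an operator cannot point the Admin listener at their own CA or server certificate without editing `bin/apisix`. Take them from the `ssl` config block with the bundled files as fallbacks, e.g. `ssl_client_certificate {* ssl.admin_client_ca or "cert/two_side_ca.crt" *};` (assuming the template engine evaluates a Lua expression inside `{* *}`, as the existing `{* ssl.ssl_protocols *}` suggests) and the same pattern for `ssl_certificate`/`ssl_certificate_key`, plus a template comment such as `# the bundled two_side_* files are test fixtures; replace them before enabling verify_client outside CI`. Switching the server certificate to a different fixture only when `verify_client` is set also means enabling mTLS silently changes the Admin endpoint's identity, which deserves a note in the template. The `server {` block starts before and continues after both hunks.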
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDTDCCAjQCCQD2CWWIQjyiuzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJj -bjESMBAGA1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNV -BAoMA0lCTTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wHhcN -MjAwNjE4MDk1OTM4WhcNMzAwNjE2MDk1OTM4WjBoMQswCQYDVQQGEwJjbjESMBAG -A1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNVBAoMA0lC -TTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyOfhOm4HlKT2kG0uZnehM8sENxL5t6+/k -cFiyhAd3lyU90tZ2GfEfuosQDN6+ZbIeL6qwDo/eszFzPKB+kvLe/bYHexo3LJkT -JRwTjL0y4Dtd6ZK88S2cm14PDo89QU7WiAMHeeUe6nu2puelpucZhpoaCUuBeV25 -96fBi9o0AqJrSMn8QioY1P65B4HMm+FR9la01Hu6H4euS0A5H4OPWRD1t9/g7d8x -7Dp20pDXn2/k6t7ZQ53QqClxSjEzNYE6gIuXeLiW5sw+FzrNKa17j+Xi4stHvXHD -KR2PyC/1kGp4+QJzHiAv5Qly3gCS7YuOZzUH4LwW0NhOnf1KATxnAgMBAAEwDQYJ -KoZIhvcNAQEFBQADggEBALA4Kb18PGwfMESKzZwsE6gMB9psGHDfjybk3iEOeY/A -VL3Y40oMcPWFw9Ag9sPWaE5uVjq5GcuqOcAzZlyKzYvI/oqGwTCKIMfEuj2j/cK4 -I77ppUtzQ7RPeF+BnafDJsGkILZtibRcKQ6OXn+65xZkNNMGHecSIBwe3O68GlcV -RRw+vaof67AbQZy0yBrLn+9rc64nDKvreDBGPN0okXM3xQDo2reRHG14ppTRzBGb -S77dWgqFfPCgUsc6N0xlMaTKS40hwBqQDJjrq25HCEN6G0L6+sn4kSgm67f/FRLt -TGyEQxrfvkfrPGTtNk+WnAdJ4999O/uvPbKKF1shN3I= ------END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_client.crt b/conf/cert/apisix_admin_client.crt deleted file mode 100644 index f7657fd9f793..000000000000 --- a/conf/cert/apisix_admin_client.crt +++ /dev/null 
@@ -1,69 +0,0 @@ -Certificate: - Data: - Version: 1 (0x0) - Serial Number: 64207 (0xfacf) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=cn, ST=GuangDong, L=guangzhou, O=IBM, OU=ops, CN=www.test.com - Validity - Not Before: Jun 18 11:49:31 2020 GMT - Not After : Jul 6 11:49:31 2030 GMT - Subject: C=cn, ST=GuangDong, O=IBM, L=guangzhou, CN=client.test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c7:4a:1d:d9:9b:aa:a4:aa:63:bc:88:4c:0c:97: - b0:a0:a4:4f:6e:55:9b:3a:1c:0e:d7:6a:d7:e8:ca: - 00:15:0f:3c:65:c6:1a:4e:d1:4d:23:6a:6f:23:7b: - 4d:59:66:45:ec:1f:e3:e1:47:60:c4:97:96:71:fc: - cf:36:b0:fa:de:2b:98:4d:b8:dd:92:a9:2d:63:1e: - ba:2b:af:38:2c:41:d9:6c:f9:9d:3e:f5:6d:12:c4: - 54:e2:cf:c2:b0:57:50:a0:d8:61:44:0d:6d:c7:41: - 2b:58:16:4d:3f:d6:6a:c3:1f:a6:23:b5:76:b7:6d: - 4f:19:73:80:1a:f7:3f:2a:8a:be:23:66:e8:af:4b: - dd:1f:b1:6c:c2:ed:92:1c:cb:5d:19:7f:c8:74:18: - c7:e0:02:23:42:d3:4b:a9:a0:ff:89:50:7e:65:7d: - d2:5c:a1:48:f0:a8:8c:b0:fa:13:c5:2b:00:c8:d9: - cd:71:cf:a2:fd:8f:57:5f:07:1c:95:07:e3:53:8d: - 41:c8:4c:fc:e2:eb:e0:aa:eb:00:68:82:56:ca:50: - 21:4e:c6:c9:27:9a:13:04:96:8f:63:44:f2:ee:88: - 46:a2:05:29:07:6a:e6:cf:18:b5:5c:86:62:39:a5: - a9:60:5e:64:2a:50:da:9c:17:0f:68:e6:fd:12:e2: - 85:29 - Exponent: 65537 (0x10001) - Signature Algorithm: sha256WithRSAEncryption - 3b:0a:92:a0:22:83:a4:e2:62:1f:b9:5c:b3:86:82:ad:67:03: - 6f:fb:cc:6b:7b:23:66:c7:16:1d:bb:28:67:0e:0e:73:24:d0: - bb:56:34:26:f9:0e:8d:64:34:dc:78:43:80:5f:1a:70:ca:46: - 8f:cc:ed:1d:51:3b:61:2f:a1:10:9e:d5:a2:e0:43:47:4e:5f: - 2e:93:11:42:5a:a5:dc:29:7d:ab:44:0d:3b:91:ec:e3:3d:2f: - 3f:57:9f:0f:0f:18:60:8b:d6:8a:d1:ce:9e:f2:97:17:7f:6f: - 38:42:87:a5:e0:03:1e:6f:ea:1b:13:4c:00:e8:56:0d:51:7d: - 1a:35:63:0e:6e:e7:f7:47:3c:58:50:b8:c1:5d:64:b6:43:d3: - 71:6a:96:db:d5:ca:7e:ed:74:a0:1a:59:ba:1e:03:96:dc:31: - 98:03:43:58:6d:af:8a:64:da:60:a0:03:44:09:b8:b7:10:9f: - 0c:e1:8d:a9:c5:4b:2b:b3:58:08:3f:20:02:cc:6b:e2:86:8a: - 
05:89:67:0d:66:cb:a5:2c:50:96:5f:1e:55:d5:d4:a8:07:0e: - 27:21:b1:61:ad:b1:6c:57:7a:d1:6c:89:0a:6e:d9:ba:8e:fa: - c2:96:6b:3e:d1:35:63:4b:b8:fb:36:a9:8b:89:06:51:45:17: - c4:0f:19:6b ------BEGIN CERTIFICATE----- -MIIDOzCCAiMCAwD6zzANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjESMBAG -A1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNVBAoMA0lC -TTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wHhcNMjAwNjE4 -MTE0OTMxWhcNMzAwNzA2MTE0OTMxWjBdMQswCQYDVQQGEwJjbjESMBAGA1UECAwJ -R3VhbmdEb25nMQwwCgYDVQQKDANJQk0xEjAQBgNVBAcMCWd1YW5nemhvdTEYMBYG -A1UEAwwPY2xpZW50LnRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAx0od2ZuqpKpjvIhMDJewoKRPblWbOhwO12rX6MoAFQ88ZcYaTtFNI2pv -I3tNWWZF7B/j4UdgxJeWcfzPNrD63iuYTbjdkqktYx66K684LEHZbPmdPvVtEsRU -4s/CsFdQoNhhRA1tx0ErWBZNP9Zqwx+mI7V2t21PGXOAGvc/Koq+I2bor0vdH7Fs -wu2SHMtdGX/IdBjH4AIjQtNLqaD/iVB+ZX3SXKFI8KiMsPoTxSsAyNnNcc+i/Y9X -XwcclQfjU41ByEz84uvgqusAaIJWylAhTsbJJ5oTBJaPY0Ty7ohGogUpB2rmzxi1 -XIZiOaWpYF5kKlDanBcPaOb9EuKFKQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA7 -CpKgIoOk4mIfuVyzhoKtZwNv+8xreyNmxxYduyhnDg5zJNC7VjQm+Q6NZDTceEOA -XxpwykaPzO0dUTthL6EQntWi4ENHTl8ukxFCWqXcKX2rRA07kezjPS8/V58PDxhg -i9aK0c6e8pcXf284Qoel4AMeb+obE0wA6FYNUX0aNWMObuf3RzxYULjBXWS2Q9Nx -apbb1cp+7XSgGlm6HgOW3DGYA0NYba+KZNpgoANECbi3EJ8M4Y2pxUsrs1gIPyAC -zGvihooFiWcNZsulLFCWXx5V1dSoBw4nIbFhrbFsV3rRbIkKbtm6jvrClms+0TVj -S7j7NqmLiQZRRRfEDxlr ------END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_client.key b/conf/cert/apisix_admin_client.key deleted file mode 100644 index cc7af787b2e3..000000000000 --- a/conf/cert/apisix_admin_client.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAx0od2ZuqpKpjvIhMDJewoKRPblWbOhwO12rX6MoAFQ88ZcYa -TtFNI2pvI3tNWWZF7B/j4UdgxJeWcfzPNrD63iuYTbjdkqktYx66K684LEHZbPmd -PvVtEsRU4s/CsFdQoNhhRA1tx0ErWBZNP9Zqwx+mI7V2t21PGXOAGvc/Koq+I2bo -r0vdH7Fswu2SHMtdGX/IdBjH4AIjQtNLqaD/iVB+ZX3SXKFI8KiMsPoTxSsAyNnN -cc+i/Y9XXwcclQfjU41ByEz84uvgqusAaIJWylAhTsbJJ5oTBJaPY0Ty7ohGogUp -B2rmzxi1XIZiOaWpYF5kKlDanBcPaOb9EuKFKQIDAQABAoIBAQCmqTXzYLpBQPlt -lnI66bRdc2u18sOAwiwrPH/Zfuy4r+grmJMxrNmcr4rIGnqiM+Rvxm+VW1LytW6s -XuaPb0ws9jpFbT9nQjHhvbWliMAqSttgxhMZrreLxULT9zlyrWKRUMNu3OgchUSR -Qv1RUKgyC8qt/DiOx0wqFaxhYLmjga8lvnrn+4zMbqol5I5O1Ije/fXpm/H8aI7s -S2oK3XzJF6VxY8irzV3cBEYjt8ehlHX6tztZITe0u2sW78DvzW2T0bHK8kWAvmGq -J89XKAIe4uy9cKYApcXrABRrlEZsGG6lcI2/bh9QF+F0Xt83aWyvwbE2CCBAcIlq -O8BYnjmNAoGBAPKeepXOPZrCZ7I9jN7GKCyTbEX0JRo+thgy3TuP4QP53+WLReY8 -d922rzU0EbV+cF6cL4pbWkCogXDqm5BHMKjNzg65J6XdhpnRsmmf4fQnsT/gDu5/ -viMEk6c1wi50YWKtvurm2s+LmjgN13UxEw13moZo4e1CpAaUM96HTFNXAoGBANJH -3v6ZaSbp1GMmBtEYXFBsfCTTgZjhT0dT1Aws+kqlWWOtpbZiPvtB9e5lhUvL36cY -yNs8s5Z1ytTBQy2BO7xsuTCUoHyv+8D0IMr9rDX3smSRPA22WqXkXAMumvCIHTCr -lZd34JTmx5/basYysAHnKBJtJjyZOjCcEFWgvRt/AoGAMuRBTHklfPf4bm/ww64H -MUp/NLFAsx+ibLMGqv7EMWRRrcGoGOJoNk6is+NHL63k/kN+yWPeK5/s/vWHSh1U -vKPm7Dm0cltkZ5GP/g32hJNq374tA6QyCwBjxHhHUh1BbESLvpRMI6rh344vurpf -h7yl4jnP4kfPRj4CH1R8EyMCgYEAqfYzdF+1ESHQa+8xdVIWU17MHMvjpRj/hixo -aQr1pt3s2VdiaH8SXu1ahT0DN1dqx1mOBz4R/dvpfHtU+/PHv621JWIMMZvghX4M -/2V4CwrQ4t5MxtyMeieQg3Xo/99UkKEvQQVAvbmmwjuMGvSfNHqM9g/I5xQGZ4HM -5hkMoKsCgYEAiLyDZnYqavH89hW5w/XFeFly/u+s25wigZHoXRihupx4P8kik56v -GBeOFisYAtRxZpZvbhloBkivhOUZu/W3Q0wT6krGq3Lp/uUt4XFxe8+LrwAYv/z8 -kYqZdze4NJ2gq6hweKPr5+RzpaU03Z86PQXNGbTZF2GBTnRqNB6V0KE= ------END RSA PRIVATE KEY----- diff --git a/conf/cert/apisix_admin_ssl.crt b/conf/cert/apisix_admin_ssl.crt index ca149e3b1135..82d7fc3aa31a 100644 --- a/conf/cert/apisix_admin_ssl.crt +++ b/conf/cert/apisix_admin_ssl.crt 
@@ -1,69 +1,33 @@ -Certificate: - Data: - Version: 1 (0x0) - Serial Number: 64206 (0xface) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=cn, ST=GuangDong, L=guangzhou, O=IBM, OU=ops, CN=www.test.com - Validity - Not Before: Jun 18 11:48:02 2020 GMT - Not After : Jun 16 11:48:02 2030 GMT - Subject: C=cn, ST=GuangDong, O=IBM, L=guangzhou, CN=nginx.test.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c9:5c:1e:9c:9b:94:19:42:dd:95:ab:2c:fc:78: - 1f:2e:57:ec:02:e3:1a:9c:0c:35:a9:de:3e:90:9f: - 35:86:65:b2:75:a3:b9:c7:d0:55:c1:d7:79:a3:81: - 60:cb:ad:31:9a:27:3a:47:9f:f8:2c:a4:d7:4d:12: - a0:96:2d:16:1e:47:59:26:a3:85:41:9f:e1:d7:08: - 7c:73:d8:a6:b5:14:63:db:6e:9b:d3:ae:19:f3:4c: - 09:34:20:04:25:d3:ae:40:c2:1e:62:c6:f1:c8:46: - 9a:b1:4e:12:af:6a:de:b5:de:e3:64:b8:ed:75:df: - 2e:65:2a:1a:3c:05:b3:ae:c7:d5:29:16:51:62:65: - b2:4c:a5:32:18:f9:02:7d:e5:0e:9f:d4:12:d3:35: - 6a:49:ce:b4:34:52:16:26:68:dd:55:9f:b8:ae:cb: - fc:a5:db:12:eb:11:2d:6c:8f:5f:f2:2a:72:7c:31: - c3:bc:6c:f3:13:5f:ca:d1:0a:0a:d0:66:9f:24:1c: - 7d:ed:4b:5b:df:af:30:34:a2:23:59:71:83:06:d5: - 51:71:9f:62:31:94:a8:fc:72:d3:07:ff:da:48:07: - bc:1d:2c:ec:5a:88:f9:e6:65:15:0f:d5:e1:3e:7e: - 6b:d4:63:2c:2e:32:fe:c0:9c:65:df:47:87:c5:38: - c3:45 - Exponent: 65537 (0x10001) - Signature Algorithm: sha256WithRSAEncryption - 6f:99:20:43:a2:fa:51:9c:3f:71:6b:be:90:e0:4d:26:c2:b6: - 91:50:7d:7a:50:a7:32:97:89:20:45:d3:07:97:30:88:9a:d0: - 83:ff:42:95:fc:16:e9:9b:97:f4:48:a0:de:9b:e5:09:98:a6: - e8:fc:87:2b:e0:16:98:4d:78:05:bb:29:65:95:b7:d3:70:58: - 7b:75:d5:f9:67:45:7f:cf:bf:a6:87:b3:da:d0:ee:c2:c3:55: - a7:d5:f4:36:9d:2a:e5:e4:d1:08:e9:b4:2a:d5:ca:6d:55:d3: - 42:32:d8:e0:97:56:e4:99:12:30:98:46:8c:97:ac:3f:8f:d5: - 04:f9:33:3c:02:7c:ca:3d:4d:5f:2e:98:e4:98:41:f9:a2:68: - d3:77:bd:4b:f3:2a:9d:d2:fd:be:9d:84:9c:03:ea:c0:ab:33: - c3:52:14:1b:24:c5:2c:a1:bb:c0:70:0e:30:08:d6:37:54:32: - 02:3e:08:53:5f:b9:0d:ba:0c:a2:57:12:04:fe:f5:e0:29:ee: - 
43:8e:da:a1:5a:25:89:55:62:90:4b:08:63:64:b2:17:40:65: - 85:14:39:76:eb:b0:db:67:bb:41:17:2f:2d:2c:7d:f3:c1:fa: - f9:4f:99:24:92:69:fd:17:f9:85:9f:3c:ff:ba:e8:34:ed:e6: - ee:66:fb:64 -----BEGIN CERTIFICATE----- -MIIDOjCCAiICAwD6zjANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjESMBAG -A1UECAwJR3VhbmdEb25nMRIwEAYDVQQHDAlndWFuZ3pob3UxDDAKBgNVBAoMA0lC -TTEMMAoGA1UECwwDb3BzMRUwEwYDVQQDDAx3d3cudGVzdC5jb20wHhcNMjAwNjE4 -MTE0ODAyWhcNMzAwNjE2MTE0ODAyWjBcMQswCQYDVQQGEwJjbjESMBAGA1UECAwJ -R3VhbmdEb25nMQwwCgYDVQQKDANJQk0xEjAQBgNVBAcMCWd1YW5nemhvdTEXMBUG -A1UEAwwObmdpbngudGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDJXB6cm5QZQt2Vqyz8eB8uV+wC4xqcDDWp3j6QnzWGZbJ1o7nH0FXB13mj -gWDLrTGaJzpHn/gspNdNEqCWLRYeR1kmo4VBn+HXCHxz2Ka1FGPbbpvTrhnzTAk0 -IAQl065Awh5ixvHIRpqxThKvat613uNkuO113y5lKho8BbOux9UpFlFiZbJMpTIY -+QJ95Q6f1BLTNWpJzrQ0UhYmaN1Vn7iuy/yl2xLrES1sj1/yKnJ8McO8bPMTX8rR -CgrQZp8kHH3tS1vfrzA0oiNZcYMG1VFxn2IxlKj8ctMH/9pIB7wdLOxaiPnmZRUP -1eE+fmvUYywuMv7AnGXfR4fFOMNFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAG+Z -IEOi+lGcP3FrvpDgTSbCtpFQfXpQpzKXiSBF0weXMIia0IP/QpX8Fumbl/RIoN6b -5QmYpuj8hyvgFphNeAW7KWWVt9NwWHt11flnRX/Pv6aHs9rQ7sLDVafV9DadKuXk -0QjptCrVym1V00Iy2OCXVuSZEjCYRoyXrD+P1QT5MzwCfMo9TV8umOSYQfmiaNN3 -vUvzKp3S/b6dhJwD6sCrM8NSFBskxSyhu8BwDjAI1jdUMgI+CFNfuQ26DKJXEgT+ -9eAp7kOO2qFaJYlVYpBLCGNkshdAZYUUOXbrsNtnu0EXLy0sffPB+vlPmSSSaf0X -+YWfPP+66DTt5u5m+2Q= +MIIFsTCCA5mgAwIBAgIUODyT8W4gAxf8uwMNmtj5M1ANoUwwDQYJKoZIhvcNAQEL +BQAwVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzEPMA0GA1UEBwwG +Wmh1SGFpMQ0wCwYDVQQKDARhcGk3MRMwEQYDVQQDDAphcGlzaXguZGV2MCAXDTIw +MDYwNDAzMzc1MFoYDzIxMjAwNTExMDMzNzUwWjBWMQswCQYDVQQGEwJDTjESMBAG +A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx +EzARBgNVBAMMCmFwaXNpeC5kZXYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQDQveSdplH49Lr+LsLWpGJbNRhf2En0V4SuFKpzGFP7mXaI7rMnpdH3BUVY +S3juMgPOdNh6ho4BeSbGZGfU3lG1NwIOXiPNA1mrTWGNGV97crJDVZeWTuDpqNHJ +4ATrnF6RnRbg0en8rjVtce6LBMrDJVyGbi9VAqBUPrCmzT/l0V1jPL6KNSN8mQog 
+ladrJuzUanfhWM9K9xyM+/SUt1MNUYFLNsVHasPzsi5/YDRBiwuzTtiT56O6yge2 +lvrdPFvULrCxlGteyvhtrFJwqjN//YtnQFooNR0CXBfXs0a7WGgMjawupuP1JKiY +t9KEcGHWGZDeLfsGGKgQ9G+PaP4y+gHjLr5xQvwt68otpoafGy+BpOoHZZFoLBpx +TtJKA3qnwyZg9zr7lrtqr8CISO/SEyh6xkAOUzb7yc2nHu9UpruzVIR7xI7pjc7f +2T6WyCVy6gFYQwzFLwkN/3O+ZJkioxXsnwaYWDj61k3d9ozVDkVkTuxmNJjXV8Ta +htGRAHo0/uHmpFTcaQfDf5o+iWi4z9B5kgfA/A1XWFQlCH1kl3mHKg7JNCN9qGF8 +rG+YzdiLQfo5OqJSvzGHRXbdGI2JQe/zyJHsMO7d0AhwXuPOWGTTAODOPlaBCxNB +AgjuUgt+3saqCrK4eaOo8sPt055AYJhZlaTH4EeD4sv7rJGm7wIDAQABo3UwczAd +BgNVHQ4EFgQUPS1LXZMqgQvH/zQHHzgTzrd7PIIwHwYDVR0jBBgwFoAUPS1LXZMq +gQvH/zQHHzgTzrd7PIIwDAYDVR0TBAUwAwEB/zAjBgNVHREEHDAaggphcGlzaXgu +ZGV2ggwqLmFwaXNpeC5kZXYwDQYJKoZIhvcNAQELBQADggIBAMlwNS8uo3JkkshI +rpYobdjCZfr74PBl+LhoihvzHs25/in3+CxETRA8cYo5pRotqdA63po3wiCCPs6a +mZiELQxyGHhFcqoYxnoURR4nyogRZLA6jjLGkbG4H+CA4ApmZmvGnP3X5uQW4v5q +IdqIXL3BvoUBln8GMEC7Rz5SGUjWG03JPkl6MdeziFyHkwdBCOrtK5m7icRncvq+ +iL8CMUx024LLI6A5hTBPwfVfgbWJTSv7tEu85q54ZZoYQhiD8dde4D7g5/noPvXM +ZyA9C3Sl981+pUhhazad9j9k8DCcqf9e8yH9lPY26tjiEcShv4YnwbErWzJU1F9s +ZI5Z6nj5PU66upnBWAWV7fWCOrlouB4GjNaznSNrmpn4Bb2+FinDK3t4AfWDPS5s +ljQBGQNXOd30DC7BdNAF5dQAUhVfz1EgQGqYa+frMQLiv8rNMs7h6gKQEqU+jC/1 +jbGe4/iwc0UeTtSgTPHMofqjqc99/R/ZqtJ3qFPJmoWpyu0NlNINw2KWRQaMoGLo +WgDCS0YA5/hNXVFcWnZ73jY62yrVSoj+sFbkUpGWhEFnO+uSmBv8uwY3UeCOQDih +X7Yazs3TZRqEPU+25QATf0kbxyzlWbGkwvyRD8x+n3ZHs5Ilhrc6jWHqM/S3ir7i +m9GcWiwg++EbusQsqs3w3uKAHAdT -----END CERTIFICATE----- diff --git a/conf/cert/apisix_admin_ssl.key b/conf/cert/apisix_admin_ssl.key index 2c5bdb1f76a7..ec889056ffb6 100644 --- a/conf/cert/apisix_admin_ssl.key +++ b/conf/cert/apisix_admin_ssl.key 
@@ -1,27 +1,51 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAyVwenJuUGULdlass/HgfLlfsAuManAw1qd4+kJ81hmWydaO5 -x9BVwdd5o4Fgy60xmic6R5/4LKTXTRKgli0WHkdZJqOFQZ/h1wh8c9imtRRj226b -064Z80wJNCAEJdOuQMIeYsbxyEaasU4Sr2retd7jZLjtdd8uZSoaPAWzrsfVKRZR -YmWyTKUyGPkCfeUOn9QS0zVqSc60NFIWJmjdVZ+4rsv8pdsS6xEtbI9f8ipyfDHD -vGzzE1/K0QoK0GafJBx97Utb368wNKIjWXGDBtVRcZ9iMZSo/HLTB//aSAe8HSzs -Woj55mUVD9XhPn5r1GMsLjL+wJxl30eHxTjDRQIDAQABAoIBAEovPzPxeamo4dwv -WX6Wft5jFBeoNfiB4w93StObZGvkcdA3hs2f6shkq3Layp+famPhye3zeMpx3MSP -dUx+xeRX4veCTSj1T44amUdQ7XJPVc7VPGHLhdIGFGn41a5eA5fmLK21oARqRrnG -CspH9E9LE7nbC9leZUhuL4Ynj6B3ZV3R14N7bkvVqfHyoJgLwTkUh/MaHwnDGP64 -oBnKXbGFKZ8bbRU9YDR3SY77jhX+vuT922ZqM4AJpHMtgTMXYZRapUFD5wq5DW+6 -FedG86ZdbkcAufRmVby0Tfj4F4x1SMxghLU3FY34nZe8fKNyFsq3dyREeLs/G2y+ -uPDW9c0CgYEA8qcyZEbPs+DQ/UAuGHy40eQ0yH7iD2IOls/2HaqmYt5Y0H9HdcGS -ROrt8zjUsathe9J+kBGdr9hn47Lg3ZLgW0VHz6I0NHmFohnwEwVzJG8VTXGC5ga+ -xsqUuVquKAAtnxaa+4SyVxkBiwI0Zmj++sCIYN8Ew7u2vXYTkWUxrd8CgYEA1G94 -rWH0vbilL6qR3cXLY+ElwJhEMR8jFQdLKCND7l0/xRlF3Q1VNHyuZZ3sewHOZKrx -chJAvkVmWwm9nq6S7ZmNCwu/sJGp8L4hFm5tbr9vTT/Py/uAmvdPFcsneKkG1Ryc -C01f23u3Ej1ynMCfyaoXReDX5LzzEtoj8fgUq1sCgYEA43+mWyWYrkjlJ8r4bLTi -gsa2RhPP1iRVEUhAs2e/P4q/Mhti4CBwBnVMSnDJ2RmY+AJN7rzVXnxCStT2xkZi -WrAFt8GXuGsGwwgWcX72iP4stsLpusgwLSjZbz55cb9ZBoKnI5Exsz8alz2l6y4d -gPLp6git6uUfW1pM1lBN13kCgYEAmDI4yjdY6aflKO5STQoNesRukLpGeM7vCnzM -OrhxTdAfBO3jYMjRl6YQKBtptoMHxJW4H9q16du8xlKHOK2n9HRDWXuUXUMu9pyx -Beodmu+qJTUngePxMpUmYt3GrKqki4BQx8Qqfgv3kCjX+TgEAq5KuDSrWGSK3aHN -iOkMnesCgYEAiSCkkp6fNfWaGkFnNXCI8StHcixvGECsryDa5sHNWgmWmZgh56UY -ON0yjx4FYdag840FWRJqtASm6xNJintcFMTua7LlnuSQWNDjCLT/XTtqq50+M+PH -iGP5yGchfsMkIdXdr5JW0Bgn3LgsnDYy9nZTGvRWp0kObMb1trdYOg4= +MIIJKQIBAAKCAgEA0L3knaZR+PS6/i7C1qRiWzUYX9hJ9FeErhSqcxhT+5l2iO6z +J6XR9wVFWEt47jIDznTYeoaOAXkmxmRn1N5RtTcCDl4jzQNZq01hjRlfe3KyQ1WX +lk7g6ajRyeAE65xekZ0W4NHp/K41bXHuiwTKwyVchm4vVQKgVD6wps0/5dFdYzy+ +ijUjfJkKIJWnaybs1Gp34VjPSvccjPv0lLdTDVGBSzbFR2rD87Iuf2A0QYsLs07Y 
+k+ejusoHtpb63Txb1C6wsZRrXsr4baxScKozf/2LZ0BaKDUdAlwX17NGu1hoDI2s +Lqbj9SSomLfShHBh1hmQ3i37BhioEPRvj2j+MvoB4y6+cUL8LevKLaaGnxsvgaTq +B2WRaCwacU7SSgN6p8MmYPc6+5a7aq/AiEjv0hMoesZADlM2+8nNpx7vVKa7s1SE +e8SO6Y3O39k+lsglcuoBWEMMxS8JDf9zvmSZIqMV7J8GmFg4+tZN3faM1Q5FZE7s +ZjSY11fE2obRkQB6NP7h5qRU3GkHw3+aPolouM/QeZIHwPwNV1hUJQh9ZJd5hyoO +yTQjfahhfKxvmM3Yi0H6OTqiUr8xh0V23RiNiUHv88iR7DDu3dAIcF7jzlhk0wDg +zj5WgQsTQQII7lILft7GqgqyuHmjqPLD7dOeQGCYWZWkx+BHg+LL+6yRpu8CAwEA +AQKCAgBNsbBLAWHXYPfMrgj1LUAypIOLAQ0dtgl7ZdO/fRmdNxSIiRgDtNN+tuaF +o6nCNrl1+cWtbTGj2L0W8L442/rbkTrhsCZxI0MX4HhjtUL1xs4VA+GlH3zVW3Gi +SxBpxczpM+gVC+ykkQ7vyo04DzONCPX0T0Ssxop4cND9dL3Iw3GYAz8EYBzyPmAn +mqwy1M0nju1J4e1eALYOv6TcSZPPDDwsi5lIKLQAm5x06pDoqGFVfw5blsc5OgM+ +8dkzyUiApFQ99Hk2UiO/ZnlU1/TNOcjOSISGHKbMfwycy2yTRKeNrJmez51fXCKo +nRrtEotHzkI+gCzDqx+7F9ACN9kM4f4JO5ca0/My6tCY+mH8TA/nVzMnUpL7329w +NobuNTpyA6x5nmB3QqElrzQCRtTj7Nw5ytMdRbByJhXww9C5tajUysdq8oGoZdz5 +94kXr6qCC5Qm3CkgyF2RjqZyg9tHUEEdaFKouHgziiqG9P2Nk1SHk7Jd7bF4rleI +i93u/f0fdVK7aMksofgUbOmfhnS+o1NxerVcbdX+E/iv6yfkrYDb46y3//4dcpwk +TeUEMCjc7ShwvYPq350q3jmzgwxeTK8ZdXwJymdJ7MaGcnMXPqd9A43evYM6nG6f +i3l2tYhH4cp6misGChnGORR68qsRkY8ssvSFNFzjcFHhnPyoCQKCAQEA8isIC1IJ +Iq9kB4mDVh0QdiuoBneNOEHy/8fASeZsqedu0OZPyoXU96iOhXuqf8sQ33ydvPef +iRwasLLkgw8sDeWILUjS36ZzwGP2QNxWfrapCFS8VfKl7hTPMVp0Wzxh8qqpGLSh +O0W7EEAJCgzzULagfupaO0Chmb3LZqXRp8m5oubnmE+9z0b5GrCIT1S8Yay2mEw9 +jxqZJGBhV7QnupyC2DIxLXlGmQk7Qs1+1mCCFwyfugHXclWYa+fet/79SkkADK0/ +ysxfy+FdZgGT/Ba5odsEpt1zH+tw4WXioJsX9mU3zAHbpPqtcfuVU+2xyKfQYrRG +NSm9MMNmart0wwKCAQEA3Koaj/0gNxLLslLIES50KmmagzU8CkEmCa/WLoVy02xr +qp42hvj+PzBTf3rIno3KEpRhMmnAtswozbV3P4l/VSZdfY+pwWsx7/5+Cf1R9nAP +vp6YCjGcLcbASazYNOWf0FRInt3pxdgT9DWjJDi99FGKA+UbI2yxHwzE+cE8r9Od +Iy42uhzCjJBqdg+an+q63k6yrOwv18KP69LlU/4vknhw4g3WxF4yTwVmXU8WKmux +aOrJv2ED8pfA7k+zwv0rPyN+F2nOySxoChaFfeu6ntBCX7zK/nV0DsMQImOycfzO +yN8WB9lRZTJVzU2r6PaGAI359uLHEmURy0069g+yZQKCAQAbECwJ99UFh0xKe1eu +G/lm+2H/twSVMOmTJCOdHp8uLar4tYRdQa+XLcMfr75SIcN09lw6bgHqNLXW4Wcg 
+LmXh97DMPsMyM0vkSEeQ4A7agldJkw6pHEDm5nRxM4alW44mrGPRWv5ZvWU2X7Gi +6eeXMZGmHVKQJJzqrYc5pXZUpfqU9fET2HWB4JCeJvRUyUd0MvUE+CA5CePraMn4 +Hy4BcNQ+jP1p84+sMpfo00ZFduuS39pJ00LciCxMgtElBt4PmzDiOcpTQ5vBESJ6 +79o15eRA7lUKwNzIyGsJBXXaNPrskks2BU8ilNElV9RMWNfxcK+dGEBwWIXIGU4s +x145AoIBAQCst9R8udNaaDLaTGNe126DuA8B/kwVdrLwSBqsZTXgeO+5J4dklEZl +bU0d7hxTxoXRjySZEh+OtTSG9y/0oonxO0tYOXfU9jOrNxaueQKLk2EvgfFdoUEu +r2/Y+xpsJQO3TBFfkDEn856Cuu0MMAG214/gxpY8XxowRI11NCRtN4S6gbTCbjp1 +TaCW8lXEMDW+Rfki0ugLyLVgD74CxWW1DuLEfbKKF3TnV0GtbXbbE1pU1dm+G5C8 +dL3FissYp5MPI5fRebcqzcBNjR1F15pGLpqVVy/IhmSmHVZmpISLJicxITScRiSo +wgJY5R/XBAcVLgvmi9Dn/AY2jCfHa7flAoIBAQCbnZ6ivZg81g6/X9qdo9J61hX0 +Y7Fn7bLvcs1L0ARGTsfXMvegA806XyZThqjpY47nHpQtoz4z62kiTTsdpAZUeA3z +9HUWr0b3YEpsvZpgyMNHgwq1vRDPjw4AWz0pBoDWMxx8Ck5nP1A//c1zyu9pgYEU +R+OutDeCJ+0VAc6JSH9WMA08utGPGs3t02Zhtyt2sszE9vzz4hTi5340/AYG72p7 +YGlikUxvbyylYh9wR4YUYa/klikvKLHEML1P0BCr8Vex+wLSGS1h1F5tW1Xr2CZQ +dVxFmfGmPDmwWbCQR6Rvt6FHRwNMpMrLr011h2RBcHBpdQl7XpUENDoopIh0 -----END RSA PRIVATE KEY----- diff --git a/conf/cert/two_side_ca.crt b/conf/cert/two_side_ca.crt new file mode 100644 index 000000000000..b57e390849ca --- /dev/null +++ b/conf/cert/two_side_ca.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjICCQDmBdlKmGaJITANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJj +bjESMBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoM +BGFwaTcxDDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0y +MDA2MjAxMzEzNDFaFw0zMDA2MTgxMzEzNDFaMGcxCzAJBgNVBAYTAmNuMRIwEAYD +VQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTENMAsGA1UECgwEYXBpNzEM +MAoGA1UECwwDb3BzMRYwFAYDVQQDDA1jYS5hcGlzaXguZGV2MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAun+Gq/bp7CcZ9i5ZdjuCvyZVXsiAaBELVi/Q +QQtC90z5aQyWudTPB1Lcpk5HosbT73eHh03hFCRMFv6Miase1T59KJ4zGSFKoFEr +j2cbNmWFJEhTGce1pn52zMzZrXERYhKBA0n4bwHK/IND0XeEZ2RQPtGnGBqj3vKL +3px+mOzIeMy4VMSkIkL2jlgo5jN0IjQIsvHRSrhIWzFhr6qtIJhuh0oI6gs+/yvA +vspGeVFtIg/1PY3bOgFfhJg08/Aw7vgMjmADypEbBabLaWOZ8RZ3Ci2is6cL/1wX +Sr8OIIBXTmTGmXEuSsMsBgC7BFwEY4XEsGx8QQJsrh1dSf2t0QIDAQABMA0GCSqG +SIb3DQEBBQUAA4IBAQCKC98wWieC66NHAYb9ICOwr+XTmoFABpFNaM4bPXMD4IUq +BaMGfBh92e4ANz2bm1D3J0ZNH3TVC7OhF2ymi6wSMde/Ygkh5xu2HgTEX2QTDQVd +J27jwEIe45VLdvuu33jvE/iNNQHI6J6zP45gs/FS+CwMoYRnNcC+428YUf9XMcgM +UkeMOnnkhw1OUzmoACY705hAEAPFbb7KkQ109lgbh6cucMy7Nw/N1t6Pyuxlqteg +d8Wy6VFYPRRK43dYoA9B0yvsZCERvxgR1IrDjo0B2wIDzM4eM6ldLfnr8pPnBFfS +g/Pdo6VZsXeSv3o00lBEY/25Vqxn3sPBK4E7a+mX +-----END CERTIFICATE----- diff --git a/conf/cert/two_side_client.crt b/conf/cert/two_side_client.crt new file mode 100644 index 000000000000..847a544ed391 --- /dev/null +++ b/conf/cert/two_side_client.crt 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 64207 (0xfacf) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=cn, ST=GuangDong, L=ZhuHai, O=api7, OU=ops, CN=ca.apisix.dev + Validity + Not Before: Jun 20 13:15:00 2020 GMT + Not After : Jul 8 13:15:00 2030 GMT + Subject: C=cn, ST=GuangDong, O=api7, L=ZhuHai, CN=client.apisix.dev + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9f:28:8f:2e:88:41:ff:89:f6:62:91:29:d1:6b: + 7f:c4:d8:1e:28:85:55:91:c2:3a:3f:23:1c:83:11: + 6a:26:81:1e:2d:2e:4d:69:48:98:4f:ff:84:82:2d: + 6b:8c:41:31:56:4d:b4:aa:b7:52:05:63:2e:19:6d: + 54:87:1f:21:a8:34:f9:89:1a:b1:d1:24:21:84:fa: + c8:29:7f:39:f4:1a:35:78:95:74:0f:24:3d:24:e8: + 64:75:09:7d:8c:a3:54:d6:74:5a:92:27:f1:dc:e4: + 04:30:71:01:67:3d:fa:0b:03:0b:01:cb:8c:aa:ae: + 59:9f:f7:a6:40:53:2b:65:ff:b6:64:8d:fe:0f:ee: + 62:64:24:7b:4c:fd:68:12:47:4a:46:86:36:53:00: + 64:5f:e4:32:56:a0:ee:75:92:2d:e2:dc:92:3e:d7: + 99:8e:86:69:e7:0a:99:e4:b2:71:95:3d:f9:7d:da: + af:76:1f:3f:f8:bf:78:aa:13:e5:13:84:f6:11:a5: + c1:9b:9d:d7:73:32:f3:da:09:78:9a:be:0f:01:fe: + ed:8b:55:b9:f8:97:46:9d:6a:6a:90:19:ea:4e:02: + 30:ff:d7:1a:da:39:53:f6:5b:6d:96:d0:fc:ed:0d: + 72:78:ac:b7:be:71:aa:4d:4b:8a:06:b9:25:1f:90: + 81:0d + Exponent: 65537 (0x10001) + Signature Algorithm: sha256WithRSAEncryption + 72:a7:1f:15:21:ba:4f:e7:2f:64:a0:e5:40:7c:e0:ea:09:7b: + 95:cf:80:d0:6f:54:c2:8d:d1:cf:cd:00:f2:95:20:f9:e2:9e: + f5:1c:1b:f9:87:78:a7:b1:3f:31:34:b0:c8:1a:44:da:2c:ef: + 93:76:d7:df:44:5f:27:6a:51:cb:09:f2:32:f4:70:db:50:da: + 4e:49:41:75:e0:d2:7b:4d:0b:8b:6e:0a:02:0a:00:e9:ce:f3: + bf:72:e6:14:86:df:a7:b9:ef:09:80:a1:52:a7:69:b8:23:7a: + 3d:3d:cc:6d:64:91:7b:c0:9a:98:2a:a3:17:95:0a:ee:e1:ed: + f2:be:02:ea:cb:6e:c1:82:4d:a1:e8:03:9a:46:d6:d7:07:0f: + 12:50:7e:95:5c:6c:17:f0:40:34:81:5b:74:90:8e:24:6a:5f: + 8e:77:ff:4d:67:c3:a9:1b:39:e2:ca:62:b6:89:ca:c6:86:f1: + 95:36:2b:cf:96:a5:6e:89:0e:e6:dc:88:78:f0:7d:09:e9:53: + 
65:35:e9:72:a2:be:1c:5e:b8:a6:2b:57:f2:0d:2f:4b:31:8f: + f7:d9:ad:a3:58:12:bb:c9:5b:38:79:96:5b:c8:74:d2:e6:79: + 23:e6:bd:be:74:25:42:2c:fa:50:ea:9f:53:28:6d:35:f3:0e: + 9b:82:15:70 +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICAwD6zzANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJjbjESMBAG +A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx +DDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0yMDA2MjAx +MzE1MDBaFw0zMDA3MDgxMzE1MDBaMF0xCzAJBgNVBAYTAmNuMRIwEAYDVQQIDAlH +dWFuZ0RvbmcxDTALBgNVBAoMBGFwaTcxDzANBgNVBAcMBlpodUhhaTEaMBgGA1UE +AwwRY2xpZW50LmFwaXNpeC5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCfKI8uiEH/ifZikSnRa3/E2B4ohVWRwjo/IxyDEWomgR4tLk1pSJhP/4SC +LWuMQTFWTbSqt1IFYy4ZbVSHHyGoNPmJGrHRJCGE+sgpfzn0GjV4lXQPJD0k6GR1 +CX2Mo1TWdFqSJ/Hc5AQwcQFnPfoLAwsBy4yqrlmf96ZAUytl/7Zkjf4P7mJkJHtM +/WgSR0pGhjZTAGRf5DJWoO51ki3i3JI+15mOhmnnCpnksnGVPfl92q92Hz/4v3iq +E+UThPYRpcGbnddzMvPaCXiavg8B/u2LVbn4l0adamqQGepOAjD/1xraOVP2W22W +0PztDXJ4rLe+capNS4oGuSUfkIENAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHKn +HxUhuk/nL2Sg5UB84OoJe5XPgNBvVMKN0c/NAPKVIPninvUcG/mHeKexPzE0sMga +RNos75N2199EXydqUcsJ8jL0cNtQ2k5JQXXg0ntNC4tuCgIKAOnO879y5hSG36e5 +7wmAoVKnabgjej09zG1kkXvAmpgqoxeVCu7h7fK+AurLbsGCTaHoA5pG1tcHDxJQ +fpVcbBfwQDSBW3SQjiRqX453/01nw6kbOeLKYraJysaG8ZU2K8+WpW6JDubciHjw +fQnpU2U16XKivhxeuKYrV/INL0sxj/fZraNYErvJWzh5llvIdNLmeSPmvb50JUIs ++lDqn1MobTXzDpuCFXA= +-----END CERTIFICATE----- diff --git a/conf/cert/two_side_client.key b/conf/cert/two_side_client.key new file mode 100644 index 000000000000..d939c62b159b --- /dev/null +++ b/conf/cert/two_side_client.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAnyiPLohB/4n2YpEp0Wt/xNgeKIVVkcI6PyMcgxFqJoEeLS5N +aUiYT/+Egi1rjEExVk20qrdSBWMuGW1Uhx8hqDT5iRqx0SQhhPrIKX859Bo1eJV0 +DyQ9JOhkdQl9jKNU1nRakifx3OQEMHEBZz36CwMLAcuMqq5Zn/emQFMrZf+2ZI3+ +D+5iZCR7TP1oEkdKRoY2UwBkX+QyVqDudZIt4tySPteZjoZp5wqZ5LJxlT35fdqv +dh8/+L94qhPlE4T2EaXBm53XczLz2gl4mr4PAf7ti1W5+JdGnWpqkBnqTgIw/9ca +2jlT9lttltD87Q1yeKy3vnGqTUuKBrklH5CBDQIDAQABAoIBAHDe5bPdQ9jCcW3z +fpGax/DER5b6//UvpfkSoGy/E+Wcmdb2yEVLC2FoVwOuzF+Z+DA5SU/sVAmoDZBQ +vapZxJeygejeeo5ULkVNSFhNdr8LOzJ54uW+EHK1MFDj2xq61jaEK5sNIvRA7Eui +SJl8FXBrxwmN3gNJRBwzF770fImHUfZt0YU3rWKw5Qin7QnlUzW2KPUltnSEq/xB +kIzyWpuj7iAm9wTjH9Vy06sWCmxj1lzTTXlanjPb1jOTaOhbQMpyaAzRgQN8PZiE +YKCarzVj7BJr7/vZYpnQtQDY12UL5n33BEqMP0VNHVqv+ZO3bktfvlwBru5ZJ7Cf +URLsSc0CgYEAyz7FzV7cZYgjfUFD67MIS1HtVk7SX0UiYCsrGy8zA19tkhe3XVpc +CZSwkjzjdEk0zEwiNAtawrDlR1m2kverbhhCHqXUOHwEpujMBjeJCNUVEh3OABr8 +vf2WJ6D1IRh8FA5CYLZP7aZ41fcxAnvIPAEThemLQL3C4H5H5NG2WFsCgYEAyHhP +onpS/Eo/OXKYFLR/mvjizRVSomz1lVVL+GWMUYQsmgsPyBJgyAOX3Pqt9catgxhM +DbEr7EWTxth3YeVzamiJPNVK0HvCax9gQ0KkOmtbrfN54zBHOJ+ieYhsieZLMgjx +iu7Ieo6LDGV39HkvekzutZpypiCpKlMaFlCFiLcCgYEAmAgRsEj4Nh665VPvuZzH +ZIgZMAlwBgHR7/v6l7AbybcVYEXLTNJtrGEEH6/aOL8V9ogwwZuIvb/TEidCkfcf +zg/pTcGf2My0MiJLk47xO6EgzNdso9mMG5ZYPraBBsuo7NupvWxCp7NyCiOJDqGH +K5NmhjInjzsjTghIQRq5+qcCgYEAxnm/NjjvslL8F69p/I3cDJ2/RpaG0sMXvbrO +VWaMryQyWGz9OfNgGIbeMu2Jj90dar6ChcfUmb8lGOi2AZl/VGmc/jqaMKFnElHl +J5JyMFicUzPMiG8DBH+gB71W4Iy+BBKwugHBQP2hkytewQ++PtKuP+RjADEz6vCN +0mv0WS8CgYBnbMRP8wIOLJPRMw/iL9BdMf606X4xbmNn9HWVp2mH9D3D51kDFvls +7y2vEaYkFv3XoYgVN9ZHDUbM/YTUozKjcAcvz0syLQb8wRwKeo+XSmo09+360r18 +zRugoE7bPl39WdGWaW3td0qf1r9z3sE2iWUTJPRQ3DYpsLOYIgyKmw== +-----END RSA PRIVATE KEY----- diff --git a/conf/cert/two_side_server.crt b/conf/cert/two_side_server.crt new file mode 100644 index 000000000000..14f48ef7ecaf --- /dev/null +++ b/conf/cert/two_side_server.crt 
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 64206 (0xface) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=cn, ST=GuangDong, L=ZhuHai, O=api7, OU=ops, CN=ca.apisix.dev + Validity + Not Before: Jun 20 13:14:34 2020 GMT + Not After : Jun 18 13:14:34 2030 GMT + Subject: C=cn, ST=GuangDong, O=api7, L=ZhuHai, CN=admin.apisix.dev + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9b:45:2a:e1:c9:6e:a7:af:af:bd:46:5c:5e:5f: + 72:66:02:78:69:16:fd:f9:69:8e:47:68:0f:8d:35: + 92:c4:14:40:5c:cf:57:3d:41:ea:13:7b:f4:de:c8: + ab:e8:62:56:1e:60:61:f6:38:65:5f:30:b5:91:25: + 79:07:12:45:ce:24:31:86:1f:2c:a6:cb:1d:8b:4b: + 9e:5f:1f:c7:b6:f3:e8:98:ee:b3:70:c7:9e:5d:10: + ce:29:e4:22:68:69:9e:df:ae:f6:bb:11:e8:b8:f1: + 07:bf:2d:d5:57:f2:e4:07:8a:da:d2:7b:8a:53:d1: + b4:f4:42:19:9a:14:98:01:3e:23:27:3a:0f:ad:d0: + 1d:c5:31:9a:ee:ae:df:7f:fb:2e:34:0b:51:ca:b4: + 8c:59:ae:86:5f:95:69:2b:4a:c6:2d:a5:ae:04:46: + 7a:93:09:15:72:0a:78:ef:98:7d:00:b5:b4:b2:f2: + e2:a9:2e:04:fb:de:84:ad:da:8e:a3:31:53:3a:d5: + 91:cd:77:f5:b8:ea:eb:14:aa:d9:62:d1:12:79:87: + 08:27:6d:c1:b9:e3:7d:f1:07:52:3c:a3:34:6a:c1: + 96:cf:a2:84:cc:14:50:49:40:0b:38:3c:3b:1e:df: + 57:6f:f2:05:35:92:9b:4f:b1:21:0b:f7:62:3a:2d: + 83:c7 + Exponent: 65537 (0x10001) + Signature Algorithm: sha256WithRSAEncryption + 7a:1c:a3:d8:d4:97:5d:91:d2:c8:31:c4:40:ef:f1:38:ac:5c: + b9:74:66:81:94:4f:71:02:38:49:5a:0d:7b:10:17:73:a5:96: + 3e:de:0e:a4:75:8c:1b:c7:51:f9:f6:eb:9d:f4:bd:4c:1c:92: + 41:d0:16:c6:73:c1:f9:7c:b6:71:7d:16:53:13:fa:70:90:c0: + 95:e3:a3:51:30:96:02:f2:32:32:fe:a9:d1:ef:c5:7e:04:58: + ca:20:ef:d0:43:8c:52:8d:52:3a:71:ed:0f:87:4e:8b:c6:28: + 51:56:13:fd:71:81:10:cc:2f:2c:aa:8d:6a:93:d7:52:34:08: + 23:7b:2b:a7:a4:3e:6b:8f:c3:af:59:b9:1c:b8:d8:6c:a3:88: + c7:bd:b5:e1:eb:6b:6a:f2:7d:a3:89:c6:b0:21:f8:1b:9a:dc: + bf:ef:d6:21:91:7f:65:99:4d:f4:49:24:ab:46:09:a0:c9:a1: + 64:14:f4:56:73:ce:1b:22:dd:b7:1f:58:0f:29:ae:6a:6e:41: + 
6e:b4:5c:90:97:4e:59:4e:cf:e3:a1:89:d1:5a:65:a3:68:2f: + b9:97:82:6f:4c:21:cb:f6:9b:7d:fd:d8:07:70:14:cd:10:fb: + bf:03:70:fa:51:7c:56:4c:1b:a5:87:d3:1b:18:5c:22:87:6f: + 04:08:59:53 +-----BEGIN CERTIFICATE----- +MIIDOTCCAiECAwD6zjANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJjbjESMBAG +A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx +DDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0yMDA2MjAx +MzE0MzRaFw0zMDA2MTgxMzE0MzRaMFwxCzAJBgNVBAYTAmNuMRIwEAYDVQQIDAlH +dWFuZ0RvbmcxDTALBgNVBAoMBGFwaTcxDzANBgNVBAcMBlpodUhhaTEZMBcGA1UE +AwwQYWRtaW4uYXBpc2l4LmRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAJtFKuHJbqevr71GXF5fcmYCeGkW/flpjkdoD401ksQUQFzPVz1B6hN79N7I +q+hiVh5gYfY4ZV8wtZEleQcSRc4kMYYfLKbLHYtLnl8fx7bz6Jjus3DHnl0Qzink +Imhpnt+u9rsR6LjxB78t1Vfy5AeK2tJ7ilPRtPRCGZoUmAE+Iyc6D63QHcUxmu6u +33/7LjQLUcq0jFmuhl+VaStKxi2lrgRGepMJFXIKeO+YfQC1tLLy4qkuBPvehK3a +jqMxUzrVkc139bjq6xSq2WLREnmHCCdtwbnjffEHUjyjNGrBls+ihMwUUElACzg8 +Ox7fV2/yBTWSm0+xIQv3Yjotg8cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAehyj +2NSXXZHSyDHEQO/xOKxcuXRmgZRPcQI4SVoNexAXc6WWPt4OpHWMG8dR+fbrnfS9 +TBySQdAWxnPB+Xy2cX0WUxP6cJDAleOjUTCWAvIyMv6p0e/FfgRYyiDv0EOMUo1S +OnHtD4dOi8YoUVYT/XGBEMwvLKqNapPXUjQII3srp6Q+a4/Dr1m5HLjYbKOIx721 +4etravJ9o4nGsCH4G5rcv+/WIZF/ZZlN9Ekkq0YJoMmhZBT0VnPOGyLdtx9YDymu +am5BbrRckJdOWU7P46GJ0Vplo2gvuZeCb0why/abff3YB3AUzRD7vwNw+lF8Vkwb +pYfTGxhcIodvBAhZUw== +-----END CERTIFICATE----- diff --git a/conf/cert/two_side_server.key b/conf/cert/two_side_server.key new file mode 100644 index 000000000000..5f2c75b98873 --- /dev/null +++ b/conf/cert/two_side_server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAm0Uq4clup6+vvUZcXl9yZgJ4aRb9+WmOR2gPjTWSxBRAXM9X +PUHqE3v03sir6GJWHmBh9jhlXzC1kSV5BxJFziQxhh8spssdi0ueXx/HtvPomO6z +cMeeXRDOKeQiaGme3672uxHouPEHvy3VV/LkB4ra0nuKU9G09EIZmhSYAT4jJzoP +rdAdxTGa7q7ff/suNAtRyrSMWa6GX5VpK0rGLaWuBEZ6kwkVcgp475h9ALW0svLi +qS4E+96ErdqOozFTOtWRzXf1uOrrFKrZYtESeYcIJ23BueN98QdSPKM0asGWz6KE +zBRQSUALODw7Ht9Xb/IFNZKbT7EhC/diOi2DxwIDAQABAoIBAC3NJW0dAissw+ZN +Twn3lcNJj0NQqPJdlL6zj4LT/ssgPiwibVWAkA/XTNA62ZrfBxBG1h7PW/fMYoLC +TwUq+rRoMMOjhoRc/gYM9FaTBVKOeFpEb2IhQDGrt2TcCtpJ7beF4PolukRztRlL +59bdqy4eY5YbIx6+iWZT6UFuObiDqi7i4SLWEgK+/P4Uk8/SmhVqIWcj1m3SPK6I +YbzsgXiT64fNd7/O06ISKia1UzvUCtH7tbxWxCvsqw+PqQT+YuEmNY1pOQGYp0dU +4ndzvrP0Ajuu3xH7aYP/Kilkz69PPMLygwNey4HRIAuUqw/HBfTR0/ccRSuhrYxb +9QaOP0ECgYEAyuqLo/tjWrFiJnDbhK3z2qcydktFS58da2QitSRYlQ6AQXjZ3+v7 +buL1QV59aXzIGTZz3gjO+omdpfIagBI47YnWIUtj+NylNROWv+aZXQwgC7ayQWTg +eBu8L2YXBvAR9TgHhqj3Fl4YcuipVE3XFVjjvLjrbE1nssMmaJqi95kCgYEAw+O7 +Zdj/NedbI2GtnZv31YlLmrMdtmeAmU2x8eC5v30Kx3GCU9DdZzImsaYxxjfSL+6c +eP/DF8JHWIGo9GQPcMSijHsaNMIwgv6+5rx+Lp/zsjwRApJsVQeoff2ZdWjnFsi3 +rRHE8QZfWMqcnOsr4io7xfVd3t4tV22BBrnt8l8CgYEAncU3xcxUN9PryI+/Xq4S +CFQvvCJSQrX4neNByS31Yg/gUQex/5Tv7guxPZ5GTJqkylW4SU73/3y4gqp3SFTi +xm6Be2mu1XRZT6dnctXNMLeYwwLOHmJc1YZbD0+FX/ORQuTJlT4Sv+VxhQa5gb70 +GLkAeWAeTBrzId7yIir5wyECgYAw2iJqC+vZrZD1Ce8aV0M/ZbYNJo5KZxWTJeUy +xTCNqMl/Y7d036nXipJLy36uSE2K1p7/LgmhazoPwIY6LJoNLXy8PBcVATjH8m/5 +axis2AcWdBRp58pMilRi11PmC/tVm0jzSHMtCMHOivjzyVJwXMf7Xm3CnvX/z7dV +zhihUQKBgHWtWfNk/svgLp6w8T6aMgyAb9ud5pX/CbNZhGNRqhPhJkss1tFr6/Mv +bJiZoEP3C0sDdA1JRuMkXm5EE60xyhzCNmv5H0cQ3C2Y9Q9ly89ggwIXNiNfKWpP +VrdvXQ3NkP/RaDy83B9dN2Jb6lUpcNQnB5Q5yAlsYaYgsGBedcvc +-----END RSA PRIVATE KEY----- From 9ce5960e0f55fe97360ccd3cc8174c49bfc84c12 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Sat, 20 Jun 2020 22:53:44 +0800 Subject: [PATCH 14/35] fix: domain --- .travis/linux_openresty_two_side_ssl_auth_runner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_two_side_ssl_auth_runner.sh index aab9502b6a16..118c1eafdc8b 100755 --- a/.travis/linux_openresty_two_side_ssl_auth_runner.sh +++ b/.travis/linux_openresty_two_side_ssl_auth_runner.sh @@ -104,7 +104,7 @@ script() { cat logs/error.log - curl --cacert ./conf/cert/two_side_ca.crt --key ./conf/cert/two_side_client.key --cert ./conf/cert/two_side_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://nginx.test.com:9180/apisix/admin/routes + curl --cacert ./conf/cert/two_side_ca.crt --key ./conf/cert/two_side_client.key --cert ./conf/cert/two_side_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes ./bin/apisix stop sleep 1 From d349020538869864374f8037d599828f210138e7 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Sat, 20 Jun 2020 23:15:06 +0800 Subject: [PATCH 15/35] fix: domain --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 1bd8e62ff455..4351b08d77b9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -43,7 +43,7 @@ addons: homebrew: update: true hosts: - - nginx.test.com + - admin.apisix.dev cache: directories: From 5addff353345a3f1be37e7daf89a54758830b05d Mon Sep 17 00:00:00 2001 From: nic-chen Date: Sun, 21 Jun 2020 21:29:53 +0800 Subject: [PATCH 16/35] config option --- conf/config.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/config.yaml b/conf/config.yaml index d640ef79521f..f13102c42ded 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
@@ -93,6 +93,9 @@ apisix: listen_port: 9443 ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" + verify_client: false # Enable or disable client-to-server authentication with HTTPS client certificates + # It depends on `port_admin` and `https_admin`, they need to be enable if you want to enable `verify_client`. + # And you need to replace your real certs to `cert/two_side_ca.crt`, `cert/two_side_server.crt` and `cert/two_side_server.key`. key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! From 3421255e1125db201fa6586ff2a8c3f4a3c2f4a7 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Sun, 21 Jun 2020 22:40:46 +0800 Subject: [PATCH 17/35] doc --- doc/two-side-auth-with-ssl.md | 41 +++++++++++++++++++++++++++++ doc/zh-cn/two-side-auth-with-ssl.md | 41 +++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 doc/two-side-auth-with-ssl.md create mode 100644 doc/zh-cn/two-side-auth-with-ssl.md diff --git a/doc/two-side-auth-with-ssl.md b/doc/two-side-auth-with-ssl.md new file mode 100644 index 000000000000..0309078719d9 --- /dev/null +++ b/doc/two-side-auth-with-ssl.md 
@@ -0,0 +1,41 @@ + + +[Chinese](zh-cn/two-side-auth-with-ssl.md) + +## Enable client-to-server authentication with ssl certificates + +1. Generate self-signed key pairs, including ca, server, client key pairs. + +2. Replace `cert/two-side-ca.crt` with the ca cert just generated. And replace `cert/two-side-client.crt` and `cert/two-side-client.key` in the same way. + +3. Modify configuration items in `conf/config.yaml`: +```yaml + port_admin: 9180 + https_admin: true + + ssl: + verify_client: true +``` + +4. Run command: +```shell +apisix init +apisix reload +``` \ No newline at end of file diff --git a/doc/zh-cn/two-side-auth-with-ssl.md b/doc/zh-cn/two-side-auth-with-ssl.md new file mode 100644 index 000000000000..c6a169deb6f6 --- /dev/null +++ b/doc/zh-cn/two-side-auth-with-ssl.md @@ -0,0 +1,41 @@ + + +[English](../two-side-auth-with-ssl.md) + +## 开启双向认证 + +1. 生成自签证书对,包括 ca、server、client 证书对。 + +2. 用刚刚生成的证书相应的替换 `cert/two-side-ca.crt`、`cert/two-side-client.crt` 和 `cert/two-side-client.key`。 + +3. 修改 `conf/config.yaml` 中的配置项: +```yaml + port_admin: 9180 + https_admin: true + + ssl: + verify_client: true +``` + +4. 执行命令: +```shell +apisix init +apisix reload +``` \ No newline at end of file From 03487a64a66b9208e32fa92869ee583e3cc4459e Mon Sep 17 00:00:00 2001 
From: nic-chen Date: Mon, 22 Jun 2020 16:39:24 +0800 Subject: [PATCH 18/35] optimize --- .travis.yml | 2 +- ...runner.sh => linux_openresty_mtls_runner.sh} | 0 bin/apisix | 13 +++++-------- ...-two-side-ssl-auth.yaml => config-mtls.yaml} | 8 ++++++-- conf/config.yaml | 8 +++++--- doc/{two-side-auth-with-ssl.md => mtls.md} | 17 +++++++++-------- .../{two-side-auth-with-ssl.md => mtls.md} | 15 ++++++++------- .../cert/two_side_ca.crt => t/certs/mtls_ca.crt | 0 .../certs/mtls_client.crt | 0 .../certs/mtls_client.key | 0 .../certs/mtls_server.crt | 0 .../certs/mtls_server.key | 0 12 files changed, 34 insertions(+), 29 deletions(-) rename .travis/{linux_openresty_two_side_ssl_auth_runner.sh => linux_openresty_mtls_runner.sh} (100%) rename conf/{config-for-two-side-ssl-auth.yaml => config-mtls.yaml} (94%) rename doc/{two-side-auth-with-ssl.md => mtls.md} (64%) rename doc/zh-cn/{two-side-auth-with-ssl.md => mtls.md} (66%) rename conf/cert/two_side_ca.crt => t/certs/mtls_ca.crt (100%) rename conf/cert/two_side_client.crt => t/certs/mtls_client.crt (100%) rename conf/cert/two_side_client.key => t/certs/mtls_client.key (100%) rename conf/cert/two_side_server.crt => t/certs/mtls_server.crt (100%) rename conf/cert/two_side_server.key => t/certs/mtls_server.key (100%) diff --git a/.travis.yml b/.travis.yml index 4351b08d77b9..0be6c527b3d3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,7 +8,7 @@ matrix: - docker env: OSNAME=linux_openresty - os: linux - env: OSNAME=linux_openresty_two_side_ssl_auth + env: OSNAME=linux_openresty_mtls - os: osx env: OSNAME=osx_openresty cache: diff --git a/.travis/linux_openresty_two_side_ssl_auth_runner.sh b/.travis/linux_openresty_mtls_runner.sh similarity index 100% rename from .travis/linux_openresty_two_side_ssl_auth_runner.sh rename to .travis/linux_openresty_mtls_runner.sh diff --git a/bin/apisix b/bin/apisix index 662950084705..6acf8888e18b 100755 --- a/bin/apisix +++ b/bin/apisix 
@@ -291,9 +291,11 @@ http { {%if https_admin then%} listen {* port_admin *} ssl; - {%if ssl.verify_client then%} - ssl_certificate cert/two_side_server.crt; - ssl_certificate_key cert/two_side_server.key; + {%if mtls and mtls.enable then%} + ssl_verify_client on; + ssl_certificate {* mtls.server_cert *}; + ssl_certificate_key {* mtls.server_key *}; + ssl_client_certificate {* mtls.ca_cert *}; {% else %} ssl_certificate cert/apisix_admin_ssl.crt; ssl_certificate_key cert/apisix_admin_ssl.key; @@ -305,11 +307,6 @@ http { ssl_ciphers {* ssl.ssl_ciphers *}; ssl_prefer_server_ciphers on; - {%if ssl.verify_client then%} - ssl_client_certificate cert/two_side_ca.crt; - ssl_verify_client on; - {%end%} - {% else %} listen {* port_admin *}; {%end%} diff --git a/conf/config-for-two-side-ssl-auth.yaml b/conf/config-mtls.yaml similarity index 94% rename from conf/config-for-two-side-ssl-auth.yaml rename to conf/config-mtls.yaml index 13b78bb296ab..05782be11a50 100644 --- a/conf/config-for-two-side-ssl-auth.yaml +++ b/conf/config-mtls.yaml @@ -55,7 +55,12 @@ apisix: # - "::/64" port_admin: 9180 # use a separate port https_admin: true # enable HTTPS when use a separate port for Admin API. - # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. + # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. + mtls: + enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + ca_cert: "../t/certs/mtls_ca.crt" # Path of your self-signed ca cert. + server_key: "../t/certs/mtls_server.key" # Path of your self-signed server side cert. + server_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side key. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. 
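Review bot: The mTLS block is rendered only inside the surrounding `{%if https_admin then%}`, so a config with `mtls.enable: true` but `https_admin` unset never produces the client-certificate check the operator asked for — it silently falls through to the plaintext `listen {* port_admin *};` in the second hunk — and enabling it with the empty default `ca_cert`/`server_cert`/`server_key` only surfaces as an nginx parse error on `ssl_client_certificate ;`. Both states should be rejected with a clear message in the init code that reads the YAML before this template is rendered (outside the hunk), e.g. `if mtls and mtls.enable and not (port_admin and https_admin) then error("mtls for the Admin API requires port_admin and https_admin") end` plus a non-empty check on the three paths; the exact table names depend on how init exposes the config to the template. Since `ssl_verify_client on` is set without `ssl_verify_depth`, nginx's default depth of 1 only accepts client certificates issued directly by `mtls.ca_cert`, which is worth a comment if intermediate CAs are expected.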
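Review bot: The comments on `server_key` and `server_cert` are swapped: `server_key` is annotated "Path of your self-signed server side cert." and `server_cert` "Path of your self-signed server side key.", so an operator following the comments will put the files under the wrong keys. They should read `server_key: "../t/certs/mtls_server.key" # Path of your self-signed server side key.` and `server_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side cert.`. The same swapped pair is copied into the conf/config.yaml `@@ -56,6 +56,11 @@` hunk and into doc/mtls.md and doc/zh-cn/mtls.md in this patch. The `ca_cert` comment should also say that this is the CA against which client certificates are verified, since "self-signed ca cert" does not say which side of the handshake it governs.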
@@ -93,7 +98,6 @@ apisix: listen_port: 9443 ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" - verify_client: true key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! diff --git a/conf/config.yaml b/conf/config.yaml index f13102c42ded..c6768aca5143 100644 --- a/conf/config.yaml +++ b/conf/config.yaml @@ -56,6 +56,11 @@ apisix: # port_admin: 9180 # use a separate port # https_admin: true # enable HTTPS when use a separate port for Admin API. # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. + mtls: + enable: false # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + ca_cert: "" # Path of your self-signed ca cert. + server_key: "" # Path of your self-signed server side cert. + server_cert: "" # Path of your self-signed server side key. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. 
@@ -93,9 +98,6 @@ apisix: listen_port: 9443 ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" - verify_client: false # Enable or disable client-to-server authentication with HTTPS client certificates - # It depends on `port_admin` and `https_admin`, they need to be enable if you want to enable `verify_client`. - # And you need to replace your real certs to `cert/two_side_ca.crt`, `cert/two_side_server.crt` and `cert/two_side_server.key`. key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! diff --git a/doc/two-side-auth-with-ssl.md b/doc/mtls.md similarity index 64% rename from doc/two-side-auth-with-ssl.md rename to doc/mtls.md index 0309078719d9..18d5c714b948 100644 --- a/doc/two-side-auth-with-ssl.md +++ b/doc/mtls.md 
@@ -17,24 +17,25 @@ # --> -[Chinese](zh-cn/two-side-auth-with-ssl.md) +[Chinese](zh-cn/mtls.md) -## Enable client-to-server authentication with ssl certificates +## Enable mutual TLS authentication 1. Generate self-signed key pairs, including ca, server, client key pairs. -2. Replace `cert/two-side-ca.crt` with the ca cert just generated. And replace `cert/two-side-client.crt` and `cert/two-side-client.key` in the same way. - -3. Modify configuration items in `conf/config.yaml`: +2. Modify configuration items in `conf/config.yaml`: ```yaml port_admin: 9180 https_admin: true - ssl: - verify_client: true + mtls: + enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. + server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert. + server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. ``` -4. Run command: +3. Run command: ```shell apisix init apisix reload diff --git a/doc/zh-cn/two-side-auth-with-ssl.md b/doc/zh-cn/mtls.md similarity index 66% rename from doc/zh-cn/two-side-auth-with-ssl.md rename to doc/zh-cn/mtls.md index c6a169deb6f6..e001e36e2675 100644 --- a/doc/zh-cn/two-side-auth-with-ssl.md +++ b/doc/zh-cn/mtls.md 
@@ -17,24 +17,25 @@ # --> -[English](../two-side-auth-with-ssl.md) +[English](../mtls.md) ## 开启双向认证 1. 生成自签证书对,包括 ca、server、client 证书对。 -2. 用刚刚生成的证书相应的替换 `cert/two-side-ca.crt`、`cert/two-side-client.crt` 和 `cert/two-side-client.key`。 - -3. 修改 `conf/config.yaml` 中的配置项: +2. 修改 `conf/config.yaml` 中的配置项: ```yaml port_admin: 9180 https_admin: true - ssl: - verify_client: true + mtls: + enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. + server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert. + server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. ``` -4. 执行命令: +3. 执行命令: ```shell apisix init apisix reload diff --git a/conf/cert/two_side_ca.crt b/t/certs/mtls_ca.crt similarity index 100% rename from conf/cert/two_side_ca.crt rename to t/certs/mtls_ca.crt diff --git a/conf/cert/two_side_client.crt b/t/certs/mtls_client.crt similarity index 100% rename from conf/cert/two_side_client.crt rename to t/certs/mtls_client.crt diff --git a/conf/cert/two_side_client.key b/t/certs/mtls_client.key similarity index 100% rename from conf/cert/two_side_client.key rename to t/certs/mtls_client.key diff --git a/conf/cert/two_side_server.crt b/t/certs/mtls_server.crt similarity index 100% rename from conf/cert/two_side_server.crt rename to t/certs/mtls_server.crt diff --git a/conf/cert/two_side_server.key b/t/certs/mtls_server.key similarity index 100% rename from conf/cert/two_side_server.key rename to t/certs/mtls_server.key From a71cd516ca0ad30d76529fa31ddbe9bda79390be Mon Sep 17 00:00:00 2001 From: nic-chen Date: Mon, 22 Jun 2020 16:41:08 +0800 Subject: [PATCH 19/35] optimize --- .travis/linux_openresty_mtls_runner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index 118c1eafdc8b..c1cea0ceef9d 100755 
--- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -93,7 +93,7 @@ script() { openresty -V sudo service etcd start - mv -f ./conf/config-for-two-side-ssl-auth.yaml ./conf/config.yaml + mv -f ./conf/config-mtls.yaml ./conf/config.yaml ./bin/apisix help ./bin/apisix init From e57b026262232d2dd65ae557c167349ab0d74655 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Mon, 22 Jun 2020 18:13:53 +0800 Subject: [PATCH 20/35] optimize --- .travis/linux_openresty_mtls_runner.sh | 8 +++++++- bin/apisix | 2 +- conf/config.yaml | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index c1cea0ceef9d..d7563865bebe 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -93,7 +93,13 @@ script() { openresty -V sudo service etcd start - mv -f ./conf/config-mtls.yaml ./conf/config.yaml + # enable mtls + sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml + sed -i 's/\# https_admin: true/https_admin: true/' conf/config.yaml + sed -i 's/mtls_enable: false/mtls_enable: true/' conf/config.yaml + sed -i 's/ca_cert: ""/ca_cert: "../t/certs/mtls_ca.crt"/' conf/config.yaml + sed -i 's/server_key: ""/server_key: "../t/certs/mtls_server.key"/' conf/config.yaml + sed -i 's/server_cert: ""/server_cert: "../t/certs/mtls_server.crt"/' conf/config.yaml ./bin/apisix help ./bin/apisix init diff --git a/bin/apisix b/bin/apisix index 6acf8888e18b..c754a46bde4e 100755 --- a/bin/apisix +++ b/bin/apisix @@ -291,7 +291,7 @@ http { {%if https_admin then%} listen {* port_admin *} ssl; - {%if mtls and mtls.enable then%} + {%if mtls and mtls.mtls_enable then%} ssl_verify_client on; ssl_certificate {* mtls.server_cert *}; ssl_certificate_key {* mtls.server_key *}; diff --git a/conf/config.yaml b/conf/config.yaml index c6768aca5143..4be696764108 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
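Review bot: `mtls.mtls_enable` repeats the section name inside the key, which reads oddly next to `ca_cert`/`server_key`/`server_cert` in the same block; `enable` was the clearer name. The rename appears to be driven by the `sed -i 's/mtls_enable: false/mtls_enable: true/'` line in the runner hunk of this same patch, where a bare `enable:` would be ambiguous in config.yaml; anchoring the sed on the mtls block (or editing the YAML with a small script) would avoid letting a CI helper dictate a user-facing config key.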
@@ -57,7 +57,7 @@ apisix: # https_admin: true # enable HTTPS when use a separate port for Admin API. # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. mtls: - enable: false # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + mtls_enable: false # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. ca_cert: "" # Path of your self-signed ca cert. server_key: "" # Path of your self-signed server side cert. server_cert: "" # Path of your self-signed server side key. From f0c21b17fccf032ea6b7cfdfa0b7210ad981b369 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Mon, 22 Jun 2020 21:49:20 +0800 Subject: [PATCH 21/35] fix error --- .travis/linux_openresty_mtls_runner.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index d7563865bebe..c0a9bfe2b237 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -97,9 +97,9 @@ script() { sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml sed -i 's/\# https_admin: true/https_admin: true/' conf/config.yaml sed -i 's/mtls_enable: false/mtls_enable: true/' conf/config.yaml - sed -i 's/ca_cert: ""/ca_cert: "../t/certs/mtls_ca.crt"/' conf/config.yaml - sed -i 's/server_key: ""/server_key: "../t/certs/mtls_server.key"/' conf/config.yaml - sed -i 's/server_cert: ""/server_cert: "../t/certs/mtls_server.crt"/' conf/config.yaml + sed -i 's#ca_cert: ""#ca_cert: "../t/certs/mtls_ca.crt"#' conf/config.yaml + sed -i 's#server_key: ""#server_key: "../t/certs/mtls_server.key"#' conf/config.yaml + sed -i 's#server_cert: ""#server_cert: "../t/certs/mtls_server.crt"#' conf/config.yaml ./bin/apisix help ./bin/apisix init From 9104603874682dba725b6cc1819b4392dd326880 Mon Sep 17 00:00:00 2001 
From: nic-chen Date: Mon, 22 Jun 2020 21:57:21 +0800 Subject: [PATCH 22/35] fix path error --- .travis/linux_openresty_mtls_runner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index c0a9bfe2b237..ec85ee354e84 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -110,7 +110,7 @@ script() { cat logs/error.log - curl --cacert ./conf/cert/two_side_ca.crt --key ./conf/cert/two_side_client.key --cert ./conf/cert/two_side_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes + curl --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes ./bin/apisix stop sleep 1 From beb4d3ea0ebd422162e38c0ecf2feb5133263d06 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Mon, 22 Jun 2020 22:08:51 +0800 Subject: [PATCH 23/35] check http status after call mtls admin api --- .travis/linux_openresty_mtls_runner.sh | 6 +++++- doc/mtls.md | 4 ++-- doc/zh-cn/mtls.md | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index ec85ee354e84..7752c74d4311 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh 
@@ -110,7 +110,11 @@ script() { cat logs/error.log - curl --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes + code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + if [ ! $code -eq 200 ]; then + echo "failed: failed to enabled mtls for admin" + exit 1 + fi ./bin/apisix stop sleep 1 diff --git a/doc/mtls.md b/doc/mtls.md index 18d5c714b948..9743b51ad582 100644 --- a/doc/mtls.md +++ b/doc/mtls.md @@ -32,11 +32,11 @@ enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert. - server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. + server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. ``` 3. Run command: ```shell apisix init apisix reload -``` \ No newline at end of file +``` diff --git a/doc/zh-cn/mtls.md b/doc/zh-cn/mtls.md index e001e36e2675..42f0fb307638 100644 --- a/doc/zh-cn/mtls.md +++ b/doc/zh-cn/mtls.md @@ -39,4 +39,4 @@ ```shell apisix init apisix reload -``` \ No newline at end of file +``` From 1ba44f13da554ec8a7d234d6ee698d4f9a13b02b Mon Sep 17 00:00:00 2001 From: nic-chen Date: Mon, 22 Jun 2020 22:14:11 +0800 Subject: [PATCH 24/35] remove useless config file --- .travis/linux_openresty_mtls_runner.sh | 4 +- conf/config-mtls.yaml | 178 ------------------------- conf/config.yaml | 2 +- doc/mtls.md | 2 +- doc/zh-cn/mtls.md | 2 +- 5 files changed, 5 insertions(+), 183 deletions(-) delete mode 100644 conf/config-mtls.yaml 
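Review bot: The added check only proves the positive path — a server that never rendered `ssl_verify_client on` would answer this same request with 200, so it cannot tell whether client-certificate verification is actually enforced. A companion negative case that keeps `--cacert` but omits the client pair and expects nginx's 400 closes that gap: `code=$(curl -o /dev/null -s -w '%{http_code}' --cacert ./t/certs/mtls_ca.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes); [ "$code" -eq 400 ] || exit 1`. Minor: `-i` does nothing useful with `-o /dev/null`, and `$code` should be quoted in the `[ ]` test. `script()` starts and ends outside the hunk.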
diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index 7752c74d4311..f5774f3a6ef0 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -93,7 +93,7 @@ script() { openresty -V sudo service etcd start - # enable mtls + # enable mTLS sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml sed -i 's/\# https_admin: true/https_admin: true/' conf/config.yaml sed -i 's/mtls_enable: false/mtls_enable: true/' conf/config.yaml @@ -112,7 +112,7 @@ script() { code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) if [ ! $code -eq 200 ]; then - echo "failed: failed to enabled mtls for admin" + echo "failed: failed to enabled mTLS for admin" exit 1 fi diff --git a/conf/config-mtls.yaml b/conf/config-mtls.yaml deleted file mode 100644 index 05782be11a50..000000000000 --- a/conf/config-mtls.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -apisix: - node_listen: 9080 # APISIX listening port - enable_heartbeat: true - enable_admin: true - enable_admin_cors: true # Admin API support CORS response headers. - enable_debug: false - enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true - enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. - enable_ipv6: true - config_center: etcd # etcd: use etcd to store the config value - # yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml` - - #proxy_protocol: # Proxy Protocol configuration - # listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and port_admin. - # This port can only receive http request with proxy protocol, but node_listen & port_admin - # can only receive http request. 
If you enable proxy protocol, you must use this port to - # receive http request with proxy protocol - # listen_https_port: 9182 # The port with proxy protocol for https - # enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option - # enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server - - proxy_cache: # Proxy Caching configuration - cache_ttl: 10s # The default caching time if the upstream does not specify the cache time - zones: # The parameters of a cache - - name: disk_cache_one # The name of the cache, administrator can be specify - # which cache to use by name in the admin api - memory_size: 50m # The size of shared memory, it's used to store the cache index - disk_size: 1G # The size of disk, it's used to store the cache data - disk_path: "/tmp/disk_cache_one" # The path to store the cache data - cache_levels: "1:2" # The hierarchy levels of a cache - # - name: disk_cache_two - # memory_size: 50m - # disk_size: 1G - # disk_path: "/tmp/disk_cache_two" - # cache_levels: "1:2" - - allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow - - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. - # - "::/64" - port_admin: 9180 # use a separate port - https_admin: true # enable HTTPS when use a separate port for Admin API. - # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. - mtls: - enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. - ca_cert: "../t/certs/mtls_ca.crt" # Path of your self-signed ca cert. - server_key: "../t/certs/mtls_server.key" # Path of your self-signed server side cert. - server_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side key. - - # Default token when use API to call for Admin API. - # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. 
- # Disabling this configuration item means that the Admin API does not - # require any authentication. - admin_key: - - - name: "admin" - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin # admin: manage all configuration data - # viewer: only can view configuration data - - - name: "viewer" - key: 4054f7cf07e344346cd3f287985e76a2 - role: viewer - router: - http: 'radixtree_uri' # radixtree_uri: match route by uri(base on radixtree) - # radixtree_host_uri: match route by host + uri(base on radixtree) - ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base on radixtree) - # stream_proxy: # TCP/UDP proxy - # tcp: # TCP proxy port list - # - 9100 - # - 9101 - # udp: # UDP proxy port list - # - 9200 - # - 9211 - # dns_resolver: # If not set, read from `/etc/resolv.conf` - # - 1.1.1.1 - # - 8.8.8.8 - dns_resolver_valid: 30 # valid time for dns result 30 seconds - resolver_timeout: 5 # resolver timeout - ssl: - enable: true - enable_http2: true - listen_port: 9443 - ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" - ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" - key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. - # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC - # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! 
-# discovery: eureka # service discovery center -nginx_config: # config for render the template to genarate nginx.conf - error_log: "logs/error.log" - error_log_level: "warn" # warn,error - worker_rlimit_nofile: 20480 # the number of files a worker process can open, should be larger than worker_connections - event: - worker_connections: 10620 - http: - access_log: "logs/access.log" - keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side. - client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client - client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client - send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed - underscores_in_headers: "on" # default enables the use of underscores in client request header fields - real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header - real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from - - 127.0.0.1 - - 'unix:' - #lua_shared_dicts: # add custom shared cache to nginx.conf - # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` - -etcd: - host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. - - "http://127.0.0.1:2379" # multiple etcd address - prefix: "/apisix" # apisix configurations prefix - timeout: 3 # 3 seconds - -#eureka: -# host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. 
-# - "http://127.0.0.1:8761" -# prefix: "/eureka/" -# fetch_interval: 30 # default 30s -# weight: 100 # default weight for node -# timeout: -# connect: 2000 # default 2000ms -# send: 2000 # default 2000ms -# read: 5000 # default 5000ms - -plugins: # plugin list - - example-plugin - - limit-req - - limit-count - - limit-conn - - key-auth - - basic-auth - - prometheus - - node-status - - jwt-auth - - zipkin - - ip-restriction - - grpc-transcode - - serverless-pre-function - - serverless-post-function - - openid-connect - - proxy-rewrite - - redirect - - response-rewrite - - fault-injection - - udp-logger - - wolf-rbac - - proxy-cache - - tcp-logger - - proxy-mirror - - kafka-logger - - cors - - consumer-restriction - - syslog - - batch-requests - - http-logger - - skywalking - - echo - - authz-keycloak - -stream_plugins: - - mqtt-proxy diff --git a/conf/config.yaml b/conf/config.yaml index 4be696764108..c5c8b3d294c8 100644 --- a/conf/config.yaml +++ b/conf/config.yaml @@ -57,7 +57,7 @@ apisix: # https_admin: true # enable HTTPS when use a separate port for Admin API. # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. mtls: - mtls_enable: false # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + mtls_enable: false # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. ca_cert: "" # Path of your self-signed ca cert. server_key: "" # Path of your self-signed server side cert. server_cert: "" # Path of your self-signed server side key. diff --git a/doc/mtls.md b/doc/mtls.md index 9743b51ad582..518afad7c51f 100644 --- a/doc/mtls.md +++ b/doc/mtls.md 
@@ -29,7 +29,7 @@ https_admin: true mtls: - enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + enable: true # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert. server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. diff --git a/doc/zh-cn/mtls.md b/doc/zh-cn/mtls.md index 42f0fb307638..bb062751d946 100644 --- a/doc/zh-cn/mtls.md +++ b/doc/zh-cn/mtls.md @@ -29,7 +29,7 @@ https_admin: true mtls: - enable: true # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`. + enable: true # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert. server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. From 62b916fab037ed6f37b0ef6f13cd9c7d28d5f817 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Mon, 22 Jun 2020 22:26:01 +0800 Subject: [PATCH 25/35] set default path for mTLS certs --- conf/config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/config.yaml b/conf/config.yaml index c5c8b3d294c8..e4790064dd9c 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
@@ -58,9 +58,9 @@ apisix: # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. mtls: mtls_enable: false # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. - ca_cert: "" # Path of your self-signed ca cert. - server_key: "" # Path of your self-signed server side cert. - server_cert: "" # Path of your self-signed server side key. + ca_cert: "../t/certs/mtls_ca.crt" # Path of your self-signed ca cert. + server_key: "../t/certs/mtls_server.key" # Path of your self-signed server side cert. + server_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side key. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. From 3219d85edcf5f259c93a088be2761517649ddcb3 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Wed, 24 Jun 2020 09:23:50 +0800 Subject: [PATCH 26/35] fix text style --- doc/mtls.md | 2 ++ doc/zh-cn/mtls.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/doc/mtls.md b/doc/mtls.md index 518afad7c51f..92b3f8194f50 100644 --- a/doc/mtls.md +++ b/doc/mtls.md @@ -24,6 +24,7 @@ 1. Generate self-signed key pairs, including ca, server, client key pairs. 2. Modify configuration items in `conf/config.yaml`: + ```yaml port_admin: 9180 https_admin: true @@ -36,6 +37,7 @@ ``` 3. Run command: + ```shell apisix init apisix reload diff --git a/doc/zh-cn/mtls.md b/doc/zh-cn/mtls.md index bb062751d946..d7b1b8f5e649 100644 --- a/doc/zh-cn/mtls.md +++ b/doc/zh-cn/mtls.md @@ -24,6 +24,7 @@ 1. 生成自签证书对,包括 ca、server、client 证书对。 2. 修改 `conf/config.yaml` 中的配置项: + ```yaml port_admin: 9180 https_admin: true @@ -36,6 +37,7 @@ ``` 3. 执行命令: + ```shell apisix init apisix reload From ac826911a797e67030a2247c6e5f16ad03a8f8bb Mon Sep 17 00:00:00 2001 
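Review bot: Defaulting the three paths to `../t/certs/*` makes the shipped config trust the repository's test CA the moment `mtls_enable` is flipped to true, and the matching client key `t/certs/mtls_client.key` is public in the same tree (the CI runner uses it in the earlier hunks), so the client-certificate check would be satisfiable by anyone with a checkout. The paths are also relative to the nginx prefix, and `t/` is not part of an installed deployment. Keep them as `""` and let the CI runner inject the test paths with `sed` as it already does.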
From: nic-chen Date: Wed, 24 Jun 2020 11:38:15 +0800 Subject: [PATCH 27/35] fix: naming --- .travis/linux_openresty_mtls_runner.sh | 6 +++--- bin/apisix | 8 ++++---- conf/config.yaml | 14 +++++++------- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index f5774f3a6ef0..e18e6f237e75 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -97,9 +97,9 @@ script() { sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml sed -i 's/\# https_admin: true/https_admin: true/' conf/config.yaml sed -i 's/mtls_enable: false/mtls_enable: true/' conf/config.yaml - sed -i 's#ca_cert: ""#ca_cert: "../t/certs/mtls_ca.crt"#' conf/config.yaml - sed -i 's#server_key: ""#server_key: "../t/certs/mtls_server.key"#' conf/config.yaml - sed -i 's#server_cert: ""#server_cert: "../t/certs/mtls_server.crt"#' conf/config.yaml + sed -i 's#admin_api_ca_cert: ""#admin_api_ca_cert: "../t/certs/mtls_ca.crt"#' conf/config.yaml + sed -i 's#admin_ssl_cert_key: ""#admin_ssl_cert_key: "../t/certs/mtls_server.key"#' conf/config.yaml + sed -i 's#admin_ssl_cert: ""#admin_ssl_cert: "../t/certs/mtls_server.crt"#' conf/config.yaml ./bin/apisix help ./bin/apisix init diff --git a/bin/apisix b/bin/apisix index c754a46bde4e..c4b2c9bbf13a 100755 --- a/bin/apisix +++ b/bin/apisix 
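Review bot: The first `sed` targets `admin_api_ca_cert`, but the key this same patch introduces in `conf/config.yaml` is `admin_ssl_ca_cert`, so the substitution is a silent no-op. It goes unnoticed here only because the same patch also ships the test paths as defaults, so all three patterns match nothing and the config is right by accident; once the defaults return to `""` the CA path stays empty and the template would render `ssl_client_certificate ;`. Use `sed -i 's#admin_ssl_ca_cert: ""#admin_ssl_ca_cert: "../t/certs/mtls_ca.crt"#' conf/config.yaml`, and follow the seds with a `grep -q` of each expected line so a non-matching pattern fails the job instead of silently testing a different configuration. `script()` starts and ends outside the hunk.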
@@ -291,11 +291,11 @@ http { {%if https_admin then%} listen {* port_admin *} ssl; - {%if mtls and mtls.mtls_enable then%} + {%if admin_api_mtls and admin_api_mtls.mtls_enable then%} ssl_verify_client on; - ssl_certificate {* mtls.server_cert *}; - ssl_certificate_key {* mtls.server_key *}; - ssl_client_certificate {* mtls.ca_cert *}; + ssl_certificate {* admin_api_mtls.admin_ssl_cert *}; + ssl_certificate_key {* admin_api_mtls.admin_ssl_cert_key *}; + ssl_client_certificate {* admin_api_mtls.admin_ssl_ca_cert *}; {% else %} ssl_certificate cert/apisix_admin_ssl.crt; ssl_certificate_key cert/apisix_admin_ssl.key; diff --git a/conf/config.yaml b/conf/config.yaml index e4790064dd9c..759da05a85da 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
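Review bot: `ssl_verify_client on` with only `ssl_client_certificate` accepts every certificate that chains to `admin_ssl_ca_cert` and gives no way to revoke one — there is no `ssl_crl`, so a leaked client key can only be cut off by rotating the CA and re-issuing every client. Nothing ties the presented certificate to a particular caller either; the `X-API-KEY` check remains the only per-caller identity, so the CA configured here must be one dedicated to admin clients rather than an organisation-wide CA whose every leaf would become an admin. Consider rendering an optional `ssl_crl {* admin_api_mtls.admin_ssl_crl *};` next to `ssl_client_certificate` when configured, and add a comment on that directive such as `# every certificate issued by this CA is accepted as an Admin API client`. The enclosing `http {` template block starts and ends outside the hunk.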
@@ -53,14 +53,14 @@ apisix: allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. # - "::/64" - # port_admin: 9180 # use a separate port - # https_admin: true # enable HTTPS when use a separate port for Admin API. + port_admin: 9180 # use a separate port + https_admin: true # enable HTTPS when use a separate port for Admin API. # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. - mtls: - mtls_enable: false # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. - ca_cert: "../t/certs/mtls_ca.crt" # Path of your self-signed ca cert. - server_key: "../t/certs/mtls_server.key" # Path of your self-signed server side cert. - server_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side key. + admin_api_mtls: + mtls_enable: true # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. + admin_ssl_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side cert. + admin_ssl_cert_key: "../t/certs/mtls_server.key" # Path of your self-signed server side key. + admin_ssl_ca_cert: "../t/certs/mtls_ca.crt" # Path of your self-signed ca cert. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. From 586c1bc547f00723c8887e8c23817e3f4f7abe63 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Wed, 24 Jun 2020 13:06:44 +0800 Subject: [PATCH 28/35] more test cases --- .travis/linux_openresty_mtls_runner.sh | 23 ++++++++++++++++++++++- bin/apisix | 5 ++++- conf/config.yaml | 15 +++++++-------- 3 files changed, 33 insertions(+), 10 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index e18e6f237e75..fae89ee88449 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh 
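Review bot: These defaults turn client-certificate verification on for every stock install against the repository's public test CA: `admin_ssl_ca_cert` points at `t/certs/mtls_ca.crt`, and the client certificate and key it signs are checked in next to it (`t/certs/mtls_client.crt`/`.key`, used by the runner), so the check is satisfiable by anyone with a checkout and adds nothing over the default `admin_key` the comment below already warns about. Uncommenting `port_admin`/`https_admin` and setting `mtls_enable: true` also changes default behaviour for existing users, and `../t/certs` will not exist in a packaged deployment, so `apisix init` would presumably produce an unstartable config. Ship `admin_ssl_cert: ""`, `admin_ssl_cert_key: ""` and `admin_ssl_ca_cert: ""` with `mtls_enable: false` and the two admin options commented out again, and keep the test wiring in the CI runner.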
@@ -109,13 +109,34 @@ script() { sleep 1 cat logs/error.log - + # correct certs code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) if [ ! $code -eq 200 ]; then echo "failed: failed to enabled mTLS for admin" exit 1 fi + # no certs + code=$(curl -i -o /dev/null -s -w %{http_code} -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + if [ ! $code -eq 000 ]; then + echo "failed: failed to enabled mTLS for admin" + exit 1 + fi + + # no ca cert + code=$(curl -i -o /dev/null -s -w %{http_code} --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + if [ ! $code -eq 000 ]; then + echo "failed: failed to enabled mTLS for admin" + exit 1 + fi + + # error key + code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_server.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + if [ ! $code -eq 000 ]; then + echo "failed: failed to enabled mTLS for admin" + exit 1 + fi + ./bin/apisix stop sleep 1 diff --git a/bin/apisix b/bin/apisix index c4b2c9bbf13a..f23410090c7b 100755 --- a/bin/apisix +++ b/bin/apisix 
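Review bot: None of the three new negative cases exercises the server's client-certificate check — each fails inside curl before nginx gets to decide, so the `000` they expect would appear even with `ssl_verify_client` off. "no certs" and "no ca cert" omit `--cacert`, so curl rejects the self-signed server certificate; "error key" pairs `mtls_server.key` with `mtls_client.crt`, which curl refuses to load as a mismatched pair. A server-side negative keeps `--cacert` and omits the client pair, expecting nginx's 400: `code=$(curl -o /dev/null -s -w '%{http_code}' --cacert ./t/certs/mtls_ca.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)` followed by `[ "$code" -eq 400 ] || exit 1`; a second case presenting a client certificate issued by a different CA would cover the verification-failure path. The four checks also share the message `failed to enabled mTLS for admin`, so a failure does not say which case broke — give each its own. `script()` starts and ends outside the hunk.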
@@ -291,7 +291,10 @@ http { {%if https_admin then%} listen {* port_admin *} ssl; - {%if admin_api_mtls and admin_api_mtls.mtls_enable then%} + {%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and + admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and + admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" + then%} ssl_verify_client on; ssl_certificate {* admin_api_mtls.admin_ssl_cert *}; ssl_certificate_key {* admin_api_mtls.admin_ssl_cert_key *}; diff --git a/conf/config.yaml b/conf/config.yaml index 759da05a85da..0baea596c8b1 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
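Review bot: Dropping `mtls_enable` from the condition leaves client-certificate verification with no explicit switch and a fail-open failure mode: if an operator sets two of the three paths, or typos the third key, the branch is silently skipped and the Admin API comes up under `https_admin` with the bundled `cert/apisix_admin_ssl.*` and no client verification — the opposite of what they configured. Partial configuration should be rejected in `apisix init` before the template is rendered: if any of `admin_ssl_cert`, `admin_ssl_cert_key`, `admin_ssl_ca_cert` is non-empty, require all three and abort with a clear message otherwise, or restore `mtls_enable` as the switch and treat a missing path as an error. The CI runner's `sed -i 's/mtls_enable: false/mtls_enable: true/'` now matches nothing, which is a hint that the switch was still expected. The enclosing `http {` template block starts and ends outside the hunk.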
@@ -53,14 +53,13 @@ apisix: allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. # - "::/64" - port_admin: 9180 # use a separate port - https_admin: true # enable HTTPS when use a separate port for Admin API. - # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. - admin_api_mtls: - mtls_enable: true # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. - admin_ssl_cert: "../t/certs/mtls_server.crt" # Path of your self-signed server side cert. - admin_ssl_cert_key: "../t/certs/mtls_server.key" # Path of your self-signed server side key. - admin_ssl_ca_cert: "../t/certs/mtls_ca.crt" # Path of your self-signed ca cert. + # port_admin: 9180 # use a separate port + # https_admin: true # enable HTTPS when use a separate port for Admin API. + # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. + admin_api_mtls: # Depends on `port_admin` and `https_admin`. + admin_ssl_cert: "" # Path of your self-signed server side cert. + admin_ssl_cert_key: "" # Path of your self-signed server side key. + admin_ssl_ca_cert: "" # Path of your self-signed ca cert. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. From b9591f054dff1e188fe533c502d7a582f2f2d693 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Wed, 24 Jun 2020 14:03:57 +0800 Subject: [PATCH 29/35] fix lint check --- .travis/linux_openresty_mtls_runner.sh | 11 +++++++++-- bin/apisix | 6 +++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index fae89ee88449..48348e4c2912 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh 
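Review bot: With `mtls_enable` gone, the comment on `admin_api_mtls` no longer tells an operator how the feature is switched on, and three empty strings read like optional values rather than an all-or-nothing set. State the contract in the comment: `admin_api_mtls: # Admin API mTLS. Requires port_admin and https_admin; client certificates are verified only when all three paths below are set.` Worth adding on `admin_ssl_cert_key` that the file must be readable by the nginx master only, since the template hands the path straight to `ssl_certificate_key`.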
@@ -109,7 +109,7 @@ script() { sleep 1 cat logs/error.log - # correct certs + # correct certs code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) if [ ! $code -eq 200 ]; then echo "failed: failed to enabled mTLS for admin" @@ -123,7 +123,7 @@ script() { exit 1 fi - # no ca cert + # no ca cert code=$(curl -i -o /dev/null -s -w %{http_code} --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) if [ ! $code -eq 000 ]; then echo "failed: failed to enabled mTLS for admin" @@ -137,6 +137,13 @@ script() { exit 1 fi + # skip + code=$(curl -i -o /dev/null -s -w %{http_code} -k -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + if [ ! $code -eq 400 ]; then + echo "failed: failed to enabled mTLS for admin" + exit 1 + fi + ./bin/apisix stop sleep 1 diff --git a/bin/apisix b/bin/apisix index f23410090c7b..358568cef416 100755 --- a/bin/apisix +++ b/bin/apisix @@ -291,9 +291,9 @@ http { {%if https_admin then%} listen {* port_admin *} ssl; - {%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and - admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and - admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" + {%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and + admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and + admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" then%} ssl_verify_client on; ssl_certificate {* admin_api_mtls.admin_ssl_cert *}; From d4793706b6c81cac87f42287eefa9d87ab051d10 Mon Sep 17 00:00:00 2001 
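Review bot: The comment `# skip` hides the fact that this is the one check in the script that proves the server rejects a connection without a client certificate — with `-k` curl accepts the self-signed server cert, so the 400 here can only come from nginx's `ssl_verify_client on` ("No required SSL certificate was sent"). Name it accordingly, e.g. `# no client cert (server cert unverified): nginx must reject with 400`, and give it its own failure message instead of the shared `failed to enabled mTLS for admin`. `script()` starts and ends outside the hunk.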
From: nic-chen Date: Wed, 24 Jun 2020 14:53:26 +0800 Subject: [PATCH 30/35] fix error --- .travis/linux_openresty_mtls_runner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index 48348e4c2912..98a9d53856cd 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -97,7 +97,7 @@ script() { sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml sed -i 's/\# https_admin: true/https_admin: true/' conf/config.yaml sed -i 's/mtls_enable: false/mtls_enable: true/' conf/config.yaml - sed -i 's#admin_api_ca_cert: ""#admin_api_ca_cert: "../t/certs/mtls_ca.crt"#' conf/config.yaml + sed -i 's#admin_ssl_ca_cert: ""#admin_ssl_ca_cert: "../t/certs/mtls_ca.crt"#' conf/config.yaml sed -i 's#admin_ssl_cert_key: ""#admin_ssl_cert_key: "../t/certs/mtls_server.key"#' conf/config.yaml sed -i 's#admin_ssl_cert: ""#admin_ssl_cert: "../t/certs/mtls_server.crt"#' conf/config.yaml From 450e92666c19ed3757224a89bda00c2c75df152d Mon Sep 17 00:00:00 2001 From: nic-chen Date: Wed, 24 Jun 2020 15:10:54 +0800 Subject: [PATCH 31/35] test --- .travis/linux_openresty_mtls_runner.sh | 40 +++++++++++++------------- conf/config.yaml | 4 +-- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index 98a9d53856cd..4bc4de0ff2e7 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh 
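Review bot: This one-word fix is exactly the failure mode `sed -i` invites: a pattern that matches nothing exits 0, so between the previous patches the CA path stayed `""`, the template's all-three-set condition was false, and the Admin API ran without client verification — presumably the `-k` 400 check is what surfaced it. Guard the substitutions so a stale key name fails fast, e.g. after the seds `grep -q 'admin_ssl_ca_cert: "../t/certs/mtls_ca.crt"' conf/config.yaml || { echo 'mTLS config not applied'; exit 1; }`, and likewise for the cert and key lines. The `mtls_enable` substitution two lines up is already such a dead pattern, since patch 28 removed that key from `conf/config.yaml`. `script()` starts and ends outside the hunk.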
@@ -116,26 +116,26 @@ script() { exit 1 fi - # no certs - code=$(curl -i -o /dev/null -s -w %{http_code} -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) - if [ ! $code -eq 000 ]; then - echo "failed: failed to enabled mTLS for admin" - exit 1 - fi - - # no ca cert - code=$(curl -i -o /dev/null -s -w %{http_code} --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) - if [ ! $code -eq 000 ]; then - echo "failed: failed to enabled mTLS for admin" - exit 1 - fi - - # error key - code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_server.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) - if [ ! $code -eq 000 ]; then - echo "failed: failed to enabled mTLS for admin" - exit 1 - fi + # # no certs + # code=$(curl -i -o /dev/null -s -w %{http_code} -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + # if [ ! $code -eq 000 ]; then + # echo "failed: failed to enabled mTLS for admin" + # exit 1 + # fi + + # # no ca cert + # code=$(curl -i -o /dev/null -s -w %{http_code} --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + # if [ ! $code -eq 000 ]; then + # echo "failed: failed to enabled mTLS for admin" + # exit 1 + # fi + + # # error key + # code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_server.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) + # if [ ! 
$code -eq 000 ]; then + # echo "failed: failed to enabled mTLS for admin" + # exit 1 + # fi # skip code=$(curl -i -o /dev/null -s -w %{http_code} -k -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) diff --git a/conf/config.yaml b/conf/config.yaml index 0baea596c8b1..a1f52d21f5c6 100644 --- a/conf/config.yaml +++ b/conf/config.yaml @@ -58,8 +58,8 @@ apisix: # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. admin_api_mtls: # Depends on `port_admin` and `https_admin`. admin_ssl_cert: "" # Path of your self-signed server side cert. - admin_ssl_cert_key: "" # Path of your self-signed server side key. - admin_ssl_ca_cert: "" # Path of your self-signed ca cert. + admin_ssl_cert_key: "" # Path of your self-signed server side key. + admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates. # Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. From 988253c1f901b26760a3ceb80d3e847c20d1a635 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Wed, 24 Jun 2020 16:20:51 +0800 Subject: [PATCH 32/35] update doc for admin api mTLS --- doc/mtls.md | 20 +++++++++++++++++++- doc/zh-cn/mtls.md | 20 ++++++++++++++++++-- 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/doc/mtls.md b/doc/mtls.md index 92b3f8194f50..dca4dbc19409 100644 --- a/doc/mtls.md +++ b/doc/mtls.md @@ -19,7 +19,15 @@ [Chinese](zh-cn/mtls.md) -## Enable mutual TLS authentication +## Mutual TLS authentication + +### Why use it + +Mutual TLS authentication provides a better way to prevent unauthorized access to APISIX. + +The clients will provide their certificates to the server and the server will check whether the cert is signed by the supplied CA and decide whether to serve the request. + +### How to enable 1. Generate self-signed key pairs, including ca, server, client key pairs. 
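Review bot: Commenting the three negative cases out leaves dead code and, more importantly, drops all but one check that the server actually rejects bad clients; the reason they misbehaved is that each fails inside curl — a missing `--cacert` makes curl reject the self-signed server cert, and `mtls_server.key` paired with `mtls_client.crt` is refused as a mismatched key — so they never reached nginx's `ssl_verify_client` in the first place. Delete the block and replace it with server-side negatives that keep `--cacert ./t/certs/mtls_ca.crt`: one with no `--key/--cert` and one presenting a client certificate issued by a different CA, both expecting 400. The `# skip` case that follows already covers the first, so adding the foreign-CA case may be enough. `script()` starts and ends outside the hunk.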
@@ -42,3 +50,13 @@ apisix init apisix reload ``` + +### How client calls + +Please replace the following certificate paths and domain name with your real ones. + +* Note: The same CA certificate as the server needs to be used * + +```shell +curl --cacert /data/certs/mtls_ca.crt --key /data/certs/mtls_client.key --cert /data/certs/mtls_client.crt https://admin.apisix.dev:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' +``` diff --git a/doc/zh-cn/mtls.md b/doc/zh-cn/mtls.md index d7b1b8f5e649..8654d5994626 100644 --- a/doc/zh-cn/mtls.md +++ b/doc/zh-cn/mtls.md @@ -19,7 +19,13 @@ [English](../mtls.md) -## 开启双向认证 +## 双向认证 + +### 为什么使用 + +双向认证可以更好的防止未经授权访问 APISIX ,客户端将向服务器提供其证书,服务器将检查证书是否由提供的 CA 签名并决定是否响应请求。 + +### 如何开启 1. 生成自签证书对,包括 ca、server、client 证书对。 @@ -31,7 +37,7 @@ mtls: enable: true # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`. - ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. + ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed CA cert. server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert. server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key. ``` @@ -42,3 +48,13 @@ apisix init apisix reload ``` + +### 客户端如何调用 + +请将以下证书及域名替换为您的真实内容。 + +* 注意:需要和服务器使用相同的 CA 证书 * + +```shell +curl --cacert /data/certs/mtls_ca.crt --key /data/certs/mtls_client.key --cert /data/certs/mtls_client.crt https://admin.apisix.dev:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' +``` From 473a59b23275a1defb938b4151390135462037ac Mon Sep 17 00:00:00 2001 From: nic-chen Date: Thu, 16 Jul 2020 11:33:13 +0800 Subject: [PATCH 33/35] fix lint --- bin/apisix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/apisix b/bin/apisix index 58bcfb5c9b2e..3a2ee6c9ce87 100755 --- a/bin/apisix +++ b/bin/apisix 
@@ -302,7 +302,7 @@ http { ssl_certificate cert/apisix_admin_ssl.crt; ssl_certificate_key cert/apisix_admin_ssl.key; {%end%} - + ssl_session_cache shared:SSL:20m; ssl_protocols {* ssl.ssl_protocols *}; ssl_ciphers {* ssl.ssl_ciphers *}; From a68913208222ad7f74637791c6206795bcf0d980 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Thu, 16 Jul 2020 20:26:34 +0800 Subject: [PATCH 34/35] fix etcd version --- .travis/linux_openresty_mtls_runner.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index 4bc4de0ff2e7..bb922b95af61 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -91,7 +91,12 @@ script() { export_or_prefix export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH openresty -V - sudo service etcd start + sudo service etcd stop + mkdir -p ~/etcd-data + /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 & + etcd --version + sleep 5 + # enable mTLS sed -i 's/\# port_admin: 9180/port_admin: 9180/' conf/config.yaml From b0838e87468ad42ed09ac1bba9bd8536685246f3 Mon Sep 17 00:00:00 2001 From: nic-chen Date: Fri, 17 Jul 2020 16:30:05 +0800 Subject: [PATCH 35/35] run mTLS test cases with github ations --- .github/workflows/build.yml | 2 +- .travis.yml | 4 ---- .travis/linux_openresty_mtls_runner.sh | 3 +++ 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5d9712bb7b98..c46c97f95aa0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
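Review bot: The hand-started etcd in .travis/linux_openresty_mtls_runner.sh binds its client port on every interface (`--listen-client-urls 'http://0.0.0.0:2379'`) with no authentication, while everything in this runner talks to it from the same host; using `http://127.0.0.1:2379` for both `--listen-client-urls` and `--advertise-client-urls` gives the same test coverage without exposing an unauthenticated datastore on the CI machine. The `sleep 5` that follows is a fixed delay rather than a readiness check, so a slow runner can reach the tests before etcd accepts connections; polling its `/health` endpoint with a bounded retry loop until it answers would be more reliable than the sleep. Sending etcd's output to `/dev/null` also discards the only log that would explain a startup failure, so something like `> ~/etcd-data/etcd.log 2>&1` is worth keeping instead. The `script()` function enclosing this hunk starts and ends outside it.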
@@ -12,7 +12,7 @@ jobs: fail-fast: false matrix: platform: [ubuntu-18.04] - os_name: [linux_openresty, linux_tengine, linux_apisix_master_luarocks, linux_apisix_current_luarocks] + os_name: [linux_openresty, linux_tengine, linux_apisix_master_luarocks, linux_apisix_current_luarocks, linux_openresty_mtls] include: - platform: macos-latest os_name: osx_openresty diff --git a/.travis.yml b/.travis.yml index e03d3c87ef61..ebb3e6929969 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,8 +5,6 @@ matrix: allow_failures: - os: osx include: - - os: linux - env: OSNAME=linux_openresty_mtls - os: osx env: OSNAME=osx_openresty cache: @@ -28,8 +26,6 @@ addons: - etcd homebrew: update: true - hosts: - - admin.apisix.dev cache: diff --git a/.travis/linux_openresty_mtls_runner.sh b/.travis/linux_openresty_mtls_runner.sh index bb922b95af61..8b7e035e73b2 100755 --- a/.travis/linux_openresty_mtls_runner.sh +++ b/.travis/linux_openresty_mtls_runner.sh @@ -114,6 +114,9 @@ script() { sleep 1 cat logs/error.log + + echo "127.0.0.1 admin.apisix.dev" | sudo tee -a /etc/hosts + # correct certs code=$(curl -i -o /dev/null -s -w %{http_code} --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes) if [ ! $code -eq 200 ]; then
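Review bot: The added `echo "127.0.0.1 admin.apisix.dev" | sudo tee -a /etc/hosts` in .travis/linux_openresty_mtls_runner.sh appends unconditionally, so every run on a reused host adds another duplicate entry; guarding it, `grep -q 'admin.apisix.dev' /etc/hosts || echo "127.0.0.1 admin.apisix.dev" | sudo tee -a /etc/hosts`, makes the step idempotent. This line now replaces the `hosts:` addon removed from .travis.yml in the same commit, so it is the only thing that makes the hostname used by the mTLS curl checks resolve; a one-line comment such as `# admin.apisix.dev must resolve locally for the mTLS checks below (replaces the travis hosts addon)` would save the next reader the archaeology. The `script()` function enclosing this hunk starts outside it.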
