feat: Support admin API authentication with SSL certificates

.travis.yml

@@ -7,6 +7,8 @@ matrix:
       services:
         - docker
       env: OSNAME=linux_openresty
+    - os: linux
+      env: OSNAME=linux_openresty_mtls
     - os: osx
       env: OSNAME=osx_openresty
       cache:
@@ -40,6 +42,8 @@ addons:
       - etcd
   homebrew:
     update: true
+  hosts:
+    - admin.apisix.dev
 
 cache:
   directories:

.travis/linux_openresty_mtls_runner.sh

@@ -0,0 +1,167 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -ex
+
+export_or_prefix() {
+    export OPENRESTY_PREFIX="/usr/local/openresty-debug"
+}
+
+create_lua_deps() {
+    echo "Create lua deps cache"
+
+    make deps
+    luarocks install luacov-coveralls --tree=deps --local > build.log 2>&1 || (cat build.log && exit 1)
+
+    sudo rm -rf build-cache/deps
+    sudo cp -r deps build-cache/
+    sudo cp rockspec/apisix-master-0.rockspec build-cache/
+}
+
+before_install() {
+    sudo cpanm --notest Test::Nginx >build.log 2>&1 || (cat build.log && exit 1)
+}
+
+do_install() {
+    export_or_prefix
+
+    wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+    sudo apt-get -y update --fix-missing
+    sudo apt-get -y install software-properties-common
+    sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"
+    sudo add-apt-repository -y ppa:longsleep/golang-backports
+
+    sudo apt-get update
+    sudo apt-get install openresty-debug lua5.1 liblua5.1-0-dev
+
+    wget https://github.com/luarocks/luarocks/archive/v2.4.4.tar.gz
+    tar -xf v2.4.4.tar.gz
+    cd luarocks-2.4.4
+    ./configure --prefix=/usr > build.log 2>&1 || (cat build.log && exit 1)
+    make build > build.log 2>&1 || (cat build.log && exit 1)
+    sudo make install > build.log 2>&1 || (cat build.log && exit 1)
+    cd ..
+    rm -rf luarocks-2.4.4
+
+    sudo luarocks install luacheck > build.log 2>&1 || (cat build.log && exit 1)
+
+
+    if [ ! -f "build-cache/apisix-master-0.rockspec" ]; then
+        create_lua_deps
+
+    else
+        src=`md5sum rockspec/apisix-master-0.rockspec | awk '{print $1}'`
+        src_cp=`md5sum build-cache/apisix-master-0.rockspec | awk '{print $1}'`
+        if [ "$src" = "$src_cp" ]; then
+            echo "Use lua deps cache"
+            sudo cp -r build-cache/deps ./
+        else
+            create_lua_deps
+        fi
+    fi
+
+    # sudo apt-get install tree -y
+    # tree deps
+
+    git clone https://github.com/iresty/test-nginx.git test-nginx
+    make utils
+
+    git clone https://github.com/apache/openwhisk-utilities.git .travis/openwhisk-utilities
+    cp .travis/ASF* .travis/openwhisk-utilities/scancode/
+
+    ls -l ./
+}
+
+script() {
+    export_or_prefix
+    export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
+    openresty -V
+    sudo service etcd start
+
+    # enable mTLS
+    sed  -i 's/\# port_admin: 9180/port_admin: 9180/'  conf/config.yaml
+    sed  -i 's/\# https_admin: true/https_admin: true/'  conf/config.yaml
+    sed  -i 's/mtls_enable: false/mtls_enable: true/'  conf/config.yaml
+    sed  -i 's#admin_api_ca_cert: ""#admin_api_ca_cert: "../t/certs/mtls_ca.crt"#'  conf/config.yaml
+    sed  -i 's#admin_ssl_cert_key: ""#admin_ssl_cert_key: "../t/certs/mtls_server.key"#'  conf/config.yaml
+    sed  -i 's#admin_ssl_cert: ""#admin_ssl_cert: "../t/certs/mtls_server.crt"#'  conf/config.yaml
+
+    ./bin/apisix help
+    ./bin/apisix init
+    ./bin/apisix init_etcd
+    ./bin/apisix start
+
+    sleep 1
+    cat logs/error.log
+
+    # correct certs 
+    code=$(curl -i -o /dev/null -s -w %{http_code}  --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 200 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
+    # no certs
+    code=$(curl -i -o /dev/null -s -w %{http_code} -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 000 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
+    # no ca cert 
+    code=$(curl -i -o /dev/null -s -w %{http_code} --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 000 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
+    # error key
+    code=$(curl -i -o /dev/null -s -w %{http_code}  --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_server.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 000 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
+    ./bin/apisix stop
+    sleep 1
+
+    make lint && make license-check || exit 1
+}
+
+after_success() {
+    cat luacov.stats.out
+    luacov-coveralls
+}
+
+case_opt=$1
+shift
+
+case ${case_opt} in
+before_install)
+    before_install "$@"
+    ;;
+do_install)
+    do_install "$@"
+    ;;
+script)
+    script "$@"
+    ;;
+after_success)
+    after_success "$@"
+    ;;
+esac

bin/apisix

@@ -290,13 +290,26 @@ http {
     server {
         {%if https_admin then%}
         listen {* port_admin *} ssl;
+
+        {%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and 
+         admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and 
+         admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" 
+        then%}
+        ssl_verify_client on;
+        ssl_certificate      {* admin_api_mtls.admin_ssl_cert *};
+        ssl_certificate_key  {* admin_api_mtls.admin_ssl_cert_key *};
+        ssl_client_certificate {* admin_api_mtls.admin_ssl_ca_cert *};
+        {% else %}
         ssl_certificate      cert/apisix_admin_ssl.crt;
         ssl_certificate_key  cert/apisix_admin_ssl.key;
+        {%end%}
+
         ssl_session_cache    shared:SSL:1m;
 
         ssl_protocols {* ssl.ssl_protocols *};
         ssl_ciphers {* ssl.ssl_ciphers *};
         ssl_prefer_server_ciphers on;
+
         {% else %}
         listen {* port_admin *};
         {%end%}

conf/config.yaml

@@ -55,7 +55,11 @@ apisix:
   #   - "::/64"
   # port_admin: 9180              # use a separate port
   # https_admin: true             # enable HTTPS when use a separate port for Admin API.
-                                  # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+                                # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+  admin_api_mtls:               # Depends on `port_admin` and `https_admin`.
+    admin_ssl_cert: ""             # Path of your self-signed server side cert.
+    admin_ssl_cert_key: ""              # Path of your self-signed server side key.
+    admin_ssl_ca_cert: ""                     # Path of your self-signed ca cert.
 
   # Default token when use API to call for Admin API.
   # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.

doc/mtls.md

@@ -0,0 +1,44 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+[Chinese](zh-cn/mtls.md)
+
+## Enable mutual TLS authentication
+
+1. Generate self-signed key pairs, including ca, server, client key pairs.
+
+2. Modify configuration items in `conf/config.yaml`:
+
+```yaml
+  port_admin: 9180
+  https_admin: true
+
+  mtls:
+    enable: true               # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`.
+    ca_cert: "/data/certs/mtls_ca.crt"                 # Path of your self-signed ca cert.
+    server_key: "/data/certs/mtls_server.key"          # Path of your self-signed server side cert.
+    server_cert: "/data/certs/mtls_server.crt"         # Path of your self-signed server side key.
+```
+
+3. Run command:
+
+```shell
+apisix init
+apisix reload
+```

doc/zh-cn/mtls.md

@@ -0,0 +1,44 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+[English](../mtls.md)
+
+## 开启双向认证
+
+1. 生成自签证书对，包括 ca、server、client 证书对。
+
+2. 修改 `conf/config.yaml` 中的配置项:
+
+```yaml
+  port_admin: 9180
+  https_admin: true
+
+  mtls:
+    enable: true               # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`.
+    ca_cert: "/data/certs/mtls_ca.crt"                 # Path of your self-signed ca cert.
+    server_key: "/data/certs/mtls_server.key"          # Path of your self-signed server side cert.
+    server_cert: "/data/certs/mtls_server.crt"         # Path of your self-signed server side key.
+```
+
+3. 执行命令:
+
+```shell
+apisix init
+apisix reload
+```

t/certs/mtls_ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjICCQDmBdlKmGaJITANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJj
+bjESMBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoM
+BGFwaTcxDDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0y
+MDA2MjAxMzEzNDFaFw0zMDA2MTgxMzEzNDFaMGcxCzAJBgNVBAYTAmNuMRIwEAYD
+VQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTENMAsGA1UECgwEYXBpNzEM
+MAoGA1UECwwDb3BzMRYwFAYDVQQDDA1jYS5hcGlzaXguZGV2MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAun+Gq/bp7CcZ9i5ZdjuCvyZVXsiAaBELVi/Q
+QQtC90z5aQyWudTPB1Lcpk5HosbT73eHh03hFCRMFv6Miase1T59KJ4zGSFKoFEr
+j2cbNmWFJEhTGce1pn52zMzZrXERYhKBA0n4bwHK/IND0XeEZ2RQPtGnGBqj3vKL
+3px+mOzIeMy4VMSkIkL2jlgo5jN0IjQIsvHRSrhIWzFhr6qtIJhuh0oI6gs+/yvA
+vspGeVFtIg/1PY3bOgFfhJg08/Aw7vgMjmADypEbBabLaWOZ8RZ3Ci2is6cL/1wX
+Sr8OIIBXTmTGmXEuSsMsBgC7BFwEY4XEsGx8QQJsrh1dSf2t0QIDAQABMA0GCSqG
+SIb3DQEBBQUAA4IBAQCKC98wWieC66NHAYb9ICOwr+XTmoFABpFNaM4bPXMD4IUq
+BaMGfBh92e4ANz2bm1D3J0ZNH3TVC7OhF2ymi6wSMde/Ygkh5xu2HgTEX2QTDQVd
+J27jwEIe45VLdvuu33jvE/iNNQHI6J6zP45gs/FS+CwMoYRnNcC+428YUf9XMcgM
+UkeMOnnkhw1OUzmoACY705hAEAPFbb7KkQ109lgbh6cucMy7Nw/N1t6Pyuxlqteg
+d8Wy6VFYPRRK43dYoA9B0yvsZCERvxgR1IrDjo0B2wIDzM4eM6ldLfnr8pPnBFfS
+g/Pdo6VZsXeSv3o00lBEY/25Vqxn3sPBK4E7a+mX
+-----END CERTIFICATE-----