From d5b12fb122bbce9bafd918d709726b4718cb4b41 Mon Sep 17 00:00:00 2001
From: Traky Deng
Date: Tue, 6 Jun 2023 16:55:53 +0800
Subject: [PATCH 01/23] Update config-default.yaml
---
 conf/config-default.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index d41df397b9e5..3d9e7f41fde8 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -14,22 +14,21 @@ # See the License for the specific language governing permissions and # limitations under the License. # -# PLEASE DO NOT UPDATE THIS FILE! -# If you want to set the specified configuration value, you can set the new -# value in the conf/config.yaml file. +# CAUTION: DO NOT MODIFY DEFAULT CONFIGURATIONS IN THIS FILE +# You should keep custom configurations in conf/config.yaml. # apisix: - # node_listen: 9080 # APISIX listening port - node_listen: # This style support multiple ports + # node_listen: 9080 # APISIX listening port (single) + node_listen: # APISIX listening ports (multiple) - 9080 # - port: 9081 - # enable_http2: true # If not set, the default value is `false`. - # - ip: 127.0.0.2 # Specific IP, If not set, the default value is `0.0.0.0`. + # enable_http2: true # If not set, default to `false` + # - ip: 127.0.0.2 # If not set, default to `0.0.0.0` # port: 9082 # enable_http2: true enable_admin: true - enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true + enable_dev_mode: false # Set nginx worker_processes to 1 if set to true enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code enable_ipv6: true
From 136a54af911776faee246791b7b8791786ca10ce Mon Sep 17 00:00:00 2001
From: Traky Deng
Date: Wed, 7 Jun 2023 11:43:25 +0800
Subject: [PATCH 02/23] Update config-default.yaml
---
 conf/config-default.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 3d9e7f41fde8..5d4624e95685 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -19,8 +19,8 @@ # apisix: - # node_listen: 9080 # APISIX listening port (single) - node_listen: # APISIX listening ports (multiple) + # node_listen: 9080 # APISIX listening port, if single + node_listen: # APISIX listening ports, if multiple - 9080 # - port: 9081 # enable_http2: true # If not set, default to `false`
@@ -28,7 +28,7 @@ apisix: # port: 9082 # enable_http2: true enable_admin: true - enable_dev_mode: false # Set nginx worker_processes to 1 if set to true + enable_dev_mode: false # Set nginx worker_processes to 1 if true enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code enable_ipv6: true
From 0ef5fbbb4db2bf42fb6a1d446285a048fd46338b Mon Sep 17 00:00:00 2001
From: Traky Deng
Date: Wed, 7 Jun 2023 16:10:49 +0800
Subject: [PATCH 03/23] Update config-default.yaml
---
 conf/config-default.yaml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 5d4624e95685..d56a20254da5 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -19,8 +19,8 @@ # apisix: - # node_listen: 9080 # APISIX listening port, if single - node_listen: # APISIX listening ports, if multiple + # node_listen: 9080 # Single APISIX listening port + node_listen: # Multiple APISIX listening ports - 9080 # - port: 9081 # enable_http2: true # If not set, default to `false`
@@ -28,9 +28,9 @@ apisix: # port: 9082 # enable_http2: true enable_admin: true - enable_dev_mode: false # Set nginx worker_processes to 1 if true - enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. - show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code + enable_dev_mode: false # If true, nginx worker_processes will be set to 1 + enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled + show_upstream_status_in_response_header: false # If true, show upstream HTTP status code in the response header `X-APISIX-Upstream-Status` enable_ipv6: true #proxy_protocol: # Proxy Protocol configuration
@@ -40,9 +40,9 @@ apisix: # receive http request with proxy protocol # listen_https_port: 9182 # The port with proxy protocol for https # enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option - # enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server + # enable_tcp_pp_to_upstream: true # Enable the proxy protocol to the upstream server enable_server_tokens: true # Whether the APISIX version number should be shown in Server header. - # It's enabled by default. + # True by default. # configurations to load third party code and/or override the builtin one. extra_lua_path: "" # extend lua_package_path to load third party code
@@ -213,18 +213,18 @@ nginx_config: # config for render the template to generate n #custom_lua_shared_dict: # add custom shared cache to nginx.conf # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` - # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) + # Enable or disable passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) # when establishing a connection with the proxied HTTPS server. proxy_ssl_server_name: true upstream: - keepalive: 320 # Sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. + keepalive: 320 # Set the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. # When this number is exceeded, the least recently used connections are closed. - keepalive_requests: 1000 # Sets the maximum number of requests that can be served through one keepalive connection. + keepalive_requests: 1000 # Set the maximum number of requests that can be served through one keepalive connection. # After the maximum number of requests is made, the connection is closed. - keepalive_timeout: 60s # Sets a timeout during which an idle keepalive connection to an upstream server will stay open. + keepalive_timeout: 60s # Set a timeout during which an idle keepalive connection to an upstream server will stay open. charset: utf-8 # Adds the specified charset to the "Content-Type" response header field, see # http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset - variables_hash_max_size: 2048 # Sets the maximum size of the variables hash table. + variables_hash_max_size: 2048 # Set the maximum size of the variables hash table. lua_shared_dict: internal-status: 10m
From 27e5688720812b3d95dfdf4e305d3626efdfe3c2 Mon Sep 17 00:00:00 2001
From: Traky Deng
Date: Thu, 8 Jun 2023 16:07:29 +0800
Subject: [PATCH 04/23] Update PROXY Protocol Configuration and X-APISIX-Upstream-Status
---
 conf/config-default.yaml | 35 +++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index d56a20254da5..551f5c8622fb 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -19,30 +19,29 @@ # apisix: - # node_listen: 9080 # Single APISIX listening port - node_listen: # Multiple APISIX listening ports + # node_listen: 9080 # Use this if APISIX listens on a single port. + node_listen: # Use this if APISIX listens on multiple ports. - 9080 # - port: 9081 - # enable_http2: true # If not set, default to `false` - # - ip: 127.0.0.2 # If not set, default to `0.0.0.0` + # enable_http2: true # If not set, default to `false`. + # - ip: 127.0.0.2 # If not set, default to `0.0.0.0`/ # port: 9082 # enable_http2: true enable_admin: true - enable_dev_mode: false # If true, nginx worker_processes will be set to 1 - enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled - show_upstream_status_in_response_header: false # If true, show upstream HTTP status code in the response header `X-APISIX-Upstream-Status` + enable_dev_mode: false # If true, nginx worker_processes will be set to 1. + enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled. + show_upstream_status_in_response_header: false # If true, include the upstream HTTP status code in + # the response header `X-APISIX-Upstream-Status`. + # If false, show `X-APISIX-Upstream-Status` only if + # the upstream response code is 5xx. enable_ipv6: true - - #proxy_protocol: # Proxy Protocol configuration - # listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and admin_listen. - # This port can only receive http request with proxy protocol, but node_listen & admin_listen - # can only receive http request. 
If you enable proxy protocol, you must use this port to - # receive http request with proxy protocol - # listen_https_port: 9182 # The port with proxy protocol for https - # enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option - # enable_tcp_pp_to_upstream: true # Enable the proxy protocol to the upstream server - enable_server_tokens: true # Whether the APISIX version number should be shown in Server header. - # True by default. + + #proxy_protocol: # PROXY Protocol Configuration + # listen_http_port: 9181 # APISIX listening port for HTTP traffic with PROXY protocol. + # listen_https_port: 9182 # APISIX listening port for HTTPS traffic with PROXY protocol. + # enable_tcp_pp: true # Enable the PROXY protocol for TCP proxy when stream_proxy.tcp is set. + # enable_tcp_pp_to_upstream: true # Enable the PROXY protocol. + enable_server_tokens: true # If ture, show APISIX version in the `Server` response header. # configurations to load third party code and/or override the builtin one. extra_lua_path: "" # extend lua_package_path to load third party code
From 341a42d09adc831b1a68f66b2e4e2267216723cf Mon Sep 17 00:00:00 2001
From: Traky
Date: Thu, 8 Jun 2023 19:58:28 +0800
Subject: [PATCH 05/23] updated up till proxy_cache block
---
 conf/config-default.yaml | 61 +++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 32 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 551f5c8622fb..248e60852565 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
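Review bot: The new `# enable_tcp_pp_to_upstream: true # Enable the PROXY protocol.` no longer says what separates it from `enable_tcp_pp` directly above; the removed wording "to the upstream server" was the whole point of the option, so keep it as `# enable_tcp_pp_to_upstream: true # Send the PROXY protocol header to the upstream server.` (PATCH 05 carries the same one-liner). The `listen_http_port` comment also lost the caveat that this listener accepts only requests carrying a PROXY header while `node_listen` accepts only plain requests; that is what tells an operator which port to place behind the load balancer, and since the listener takes the client address from that header it presumably should not be reachable from untrusted networks, which is worth a word here. The `- ip: 127.0.0.2` line ends in a stray `/` after the backticked `0.0.0.0` where a period was meant, and the typo is still visible as context in PATCH 10.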
@@ -19,46 +19,43 @@ # apisix: - # node_listen: 9080 # Use this if APISIX listens on a single port. - node_listen: # Use this if APISIX listens on multiple ports. + # node_listen: 9080 # Use this if APISIX listens on a single port. + node_listen: # Use this if APISIX listens on multiple ports. - 9080 - # - port: 9081 - # enable_http2: true # If not set, default to `false`. - # - ip: 127.0.0.2 # If not set, default to `0.0.0.0`/ - # port: 9082 - # enable_http2: true + # - port: 9081 + # enable_http2: true # If not set, default to `false`. + # - ip: 127.0.0.2 # If not set, default to `0.0.0.0`/ + # port: 9082 + # enable_http2: true enable_admin: true - enable_dev_mode: false # If true, nginx worker_processes will be set to 1. - enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled. + enable_dev_mode: false # If true, nginx worker_processes will be set to 1. + enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled. show_upstream_status_in_response_header: false # If true, include the upstream HTTP status code in # the response header `X-APISIX-Upstream-Status`. # If false, show `X-APISIX-Upstream-Status` only if # the upstream response code is 5xx. enable_ipv6: true + + # proxy_protocol: # PROXY Protocol configuration + # listen_http_port: 9181 # APISIX listening port for HTTP traffic with PROXY protocol. + # listen_https_port: 9182 # APISIX listening port for HTTPS traffic with PROXY protocol. + # enable_tcp_pp: true # Enable the PROXY protocol when stream_proxy.tcp is set. + # enable_tcp_pp_to_upstream: true # Enable the PROXY protocol. - #proxy_protocol: # PROXY Protocol Configuration - # listen_http_port: 9181 # APISIX listening port for HTTP traffic with PROXY protocol. - # listen_https_port: 9182 # APISIX listening port for HTTPS traffic with PROXY protocol. - # enable_tcp_pp: true # Enable the PROXY protocol for TCP proxy when stream_proxy.tcp is set. - # enable_tcp_pp_to_upstream: true # Enable the PROXY protocol. 
- enable_server_tokens: true # If ture, show APISIX version in the `Server` response header. - - # configurations to load third party code and/or override the builtin one. - extra_lua_path: "" # extend lua_package_path to load third party code - extra_lua_cpath: "" # extend lua_package_cpath to load third party code - #lua_module_hook: "my_project.my_hook" # the hook module which will be used to inject third party code into APISIX - - proxy_cache: # Proxy Caching configuration - cache_ttl: 10s # The default caching time in disk if the upstream does not specify the cache time - zones: # The parameters of a cache - - name: disk_cache_one # The name of the cache, administrator can specify - # which cache to use by name in the admin api (disk|memory) - memory_size: 50m # The size of shared memory, it's used to store the cache index for - # disk strategy, store cache content for memory strategy (disk|memory) - disk_size: 1G # The size of disk, it's used to store the cache data (disk) - disk_path: /tmp/disk_cache_one # The path to store the cache data (disk) - cache_levels: 1:2 # The hierarchy levels of a cache (disk) - #- name: disk_cache_two + enable_server_tokens: true # If ture, show APISIX version in the `Server` response header. + extra_lua_path: "" # Extend lua_package_path to load third-party code. + extra_lua_cpath: "" # Extend lua_package_cpath to load third-party code. + # lua_module_hook: "my_project.my_hook" # Hook module used to inject third-party code into APISIX. + + proxy_cache: # Proxy Caching configuration + cache_ttl: 10s # The default caching time on disk if the upstream does not specify a caching time. + zones: + - name: disk_cache_one # Name of the cache. + memory_size: 50m # Size of the memory to store the cache index. + disk_size: 1G # Size of the disk to store the cache data. + disk_path: /tmp/disk_cache_one # Path to the cache file for disk cache. + cache_levels: 1:2 # Cache hierarchy levels of disk cache. 
+ # - name: disk_cache_two # memory_size: 50m # disk_size: 1G # disk_path: "/tmp/disk_cache_two"
From 583b1332a84da577fde4d9b749d125a7e8fe288c Mon Sep 17 00:00:00 2001
From: Traky
Date: Thu, 8 Jun 2023 20:30:51 +0800
Subject: [PATCH 06/23] updated until dns_resolver
---
 conf/config-default.yaml | 63 ++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 32 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 248e60852565..4b66d487cb1c 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
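Review bot: `- name: disk_cache_one # Name of the cache.` drops the one fact the removed comment carried, that this name is what the Admin API uses to select a cache, and `memory_size: 50m # Size of the memory to store the cache index.` drops that for a memory zone the same setting holds the cached content itself. Suggest `# Name of the cache; a route selects a cache by this name via the Admin API.` and `# Shared memory size: holds the cache index for a disk zone, the cache content for a memory zone.`. The `(disk|memory)` applicability tags that were removed from `disk_size`, `disk_path` and `cache_levels` could be kept as a short `(disk only)` suffix, since the `memory_cache` zone below does not set them. This hunk begins on an earlier line of the page.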
@@ -63,34 +63,33 @@ apisix: - name: memory_cache memory_size: 50m - delete_uri_tail_slash: false # delete the '/' at the end of the URI - # The URI normalization in servlet is a little different from the RFC's. - # See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization, - # which is used under Tomcat. - # Turn this option on if you want to be compatible with servlet when matching URI path. - normalize_uri_like_servlet: false + delete_uri_tail_slash: false # Delete the '/' at the end of the URI + normalize_uri_like_servlet: false # If true, use the same path normalization rules as the Java + # servlet specification. See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization, which is used in Tomcat. + router: - http: radixtree_host_uri # radixtree_uri: match route by uri(base on radixtree) - # radixtree_host_uri: match route by host + uri(base on radixtree) - # radixtree_uri_with_parameter: like radixtree_uri but match uri with parameters, - # see https://github.com/api7/lua-resty-radixtree/#parameters-in-path for - # more details. - ssl: radixtree_sni # radixtree_sni: match route by SNI(base on radixtree) - #stream_proxy: # TCP/UDP proxy - # only: true # use stream proxy only, don't enable HTTP stuff - # tcp: # TCP proxy port list - # - addr: 9100 - # tls: true - # - addr: "127.0.0.1:9101" - # udp: # UDP proxy port list - # - 9200 - # - "127.0.0.1:9201" - #dns_resolver: # If not set, read from `/etc/resolv.conf` - # - 1.1.1.1 - # - 8.8.8.8 - #dns_resolver_valid: 30 # if given, override the TTL of the valid records. The unit is second. 
- resolver_timeout: 5 # resolver timeout - enable_resolv_search_opt: true # enable search option in resolv.conf + http: radixtree_host_uri # radixtree_host_uri: match route by host and URI + # radixtree_uri: match route by URI + # radixtree_uri_with_parameter: similar to radixtree_uri but match URI with parameters. See https://github.com/api7/lua-resty-radixtree/#parameters-in-path for more details. + ssl: radixtree_sni # radixtree_sni: match route by SNI + + # stream_proxy: # TCP/UDP L4 proxy + # only: true # Enable L4 proxy only without L7 proxy. + # tcp: + # - addr: 9100 # TCP proxy listening ports + # tls: true + # - addr: "127.0.0.1:9101" + # udp: # UDP proxy listening ports + # - 9200 + # - "127.0.0.1:9201" + # dns_resolver: # If not set, read from `/etc/resolv.conf` + # - 1.1.1.1 + # - 8.8.8.8 + # dns_resolver_valid: 30 # Override the default TTL of the DNS records. + resolver_timeout: 5 # Time that the server will wait for a response from the DNS resolver + # before timing out. + enable_resolv_search_opt: true # If true, use search option in the resolv.conf file in DNS lookups. + ssl: enable: true listen: # APISIX listening port in https. 
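Review bot: `# dns_resolver_valid: 30 # Override the default TTL of the DNS records.` loses the unit the removed line stated ("The unit is second") and the "if given" qualifier; a bare 30 sitting next to values such as `60s` elsewhere in this file invites the wrong guess. Suggest `# dns_resolver_valid: 30 # If set, override the TTL of valid DNS records, in seconds.`. `resolver_timeout: 5` is left without a unit in the same hunk, though PATCH 14 later adds "in seconds" for that key only.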
@@ -209,18 +208,18 @@ nginx_config: # config for render the template to generate n #custom_lua_shared_dict: # add custom shared cache to nginx.conf # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` - # Enable or disable passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) + # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) # when establishing a connection with the proxied HTTPS server. proxy_ssl_server_name: true upstream: - keepalive: 320 # Set the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. + keepalive: 320 # Sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. # When this number is exceeded, the least recently used connections are closed. - keepalive_requests: 1000 # Set the maximum number of requests that can be served through one keepalive connection. + keepalive_requests: 1000 # Sets the maximum number of requests that can be served through one keepalive connection. # After the maximum number of requests is made, the connection is closed. - keepalive_timeout: 60s # Set a timeout during which an idle keepalive connection to an upstream server will stay open. + keepalive_timeout: 60s # Sets a timeout during which an idle keepalive connection to an upstream server will stay open. charset: utf-8 # Adds the specified charset to the "Content-Type" response header field, see # http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset - variables_hash_max_size: 2048 # Set the maximum size of the variables hash table. + variables_hash_max_size: 2048 # Sets the maximum size of the variables hash table. lua_shared_dict: internal-status: 10m
From 92623afa35d0e532fa8e98dddef9e81422dbab3d Mon Sep 17 00:00:00 2001
From: Traky
Date: Thu, 8 Jun 2023 21:02:20 +0800
Subject: [PATCH 07/23] updated SSL
---
 conf/config-default.yaml | 47 ++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 4b66d487cb1c..b49b85e9e863 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -19,8 +19,8 @@ # apisix: - # node_listen: 9080 # Use this if APISIX listens on a single port. - node_listen: # Use this if APISIX listens on multiple ports. + # node_listen: 9080 # APISIX listening port. + node_listen: # APISIX listening ports. - 9080 # - port: 9081 # enable_http2: true # If not set, default to `false`.
@@ -82,6 +82,7 @@ apisix: # udp: # UDP proxy listening ports # - 9200 # - "127.0.0.1:9201" + # dns_resolver: # If not set, read from `/etc/resolv.conf` # - 1.1.1.1 # - 8.8.8.8
@@ -92,28 +93,32 @@ apisix: ssl: enable: true - listen: # APISIX listening port in https. + listen: # APISIX listening port for HTTPS traffic. - port: 9443 enable_http2: true - # - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`. - # port: 9445 - # enable_http2: true - #ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format - # used to verify the certificate when APISIX needs to do SSL/TLS handshaking - # with external services (e.g. etcd) - ssl_protocols: TLSv1.2 TLSv1.3 + # - ip: 127.0.0.3 # If not set, default to `0.0.0.0`. + # port: 9445 + # enable_http2: true + # ssl_trusted_certificate: /path/to/ca-cert # Path to CA certificates in the PEM format. + ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported. ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless. - # ref: https://github.com/mozilla/server-side-tls/issues/135 - - key_encrypt_salt: # If not set, will save origin ssl key into etcd. - - edd1c9f0985e76a2 # If set this, the key_encrypt_salt should be an array whose elements are string, and the size is also 16, and it will encrypt ssl key with AES-128-CBC - # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! - # Only use the first key to encrypt, and decrypt in the order of the array. - - #fallback_sni: "my.default.domain" # If set this, when the client doesn't send SNI during handshake, the fallback SNI will be used instead - enable_control: true - #control: + ssl_session_tickets: false # If true, session tickets are used for SSL/TLS connections. 
+ # Disabled by default because it renders Perfect Forward Secrecy (FPS) + # useless. See https://github.com/mozilla/server-side-tls/issues/135. + + key_encrypt_salt: # Salt SSL key before saving to etcd. + - edd1c9f0985e76a2 # If this is set, the key_encrypt_salt should be an array of 16-byte + # strings. SSL keys will be encrypted using AES-128-CBC with the + # specified salt value before being stored in etcd. + # CAUTION: DO NOT CHANGE THE SALT VALUE AFTER SAVING THE SSL KEYS. + # OTHERWISE THE ENCRYPTED KEY CANNOT BE DECRYPTED. + # Only use the first key to encrypt, and decrypt in the order of the array. + + # fallback_sni: "my.default.domain" # Fallback SNI to use if client does not send SNI during + # the handshake. + + enable_control: true # Enable Control API + # control: # ip: 127.0.0.1 # port: 9090 disable_sync_configuration_during_start: false # safe exit. Remove this once the feature is stable
From 3da031bcfc8d13d327082b4413829eb2f6796a4a Mon Sep 17 00:00:00 2001
From: Traky
Date: Fri, 9 Jun 2023 14:21:44 +0800
Subject: [PATCH 08/23] updated comments about salt used with AES-128-CBC
---
 conf/config-default.yaml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index b49b85e9e863..66cbb2323493 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
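Review bot: `Perfect Forward Secrecy (FPS)` on the `ssl_session_tickets` continuation line should read `(PFS)`; the typo survives the trailing-whitespace fix of the same line in PATCH 13. The rewritten `key_encrypt_salt: # Salt SSL key before saving to etcd.` also drops the consequence the removed line spelled out, "If not set, will save origin ssl key into etcd", so an operator who deletes the shipped default to "turn it off" is no longer told that SSL private keys then land in etcd unencrypted. Suggest `key_encrypt_salt: # Salt used to encrypt SSL private keys with AES-128-CBC before they are stored in etcd. If not set, keys are stored in etcd unencrypted.`; the `keyring` comment rewritten in PATCH 08 loses the same "If not set, will save origin value into etcd" sentence and wants the same fix. The hunk starts on the previous line of the page.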
@@ -106,29 +106,29 @@ apisix: # Disabled by default because it renders Perfect Forward Secrecy (FPS) # useless. See https://github.com/mozilla/server-side-tls/issues/135. - key_encrypt_salt: # Salt SSL key before saving to etcd. - - edd1c9f0985e76a2 # If this is set, the key_encrypt_salt should be an array of 16-byte - # strings. SSL keys will be encrypted using AES-128-CBC with the - # specified salt value before being stored in etcd. - # CAUTION: DO NOT CHANGE THE SALT VALUE AFTER SAVING THE SSL KEYS. - # OTHERWISE THE ENCRYPTED KEY CANNOT BE DECRYPTED. - # Only use the first key to encrypt, and decrypt in the order of the array. + key_encrypt_salt: # Salt for SSL/TLS private key used with AES-128-CBC. + - edd1c9f0985e76a2 # Each salt value should be a hexadecimal string of length 16. + # Support multiple salt values for rotation. + # CAUTION: DO NOT MODIFY SALT VALUE AFTER KEY IS WRITTEN TO ETCD. + # VALUES CANNOT BE DECRYPTED OTHERWISE. # fallback_sni: "my.default.domain" # Fallback SNI to use if client does not send SNI during # the handshake. - enable_control: true # Enable Control API + enable_control: true # Control API # control: # ip: 127.0.0.1 # port: 9090 - disable_sync_configuration_during_start: false # safe exit. Remove this once the feature is stable - data_encryption: # add `encrypt_fields = { $field },` in plugin schema to enable encryption - enable: false # if not set, the default value is `false`. + + disable_sync_configuration_during_start: false # Safe exit. TO BE REMOVED. + + data_encryption: # Encrypt fields specified in `encrypt_fields` in plugin schema. + enable: false keyring: - - qeddd145sfvddff3 # If not set, will save origin value into etcd. - # If set this, the keyring should be an array whose elements are string, and the size is also 16, and it will encrypt fields with AES-128-CBC - # !!! So do not change it after encryption, it can't decrypt the fields have be saved if you change !! 
- # Only use the first key to encrypt, and decrypt in the order of the array. + - qeddd145sfvddff3 # Salt for other fields encrypted with AES-128-CBC. + # Each salt value should be a hexadecimal string of length 16. + # Support multiple salt values for rotation. + # CAUTION: DO NOT MODIFY SALT VALUE AFTER CONFIGURATIONS ARE WRITTEN INTO ETCD. VALUES CANNOT BE DECRYPTED OTHERWISE. nginx_config: # config for render the template to generate nginx.conf #user: root # specifies the execution user of the worker process.
From 511498c7bfd0b7ac82a64263bba52b2c060e50e1 Mon Sep 17 00:00:00 2001
From: Traky
Date: Fri, 9 Jun 2023 14:31:36 +0800
Subject: [PATCH 09/23] tweak
---
 conf/config-default.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 66cbb2323493..8b1eb311aa2e 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -14,8 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. # -# CAUTION: DO NOT MODIFY DEFAULT CONFIGURATIONS IN THIS FILE -# You should keep custom configurations in conf/config.yaml. +# CAUTION: DO NOT MODIFY DEFAULT CONFIGURATIONS IN THIS FILE. +# Keep the custom configurations in conf/config.yaml. # apisix:
From 6ee626016b2e13f04c54d193fb7e1e2c8a70935b Mon Sep 17 00:00:00 2001
From: Traky
Date: Fri, 9 Jun 2023 16:58:22 +0800
Subject: [PATCH 10/23] Add comment for enable_admin
---
 conf/config-default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 8b1eb311aa2e..de4b1d75fde0 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
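Review bot: `# Each salt value should be a hexadecimal string of length 16.` is contradicted by the example value on the line it annotates, `qeddd145sfvddff3`, which contains `q`, `s` and `v`; the removed text only required a string of size 16, so write `# Each value must be a string of exactly 16 characters.` (the same sentence is added for `key_encrypt_salt` earlier in this hunk). `# Support multiple salt values for rotation.` also drops the rule that makes rotation work, which the removed line stated and which an operator needs to know when adding a new value, so keep `# The first value is used to encrypt; all values are tried in order to decrypt.`. Since these defaults ship in a public file and are the values used with AES-128-CBC, the comment should additionally direct operators to set their own values in `conf/config.yaml`, which is where this file's header sends custom configuration. The hunk starts on the previous line of the page.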
@@ -27,7 +27,7 @@ apisix: # - ip: 127.0.0.2 # If not set, default to `0.0.0.0`/ # port: 9082 # enable_http2: true - enable_admin: true + enable_admin: true # Admin API enable_dev_mode: false # If true, nginx worker_processes will be set to 1. enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled. show_upstream_status_in_response_header: false # If true, include the upstream HTTP status code in
From 1a51dbbb815e56fb79f03d8e386e73d810d14341 Mon Sep 17 00:00:00 2001
From: Traky
Date: Fri, 9 Jun 2023 17:03:20 +0800
Subject: [PATCH 11/23] Fixed typo: ture
---
 conf/config-default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index de4b1d75fde0..22871af1d851 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -42,7 +42,7 @@ apisix: # enable_tcp_pp: true # Enable the PROXY protocol when stream_proxy.tcp is set. # enable_tcp_pp_to_upstream: true # Enable the PROXY protocol. - enable_server_tokens: true # If ture, show APISIX version in the `Server` response header. + enable_server_tokens: true # If true, show APISIX version in the `Server` response header. extra_lua_path: "" # Extend lua_package_path to load third-party code. extra_lua_cpath: "" # Extend lua_package_cpath to load third-party code. # lua_module_hook: "my_project.my_hook" # Hook module used to inject third-party code into APISIX.
From 00a70aca8897d53a54b39a0a0679ccedc9f4e778 Mon Sep 17 00:00:00 2001
From: Traky
Date: Fri, 9 Jun 2023 18:30:56 +0800
Subject: [PATCH 12/23] active voice
---
 conf/config-default.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 22871af1d851..d2c38c7fd80f 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -28,8 +28,8 @@ apisix: # port: 9082 # enable_http2: true enable_admin: true # Admin API - enable_dev_mode: false # If true, nginx worker_processes will be set to 1. - enable_reuseport: true # If true, nginx SO_REUSEPORT option will be enabled. + enable_dev_mode: false # If true, set nginx worker_processes to 1. + enable_reuseport: true # If true, enable nginx SO_REUSEPORT option. show_upstream_status_in_response_header: false # If true, include the upstream HTTP status code in # the response header `X-APISIX-Upstream-Status`. # If false, show `X-APISIX-Upstream-Status` only if
From 0cd175e248f402f103edee91db9ea6941279dad8 Mon Sep 17 00:00:00 2001
From: Traky
Date: Thu, 15 Jun 2023 16:15:49 +0800
Subject: [PATCH 13/23] fix for ci linter
---
 conf/config-default.yaml | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index d2c38c7fd80f..0cbbfa218c08 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -41,7 +41,7 @@ apisix: # listen_https_port: 9182 # APISIX listening port for HTTPS traffic with PROXY protocol. # enable_tcp_pp: true # Enable the PROXY protocol when stream_proxy.tcp is set. # enable_tcp_pp_to_upstream: true # Enable the PROXY protocol. - + enable_server_tokens: true # If true, show APISIX version in the `Server` response header. extra_lua_path: "" # Extend lua_package_path to load third-party code. extra_lua_cpath: "" # Extend lua_package_cpath to load third-party code.
@@ -64,9 +64,9 @@ apisix: memory_size: 50m delete_uri_tail_slash: false # Delete the '/' at the end of the URI - normalize_uri_like_servlet: false # If true, use the same path normalization rules as the Java + normalize_uri_like_servlet: false # If true, use the same path normalization rules as the Java # servlet specification. See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization, which is used in Tomcat. - + router: http: radixtree_host_uri # radixtree_host_uri: match route by host and URI # radixtree_uri: match route by URI
@@ -76,21 +76,21 @@ apisix: # stream_proxy: # TCP/UDP L4 proxy # only: true # Enable L4 proxy only without L7 proxy. # tcp: - # - addr: 9100 # TCP proxy listening ports + # - addr: 9100 # Set the TCP proxy listening ports. # tls: true # - addr: "127.0.0.1:9101" - # udp: # UDP proxy listening ports + # udp: # Set the UDP proxy listening ports. # - 9200 # - "127.0.0.1:9201" - + # dns_resolver: # If not set, read from `/etc/resolv.conf` # - 1.1.1.1 # - 8.8.8.8 # dns_resolver_valid: 30 # Override the default TTL of the DNS records. - resolver_timeout: 5 # Time that the server will wait for a response from the DNS resolver + resolver_timeout: 5 # Time that the server will wait for a response from the DNS resolver # before timing out. enable_resolv_search_opt: true # If true, use search option in the resolv.conf file in DNS lookups. - + ssl: enable: true listen: # APISIX listening port for HTTPS traffic.
@@ -103,18 +103,18 @@ apisix: ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported. ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_session_tickets: false # If true, session tickets are used for SSL/TLS connections. - # Disabled by default because it renders Perfect Forward Secrecy (FPS) + # Disabled by default because it renders Perfect Forward Secrecy (FPS) # useless. See https://github.com/mozilla/server-side-tls/issues/135. key_encrypt_salt: # Salt for SSL/TLS private key used with AES-128-CBC. - edd1c9f0985e76a2 # Each salt value should be a hexadecimal string of length 16. # Support multiple salt values for rotation. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER KEY IS WRITTEN TO ETCD. + # CAUTION: DO NOT MODIFY SALT VALUE AFTER KEY IS WRITTEN TO ETCD. # VALUES CANNOT BE DECRYPTED OTHERWISE. - # fallback_sni: "my.default.domain" # Fallback SNI to use if client does not send SNI during - # the handshake. - + # fallback_sni: "my.default.domain" # Fallback SNI to use if client does not send SNI during + # # the handshake. + enable_control: true # Control API # control: # ip: 127.0.0.1 From f702c4ba99c98160497d469c315de300b664f6bd Mon Sep 17 00:00:00 2001 From: Traky Date: Thu, 15 Jun 2023 18:01:15 +0800 Subject: [PATCH 14/23] updated per comments --- conf/config-default.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 0cbbfa218c08..795825a039c1 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
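Review bot: The rewritten line `# Disabled by default because it renders Perfect Forward Secrecy (FPS)` keeps a wrong acronym; Perfect Forward Secrecy abbreviates to PFS, and since the line is already touched here to strip trailing whitespace it is the natural place to correct it: `# Disabled by default because it renders Perfect Forward Secrecy (PFS)`. The same line reappears as context in the `@@ -87,21 +87,21 @@` hunk of PATCH 23, so whichever patch is amended, the wording should be fixed once and carried through the rest of the series.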
@@ -87,8 +87,8 @@ apisix: # - 1.1.1.1 # - 8.8.8.8 # dns_resolver_valid: 30 # Override the default TTL of the DNS records. - resolver_timeout: 5 # Time that the server will wait for a response from the DNS resolver - # before timing out. + resolver_timeout: 5 # Set the time in seconds that the server will wait for a response from the + # DNS resolver before timing out. enable_resolv_search_opt: true # If true, use search option in the resolv.conf file in DNS lookups. ssl: @@ -99,7 +99,8 @@ apisix: # - ip: 127.0.0.3 # If not set, default to `0.0.0.0`. # port: 9445 # enable_http2: true - # ssl_trusted_certificate: /path/to/ca-cert # Path to CA certificates in the PEM format. + # ssl_trusted_certificate: /path/to/ca-cert # Set the path to CA certificates used to verify client + # certificates in the PEM format. ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported. ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_session_tickets: false # If true, session tickets are used for SSL/TLS connections. @@ -112,7 +113,7 @@ apisix: # CAUTION: DO NOT MODIFY SALT VALUE AFTER KEY IS WRITTEN TO ETCD. # VALUES CANNOT BE DECRYPTED OTHERWISE. - # fallback_sni: "my.default.domain" # Fallback SNI to use if client does not send SNI during + # fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during # # the handshake. enable_control: true # Control API From b036bba563e240af5ff714477cdd8f10ff0b0f30 Mon Sep 17 00:00:00 2001 From: Traky Date: Fri, 16 Jun 2023 15:07:50 +0800 Subject: [PATCH 15/23] updated desc for key_encrypt_salt and keyring as discussed --- conf/config-default.yaml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) 
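Review bot: The new description of `ssl_trusted_certificate` in the `@@ -99,7 +99,8 @@` hunk says the CA bundle is "used to verify client certificates", which I cannot confirm from this file; if the option is what feeds nginx's `lua_ssl_trusted_certificate`, it verifies the certificates of services APISIX itself connects to (etcd over TLS, for example), and client-certificate checks are configured elsewhere. Please check the template that consumes this key before the comment ships, and if the option is for outbound connections reword it along the lines of `# Set the path to CA certificates in the PEM format used to verify the certificates of services that APISIX connects to.` Misstating which side of a connection is verified is the kind of comment that leads operators to believe client authentication is enforced when it is not.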
diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 795825a039c1..83d1a532a58c 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -107,11 +107,14 @@ apisix: # Disabled by default because it renders Perfect Forward Secrecy (FPS) # useless. See https://github.com/mozilla/server-side-tls/issues/135. - key_encrypt_salt: # Salt for SSL/TLS private key used with AES-128-CBC. - - edd1c9f0985e76a2 # Each salt value should be a hexadecimal string of length 16. - # Support multiple salt values for rotation. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER KEY IS WRITTEN TO ETCD. - # VALUES CANNOT BE DECRYPTED OTHERWISE. + key_encrypt_salt: # Set the encryption key for AES-128-CBC. It should be a + - edd1c9f0985e76a2 # hexadecimal string of length 16. + # For the convenience of key replacement, key_encrypt_salt + # supports the use of multiple keys. The additional keys are + # used in sequential order for decryption, when the previous + # decryption attempt fails. + # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN + # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. # fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during # # the handshake. 
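Review bot: The rewritten `key_encrypt_salt` comment tells the reader to "Set the encryption key" but never says that the value shipped here, `edd1c9f0985e76a2`, is a published default shared by every installation until it is overridden in conf/config.yaml; the same applies to `qeddd145sfvddff3` under `keyring` in the `@@ -126,10 +129,13 @@` hunk. The SSL private keys and `encrypt_fields` values stored in etcd are only as confidential as this value, so the comment that now explains the key is the right place to state it, e.g. `# CAUTION: this default value is public. Override it in conf/config.yaml before storing any data.` The header of this config block already points custom values at conf/config.yaml, so the sentence is consistent with the file's own guidance.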
@@ -126,10 +129,13 @@ apisix: data_encryption: # Encrypt fields specified in `encrypt_fields` in plugin schema. enable: false keyring: - - qeddd145sfvddff3 # Salt for other fields encrypted with AES-128-CBC. - # Each salt value should be a hexadecimal string of length 16. - # Support multiple salt values for rotation. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER CONFIGURATIONS ARE WRITTEN INTO ETCD. VALUES CANNOT BE DECRYPTED OTHERWISE. + - qeddd145sfvddff3 # hexadecimal string of length 16. + # For the convenience of key replacement, keyring + # supports the use of multiple keys. The additional keys are + # used in sequential order for decryption, when the previous + # decryption attempt fails. + # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN + # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. nginx_config: # config for render the template to generate nginx.conf #user: root # specifies the execution user of the worker process. From 722146677cf5b487eee342aa616cd9687e19c54e Mon Sep 17 00:00:00 2001 From: Traky Date: Fri, 16 Jun 2023 15:09:18 +0800 Subject: [PATCH 16/23] fix --- conf/config-default.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 83d1a532a58c..256368116a48 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -128,7 +128,7 @@ apisix: data_encryption: # Encrypt fields specified in `encrypt_fields` in plugin schema. enable: false - keyring: + keyring: # Set the encryption key for AES-128-CBC. It should be a - qeddd145sfvddff3 # hexadecimal string of length 16. # For the convenience of key replacement, keyring # supports the use of multiple keys. The additional keys are From 41bee347b317566446389b081d33d6960d5453a7 Mon Sep 17 00:00:00 2001 From: Traky Date: Fri, 16 Jun 2023 15:10:22 +0800 Subject: [PATCH 17/23] fixed indentation --- conf/config-default.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
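Review bot: The new `keyring` comment states the value "should be a hexadecimal string of length 16", but the example on the same line, `qeddd145sfvddff3`, contains `q`, `s` and `v` and is not hexadecimal, so either the example or the stated requirement is wrong and a reader copying the format is misled either way. Sixteen hexadecimal characters also encode only 8 bytes, half of an AES-128 key, which suggests the implementation uses the 16 characters as raw key bytes rather than decoding hex; if so, say `# It should be a 16-character string.` instead, and if hex really is required, replace the example with a hex value (a constructed one such as `0a1b2c3d4e5f6071` would do). The PATCH 16 hunk on this same line repeats the "hexadecimal" wording for `keyring` and should change with it.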
diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 256368116a48..764eaa81615f 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -128,14 +128,14 @@ apisix: data_encryption: # Encrypt fields specified in `encrypt_fields` in plugin schema. enable: false - keyring: # Set the encryption key for AES-128-CBC. It should be a - - qeddd145sfvddff3 # hexadecimal string of length 16. - # For the convenience of key replacement, keyring - # supports the use of multiple keys. The additional keys are - # used in sequential order for decryption, when the previous - # decryption attempt fails. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN - # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. + keyring: # Set the encryption key for AES-128-CBC. It should be a + - qeddd145sfvddff3 # hexadecimal string of length 16. + # For the convenience of key replacement, keyring + # supports the use of multiple keys. The additional keys are + # used in sequential order for decryption, when the previous + # decryption attempt fails. + # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN + # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. nginx_config: # config for render the template to generate nginx.conf #user: root # specifies the execution user of the worker process. From babba6f0b67e7a7106a82ca7b09821f052c8c094 Mon Sep 17 00:00:00 2001 From: Traky Date: Fri, 16 Jun 2023 15:11:08 +0800 Subject: [PATCH 18/23] removed trailing whitespaces for ci --- conf/config-default.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 764eaa81615f..31aae88376b6 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
@@ -107,13 +107,13 @@ apisix: # Disabled by default because it renders Perfect Forward Secrecy (FPS) # useless. See https://github.com/mozilla/server-side-tls/issues/135. - key_encrypt_salt: # Set the encryption key for AES-128-CBC. It should be a + key_encrypt_salt: # Set the encryption key for AES-128-CBC. It should be a - edd1c9f0985e76a2 # hexadecimal string of length 16. - # For the convenience of key replacement, key_encrypt_salt - # supports the use of multiple keys. The additional keys are - # used in sequential order for decryption, when the previous + # For the convenience of key replacement, key_encrypt_salt + # supports the use of multiple keys. The additional keys are + # used in sequential order for decryption, when the previous # decryption attempt fails. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN + # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. # fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during @@ -130,11 +130,11 @@ apisix: enable: false keyring: # Set the encryption key for AES-128-CBC. It should be a - qeddd145sfvddff3 # hexadecimal string of length 16. - # For the convenience of key replacement, keyring - # supports the use of multiple keys. The additional keys are - # used in sequential order for decryption, when the previous + # For the convenience of key replacement, keyring + # supports the use of multiple keys. The additional keys are + # used in sequential order for decryption, when the previous # decryption attempt fails. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN + # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. nginx_config: # config for render the template to generate nginx.conf From b83e58e0fb0065cce482eb6d88553befdf5f0c12 Mon Sep 17 00:00:00 2001 
From: Traky Date: Fri, 16 Jun 2023 15:56:32 +0800 Subject: [PATCH 19/23] If not set, APISIX saves the original data into etcd. --- conf/config-default.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 31aae88376b6..ca812cdcb89a 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -109,6 +109,7 @@ apisix: key_encrypt_salt: # Set the encryption key for AES-128-CBC. It should be a - edd1c9f0985e76a2 # hexadecimal string of length 16. + # If not set, APISIX saves the original data into etcd. # For the convenience of key replacement, key_encrypt_salt # supports the use of multiple keys. The additional keys are # used in sequential order for decryption, when the previous @@ -130,6 +131,7 @@ apisix: enable: false keyring: # Set the encryption key for AES-128-CBC. It should be a - qeddd145sfvddff3 # hexadecimal string of length 16. + # If not set, APISIX saves the original data into etcd. # For the convenience of key replacement, keyring # supports the use of multiple keys. The additional keys are # used in sequential order for decryption, when the previous From 81ebd02c947e2f11b95351cc0c869162fa46a73a Mon Sep 17 00:00:00 2001 From: Traky Deng Date: Wed, 21 Jun 2023 11:03:14 +0800 Subject: [PATCH 20/23] updated caution --- conf/config-default.yaml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index ca812cdcb89a..c3888d51eeb8 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
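Review bot: The added line `# If not set, APISIX saves the original data into etcd.` understates the consequence: "original data" reads like a harmless no-op, when what it means is that the SSL private keys and the `encrypt_fields` plugin values are written to etcd unencrypted. Suggest `# If not set, the data is stored in etcd in plaintext (unencrypted).` for `key_encrypt_salt` in the first hunk and for `keyring` in the second hunk of this patch, so that anyone reading the default config understands what the absent key costs them.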
@@ -114,8 +114,11 @@ apisix: # supports the use of multiple keys. The additional keys are # used in sequential order for decryption, when the previous # decryption attempt fails. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN - # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. + # CAUTION: If you would like to update the key, add the new key as the + # first item in the array and keep the older keys below the newly added + # key, so that data can be decrypted with the older keys and encrypted + # with the new key. Removing the old keys directly can render the data + # unrecoverable. # fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during # # the handshake. @@ -136,8 +139,11 @@ apisix: # supports the use of multiple keys. The additional keys are # used in sequential order for decryption, when the previous # decryption attempt fails. - # CAUTION: DO NOT MODIFY SALT VALUE AFTER DATA HAS BEEN WRITTEN - # TO ETCD. IT CAN RENDER THE ENCRYPTED DATA UNRECOVERABLE. + # CAUTION: If you would like to update the key, add the new key as the + # first item in the array and keep the older keys below the newly added + # key, so that data can be decrypted with the older keys and encrypted + # with the new key. Removing the old keys directly can render the data + # unrecoverable. nginx_config: # config for render the template to generate nginx.conf #user: root # specifies the execution user of the worker process. From 90a12e85839f4b354ff84ec6b59c4f6cbedf1fc4 Mon Sep 17 00:00:00 2001 From: Traky Deng Date: Wed, 21 Jun 2023 13:35:55 +0800 Subject: [PATCH 21/23] removed duplicated info --- conf/config-default.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index c3888d51eeb8..93bd4b65bfea 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
@@ -110,10 +110,6 @@ apisix: key_encrypt_salt: # Set the encryption key for AES-128-CBC. It should be a - edd1c9f0985e76a2 # hexadecimal string of length 16. # If not set, APISIX saves the original data into etcd. - # For the convenience of key replacement, key_encrypt_salt - # supports the use of multiple keys. The additional keys are - # used in sequential order for decryption, when the previous - # decryption attempt fails. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added # key, so that data can be decrypted with the older keys and encrypted @@ -135,10 +131,6 @@ apisix: keyring: # Set the encryption key for AES-128-CBC. It should be a - qeddd145sfvddff3 # hexadecimal string of length 16. # If not set, APISIX saves the original data into etcd. - # For the convenience of key replacement, keyring - # supports the use of multiple keys. The additional keys are - # used in sequential order for decryption, when the previous - # decryption attempt fails. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added # key, so that data can be decrypted with the older keys and encrypted From f161bd102ad9007a936d921de0c948762bca86a8 Mon Sep 17 00:00:00 2001 From: Traky Deng Date: Mon, 26 Jun 2023 16:27:16 +0800 Subject: [PATCH 22/23] Apply suggestions from code review Co-authored-by: leslie --- conf/config-default.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 93bd4b65bfea..d4a773046c97 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
@@ -24,11 +24,11 @@ apisix: - 9080 # - port: 9081 # enable_http2: true # If not set, default to `false`. - # - ip: 127.0.0.2 # If not set, default to `0.0.0.0`/ + # - ip: 127.0.0.2 # If not set, default to `0.0.0.0` # port: 9082 # enable_http2: true enable_admin: true # Admin API - enable_dev_mode: false # If true, set nginx worker_processes to 1. + enable_dev_mode: false # If true, set nginx `worker_processes` to 1. enable_reuseport: true # If true, enable nginx SO_REUSEPORT option. show_upstream_status_in_response_header: false # If true, include the upstream HTTP status code in # the response header `X-APISIX-Upstream-Status`. From 5020338bc20074031077a1b3d7a2f68a7a4a423d Mon Sep 17 00:00:00 2001 From: Traky Deng Date: Tue, 27 Jun 2023 14:47:24 +0800 Subject: [PATCH 23/23] fixed for linter --- conf/config-default.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index d4a773046c97..147a9434251e 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
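Review bot: The corrected line `# - ip: 127.0.0.2 # If not set, default to `0.0.0.0`` removes the stray slash but ends without a period, while the line two above it (`# If not set, default to `false`.`) and the matching `ssl.listen` line in PATCH 23 (`# - ip: 127.0.0.3 # If not set, default to `0.0.0.0`.`) both end with one. `# If not set, default to `0.0.0.0`.` keeps the three consistent, which matters in a file whose comments are being linted for uniform style across this series.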
@@ -87,21 +87,21 @@ apisix: # - 1.1.1.1 # - 8.8.8.8 # dns_resolver_valid: 30 # Override the default TTL of the DNS records. - resolver_timeout: 5 # Set the time in seconds that the server will wait for a response from the + resolver_timeout: 5 # Set the time in seconds that the server will wait for a response from the # DNS resolver before timing out. enable_resolv_search_opt: true # If true, use search option in the resolv.conf file in DNS lookups. ssl: enable: true - listen: # APISIX listening port for HTTPS traffic. + listen: # APISIX listening port for HTTPS traffic. - port: 9443 enable_http2: true - # - ip: 127.0.0.3 # If not set, default to `0.0.0.0`. + # - ip: 127.0.0.3 # If not set, default to `0.0.0.0`. # port: 9445 # enable_http2: true - # ssl_trusted_certificate: /path/to/ca-cert # Set the path to CA certificates used to verify client - # certificates in the PEM format. - ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported. + # ssl_trusted_certificate: /path/to/ca-cert # Set the path to CA certificates used to verify client + # certificates in the PEM format. + ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported. ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_session_tickets: false # If true, session tickets are used for SSL/TLS connections. # Disabled by default because it renders Perfect Forward Secrecy (FPS) 
@@ -112,9 +112,9 @@ apisix: # If not set, APISIX saves the original data into etcd. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added - # key, so that data can be decrypted with the older keys and encrypted + # key, so that data can be decrypted with the older keys and encrypted # with the new key. Removing the old keys directly can render the data - # unrecoverable. + # unrecoverable. # fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during # # the handshake. @@ -133,9 +133,9 @@ apisix: # If not set, APISIX saves the original data into etcd. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added - # key, so that data can be decrypted with the older keys and encrypted + # key, so that data can be decrypted with the older keys and encrypted # with the new key. Removing the old keys directly can render the data - # unrecoverable. + # unrecoverable. nginx_config: # config for render the template to generate nginx.conf #user: root # specifies the execution user of the worker process.