Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: move conf/cert to t/certs and disable ssl by default #2112

Merged
merged 32 commits into from
Nov 20, 2020
Merged

fix: move conf/cert to t/certs and disable ssl by default #2112

Show file tree
Hide file tree
Changes from 22 commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
f8cfc85
move cert besides in Makefile
Yiyiyimu Aug 24, 2020
2d503f5
move cert besides in Makefile
Yiyiyimu Aug 24, 2020
71a3445
rm certs in Makefile
Yiyiyimu Aug 24, 2020
cf12693
merge master
Yiyiyimu Aug 24, 2020
9c5ce68
turn default ssl off
Yiyiyimu Nov 18, 2020
3d66357
fix typo
Yiyiyimu Nov 18, 2020
095fa8c
merge master
Yiyiyimu Nov 18, 2020
0400580
enable ssl for test
Yiyiyimu Nov 18, 2020
df91f35
fix test
Yiyiyimu Nov 18, 2020
f84eb6e
change crt path
Yiyiyimu Nov 18, 2020
b7a396d
1. made apisix.crt could be customizied 2. add cert/key path to 'enab…
Yiyiyimu Nov 18, 2020
b4fed44
change path for enable-ssl
Yiyiyimu Nov 18, 2020
28eff9e
check pwd
Yiyiyimu Nov 18, 2020
99626fa
move enbale_ssl path
Yiyiyimu Nov 18, 2020
31bd449
sync change in test files
Yiyiyimu Nov 18, 2020
948594f
add ca file
Yiyiyimu Nov 18, 2020
1e7a7ed
fix error
Yiyiyimu Nov 18, 2020
97417d0
fix error
Yiyiyimu Nov 18, 2020
2fa0c5e
rm ca crt
Yiyiyimu Nov 19, 2020
8daaf1e
fix typo
Yiyiyimu Nov 19, 2020
727197c
fix cli test
Yiyiyimu Nov 19, 2020
298237a
fix typo
Yiyiyimu Nov 19, 2020
8266257
use mtls certs
Yiyiyimu Nov 19, 2020
52afd00
fix typo
Yiyiyimu Nov 19, 2020
d1f5763
revert
Yiyiyimu Nov 19, 2020
6e79957
ci: fix CI fail
johzchen Nov 19, 2020
71c3a86
fix: mTLS case
johzchen Nov 19, 2020
adcf6a0
ci: fix CI fail
johzchen Nov 19, 2020
70e1158
fix: revert
johzchen Nov 19, 2020
3230611
enable ssl in one test
Yiyiyimu Nov 19, 2020
d4de547
add clearer guidance in config yaml
Yiyiyimu Nov 19, 2020
0e86abf
add guidance to set ssl cert in config yaml
Yiyiyimu Nov 20, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .travis/apisix_cli_test.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,9 @@ echo "passed: nginx.conf file contains reuseport configuration"
echo "
apisix:
ssl:
enable: true
ssl_cert: '../t/certs/apisix.crt'
ssl_cert_key: '../t/certs/apisix.key'
listen_port: 8443
" > conf/config.yaml

Expand Down Expand Up @@ -95,6 +98,9 @@ apisix:
- 9081
- 9082
ssl:
enable: true
ssl_cert: '../t/certs/apisix.crt'
ssl_cert_key: '../t/certs/apisix.key'
listen_port:
- 9443
- 9444
Expand Down Expand Up @@ -252,6 +258,13 @@ git checkout conf/config.yaml

echo "
apisix:
ssl:
enable: true
ssl_cert: '../t/certs/apisix.crt'
ssl_cert_key: '../t/certs/apisix.key'
admin_api_mtls:
admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt'
admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key'
port_admin: 9180
https_admin: true
" > conf/config.yaml
Expand Down Expand Up @@ -506,6 +519,8 @@ echo '
apisix:
ssl:
enable: true
ssl_cert: "../t/certs/apisix.crt"
ssl_cert_key: "../t/certs/apisix.key"
ssl_session_tickets: true
' > conf/config.yaml

Expand Down
13 changes: 13 additions & 0 deletions .travis/common.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,3 +34,16 @@ create_lua_deps() {
sudo cp -r deps build-cache/
sudo cp rockspec/apisix-master-0.rockspec build-cache/
}

enable_ssl() {
echo "
apisix:
ssl:
enable: true
ssl_cert: '../t/certs/apisix.crt'
ssl_cert_key: '../t/certs/apisix.key'
admin_api_mtls:
admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt'
admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key'
" > conf/config.yaml
}
1 change: 1 addition & 0 deletions .travis/linux_apisix_current_luarocks_runner.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ do_install() {
script() {
export_or_prefix
openresty -V
enable_ssl

sudo rm -rf /usr/local/apisix

Expand Down
1 change: 1 addition & 0 deletions .travis/linux_openresty_runner.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ script() {
export_or_prefix
openresty -V

enable_ssl

./build-cache/grpc_server_example &

Expand Down
1 change: 0 additions & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,6 @@ install: default
$(INSTALL) conf/mime.types /usr/local/apisix/conf/mime.types
$(INSTALL) conf/config.yaml /usr/local/apisix/conf/config.yaml
$(INSTALL) conf/config-default.yaml /usr/local/apisix/conf/config-default.yaml
$(INSTALL) conf/cert/apisix.* /usr/local/apisix/conf/cert/

$(INSTALL) -d $(INST_LUADIR)/apisix
$(INSTALL) apisix/*.lua $(INST_LUADIR)/apisix/
Expand Down
18 changes: 8 additions & 10 deletions apisix/cli/ngx_tpl.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,18 +233,12 @@ http {
{%if https_admin then%}
listen {* port_admin *} ssl;

{%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and
admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and
admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= ""
then%}
ssl_verify_client on;
ssl_certificate {* admin_api_mtls.admin_ssl_cert *};
ssl_certificate_key {* admin_api_mtls.admin_ssl_cert_key *};
{%if admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" then%}
ssl_client_certificate {* admin_api_mtls.admin_ssl_ca_cert *};
{% else %}
ssl_certificate cert/apisix_admin_ssl.crt;
ssl_certificate_key cert/apisix_admin_ssl.key;
{%end%}
{% end %}

ssl_session_cache shared:SSL:20m;
ssl_protocols {* ssl.ssl_protocols *};
Expand Down Expand Up @@ -323,8 +317,9 @@ http {
{% end %}
{% end %} {% -- if enable_ipv6 %}

ssl_certificate cert/apisix.crt;
ssl_certificate_key cert/apisix.key;
{% if ssl.enable then %}
ssl_certificate {* ssl.ssl_cert *};
ssl_certificate_key {* ssl.ssl_cert_key *};
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

Expand All @@ -340,6 +335,7 @@ http {
{% else %}
ssl_session_tickets off;
{% end %}
{% end %}

{% if with_module_status then %}
location = /apisix/nginx_status {
Expand Down Expand Up @@ -382,9 +378,11 @@ http {
}
{% end %}

{% if ssl.enable then %}
ssl_certificate_by_lua_block {
apisix.http_ssl_phase()
}
{% end %}

location / {
set $upstream_mirror_host '';
Expand Down
13 changes: 13 additions & 0 deletions bin/apisix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -426,6 +426,19 @@ Please modify "admin_key" in conf/config.yaml .
end
end

admin_api_mtls = yaml_conf.apisix.admin_api_mtls
if yaml_conf.apisix.https_admin and not (admin_api_mtls and
admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and
admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" ) then
error("missing ssl cert for https admin")
end

ssl = yaml_conf.apisix.ssl
if ssl and ssl.enable and not (
ssl.ssl_cert and ssl.ssl_cert ~= "" and
ssl.ssl_cert_key and ssl.ssl_cert_key ~= "") then
error("missing ssl cert for ssl")
end

-- Using template.render
local sys_conf = {
Expand Down
5 changes: 4 additions & 1 deletion conf/config-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ apisix:
# - "::/64"
# port_admin: 9180 # use a separate port
# https_admin: true # enable HTTPS when use a separate port for Admin API.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the default value?

Copy link
Member Author

@Yiyiyimu Yiyiyimu Nov 19, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nil I think

# need to also enable SSL
# Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
admin_api_mtls: # Depends on `port_admin` and `https_admin`.
admin_ssl_cert: "" # Path of your self-signed server side cert.
Expand Down Expand Up @@ -101,12 +102,14 @@ apisix:
dns_resolver_valid: 30 # valid time for dns result 30 seconds
resolver_timeout: 5 # resolver timeout
ssl:
enable: true
enable: false # ssl is disabled by default
enable_http2: true
listen_port: 9443
# ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
# used to verify the certificate when APISIX needs to do SSL/TLS handshaking
# with external services (e.g. etcd)
ssl_cert: ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is the path or content of the certificate? we need to add comments.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! fixed

ssl_cert_key: ""
ssl_protocols: "TLSv1.2 TLSv1.3"
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
Expand Down
12 changes: 6 additions & 6 deletions t/APISIX.pm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,12 +74,12 @@ my $default_yaml_config = read_file("conf/config-default.yaml");
$default_yaml_config =~ s/#- example-plugin/- example-plugin/;

my $user_yaml_config = read_file("conf/config.yaml");
my $ssl_crt = read_file("conf/cert/apisix.crt");
my $ssl_key = read_file("conf/cert/apisix.key");
my $ssl_ecc_crt = read_file("conf/cert/apisix_ecc.crt");
my $ssl_ecc_key = read_file("conf/cert/apisix_ecc.key");
my $test2_crt = read_file("conf/cert/test2.crt");
my $test2_key = read_file("conf/cert/test2.key");
my $ssl_crt = read_file("t/certs/apisix.crt");
my $ssl_key = read_file("t/certs/apisix.key");
my $ssl_ecc_crt = read_file("t/certs/apisix_ecc.crt");
my $ssl_ecc_key = read_file("t/certs/apisix_ecc.key");
my $test2_crt = read_file("t/certs/test2.crt");
my $test2_key = read_file("t/certs/test2.key");
$user_yaml_config = <<_EOC_;
apisix:
node_listen: 1984
Expand Down
62 changes: 31 additions & 31 deletions t/admin/ssl.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,8 @@ __DATA__
local etcd = require("apisix.core.etcd")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}

local code, body = t.test('/apisix/admin/ssl/1',
Expand Down Expand Up @@ -157,8 +157,8 @@ GET /t
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "foo.com"}

local code, message, res = t.test('/apisix/admin/ssl',
Expand Down Expand Up @@ -210,8 +210,8 @@ GET /t
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {sni = "foo.com"}

local code, body = t.test('/apisix/admin/ssl/1',
Expand Down Expand Up @@ -249,8 +249,8 @@ GET /t
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "*.foo.com"}

local code, body = t.test('/apisix/admin/ssl/1',
Expand Down Expand Up @@ -287,8 +287,8 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {
cert = ssl_cert, key = ssl_key,
snis = {"*.foo.com", "bar.com"},
Expand Down Expand Up @@ -328,8 +328,8 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {
cert = ssl_cert, key = ssl_key,
sni = "bar.com",
Expand Down Expand Up @@ -371,8 +371,8 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}

local code, body = t.test('/apisix/admin/ssl/a-b-c-ABC_0123',
Expand Down Expand Up @@ -401,8 +401,8 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}

local code, body = t.test('/apisix/admin/ssl/a-b-c-ABC_0123',
Expand Down Expand Up @@ -430,8 +430,8 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}

local code, body = t.test('/apisix/admin/ssl/*invalid',
Expand Down Expand Up @@ -459,10 +459,10 @@ GET /t
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_ecc_cert = t.read_file("conf/cert/apisix_ecc.crt")
local ssl_ecc_key = t.read_file("conf/cert/apisix_ecc.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local ssl_ecc_cert = t.read_file("t/certs/apisix_ecc.crt")
local ssl_ecc_key = t.read_file("t/certs/apisix_ecc.key")
local data = {
cert = ssl_cert,
key = ssl_key,
Expand Down Expand Up @@ -505,7 +505,7 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_ecc_cert = t.read_file("conf/cert/apisix_ecc.crt")
local ssl_ecc_cert = t.read_file("t/certs/apisix_ecc.crt")

local data = {
sni = "test.com",
Expand Down Expand Up @@ -548,8 +548,8 @@ GET /t
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com", labels = { version = "v2", build = "16", env = "production"}}

local code, body = t.test('/apisix/admin/ssl/1',
Expand Down Expand Up @@ -592,8 +592,8 @@ passed
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com", labels = { env = {"production", "release"}}}

local code, body = t.test('/apisix/admin/ssl/1',
Expand Down Expand Up @@ -635,8 +635,8 @@ GET /t
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {
cert = ssl_cert,
key = ssl_key,
Expand Down Expand Up @@ -710,8 +710,8 @@ GET /t
local etcd = require("apisix.core.etcd")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}

local code, body, res = t.test('/apisix/admin/ssl',
Expand Down
0 conf/cert/apisix.crt → t/certs/apisix.crt
View file
Open in desktop
File renamed without changes.
0 conf/cert/apisix.key → t/certs/apisix.key
View file
Open in desktop
File renamed without changes.
0 conf/cert/apisix_admin_ssl.crt → t/certs/apisix_admin_ssl.crt
View file
Open in desktop
File renamed without changes.
0 conf/cert/apisix_admin_ssl.key → t/certs/apisix_admin_ssl.key
View file
Open in desktop
File renamed without changes.
0 conf/cert/apisix_ecc.crt → t/certs/apisix_ecc.crt
View file
Open in desktop
File renamed without changes.
0 conf/cert/apisix_ecc.key → t/certs/apisix_ecc.key
View file
Open in desktop
File renamed without changes.
0 conf/cert/openssl-test2.conf → t/certs/openssl-test2.conf
View file
Open in desktop
File renamed without changes.
0 conf/cert/openssl.conf → t/certs/openssl.conf
View file
Open in desktop
File renamed without changes.
0 conf/cert/test2.crt → t/certs/test2.crt
View file
Open in desktop
File renamed without changes.
0 conf/cert/test2.key → t/certs/test2.key
View file
Open in desktop
File renamed without changes.
4 changes: 2 additions & 2 deletions t/plugin/redirect.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -574,8 +574,8 @@ location /t {
local core = require("apisix.core")
local t = require("lib.test_admin")

local ssl_cert = t.read_file("conf/cert/apisix.crt")
local ssl_key = t.read_file("conf/cert/apisix.key")
local ssl_cert = t.read_file("t/certs/apisix.crt")
local ssl_key = t.read_file("t/certs/apisix.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}

local code, body = t.test('/apisix/admin/ssl/1',
Expand Down
Loading