Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/05/27 10:38:38 UTC

[GitHub] [apisix] believe1499 opened a new issue, #7153: help request: How to configure APISIX to forward MQTT with SSL enabled

believe1499 opened a new issue, #7153:
URL: https://github.com/apache/apisix/issues/7153

   ### Description
   
   Requirement: I have an SSL-enabled MQTT service that I want to forward through APISIX's mqtt-proxy. It is currently forwarded by an Nginx layer-4 proxy, and the current Nginx configuration is fairly simple:
   ```nginx
   upstream qa-live.test.net_pool {
       server 172.28.48.58:8883;
   }
   server {
       listen 8883;
       proxy_pass qa-live.test.net_pool;
   }
   ```
   I asked about this before (https://github.com/apache/apisix/discussions/7151) and applied the configuration from that answer, but it still does not work, so I would like to ask again how this part should be configured. The error I got after that configuration is attached below.
   
   ### Environment
   
   - APISIX version (run `apisix version`):2.13.1
   - Operating system (run `uname -a`):Linux gz-vm-30-73-203 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):nginx version: openresty/1.19.9.1
   built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
   built with OpenSSL 1.1.1n  15 Mar 2022
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.5 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.HOhTx9UT8p/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.HOhTx9UT8p/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.HOhTx9UT8p/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.HOhTx9UT8p/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.HOhTx9UT8p/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.HOhTx9UT8p/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] tzssangglass commented on issue #7153: help request: How to configure APISIX to forward MQTT with SSL enabled

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #7153:
URL: https://github.com/apache/apisix/issues/7153#issuecomment-1140591786

   > @believe1499 The wildcard match of the SNI is limited to just one level.
   
   `qa-live.test.net` can't match `*.test.net`? It looks like it should match.
   
   > failed to find any SSL certificate by SNI: qa-live.test.net
   
   Obviously this is an SNI match failure and I need to know what this certificate you uploaded is stored as in etcd. (Since you uploaded it in dashboard, I'd actually like to know the format you uploaded it in curl, so I can reproduce it quickly)




[GitHub] [apisix] believe1499 commented on issue #7153: help request: How to configure APISIX to forward MQTT with SSL enabled

Posted by GitBox <gi...@apache.org>.
believe1499 commented on issue #7153:
URL: https://github.com/apache/apisix/issues/7153#issuecomment-1140811562

   I uploaded the wrong certificate. It works correctly now. Thank you!




[GitHub] [apisix] tokers commented on issue #7153: help request: How to configure APISIX to forward MQTT with SSL enabled

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #7153:
URL: https://github.com/apache/apisix/issues/7153#issuecomment-1140573555

   @believe1499 The wildcard match of the SNI is limited to just one level.




[GitHub] [apisix] believe1499 commented on issue #7153: help request: How to configure APISIX to forward MQTT with SSL enabled

Posted by GitBox <gi...@apache.org>.
believe1499 commented on issue #7153:
URL: https://github.com/apache/apisix/issues/7153#issuecomment-1139505068

   1. I uploaded the certificate's cer and key files through the dashboard; the corresponding SNIs are *.test.net and test.net.
   2. The config.yaml configuration is as follows:
   ```yaml
   apisix:
     admin_key:
       - name: admin
         key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
         role: admin
     stream_proxy:
       only: true
       tcp:
         - 9100
         - 9200
         - addr: 8883
           tls: true
   ```
   3. Added the stream route configuration:
   ```shell
   curl http://127.0.0.1:9080/apisix/admin/stream_routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X POST -d '
   {
       "plugins": {
           "mqtt-proxy": {
               "protocol_name": "MQTT",
               "protocol_level": 4
           }
       },
       "server_port": 8883,
       "upstream": {
           "scheme": "tls",
           "type": "roundrobin",
           "nodes": [
           {
               "host": "172.28.48.58",
               "port": 8883,
               "weight": 1
           }
           ]
       }
   }'
   ```
   4. After configuring this, I connected with the MQTTX client through the domain mqtts://qa-live.test.net:8883, and the error is as follows:
   ```
   2022/05/27 16:27:12 [error] 24042#24042: *7716953 stream [lua] radixtree_sni.lua:145: match_and_set(): failed to find any SSL certificate by SNI: qa-live.test.net, context: ssl_certificate_by_lua*, client: 172.25.4.4, server: 0.0.0.0:8883
   ```
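As an added example (not code from the issue reporter or from APISIX itself), a small Python helper that pulls the failing SNI out of the `radixtree_sni.lua` error line quoted above and checks it against the SNIs the reporter says were configured, using the one-level wildcard rule tokers states in this thread. The status labels and function names are my own; `verify-stored-ssl-object` means the configured patterns should have matched, so the next step is to inspect what is actually stored for that SSL object (as tzssangglass asks), which is where the wrong certificate turned up here.

```python
import re

# Constructed sample: the error line quoted in the issue.
LOG_LINE = ('2022/05/27 16:27:12 [error] 24042#24042: *7716953 stream [lua] '
            'radixtree_sni.lua:145: match_and_set(): failed to find any SSL '
            'certificate by SNI: qa-live.test.net, context: ssl_certificate_by_lua*, '
            'client: 172.25.4.4, server: 0.0.0.0:8883')

SNI_ERR = re.compile(r'failed to find any SSL certificate by SNI: (?P<sni>[^,\s]+)')


def extract_failed_sni(line: str):
    """Return the SNI named in an APISIX 'failed to find any SSL certificate' error, else None."""
    m = SNI_ERR.search(line)
    return m.group('sni').lower() if m else None


def sni_pattern_matches(pattern: str, host: str) -> bool:
    """One-level wildcard semantics, as stated in the thread: '*.test.net' covers exactly
    one extra label ('qa-live.test.net'), not 'a.b.test.net' and not the bare 'test.net'."""
    pattern, host = pattern.lower().rstrip('.'), host.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == host
    suffix = pattern[1:]                 # '.test.net'
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]       # the label(s) the '*' would have to absorb
    return bool(leftmost) and '.' not in leftmost


def covering_snis(configured, host):
    """All configured SNI patterns that cover the given hostname."""
    return [p for p in configured if sni_pattern_matches(p, host)]


def diagnose(line: str, configured):
    """Classify the error line (hypothetical helper, labels are my own):
    'not-an-sni-error'        -> the line is something else
    'pattern-mismatch'        -> no configured SNI covers the host: fix the SNI list
    'verify-stored-ssl-object'-> a pattern should match, so check what APISIX actually
                                  stores for that SSL object (certificate, SNI list)"""
    host = extract_failed_sni(line)
    if host is None:
        return 'not-an-sni-error', []
    hits = covering_snis(configured, host)
    return ('verify-stored-ssl-object' if hits else 'pattern-mismatch'), hits
```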




[GitHub] [apisix] believe1499 closed issue #7153: help request: How to configure APISIX to forward MQTT with SSL enabled

Posted by GitBox <gi...@apache.org>.
believe1499 closed issue #7153: help request: How to configure APISIX to forward MQTT with SSL enabled
URL: https://github.com/apache/apisix/issues/7153

