Posted to notifications@apisix.apache.org by we...@apache.org on 2020/10/27 22:49:36 UTC
[apisix] branch master updated: feature: support injecting
lua_ssl_trusted_certificate. (#2519)
This is an automated email from the ASF dual-hosted git repository.
wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new d87ce33 feature: support injecting lua_ssl_trusted_certificate. (#2519)
d87ce33 is described below
commit d87ce33485254279ef3b7ac622e2c7dc8a9429b5
Author: Alex Zhang <zc...@gmail.com>
AuthorDate: Wed Oct 28 06:49:20 2020 +0800
feature: support injecting lua_ssl_trusted_certificate. (#2519)
---
bin/apisix | 23 +++++++++++++++++++++++
conf/config-default.yaml | 3 +++
2 files changed, 26 insertions(+)
diff --git a/bin/apisix b/bin/apisix
index efefcea..f98c636 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -390,6 +390,10 @@ http {
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
+ {% if ssl.ssl_trusted_certificate ~= nil then %}
+ lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
+ {% end %}
+
ssl_protocols {* ssl.ssl_protocols *};
ssl_ciphers {* ssl.ssl_ciphers *};
ssl_prefer_server_ciphers on;
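Review bot: The configured path is interpolated into the generated nginx directive unquoted at `lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};`, so a value from conf/config.yaml containing whitespace, `;` or `#` would alter the meaning of the directive instead of being treated as a file name. Quoting it in the template, `lua_ssl_trusted_certificate "{* ssl.ssl_trusted_certificate *}";`, or rejecting such characters where the path is validated, keeps a bad value from reshaping the config. If the CA bundle is expected to contain intermediate certificates, the verify depth may also need to be raised via `lua_ssl_verify_depth`, whose default is presumably 1 — confirm against the OpenResty documentation. The enclosing `http {` block starts and ends outside the hunk.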
@@ -591,6 +595,17 @@ local function read_file(file_path)
end
+local function is_file_exist(file_path)
+ local file, err = io.open(file_path)
+ if not file then
+ return false, "failed to open file: " .. file_path .. ", error info: " .. err
+ end
+
+ file:close()
+ return true
+end
+
+
local function is_empty_yaml_line(line)
return line == '' or string.find(line, '^%s*$') or
string.find(line, '^%s*#')
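Review bot: `is_file_exist` raises instead of returning `false, err` when `file_path` is not a string, because `io.open` rejects a non-string argument with a "bad argument" error, so a YAML value such as a bare number would produce a traceback rather than the friendly message the caller prints. A guard at the top, `if type(file_path) ~= "string" then return false, "file path must be a string: " .. tostring(file_path) end`, keeps the `false, err` convention the caller relies on. Note also that `io.open` in the default read mode presumably succeeds on a directory on Linux, so a directory path would pass this check and only fail when nginx loads the CA bundle — confirm. A doc comment would help, e.g. `-- Returns true when file_path can be opened for reading by this process, else false, err; readability by the nginx worker user is not checked.`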
@@ -905,6 +920,14 @@ Please modify "admin_key" in conf/config.yaml .
yaml_conf.apisix.ssl.listen_port = listen_port
end
+ if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
+ local ok, err = is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)
+ if not ok then
+ io.stderr:write(err, "\n")
+ os.exit(1)
+ end
+ end
+
-- Using template.render
local sys_conf = {
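Review bot: The existence check at `is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)` resolves a relative path against the current working directory of the bin/apisix process, whereas nginx presumably resolves a relative `lua_ssl_trusted_certificate` path against its prefix directory, so a relative value may pass here and still fail at nginx start, or fail here although nginx would accept it — confirm. Resolving the value to an absolute path before the check, or requiring an absolute path in the validation error, would make the check and nginx agree. The enclosing function starts and ends outside the hunk.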
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 688fa54..5c15aaf 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -101,6 +101,9 @@ apisix:
enable: true
enable_http2: true
listen_port: 9443
+ # ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
+ # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
+ # with external services (e.g. etcd)
ssl_protocols: "TLSv1.2 TLSv1.3"
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd.