Posted to notifications@apisix.apache.org by we...@apache.org on 2020/10/27 22:49:36 UTC

[apisix] branch master updated: feature: support injecting lua_ssl_trusted_certificate. (#2519)

This is an automated email from the ASF dual-hosted git repository.

wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new d87ce33  feature: support injecting lua_ssl_trusted_certificate. (#2519)
d87ce33 is described below

commit d87ce33485254279ef3b7ac622e2c7dc8a9429b5
Author: Alex Zhang <zc...@gmail.com>
AuthorDate: Wed Oct 28 06:49:20 2020 +0800

    feature: support injecting lua_ssl_trusted_certificate. (#2519)
---
 bin/apisix               | 23 +++++++++++++++++++++++
 conf/config-default.yaml |  3 +++
 2 files changed, 26 insertions(+)

diff --git a/bin/apisix b/bin/apisix
index efefcea..f98c636 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -390,6 +390,10 @@ http {
         ssl_session_cache    shared:SSL:20m;
         ssl_session_timeout 10m;
 
+        {% if ssl.ssl_trusted_certificate ~= nil then %}
+        lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
+        {% end %}
+
         ssl_protocols {* ssl.ssl_protocols *};
         ssl_ciphers {* ssl.ssl_ciphers *};
         ssl_prefer_server_ciphers on;
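Review bot: The new `lua_ssl_trusted_certificate` directive is emitted next to `ssl_session_cache`/`ssl_protocols`, which by indentation looks like the inside of a `server {}` block rather than the `http {}` block (the enclosing block starts before this hunk). In lua-nginx-module the directive is allowed at http, server and location level, but the value a cosocket sees depends on the context it runs in; the config comment in this commit says the CA file is meant for etcd handshakes, and as far as I can tell those run from init_worker/timer contexts that do not inherit a particular server's settings — worth confirming the directive is also rendered at http level, e.g. `lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};` directly under `http {`. Two smaller points: the path is interpolated unquoted, so a path containing whitespace or `;` produces a broken nginx.conf (`lua_ssl_trusted_certificate "{* ssl.ssl_trusted_certificate *}";` would be safer), and a CA file that contains an intermediate chain needs `lua_ssl_verify_depth` above the module default of 1 to verify successfully.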
@@ -591,6 +595,17 @@ local function read_file(file_path)
 end
 
 
+local function is_file_exist(file_path)
+    local file, err = io.open(file_path)
+    if not file then
+        return false, "failed to open file: " .. file_path .. ", error info: " .. err
+    end
+
+    file:close()
+    return true
+end
+
+
 local function is_empty_yaml_line(line)
     return line == '' or string.find(line, '^%s*$') or
            string.find(line, '^%s*#')
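Review bot: `is_file_exist` only proves `io.open` succeeds, and on Linux `fopen` in read mode succeeds on a directory, so a directory path (or an empty file) passes the check and the failure only surfaces when nginx parses the config. Reading one byte before returning turns this into a readability check: `local data, rerr = file:read(1)`, `file:close()`, `if not data then return false, "failed to read file: " .. file_path .. ", error info: " .. (rerr or "file is empty") end`. The error message built from `err` is fine as written, since `io.open` always returns a string message on failure. Note also that the check runs as the user invoking `bin/apisix`; nginx loads the CA file in the master process at config time, so that matches, but it does not validate that the content is actually PEM.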
@@ -905,6 +920,14 @@ Please modify "admin_key" in conf/config.yaml .
         yaml_conf.apisix.ssl.listen_port = listen_port
     end
 
+    if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
+        local ok, err = is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)
+        if not ok then
+            io.stderr:write(err, "\n")
+            os.exit(1)
+        end
+    end
+
 
     -- Using template.render
     local sys_conf = {
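Review bot: The existence check and the rendered directive resolve relative paths differently: `io.open` resolves `ssl_trusted_certificate` against the current working directory of whoever runs `bin/apisix`, while nginx resolves a relative `lua_ssl_trusted_certificate` path against its prefix, so a relative path can pass this check and still fail at nginx startup (or the reverse). Either reject relative paths up front — `if not string.find(yaml_conf.apisix.ssl.ssl_trusted_certificate, "^/") then io.stderr:write("ssl_trusted_certificate must be an absolute path\n") os.exit(1) end` — or normalize to an absolute path before both the check and the template render. The enclosing function starts before this hunk, so I cannot see whether `yaml_conf.apisix.ssl` is guaranteed non-nil here, but the existing `listen_port` assignment just above already dereferences it.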
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 688fa54..5c15aaf 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -101,6 +101,9 @@ apisix:
     enable: true
     enable_http2: true
     listen_port: 9443
+    # ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
+                                                # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
+                                                # with external services (e.g. etcd)
     ssl_protocols: "TLSv1.2 TLSv1.3"
     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
     key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
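Review bot: The new comment reads as if setting `ssl_trusted_certificate` makes APISIX verify the peer, but in lua-nginx-module the directive only supplies the trust store; verification still has to be requested per connection (the `ssl_verify` option of the cosocket `sslhandshake` / the http client), and nothing in this commit turns that on. I would make that explicit so operators do not assume they are protected from a forged etcd endpoint, e.g. append `# NOTE: this only provides the CA bundle; the client must also request verification (ssl_verify) for it to take effect`. It would also help to state that the path must be absolute, since the generated nginx.conf and the startup check resolve relative paths from different directories.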