Posted to dev@apisix.apache.org by Zhang Chao <zc...@gmail.com> on 2020/10/24 03:04:02 UTC

[DISCUSS] Support TLS mode for the communication with ETCD cluster

Hello Community!

Recently I observed some issues and discussion in the QQ group about the support of HTTPS for the ETCD cluster.

I think it might be a necessary feature. Although, because of the limitations of Cosocket, we cannot support mutual TLS
authentication, we can still support the simple TLS mode: only authenticating the etcd cluster.

So two things we need to do to support this.

1) lua-resty-etcd

We should enhance lua-resty-etcd to support an optional SSL handshake after connecting to one of the ETCD endpoints; care must be taken here about the TLS SNI extension, session reuse and SSL verification.

2) APISIX

We should also add some new items to the configuration, and use these new items when creating the etcd client objects.

etcd:
  ......

  tls:
    mode: simple  # TLS mode for communicating with the ETCD
                  # cluster, optional value can be:
                  #   disable: do not set up a TLS connection
                  #            to ETCD endpoints.
                  #   simple: originate a TLS connection to the
                  #           ETCD endpoint
                  # The default mode is disable.
  
Something I cannot decide is how we configure the SNI. I don’t think exposing a configuration item like “sni” is a good way; I’m inclined to use existing items to deduce the SNI (like hosts?). On the other hand, I haven’t decided yet about the SSL verification. Maybe we can add more options for the mode like “weak” or “strict”, or an explicit item like “verify” is also OK. What’s your idea?


Chao Zhang
zchao1995@gmail.com




Re: [DISCUSS] Support TLS mode for the communication with ETCD cluster

Posted by YuanSheng Wang <me...@apache.org>.
On Fri, Oct 30, 2020 at 10:45 AM Zhang Chao <zc...@gmail.com> wrote:

> After investigating more, I think whether to use a TLS connection with etcd
> can be decided by the scheme in the etcd endpoints, and we can just configure
> some auxiliary options in config-default.yaml like “verify”. The PR was
> committed to GitHub.
>

nice ^_^




-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix

Re: [DISCUSS] Support TLS mode for the communication with ETCD cluster

Posted by Zhang Chao <zc...@gmail.com>.
After investigating more, I think whether to use a TLS connection with etcd
can be decided by the scheme in the etcd endpoints, and we can just configure
some auxiliary options in config-default.yaml like “verify”. The PR was
committed to GitHub.


On October 25, 2020 at 11:02:56 AM, Zhang Chao (zchao1995@gmail.com) wrote:

So here is my newest thought about the TLS etcd connection:


etcd:
  ......

  tls:
    mode: simple  # TLS mode for communicating with the ETCD
                  # cluster, optional value can be:
                  #   disable: do not set up a TLS connection
                  #            to ETCD endpoints.
                  #   simple: originate a TLS connection to the
                  #           ETCD endpoint
                  # The default mode is disable.
    verify: true  # Whether to verify the ETCD cluster certificate.

    trusted_certificate_file: /path/to/ca  # Specify a file path with trusted CA certificates
                                           # in the PEM format to verify the ETCD cluster certificate.


The comments might need some improvements. Incidentally, we may put the
trusted_certificate_file option into the “apisix” section, not only for the
ETCD.


Chao Zhang
zchao1995@gmail.com




Re: [DISCUSS] Support TLS mode for the communication with ETCD cluster

Posted by Zhang Chao <zc...@gmail.com>.
So here is my newest thought about the TLS etcd connection:


etcd:
  ......

  tls:
    mode: simple  # TLS mode for communicating with the ETCD
                  # cluster, optional value can be:
                  #   disable: do not set up a TLS connection
                  #            to ETCD endpoints.
                  #   simple: originate a TLS connection to the
                  #           ETCD endpoint
                  # The default mode is disable.
    verify: true  # Whether to verify the ETCD cluster certificate.

    trusted_certificate_file: /path/to/ca  # Specify a file path with trusted CA certificates
                                           # in the PEM format to verify the ETCD cluster certificate.


The comments might need some improvements. Incidentally, we may put the trusted_certificate_file option into the “apisix” section, not only for the ETCD.


Chao Zhang
zchao1995@gmail.com



> On Oct 24, 2020, at 9:00 PM, Ming Wen <we...@apache.org> wrote:
> 
> Nice, +1 for TLS etcd connection


Re: [DISCUSS] Support TLS mode for the communication with ETCD cluster

Posted by Ming Wen <we...@apache.org>.
Nice, +1 for TLS etcd connection

Zhang Chao <zc...@gmail.com> wrote on Sat, Oct 24, 2020 at 8:57 PM:

> Agreed your idea.
>
> Chao Zhang
> zchao1995@gmail.com
>
Thanks,
Ming Wen, Apache APISIX & Apache SkyWalking
Twitter: _WenMing

Re: [DISCUSS] Support TLS mode for the communication with ETCD cluster

Posted by Zhang Chao <zc...@gmail.com>.
Agreed your idea.

Chao Zhang
zchao1995@gmail.com



> On Oct 24, 2020, at 7:38 PM, Zexuan Luo <sp...@apache.org> wrote:
> 
>> taken here about the TLS SNI extension, the Session reuse and the SSL
> verification.
> 
> I think we don't need to support SSL session reuse. Using TLS tickets is
> enough, which is supported by the client automatically.
> 
>> an explicit item like “verify”
> 
> I think we should also support a customized trusted CA, like what
> `lua_ssl_trusted_certificate` does. It is useful for self-signed
> certificates.


Re: [DISCUSS] Support TLS mode for the communication with ETCD cluster

Posted by Zexuan Luo <sp...@apache.org>.
> taken here about the TLS SNI extension, the Session reuse and the SSL
verification.

I think we don't need to support SSL session reuse. Using TLS tickets is
enough, which is supported by the client automatically.

> an explicit item like “verify”

I think we should also support a customized trusted CA, like what
`lua_ssl_trusted_certificate` does. It is useful for self-signed
certificates.



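The client side of what this thread converges on (TLS switched on by the endpoint scheme, SNI deduced from the endpoint host rather than a separate "sni" item, server-only verification against a trusted CA file as `lua_ssl_trusted_certificate` does, and session reuse left to the TLS layer), written as an added example on top of the OpenResty cosocket API. This is not lua-resty-etcd's or APISIX's own code: the functions `parse_endpoint`, `sni_for` and `connect_etcd`, the `opts` table and the endpoint list are assumptions made for illustration, and the nginx.conf is assumed to already point `lua_ssl_trusted_certificate` at the etcd CA bundle (the file the thread's trusted_certificate_file item would name).

```lua
-- Added example; not lua-resty-etcd's or APISIX's own code. Assumes OpenResty
-- (lua-nginx-module cosocket API) and, in nginx.conf, the CA bundle configured
-- as  lua_ssl_trusted_certificate /path/to/etcd-ca.pem;  lua_ssl_verify_depth 2;
-- parse_endpoint, sni_for, connect_etcd and the opts table are hypothetical.

-- Split "https://etcd-1.example.internal:2379" into host, port and a TLS flag;
-- the scheme alone decides whether a TLS handshake is performed.
local function parse_endpoint(endpoint)
    local scheme, rest = endpoint:match("^(%a[%w+.-]*)://(.+)$")
    if not scheme then
        return nil, "endpoint has no scheme: " .. endpoint
    end
    scheme = scheme:lower()
    if scheme ~= "http" and scheme ~= "https" then
        return nil, "unsupported scheme: " .. scheme
    end
    -- "[::1]:2379" (bracketed IPv6) or "host:port" / "host"
    local host, port = rest:match("^%[([^%]]+)%]:?(%d*)$")
    if not host then
        host, port = rest:match("^([^:/]+):?(%d*)$")
    end
    if not host then
        return nil, "cannot parse host in endpoint: " .. endpoint
    end
    return { host = host, port = tonumber(port) or 2379, tls = (scheme == "https") }
end

-- SNI is deduced from the endpoint host, as proposed in the thread. RFC 6066
-- forbids IP literals in server_name, so nil is returned for IPv4/IPv6 literals.
local function sni_for(host)
    if host:find(":", 1, true) or host:match("^%d+%.%d+%.%d+%.%d+$") then
        return nil
    end
    return host
end

-- opts.verify : verify the server certificate (default true; false leaves the
--               link open to an active man-in-the-middle).
-- opts.session: session userdata returned by an earlier connect_etcd() to the
--               same endpoint, handed back to sslhandshake() for resumption.
-- Returns sock, nil, session on success, or nil, err on failure.
local function connect_etcd(endpoint, opts)
    opts = opts or {}
    local ep, err = parse_endpoint(endpoint)
    if not ep then
        return nil, err
    end

    local sock = ngx.socket.tcp()
    local t = opts.timeout or 3000
    sock:settimeouts(t, t, t)
    local ok, cerr = sock:connect(ep.host, ep.port)
    if not ok then
        return nil, "connect to " .. endpoint .. " failed: " .. cerr
    end

    local session
    -- A socket taken from the keepalive pool already carries its TLS state;
    -- only a fresh TCP connection needs the handshake.
    if ep.tls and sock:getreusedtimes() == 0 then
        local verify = opts.verify
        if verify == nil then
            verify = true
        end
        -- sslhandshake(reused_session, server_name, ssl_verify): false disables
        -- session reuse when no prior session exists. With ssl_verify=true the
        -- chain is checked against lua_ssl_trusted_certificate and server_name
        -- is matched against the names in the certificate.
        local sess, herr = sock:sslhandshake(opts.session or false,
                                             sni_for(ep.host), verify)
        if not sess then
            sock:close()
            return nil, "TLS handshake with " .. endpoint .. " failed: " .. herr
        end
        session = sess
    end
    return sock, nil, session
end

-- Usage (inside content_by_lua_block or a timer); endpoints are constructed.
local endpoints = {
    "https://etcd-1.example.internal:2379",  -- TLS, SNI = etcd-1.example.internal
    "https://10.0.0.5:2379",                 -- TLS, no SNI (IP literal)
    "http://127.0.0.1:2379",                 -- plaintext, handshake skipped
}
local sessions = {}  -- per-endpoint cache for TLS session resumption
for _, ep in ipairs(endpoints) do
    local sock, err, session = connect_etcd(ep, { verify = true, session = sessions[ep] })
    if not sock then
        ngx.log(ngx.ERR, err)
    else
        sessions[ep] = session or sessions[ep]
        -- ... send the etcd HTTP request over sock here ...
        sock:setkeepalive(60000, 16)  -- pool the connection, TLS state included
    end
end
```

Two points worth checking against any real implementation of this design. First, `verify = false` on an https endpoint buys encryption but not authentication, so a self-signed etcd certificate is better handled by pointing `lua_ssl_trusted_certificate` at the etcd CA, as suggested in the thread, than by switching verification off. Second, nothing in this code presents a client certificate: the `sslhandshake` call takes none, which is the cosocket limitation the opening post gives for not supporting mutual TLS.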