Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/06/22 06:36:38 UTC

[GitHub] [incubator-apisix] moonming commented on a change in pull request #1747: feat: Support client-to-server authentication with SSL certificates

moonming commented on a change in pull request #1747:
URL: https://github.com/apache/incubator-apisix/pull/1747#discussion_r443343163



##########
File path: conf/config-for-two-side-ssl-auth.yaml
##########
@@ -0,0 +1,174 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apisix:
+  node_listen: 9080              # APISIX listening port
+  enable_heartbeat: true
+  enable_admin: true
+  enable_admin_cors: true         # Admin API support CORS response headers.
+  enable_debug: false
+  enable_dev_mode: false          # Sets nginx worker_processes to 1 if set to true
+  enable_reuseport: true          # Enable nginx SO_REUSEPORT switch if set to true.
+  enable_ipv6: true
+  config_center: etcd             # etcd: use etcd to store the config value
+                                  # yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml`
+
+  #proxy_protocol:                 # Proxy Protocol configuration
+  #  listen_http_port: 9181        # The port with proxy protocol for http, it differs from node_listen and port_admin.
+                                   # This port can only receive http request with proxy protocol, but node_listen & port_admin
+                                   # can only receive http request. If you enable proxy protocol, you must use this port to
+                                   # receive http request with proxy protocol
+  #  listen_https_port: 9182       # The port with proxy protocol for https
+  #  enable_tcp_pp: true           # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
+  #  enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server
+
+  proxy_cache:                     # Proxy Caching configuration
+    cache_ttl: 10s                 # The default caching time if the upstream does not specify the cache time
+    zones:                         # The parameters of a cache
+    - name: disk_cache_one         # The name of the cache, administrator can be specify
+                                   # which cache to use by name in the admin api
+      memory_size: 50m             # The size of shared memory, it's used to store the cache index
+      disk_size: 1G                # The size of disk, it's used to store the cache data
+      disk_path: "/tmp/disk_cache_one" # The path to store the cache data
+      cache_levels: "1:2"           # The hierarchy levels of a cache
+  #  - name: disk_cache_two
+  #    memory_size: 50m
+  #    disk_size: 1G
+  #    disk_path: "/tmp/disk_cache_two"
+  #    cache_levels: "1:2"
+
+  allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
+    - 127.0.0.0/24              # If we don't set any IP list, then any IP access is allowed by default.
+  #   - "::/64"
+  port_admin: 9180              # use a separate port
+  https_admin: true             # enable HTTPS when use a separate port for Admin API.
+                                  # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+
+  # Default token when use API to call for Admin API.
+  # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
+  # Disabling this configuration item means that the Admin API does not
+  # require any authentication.
+  admin_key:
+    -
+      name: "admin"
+      key: edd1c9f034335f136f87ad84b625c8f1
+      role: admin                 # admin: manage all configuration data
+                                  # viewer: only can view configuration data
+    -
+      name: "viewer"
+      key: 4054f7cf07e344346cd3f287985e76a2
+      role: viewer
+  router:
+    http: 'radixtree_uri'         # radixtree_uri: match route by uri(base on radixtree)
+                                  # radixtree_host_uri: match route by host + uri(base on radixtree)
+    ssl: 'radixtree_sni'          # radixtree_sni: match route by SNI(base on radixtree)
+  # stream_proxy:                 # TCP/UDP proxy
+  #   tcp:                        # TCP proxy port list
+  #     - 9100
+  #     - 9101
+  #   udp:                        # UDP proxy port list
+  #     - 9200
+  #     - 9211
+  # dns_resolver:                   # If not set, read from `/etc/resolv.conf`
+  #  - 1.1.1.1
+  #  - 8.8.8.8
+  dns_resolver_valid: 30          # valid time for dns result 30 seconds
+  resolver_timeout: 5             # resolver timeout
+  ssl:
+    enable: true
+    enable_http2: true
+    listen_port: 9443
+    ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+    verify_client: true
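Review bot: The `ssl` stanza of this new sample config carries over `ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"` and a cipher list that ends in `DES-CBC3-SHA`, so an example meant to demonstrate certificate-based client authentication also keeps TLS 1.0/1.1 and a 3DES suite enabled on the same listener. For a hardening example I would narrow it to `ssl_protocols: "TLSv1.2 TLSv1.3"` and drop the trailing `:DES-CBC3-SHA` from `ssl_ciphers`, or at least add a comment saying the list is inherited from the default conf/config.yaml and is not part of the mTLS setup. The file otherwise duplicates conf/config.yaml wholesale, including the default `admin_key` values, so the two will drift; a header comment naming the keys that differ from config.yaml (`ssl.verify_client`) would tell readers what they are actually meant to look at. The quoted hunk is cut off after `verify_client` (its header announces 174 lines), so the remainder of the file is not reviewed here.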

Review comment:
       the default value should be `false`

##########
File path: doc/two-side-auth-with-ssl.md
##########
@@ -0,0 +1,41 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+[Chinese](zh-cn/two-side-auth-with-ssl.md)

Review comment:
       I think `Mutual authentication` or `mTLS` is better name.

##########
File path: conf/config.yaml
##########
@@ -93,6 +93,9 @@ apisix:
     listen_port: 9443
     ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+    verify_client: false                    # Enable or disable client-to-server authentication with HTTPS client certificates
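Review bot: The comment on `verify_client` says what the option is for but not what happens to a client that presents no certificate or one that fails verification, which is the detail an operator toggling it needs, and it does not say which trust anchor the verification is checked against. If rejecting such handshakes is the implemented behavior, I would extend the line to `verify_client: false   # When true, the HTTPS listener requires a client certificate and rejects handshakes that fail verification; see doc/two-side-auth-with-ssl.md for the CA setup`, otherwise describe the actual outcome. The same hunk is quoted again further down this thread; the remark applies there too.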

Review comment:
       do you mean authentication for the API admin caller?

##########
File path: conf/cert/two_side_server.key
##########
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----

Review comment:
       I don't think it's a good idea to have a few built in self-signed certs, they should only be used for testing.

##########
File path: .travis.yml
##########
@@ -7,6 +7,8 @@ matrix:
       services:
         - docker
       env: OSNAME=linux_openresty
+    - os: linux
+      env: OSNAME=linux_openresty_two_side_ssl_auth
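Review bot: The new matrix entry declares only `os` and `env`, whereas the `linux_openresty` entry directly above it also carries `services:` with `- docker`; if the mTLS job runs the same docker-backed setup as that entry, it needs the same two lines (`services:` / `  - docker`) under the new `- os: linux` or it will fail before the test script runs. If the job deliberately does not need docker, a one-line comment on the entry saying so would stop the next reader from adding it. The enclosing `matrix:` block starts outside this hunk.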

Review comment:
       I think `two_side` should be `mTLS`

##########
File path: conf/config.yaml
##########
@@ -93,6 +93,9 @@ apisix:
     listen_port: 9443
     ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+    verify_client: false                    # Enable or disable client-to-server authentication with HTTPS client certificates

Review comment:
       Should we let the user specify the path of mTLS certs?



