qwzhou89 commented on issue #9823:
URL: https://github.com/apache/apisix/issues/9823#issuecomment-1654858135
> can you share more detail ?
>
> ```
> client <- mtls -> apisix <-mtls-> upstream (tcp)
> ```
I read the source code of apisix; in the stream proxy, mTLS between apisix
and the upstream is not yet supported, that is, even if the apisix side is
equipped with a cert and key to communicate with the upstream, it does not
work.
But nginx itself supports it, so if there is only 1 upstream, which is
fixed, then it can be achieved by combining stream_configuration_snippet.
Put the upstream cert and key inside stream_configuration_snippet, and then
you can do mTLS communication.
```yaml
stream_configuration_snippet: |
  proxy_ssl on;
  # ssl_upstream1_client.crt/key: client certificate and private key for the
  # upstream configured in stream_routes.
  # If the upstream uses a self-signed certificate, its CA certificate must
  # be added to ca-bundle.
  proxy_ssl_certificate cert/ssl_upstream1_client.crt;
  proxy_ssl_certificate_key cert/ssl_upstream1_client.key;
  proxy_ssl_trusted_certificate ssl/ca-bundle;
  # nginx defaults proxy_ssl_verify to off, so the bundle above is only
  # checked against the upstream certificate when this is set. With
  # verification on, nginx compares the certificate name to proxy_ssl_name,
  # which defaults to the proxy_pass host, so set proxy_ssl_name to the
  # name in the upstream's certificate.
  proxy_ssl_verify on;
```
If there are multiple upstreams with different certificates, then you have
to wait for apisix support. Or you can just configure the stream, ports and
certificates yourself like nginx, without apisix configuration at all.
```yaml
stream_configuration_snippet: |
  # Add custom Nginx stream configuration to nginx.conf.
  # The configuration should be well indented!
  upstream k8st1apisever {
    server 192.168.11.1:6443;
    server 192.168.11.2:6443;
    server 192.168.11.3:6443;
  }
  server {
    listen 7443 ssl reuseport;
    ssl_certificate cert/server-k8st1-self.cer;
    ssl_certificate_key cert/server-k8st1-self.key;
    ssl_trusted_certificate ssl/ca-bundle;
    # ssl_verify_client defaults to off: without it nginx never asks the
    # client for a certificate and the bundle above is not used.
    ssl_verify_client on;
    proxy_pass k8st1apisever;
    proxy_ssl on;
    proxy_ssl_certificate cert/k8st1-client.crt;
    proxy_ssl_certificate_key cert/k8st1-client.key;
    proxy_ssl_trusted_certificate ssl/ca-bundle;
    # proxy_ssl_verify defaults to off; enable it so the upstream certificate
    # is actually checked against the bundle. Every server in the upstream
    # group must then present a certificate valid for proxy_ssl_name.
    proxy_ssl_verify on;
    proxy_ssl_server_name on;
    proxy_ssl_name "192.168.11.1";
  }
  # The second upstream and server use different certificates and ports.
  upstream k8st2apisever {
    server 192.168.12.1:6443;
    server 192.168.12.2:6443;
    server 192.168.12.3:6443;
  }
  server {
    listen 8443 ssl reuseport;
    ssl_certificate cert/server-k8st2-self.cer;
    ssl_certificate_key cert/server-k8st2-self.key;
    ssl_trusted_certificate ssl/ca-bundle;
    ssl_verify_client on;
    # Must point at the second upstream group; k8st1apisever here would send
    # this listener's traffic to the first cluster.
    proxy_pass k8st2apisever;
    proxy_ssl on;
    proxy_ssl_certificate cert/k8st2-client.crt;
    proxy_ssl_certificate_key cert/k8st2-client.key;
    proxy_ssl_trusted_certificate ssl/ca-bundle;
    proxy_ssl_verify on;
    proxy_ssl_server_name on;
    proxy_ssl_name "192.168.12.2";
  }
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
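The stream snippets in this thread show how easy it is to write an nginx stream block that looks like mTLS but is not enforced: `proxy_ssl_trusted_certificate` and `ssl_trusted_certificate` are ignored unless `proxy_ssl_verify` and `ssl_verify_client` are switched on (both default to off), `proxy_ssl_name` defaults to the `proxy_pass` host (the upstream group name, which no certificate will match), and a `proxy_pass` can reference an upstream group that was never defined. The following linter, an added example that is not part of the comment above and not APISIX or nginx code, parses a subset of nginx stream syntax (blocks, directives, quoted arguments, `#` comments) and reports those conditions. The configuration it checks is constructed for the example and mirrors the shape of the snippet above with placeholder paths; the directive names and nginx default behaviours it relies on are real, everything else (function names, finding codes) is this example's own.

```python
"""Lint an nginx stream snippet for mTLS settings that fail silently."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the thread): two listeners, the second one
# pointing at an upstream group that is never defined.
SAMPLE_CONF = """
upstream k8st1apisever {
    server 192.168.11.1:6443;
}
server {
    listen 7443 ssl reuseport;
    ssl_certificate cert/server-k8st1-self.cer;
    ssl_certificate_key cert/server-k8st1-self.key;
    ssl_trusted_certificate ssl/ca-bundle;
    proxy_pass k8st1apisever;
    proxy_ssl on;
    proxy_ssl_certificate cert/k8st1-client.crt;
    proxy_ssl_certificate_key cert/k8st1-client.key;
    proxy_ssl_trusted_certificate ssl/ca-bundle;
    proxy_ssl_server_name on;
    proxy_ssl_name "192.168.11.1";
}
server {
    listen 8443 ssl;
    ssl_certificate cert/server-k8st2-self.cer;
    ssl_certificate_key cert/server-k8st2-self.key;
    proxy_pass k8st2apisever;   # upstream block not defined
    proxy_ssl on;
    proxy_ssl_verify on;
    proxy_ssl_certificate cert/k8st2-client.crt;
    proxy_ssl_certificate_key cert/k8st2-client.key;
    proxy_ssl_trusted_certificate ssl/ca-bundle;
}
"""

Finding = Tuple[str, str, str]  # (block label, finding code, message)


def _tokens(text: str) -> List[str]:
    """Strip # comments, then split into quoted strings, words, braces and ';'."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)


def parse_stream_conf(text: str) -> List[dict]:
    """Return blocks as {'type', 'name', 'directives': {name: [args]}}.

    Only the first occurrence of each directive in a block is kept.
    """
    blocks: List[dict] = []
    stack: List[dict] = []
    buf: List[str] = []
    for tok in _tokens(text):
        if tok == "{":
            blk = {"type": buf[0], "name": buf[1] if len(buf) > 1 else None,
                   "directives": {}}
            blocks.append(blk)
            stack.append(blk)
            buf = []
        elif tok == "}":
            if not stack:
                raise ValueError("unexpected '}' in stream configuration")
            stack.pop()
            buf = []
        elif tok == ";":
            if stack and buf:
                stack[-1]["directives"].setdefault(buf[0], buf[1:])
            buf = []
        else:
            buf.append(tok.strip("\"'"))
    if stack:
        raise ValueError("unclosed block in stream configuration")
    return blocks


def lint_stream_conf(text: str) -> List[Finding]:
    """Report mTLS settings that nginx will not enforce as written."""
    blocks = parse_stream_conf(text)
    upstreams = {b["name"] for b in blocks if b["type"] == "upstream"}
    servers = [b for b in blocks if b["type"] == "server" and b["name"] is None]
    findings: List[Finding] = []
    for idx, srv in enumerate(servers):
        d: Dict[str, List[str]] = srv["directives"]

        def first(key: str) -> Optional[str]:
            args = d.get(key)
            return args[0] if args else None

        tag = f"server[{idx}] listen {first('listen') or '?'}"
        target = first("proxy_pass")
        is_group = bool(target) and ":" not in target  # host:port is an address
        if is_group and target not in upstreams:
            findings.append((tag, "UNDEFINED_UPSTREAM",
                             f"proxy_pass {target} names an upstream that is not defined"))
        if first("proxy_ssl") == "on":
            if "proxy_ssl_trusted_certificate" not in d:
                findings.append((tag, "NO_UPSTREAM_CA",
                                 "no proxy_ssl_trusted_certificate to verify the upstream against"))
            if first("proxy_ssl_verify") != "on":
                findings.append((tag, "UPSTREAM_CERT_NOT_VERIFIED",
                                 "proxy_ssl_verify defaults to off: the upstream CA bundle is never consulted"))
            elif is_group and not first("proxy_ssl_name"):
                findings.append((tag, "VERIFY_NAME_IS_GROUP_NAME",
                                 f"proxy_ssl_name unset: nginx checks the certificate against '{target}'"))
            if ("proxy_ssl_certificate" in d) != ("proxy_ssl_certificate_key" in d):
                findings.append((tag, "CLIENT_KEYPAIR_INCOMPLETE",
                                 "proxy_ssl_certificate and proxy_ssl_certificate_key must both be set"))
        has_client_ca = "ssl_trusted_certificate" in d or "ssl_client_certificate" in d
        if has_client_ca and first("ssl_verify_client") not in ("on", "optional", "optional_no_ca"):
            findings.append((tag, "CLIENT_CERT_NOT_VERIFIED",
                             "ssl_verify_client defaults to off: clients are never asked for a certificate"))
    return findings


if __name__ == "__main__":
    for block, code, msg in lint_stream_conf(SAMPLE_CONF):
        print(f"{block}: {code}: {msg}")
```

Run against the constructed sample it reports four findings: the first listener's client and upstream certificates are both unverified, and the second listener points at a missing upstream group and, with verification on but no `proxy_ssl_name`, would compare the upstream certificate against the group name. Running it over the rendered stream section of `nginx.conf` (the snippet after APISIX has injected it) is the practical check; `nginx -t` alone will not catch any of these, since each is valid syntax.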