This is an automated email from the ASF dual-hosted git repository.
navendu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new bfc6a1908 docs: add docs for the new ocsp-stapling plugin (#10900)
bfc6a1908 is described below
commit bfc6a1908367bc0e953942f5d9c5797b34cda5a3
Author: yuweizzz <yuwei764969...@gmail.com>
AuthorDate: Tue Feb 20 11:04:08 2024 +0800
docs: add docs for the new ocsp-stapling plugin (#10900)
---
docs/en/latest/config.json | 3 +-
docs/en/latest/plugins/ocsp-stapling.md | 133 +++++++++++++++++++++++++++++++
docs/zh/latest/config.json | 3 +-
docs/zh/latest/plugins/ocsp-stapling.md | 134 ++++++++++++++++++++++++++++++++
4 files changed, 271 insertions(+), 2 deletions(-)
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index fd9a43f2f..824ac8245 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -80,7 +80,8 @@
"plugins/ext-plugin-post-req",
"plugins/ext-plugin-post-resp",
"plugins/inspect",
- "plugins/workflow"
+ "plugins/workflow",
+ "plugins/ocsp-stapling"
]
},
{
diff --git a/docs/en/latest/plugins/ocsp-stapling.md
b/docs/en/latest/plugins/ocsp-stapling.md
new file mode 100644
index 000000000..fe85579de
--- /dev/null
+++ b/docs/en/latest/plugins/ocsp-stapling.md
@@ -0,0 +1,133 @@
+---
+title: ocsp-stapling
+keywords:
+ - Apache APISIX
+ - Plugin
+ - ocsp-stapling
+description: This document contains information about the Apache APISIX
ocsp-stapling Plugin.
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Description
+
+The `ocsp-stapling` Plugin dynamically sets the behavior of [OCSP
stapling](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling)
in Nginx.
+
+## Enable Plugin
+
+This Plugin is disabled by default. Modify the config file to enable the
plugin:
+
+```yaml title="./conf/config.yaml"
+plugins:
+ - ...
+ - ocsp-stapling
+```
+
+After modifying the config file, reload APISIX or send an hot-loaded HTTP
request through the Admin API to take effect:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT
+```
+
+## Attributes
+
+The attributes of this plugin are stored in specific field `ocsp_stapling`
within SSL Resource.
+
+| Name | Type | Required | Default | Valid
values | Description
|
+|----------------|----------------------|----------|---------------|--------------|-----------------------------------------------------------------------------------------------|
+| enabled | boolean | False | false |
| Like the `ssl_stapling` directive, enables or disables OCSP stapling
feature. |
+| skip_verify | boolean | False | false |
| Like the `ssl_stapling_verify` directive, enables or disables verification
of OCSP responses. |
+| cache_ttl | integer | False | 3600 | >= 60
| Specifies the expired time of OCSP response cache.
|
+
+## Example usage
+
+You should create an SSL Resource first, and the certificate of the server
certificate issuer should be known. Normally the fullchain certificate works
fine.
+
+Create an SSL Resource as such:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "cert" : "'"$(cat server.crt)"'",
+ "key": "'"$(cat server.key)"'",
+ "snis": ["test.com"],
+ "ocsp_stapling": {
+ "enabled": true
+ }
+}'
+```
+
+Next, establish a secure connection to the server, request the SSL/TLS session
status, and display the output from the server:
+
+```shell
+echo -n "Q" | openssl s_client -status -connect localhost:9443 -servername
test.com 2>&1 | cat
+```
+
+```
+...
+CONNECTED(00000003)
+OCSP response:
+======================================
+OCSP Response Data:
+ OCSP Response Status: successful (0x0)
+...
+```
+
+To disable OCSP stapling feature, you can make a request as shown below:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "cert" : "'"$(cat server.crt)"'",
+ "key": "'"$(cat server.key)"'",
+ "snis": ["test.com"],
+ "ocsp_stapling": {
+ "enabled": false
+ }
+}'
+```
+
+## Delete Plugin
+
+Make sure all your SSL Resource doesn't contains `ocsp_stapling` field
anymore. To remove this field, you can make a request as shown below:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
+{
+ "ocsp_stapling": null
+}'
+```
+
+Modify the config file `./conf/config.yaml` to disable the plugin:
+
+```yaml title="./conf/config.yaml"
+plugins:
+ - ...
+ # - ocsp-stapling
+```
+
+After modifying the config file, reload APISIX or send an hot-loaded HTTP
request through the Admin API to take effect:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT
+```
diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json
index ba732d033..6e5ec2404 100644
--- a/docs/zh/latest/config.json
+++ b/docs/zh/latest/config.json
@@ -68,7 +68,8 @@
"plugins/ext-plugin-pre-req",
"plugins/ext-plugin-post-req",
"plugins/ext-plugin-post-resp",
- "plugins/workflow"
+ "plugins/workflow",
+ "plugins/ocsp-stapling"
]
},
{
diff --git a/docs/zh/latest/plugins/ocsp-stapling.md
b/docs/zh/latest/plugins/ocsp-stapling.md
new file mode 100644
index 000000000..d69862e94
--- /dev/null
+++ b/docs/zh/latest/plugins/ocsp-stapling.md
@@ -0,0 +1,134 @@
+---
+title: ocsp-stapling
+keywords:
+ - Apache APISIX
+ - API 网关
+ - 插件
+ - ocsp-stapling
+description: 本文介绍了 API 网关 Apache APISIX ocsp-stapling 插件的相关信息。
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## 描述
+
+`ocsp-stapling` 插件可以动态地设置 Nginx 中 [OCSP
stapling](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling)
的相关行为。
+
+## 启用插件
+
+这个插件是默认禁用的,通过修改配置文件 `./conf/config.yaml` 来启用它:
+
+```yaml
+plugins:
+ - ...
+ - ocsp-stapling
+```
+
+修改配置文件之后,重启 APISIX 或者通过插件热加载接口来使配置生效:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT
+```
+
+## 属性
+
+插件属性存储在 SSL 资源的 `ocsp_stapling` 字段中。
+
+| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述
|
+|----------------|----------------------|----------|---------------|--------------|-----------------------------------------------------------------------|
+| enabled | boolean | False | false |
| 与 `ssl_stapling` 指令类似,用于启用或禁用 OCSP stapling 特性 |
+| skip_verify | boolean | False | false |
| 与 `ssl_stapling_verify` 指令类似,用于启用或禁用对于 OCSP 响应结果的校验 |
+| cache_ttl | integer | False | 3600 | >= 60
| 指定 OCSP 响应结果的缓存时间 |
+
+## 使用示例
+
+首先您应该创建一个 SSL 资源,并且证书资源中应该包含颁发者的证书。通常情况下,全链路证书就可以正常工作。
+
+如下示例中,生成相关的 SSL 资源:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "cert" : "'"$(cat server.crt)"'",
+ "key": "'"$(cat server.key)"'",
+ "snis": ["test.com"],
+ "ocsp_stapling": {
+ "enabled": true
+ }
+}'
+```
+
+通过上述命令生成 SSL 资源后,可以通过以下方法测试:
+
+```shell
+echo -n "Q" | openssl s_client -status -connect localhost:9443 -servername
test.com 2>&1 | cat
+```
+
+```
+...
+CONNECTED(00000003)
+OCSP response:
+======================================
+OCSP Response Data:
+ OCSP Response Status: successful (0x0)
+...
+```
+
+可以通过以下方法禁用插件:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "cert" : "'"$(cat server.crt)"'",
+ "key": "'"$(cat server.key)"'",
+ "snis": ["test.com"],
+ "ocsp_stapling": {
+ "enabled": false
+ }
+}'
+```
+
+## 删除插件
+
+在删除插件之前,需要确保所有的 SSL 资源都已经移除 `ocsp_stapling` 字段,可以通过以下命令实现对单个 SSL 资源的对应字段移除:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
+{
+ "ocsp_stapling": null
+}'
+```
+
+通过修改配置文件 `./conf/config.yaml` 来禁用它:
+
+```yaml
+plugins:
+ - ...
+ # - ocsp-stapling
+```
+
+修改配置文件之后,重启 APISIX 或者通过插件热加载接口来使配置生效:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/plugins/reload -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT
+```
