This is an automated email from the ASF dual-hosted git repository. wenming pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push: new d87ce33 feature: support injecting lua_ssl_trusted_certificate. (#2519) d87ce33 is described below commit d87ce33485254279ef3b7ac622e2c7dc8a9429b5 Author: Alex Zhang <zchao1...@gmail.com> AuthorDate: Wed Oct 28 06:49:20 2020 +0800 feature: support injecting lua_ssl_trusted_certificate. (#2519) --- bin/apisix | 23 +++++++++++++++++++++++ conf/config-default.yaml | 3 +++ 2 files changed, 26 insertions(+)
diff --git a/bin/apisix b/bin/apisix
index efefcea..f98c636 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -390,6 +390,10 @@ http {
 ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 10m;
+ {% if ssl.ssl_trusted_certificate ~= nil then %}
+ lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
+ {% end %}
+
 ssl_protocols {* ssl.ssl_protocols *};
 ssl_ciphers {* ssl.ssl_ciphers *};
 ssl_prefer_server_ciphers on;
@@ -591,6 +595,17 @@ local function read_file(file_path)
 end
+local function is_file_exist(file_path)
+ local file, err = io.open(file_path)
+ if not file then
+ return false, "failed to open file: " .. file_path .. ", error info: " .. err
+ end
+
+ file:close()
+ return true
+end
+
+
 local function is_empty_yaml_line(line)
 return line == '' or string.find(line, '^%s*$') or string.find(line, '^%s*#')
@@ -905,6 +920,14 @@ Please modify "admin_key" in conf/config.yaml .
 yaml_conf.apisix.ssl.listen_port = listen_port
 end
+ if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
+ local ok, err = is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)
+ if not ok then
+ io.stderr:write(err, "\n")
+ os.exit(1)
+ end
+ end
+
+
 -- Using template.render
 local sys_conf = {
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 688fa54..5c15aaf 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
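Review bot: The injected `lua_ssl_trusted_certificate` in the `http {}` hunk is not paired with `lua_ssl_verify_depth`, whose ngx_lua default is 1; depending on the OpenSSL build that limit rejects chains with more than one intermediate (on older OpenSSL, any intermediate at all) with "certificate chain too long", so a bundle that passed the startup file check can still fail verification at runtime. Consider emitting a depth inside the same `{% if %}` block, e.g. `lua_ssl_verify_depth 5;`, or exposing it next to `ssl_trusted_certificate` in the config. The path is interpolated unquoted via `{* … *}`, so a value containing whitespace or `;` produces an invalid nginx.conf instead of a clear error; `lua_ssl_trusted_certificate "{* ssl.ssl_trusted_certificate *}";` would be safer. It may also be worth a comment that this directive only installs the trust store and cosocket peers are still verified only where the caller asks for `ssl_verify`.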
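Review bot: `is_file_exist` (second hunk) only proves that `io.open` in the default read mode succeeds, which on Linux is also true for a directory, so `ssl_trusted_certificate: /etc/ssl/certs` would pass this check and nginx would then refuse to start with a far less specific error. Reading a single byte before closing surfaces EISDIR (and other unreadable cases) through the second return value of `file:read`, while an empty regular file still returns no error; a short header comment stating that the function checks openability plus readability, not PEM validity, would also help. As a style nit the name reads better as `file_exists` or `is_file_readable`.
```lua
local function is_file_exist(file_path)
    -- … unchanged: io.open and the "failed to open file" early return …

    -- io.open succeeds on a directory; an actual read surfaces EISDIR
    local _, read_err = file:read(1)
    file:close()
    if read_err then
        return false, "failed to read file: " .. file_path .. ", error info: " .. read_err
    end
    return true
end
```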
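Review bot: The check in the third hunk resolves a relative `ssl_trusted_certificate` against the current working directory of the CLI, whereas nginx resolves a relative path in `lua_ssl_trusted_certificate` against its prefix directory, so a relative value can pass here and still fail when the generated config is loaded (or the reverse). Either canonicalise the value to an absolute path before both the check and the template render, or state in the config comment that the value must be an absolute path; the enclosing function begins and ends outside this hunk, so where the resolved value is handed to `sys_conf` is not visible here. The `~= nil` guard lets an empty string through, which `io.open("")` rejects with an error anyway, so that case is surfaced, if with a slightly confusing message.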
@@ -101,6 +101,9 @@ apisix:
 enable: true
 enable_http2: true
 listen_port: 9443
+ # ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
+ # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
+ # with external services (e.g. etcd)
 ssl_protocols: "TLSv1.2 TLSv1.3"
 ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd.