AlinsRan opened a new pull request, #13596: URL: https://github.com/apache/apisix/pull/13596
### Description

Fixes #12472

The stream (L4 TCP/TLS) subsystem could not present a client certificate (mTLS) when APISIX proxies to a TLS upstream, unlike the http subsystem which honors upstream `tls.client_cert`/`client_key`/`client_cert_id`. This was confirmed by a maintainer in the issue: `apisix/upstream.lua` set the stream upstream TLS (SNI/enable) but never applied the client certificate.

#### Root cause

The http subsystem injects the client cert per-request through the apisix-nginx-module C API `ngx_http_apisix_upstream_set_cert_and_key` (applied via `SSL_use_certificate` during the upstream handshake). The stream subsystem only exposes `ngx_stream_apisix_upstream_enable_tls` (a boolean flag) — there is **no** stream counterpart that sets the client cert, so the http mechanism cannot be reused as-is.

#### Approach (self-contained, no nginx/openresty-C changes)

Use the native nginx **stream** `proxy_ssl_certificate` / `proxy_ssl_certificate_key` directives, which support variables and inline PEM via the `data:` scheme (nginx >= 1.21.4, satisfied by APISIX-Runtime):

- `apisix/cli/ngx_tpl.lua`: declare `$upstream_mtls_cert` / `$upstream_mtls_key` (empty by default) and add `proxy_ssl_certificate`/`proxy_ssl_certificate_key` in the stream server block (guarded by `use_apisix_base`). An empty value means no client certificate is presented.
- `apisix/upstream.lua`: in the stream `scheme == "tls"` branch, fill those vars from `up_conf.tls.client_cert`/`client_key` (inline) or from the ssl object referenced by `tls.client_cert_id`, using the `data:` inline PEM form (no temp files).
- `apisix/init.lua`: extract the `client_cert_id` -> `api_ctx.upstream_ssl` resolution into a shared `resolve_upstream_client_cert` helper and call it from `stream_preread_phase` too (previously it ran only on the http path).
- Tests: `t/stream-node/upstream-mtls.t` (inline cert success/failure + `client_cert_id`).
- Docs: note stream support in `docs/en/latest/mtls.md`.
No schema change needed — `tls.client_cert`/`client_key`/`client_cert_id` already exist on the upstream schema.
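An added illustration of the approach described in the PR, not code from the PR or from APISIX itself: a helper that derives the two stream variables from an upstream's `tls` block using the `data:` inline PEM form, with an empty pair meaning "present no client certificate". The function name `build_stream_mtls_vars`, the constructed sample upstream, the exact template text in the comment, and the shape of the resolved ssl object (plain PEM in `cert`/`key`, key already decrypted) are assumptions.

```lua
--[[
Stream server block fragment the variables feed (shape as described in
the PR; exact template text is assumed):

    set $upstream_mtls_cert "";
    set $upstream_mtls_key  "";
    proxy_ssl_certificate     $upstream_mtls_cert;
    proxy_ssl_certificate_key $upstream_mtls_key;

An empty value means nginx presents no client certificate.
]]

-- Build the values for $upstream_mtls_cert / $upstream_mtls_key.
-- up_conf:      upstream config carrying tls.client_cert/client_key
--               (inline) or tls.client_cert_id (reference)
-- upstream_ssl: ssl object already resolved from client_cert_id
--               (assumed to expose plain PEM in .cert and .key)
-- Returns two strings; "" / "" disables client-cert presentation.
local function build_stream_mtls_vars(up_conf, upstream_ssl)
    local tls = up_conf and up_conf.tls
    if not tls then
        return "", ""
    end
    local cert, key = tls.client_cert, tls.client_key
    -- Fall back to the referenced ssl object when no inline pair is given.
    if (not cert or not key) and tls.client_cert_id and upstream_ssl then
        cert, key = upstream_ssl.cert, upstream_ssl.key
    end
    -- Refuse a half-configured pair: a cert without its key would only
    -- surface later as an opaque upstream handshake failure.
    if not cert or not key or cert == "" or key == "" then
        return "", ""
    end
    -- nginx (>= 1.21.4) reads inline PEM from the data: scheme, so no
    -- temporary files are written.
    return "data:" .. cert, "data:" .. key
end

-- Constructed sample upstream; the PEM bodies are placeholders.
local sample_up_conf = {
    scheme = "tls",
    tls = {
        client_cert = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n",
        client_key  = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder\n-----END PRIVATE KEY-----\n",
    },
}
local cert_var, key_var = build_stream_mtls_vars(sample_up_conf, nil)
assert(cert_var:sub(1, 5) == "data:" and key_var:sub(1, 5) == "data:")
local half = build_stream_mtls_vars({ tls = { client_cert = "x" } }, nil)
assert(half == "")   -- cert without key: nothing is presented
-- In the stream "tls" branch this would become:
--   ngx.var.upstream_mtls_cert, ngx.var.upstream_mtls_key = cert_var, key_var
```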
