This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push: new b7325f0 fix: enable ssl as default, using placeholder certificate (#3013) b7325f0 is described below commit b7325f033ea721307c6b52beb52c85beaf710f28 Author: Shuyang Wu <wosoyo...@gmail.com> AuthorDate: Fri Dec 11 17:44:41 2020 +0800 fix: enable ssl as default, using placeholder certificate (#3013) --- .travis/apisix_cli_test.sh | 21 ------------- .travis/common.sh | 13 --------- .travis/linux_apisix_current_luarocks_runner.sh | 1 - .travis/linux_openresty_runner.sh | 2 -- apisix/cli/ops.lua | 10 ++----- conf/cert/ssl_PLACE_HOLDER.crt | 27 +++++++++++++++++ conf/cert/ssl_PLACE_HOLDER.key | 39 +++++++++++++++++++++++++ conf/config-default.yaml | 5 +--- 8 files changed, 70 insertions(+), 48 deletions(-) diff --git a/.travis/apisix_cli_test.sh b/.travis/apisix_cli_test.sh index b793284..de1ad58 100755 --- a/.travis/apisix_cli_test.sh +++ b/.travis/apisix_cli_test.sh @@ -67,9 +67,6 @@ echo "passed: nginx.conf file contains reuseport configuration" echo " apisix: ssl: - enable: true - ssl_cert: '../t/certs/apisix.crt' - ssl_cert_key: '../t/certs/apisix.key' listen_port: 8443 " > conf/config.yaml @@ -98,9 +95,6 @@ apisix: - 9081 - 9082 ssl: - enable: true - ssl_cert: '../t/certs/apisix.crt' - ssl_cert_key: '../t/certs/apisix.key' listen_port: - 9443 - 9444 @@ -387,10 +381,6 @@ git checkout conf/config.yaml echo " apisix: - ssl: - enable: true - ssl_cert: '../t/certs/apisix.crt' - ssl_cert_key: '../t/certs/apisix.key' admin_api_mtls: admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' @@ -765,14 +755,6 @@ echo "passed: using env to set worker processes" # set worker processes with env git checkout conf/config.yaml -echo ' -apisix: - ssl: - enable: true - ssl_cert: "../t/certs/apisix.crt" - ssl_cert_key: "../t/certs/apisix.key" -' > conf/config.yaml - make init count=`grep -c "ssl_session_tickets off;" conf/nginx.conf || true ` 
@@ -784,9 +766,6 @@ fi echo ' apisix: ssl: - enable: true - ssl_cert: "../t/certs/apisix.crt" - ssl_cert_key: "../t/certs/apisix.key" ssl_session_tickets: true ' > conf/config.yaml diff --git a/.travis/common.sh b/.travis/common.sh index 299b2bf..62760a6 100644 --- a/.travis/common.sh +++ b/.travis/common.sh @@ -34,16 +34,3 @@ create_lua_deps() { sudo cp -r deps build-cache/ sudo cp rockspec/apisix-master-0.rockspec build-cache/ } - -enable_ssl() { - echo " - apisix: - ssl: - enable: true - ssl_cert: '../t/certs/apisix.crt' - ssl_cert_key: '../t/certs/apisix.key' - admin_api_mtls: - admin_ssl_cert: '../t/certs/mtls_client.crt' - admin_ssl_cert_key: '../t/certs/mtls_client.key' - " > conf/config.yaml -} diff --git a/.travis/linux_apisix_current_luarocks_runner.sh b/.travis/linux_apisix_current_luarocks_runner.sh index 1947246..c3c64fa 100755 --- a/.travis/linux_apisix_current_luarocks_runner.sh +++ b/.travis/linux_apisix_current_luarocks_runner.sh @@ -27,7 +27,6 @@ do_install() { script() { export_or_prefix openresty -V - enable_ssl sudo rm -rf /usr/local/apisix diff --git a/.travis/linux_openresty_runner.sh b/.travis/linux_openresty_runner.sh index 1be27ee..f451bbe 100755 --- a/.travis/linux_openresty_runner.sh +++ b/.travis/linux_openresty_runner.sh @@ -101,8 +101,6 @@ script() { export_or_prefix openresty -V - enable_ssl - ./build-cache/grpc_server_example & ./bin/apisix help diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua index f2523a5..c3e72cb 100644 --- a/apisix/cli/ops.lua +++ b/apisix/cli/ops.lua 
@@ -223,13 +223,9 @@ Please modify "admin_key" in conf/config.yaml . util.die("missing ssl cert for https admin") end - local ssl = yaml_conf.apisix.ssl - if ssl and ssl.enable and not ( - ssl.ssl_cert and ssl.ssl_cert ~= "" and - ssl.ssl_cert_key and ssl.ssl_cert_key ~= "") - then - util.die("missing ssl cert for ssl") - end + -- enable ssl with place holder crt&key + yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt" + yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key" -- Using template.render local sys_conf = { diff --git a/conf/cert/ssl_PLACE_HOLDER.crt b/conf/cert/ssl_PLACE_HOLDER.crt new file mode 100644 index 0000000..503f277 --- /dev/null +++ b/conf/cert/ssl_PLACE_HOLDER.crt 
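Review bot: The two added assignments at the end of the hunk overwrite `yaml_conf.apisix.ssl.ssl_cert` and `ssl_cert_key` unconditionally, so a config.yaml that still sets its own certificate (the form the removed CI blocks used) is silently replaced by `conf/cert/ssl_PLACE_HOLDER.crt`/`.key`, a key pair that this same commit checks into the repository and that is therefore public. Presumably real certificates are meant to come from elsewhere now that the `ssl_cert` options are dropped from config-default.yaml, but an explicit value should not be discarded quietly; before the assignments add `local ssl = yaml_conf.apisix.ssl` and `if ssl.ssl_cert and ssl.ssl_cert ~= "" then util.die("apisix.ssl.ssl_cert in config.yaml is ignored: the placeholder certificate is always used") end`. The removed code also guarded `if ssl and ...`, so if the merged config can lack the `ssl` table this now fails with an index-nil error instead of a clear `util.die` message — verify against the merge with config-default.yaml. The comment `-- enable ssl with place holder crt&key` should say what matters to an operator, e.g. `-- placeholder cert/key are committed to the repo, so the private key is public; they only let the TLS listener start and must not protect real traffic`. The enclosing function starts and ends outside the hunk.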
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G +A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa +GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n +RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM +CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe +cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb +VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR +2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr +abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2 +WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/ +Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1 +/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh +/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj +cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ +tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl +c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC +tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY +1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl +PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob +rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy +hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1 +7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y +IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve +U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM= +-----END CERTIFICATE----- diff --git a/conf/cert/ssl_PLACE_HOLDER.key b/conf/cert/ssl_PLACE_HOLDER.key new file mode 100644 index 0000000..7105067 --- /dev/null +++ b/conf/cert/ssl_PLACE_HOLDER.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAyCM0rqJecvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5 +jhZB3W6BkWUWR4oNFLLSqcVbVDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfo +eLj0efMiOepOSZflj9Ob4yKR2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5s +mPtW1Oc/BV5terhscJdOgmRrabf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt +6iMWEGeQU6mwPENgvj1olji2WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiy +Vt1TmtMWn1ztk6FfLRqwJWR/Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1o +npRVeXhrBajbCRDRBMwaNw/1/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2 +fzaqpIfyUbPST4GdqNG9NyIh/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI +1cGrGwyXbrieNp63AgMBAAECggGBAJM8g0duoHmIYoAJzbmKe4ew0C5fZtFUQNmu +O2xJITUiLT3ga4LCkRYsdBnY+nkK8PCnViAb10KtIT+bKipoLsNWI9Xcq4Cg4G3t +11XQMgPPgxYXA6m8t+73ldhxrcKqgvI6xVZmWlKDPn+CY/Wqj5PA476B5wEmYbNC +GIcd1FLl3E9Qm4g4b/sVXOHARF6iSvTR+6ol4nfWKlaXSlx2gNkHuG8RVpyDsp9c +z9zUqAdZ3QyFQhKcWWEcL6u9DLBpB/gUjyB3qWhDMe7jcCBZR1ALyRyEjmDwZzv2 +jlv8qlLFfn9R29UI0pbuL1eRAz97scFOFme1s9oSU9a12YHfEd2wJOM9bqiKju8y +DZzePhEYuTZ8qxwiPJGy7XvRYTGHAs8+iDlG4vVpA0qD++1FTpv06cg/fOdnwshE +OJlEC0ozMvnM2rZ2oYejdG3aAnUHmSNa5tkJwXnmj/EMw1TEXf+H6+xknAkw05nh +zsxXrbuFUe7VRfgB5ElMA/V4NsScgQKBwQDmMRtnS32UZjw4A8DsHOKFzugfWzJ8 +Gc+3sTgs+4dNIAvo0sjibQ3xl01h0BB2Pr1KtkgBYB8LJW/FuYdCRS/KlXH7PHgX +84gYWImhNhcNOL3coO8NXvd6+m+a/Z7xghbQtaraui6cDWPiCNd/sdLMZQ/7LopM +RbM32nrgBKMOJpMok1Z6zsPzT83SjkcSxjVzgULNYEp03uf1PWmHuvjO1yELwX9/ +goACViF+jst12RUEiEQIYwr4y637GQBy+9cCgcEA3pN9W5OjSPDVsTcVERig8++O +BFURiUa7nXRHzKp2wT6jlMVcu8Pb2fjclxRyaMGYKZBRuXDlc/RNO3uTytGYNdC2 +IptU5N4M7iZHXj190xtDxRnYQWWo/PR6EcJj3f/tc3Itm1rX0JfuI3JzJQgDb9Z2 +s/9/ub8RRvmQV9LM/utgyOwNdf5dyVoPcTY2739X4ZzXNH+CybfNa+LWpiJIVEs2 +txXbgZrhmlaWzwA525nZ0UlKdfktdcXeqke9eBghAoHARVTHFy6CjV7ZhlmDEtqE +U58FBOS36O7xRDdpXwsHLnCXhbFu9du41mom0W4UdzjgVI9gUqG71+SXrKr7lTc3 +dMHcSbplxXkBJawND/Q1rzLG5JvIRHO1AGJLmRgIdl8jNgtxgV2QSkoyKlNVbM2H +Wy6ZSKM03lIj74+rcKuU3N87dX4jDuwV0sPXjzJxL7NpR/fHwgndgyPcI14y2cGz +zMC44EyQdTw+B/YfMnoZx83xaaMNMqV6GYNnTHi0TO2TAoHBAKmdrh9WkE2qsr59 
+IoHHygh7Wzez+Ewr6hfgoEK4+QzlBlX+XV/9rxIaE0jS3Sk1txadk5oFDebimuSk +lQkv1pXUOqh+xSAwk5v88dBAfh2dnnSa8HFN3oz+ZfQYtnBcc4DR1y2X+fVNgr3i +nxruU2gsAIPFRnmvwKPc1YIH9A6kIzqaoNt1f9VM243D6fNzkO4uztWEApBkkJgR +4s/yOjp6ovS9JG1NMXWjXQPcwTq3sQVLnAHxZRJmOvx69UmK4QKBwFYXXjeXiU3d +bcrPfe6qNGjfzK+BkhWznuFUMbuxyZWDYQD5yb6ukUosrj7pmZv3BxKcKCvmONU+ +CHgIXB+hG+R9S2mCcH1qBQoP/RSm+TUzS/Bl2UeuhnFZh2jSZQy3OwryUi6nhF0u +LDzMI/6aO1ggsI23Ri0Y9ZtqVKczTkxzdQKR9xvoNBUufjimRlS80sJCEB3Qm20S +wzarryret/7GFW1/3cz+hTj9/d45i25zArr3Pocfpur5mfz3fJO8jg== +-----END RSA PRIVATE KEY----- diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 28e930f..bff7e34 100644 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -101,15 +101,12 @@ apisix: dns_resolver_valid: 30 # valid time for dns result 30 seconds resolver_timeout: 5 # resolver timeout ssl: - enable: false # ssl is disabled by default - # enable it to use your own cert and key + enable: true enable_http2: true listen_port: 9443 # ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format # used to verify the certificate when APISIX needs to do SSL/TLS handshaking # with external services (e.g. etcd) - # ssl_cert: /path/to/ssl_cert - # ssl_cert_key: /path/to/ssl_cert_key ssl_protocols: "TLSv1.2 TLSv1.3" ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
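Review bot: `enable: true` now opens the TLS listener on `listen_port: 9443` in every default install, serving `conf/cert/ssl_PLACE_HOLDER.*` whose private key is committed to the repository, yet the dropped comment (`enable it to use your own cert and key`) and the removed `# ssl_cert` / `# ssl_cert_key` lines leave no hint in the file that the default certificate is a public placeholder. Keep that on the line so it is visible where the decision is made: `enable: true  # default TLS listener uses the committed placeholder key pair conf/cert/ssl_PLACE_HOLDER.*; the key is public, so it must not protect real traffic`. If the project has a documented way to load real certificates now that these options are gone, reference it here as well.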