Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3630473802 If there is still a problem, please open it again. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop closed issue #12606: help request: Is there any way to bypass mTLS using the domain:port method? URL: https://github.com/apache/apisix/issues/12606
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3454404906 Hi @jojo578578, any updates?
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3317635190 Hi @jojo578578, can you describe your specific business scenario? There is a configuration item `skip_mtls_uri_regex` in APISIX that can configure routing rules that skip mTLS.
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3327394422

1. Use different hostnames (SNI) to differentiate security policies: for example, enable client-side mTLS for `mtls.test.com` and disable it for `open.test.com`; create and bind separate SSL resources for each.
2. If the same hostname is required, traffic can only be permitted based on the path: configure a URI prefix or regular expression that allows for certificate exemptions in the corresponding SSL resource using the `client.skip_mtls_uri_regex` parameter. "Differentiating by port for the same hostname" is not possible.
3. Workaround at the infrastructure layer: at L4/Nginx/load balancer, traffic is split by port to two gateways (two APISIX instances or different cluster configurations), one with client-side mTLS enabled and the other without. This approach allows for different port policies for the same domain.
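Added example, not part of the thread and not APISIX source code: a simplified Python model of options 1 and 2 from the comment above, showing why `test.com:8088` and `test.com:8089` end up under the same client-certificate policy. The resource ids, placeholder certificate values, the `^/public/` pattern and the exact-SNI, search-style matching are assumptions of this sketch.

```python
import re

# Constructed SSL resources; snis, client.ca and client.skip_mtls_uri_regex
# are APISIX SSL resource fields, all values here are placeholders.
SSL_RESOURCES = [
    {   # option 1: dedicated hostname, client certificate on every URI
        "id": "mtls-host", "snis": ["mtls.test.com"],
        "cert": "<server cert PEM>", "key": "<server key PEM>",
        "client": {"ca": "<client CA PEM>"},
    },
    {   # option 1: dedicated hostname, no client verification
        "id": "open-host", "snis": ["open.test.com"],
        "cert": "<server cert PEM>", "key": "<server key PEM>",
    },
    {   # option 2: shared hostname, exemption possible by URI only
        "id": "shared-host", "snis": ["test.com"],
        "cert": "<server cert PEM>", "key": "<server key PEM>",
        "client": {"ca": "<client CA PEM>",
                   "skip_mtls_uri_regex": ["^/public/"]},
    },
]

def client_cert_required(authority, uri, resources=SSL_RESOURCES):
    """Return True/False, or None when no SSL resource serves the host."""
    # The TLS SNI extension carries a hostname only, so the port in
    # "test.com:8088" never takes part in selecting the SSL resource.
    sni = authority.rsplit(":", 1)[0]
    for res in resources:
        if sni not in res["snis"]:          # assumption: exact SNI match
            continue
        client = res.get("client")
        if not client:                      # no client CA: one-way TLS
            return False
        skips = client.get("skip_mtls_uri_regex", [])
        # assumption: a URI is exempt when any pattern is found in it
        return not any(re.search(p, uri) for p in skips)
    return None

if __name__ == "__main__":
    for authority, uri in [("test.com:8088", "/orders"),
                           ("test.com:8089", "/orders"),
                           ("test.com:8089", "/public/status"),
                           ("open.test.com:8089", "/orders")]:
        print(authority, uri, client_cert_required(authority, uri))
```

Per-port policy on one hostname still requires the split described in option 3, since nothing in an SSL resource refers to the listening port.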
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
jojo578578 commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3317828191 Hi @Baoyuantop, I know you mentioned the method of bypassing mTLS by configuring routing, but I want to achieve this by configuring the domain name with a specific port. Are there any methods to do that? For example, test.com:8088/* requires a client certificate, while test.com:8089/* can bypass client-side mTLS authentication.
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
jojo578578 commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3317798196 I know you mentioned the method of bypassing mTLS by configuring routing, but I want to achieve this by configuring the domain name with a specific port. Are there any methods to do that?
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
jojo578578 commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3296729001 I see there is a feature for bypassing mTLS by route, but all of my routes are /*. I bound a domain name to the APISIX server and forward routes by opening different ports. Is there a way to achieve this? For example, test.com:8088/* requires a client certificate, while test.com:8089/* can skip client mutual authentication.
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3296672215 Hi @jojo578578, any updates?
Re: [I] help request: Is there any way to bypass mTLS using the domain:port method? [apisix]
Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3274142575 Hi @jojo578578, can you provide more detailed requirements information? Including your request chain.
