title: Mutual TLS Authentication keywords:
Mutual TLS authentication provides a better way to prevent unauthorized access to APISIX.
The clients will provide their certificates to the server and the server will check whether the cert is signed by the supplied CA and decide whether to serve the request.
Generate self-signed key pairs, including ca, server, client key pairs.
Modify configuration items in conf/config.yaml:
admin_listen: ip: 127.0.0.1 port: 9180 https_admin: true admin_api_mtls: admin_ssl_ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. admin_ssl_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side cert. admin_ssl_cert_key: "/data/certs/mtls_server.key" # Path of your self-signed server side key.
apisix init
apisix reload
Please replace the following certificate paths and domain name with your real ones.
:::note You can fetch the admin_key from config.yaml and save to an environment variable with the following command:
admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
:::
curl --cacert /data/certs/mtls_ca.crt --key /data/certs/mtls_client.key --cert /data/certs/mtls_client.crt https://admin.apisix.dev:9180/apisix/admin/routes -H "X-API-KEY: $admin_key"
You need to configure etcd.tls for APISIX to work on an etcd cluster with mTLS enabled as shown below:
deployment: role: traditional role_traditional: config_provider: etcd etcd: tls: cert: /data/certs/etcd_client.pem # path of certificate used by the etcd client key: /data/certs/etcd_client.key # path of key used by the etcd client
If APISIX does not trust the CA certificate that used by etcd server, we need to set up the CA certificate.
apisix: ssl: ssl_trusted_certificate: /path/to/certs/ca-certificates.crt # path of CA certificate used by the etcd server
Using mTLS is a way to verify clients cryptographically. It is useful and important in cases where you want to have encrypted and secure traffic in both directions.
We provide a tutorial that explains in detail how to configure mTLS between the client and APISIX.
When configuring ssl, use parameter client.ca and client.depth to configure the root CA that signing client certificates and the max length of certificate chain. Please refer to Admin API for details.
Here is an example shell script to create SSL with mTLS (id is 1, changes admin API url if needed):
curl http://127.0.0.1:9180/apisix/admin/ssls/1 \ -H "X-API-KEY: $admin_key" -X PUT -d ' { "cert": "'"$(cat t/certs/mtls_server.crt)"'", "key": "'"$(cat t/certs/mtls_server.key)"'", "snis": [ "admin.apisix.dev" ], "client": { "ca": "'"$(cat t/certs/mtls_ca.crt)"'", "depth": 10 } }'
Send a request to verify:
curl --resolve 'mtls.test.com:<APISIX_HTTPS_PORT>:<APISIX_URL>' "https://<APISIX_URL>:<APISIX_HTTPS_PORT>/hello" -k --cert ./client.pem --key ./client.key * Added admin.apisix.dev:9443:127.0.0.1 to DNS cache * Hostname admin.apisix.dev was found in DNS cache * Trying 127.0.0.1:9443... * Connected to admin.apisix.dev (127.0.0.1) port 9443 (#0) * ALPN: offers h2 * ALPN: offers http/1.1 * CAfile: t/certs/mtls_ca.crt * CApath: none * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Server hello (2): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Unknown (8): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Request CERT (13): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Certificate (11): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, CERT verify (15): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Finished (20): * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Certificate (11): * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, CERT verify (15): * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 * ALPN: server accepted h2 * Server certificate: * subject: C=cn; ST=GuangDong; L=ZhuHai; CN=admin.apisix.dev; OU=ops * start date: Dec 1 10:17:24 2022 GMT * expire date: Aug 18 10:17:24 2042 GMT * subjectAltName: host "admin.apisix.dev" matched cert's "admin.apisix.dev" * issuer: C=cn; ST=GuangDong; L=ZhuHai; CN=ca.apisix.dev; OU=ops * SSL certificate verify ok. * Using HTTP2, server supports multiplexing * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * h2h3 [:method: GET] * h2h3 [:path: /hello] * h2h3 [:scheme: https] * h2h3 [:authority: admin.apisix.dev:9443] * h2h3 [user-agent: curl/7.87.0] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x13000bc00) > GET /hello HTTP/2 > Host: admin.apisix.dev:9443 > user-agent: curl/7.87.0 > accept: */*
Please make sure that the SNI fits the certificate domain.
Sometimes the upstream requires mTLS. In this situation, the APISIX acts as the client, it needs to provide client certificate to communicate with upstream.
When configuring upstreams, we could use parameter tls.client_cert and tls.client_key to configure the client certificate APISIX used to communicate with upstreams. Please refer to Admin API for details.
This feature requires APISIX to run on APISIX-Runtime.
Here is a similar shell script to patch a existed upstream with mTLS (changes admin API url if needed):
curl http://127.0.0.1:9180/apisix/admin/upstreams/1 \ -H "X-API-KEY: $admin_key" -X PATCH -d ' { "tls": { "client_cert": "'"$(cat t/certs/mtls_client.crt)"'", "client_key": "'"$(cat t/certs/mtls_client.key)"'" } }'