双向认证提供了一种更好的方法来阻止未经授权的对 APISIX Admin API 的访问。
客户端需要向服务器提供证书,服务器将检查该客户端证书是否由受信的 CA 签名,并决定是否响应其请求。
生成自签证书对,包括 CA、server、client 证书对。
修改 conf/config.yaml 中的配置项:
admin_listen: ip: 127.0.0.1 port: 9180 https_admin: true admin_api_mtls: admin_ssl_ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed ca cert. admin_ssl_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side cert. admin_ssl_cert_key: "/data/certs/mtls_server.key" # Path of your self-signed server side key.
apisix init
apisix reload
需要将证书文件的路径与域名按实际情况替换。
:::note
您可以这样从 config.yaml 中获取 admin_key 并存入环境变量:
admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
:::
curl --cacert /data/certs/mtls_ca.crt --key /data/certs/mtls_client.key --cert /data/certs/mtls_client.crt https://admin.apisix.dev:9180/apisix/admin/routes -H "X-API-KEY: $admin_key"
你需要构建 APISIX-runtime,并且需要在配置文件中设定 etcd.tls 来使 ETCD 的双向认证功能正常工作。
deployment: role: traditional role_traditional: config_provider: etcd etcd: tls: cert: /data/certs/etcd_client.pem # path of certificate used by the etcd client key: /data/certs/etcd_client.key # path of key used by the etcd client
如果 APISIX 不信任 etcd server 使用的 CA 证书,我们需要设置 CA 证书。
apisix: ssl: ssl_trusted_certificate: /path/to/certs/ca-certificates.crt # path of CA certificate used by the etcd server
双向认证是一种密码学安全的验证客户端身份的手段。当你需要加密并保护流量的双向安全时很有用。
我们提供了一个演示教程,详细地讲解了如何配置客户端和 APISIX 之间的 mTLS。
在配置 ssl 资源时,同时需要配置 client.ca 和 client.depth 参数,分别代表为客户端证书签名的 CA 列表,和证书链的最大深度。可参考:SSL API 文档。
下面是一个可用于生成带双向认证配置的 SSL 资源的 shell 脚本示例(如果需要,可修改 API 地址、API Key 和 SSL 资源的 ID。):
curl http://127.0.0.1:9180/apisix/admin/ssls/1 \ -H "X-API-KEY: $admin_key" -X PUT -d ' "cert": "'"$(cat t/certs/mtls_server.crt)"'", "key": "'"$(cat t/certs/mtls_server.key)"'", "snis": [ "admin.apisix.dev" ], "client": { "ca": "'"$(cat t/certs/mtls_ca.crt)"'", "depth": 10 } }'
测试:
curl -vvv --resolve 'admin.apisix.dev:9443:127.0.0.1' https://admin.apisix.dev:9443/hello --cert t/certs/mtls_client.crt --key t/certs/mtls_client.key --cacert t/certs/mtls_ca.crt * Added admin.apisix.dev:9443:127.0.0.1 to DNS cache * Hostname admin.apisix.dev was found in DNS cache * Trying 127.0.0.1:9443... * Connected to admin.apisix.dev (127.0.0.1) port 9443 (#0) * ALPN: offers h2 * ALPN: offers http/1.1 * CAfile: t/certs/mtls_ca.crt * CApath: none * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Server hello (2): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Unknown (8): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Request CERT (13): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Certificate (11): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, CERT verify (15): * [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Finished (20): * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Certificate (11): * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, CERT verify (15): * [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 * ALPN: server accepted h2 * Server certificate: * subject: C=cn; ST=GuangDong; L=ZhuHai; CN=admin.apisix.dev; OU=ops * start date: Dec 1 10:17:24 2022 GMT * expire date: Aug 18 10:17:24 2042 GMT * subjectAltName: host "admin.apisix.dev" matched cert's "admin.apisix.dev" * issuer: C=cn; ST=GuangDong; L=ZhuHai; CN=ca.apisix.dev; OU=ops * SSL certificate verify ok. * Using HTTP2, server supports multiplexing * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * h2h3 [:method: GET] * h2h3 [:path: /hello] * h2h3 [:scheme: https] * h2h3 [:authority: admin.apisix.dev:9443] * h2h3 [user-agent: curl/7.87.0] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x13000bc00) > GET /hello HTTP/2 > Host: admin.apisix.dev:9443 > user-agent: curl/7.87.0 > accept: */*
注意,测试时使用的域名需要符合证书的参数。
有时候上游的服务启用了双向认证。在这种情况下,APISIX 作为上游服务的客户端,需要提供客户端证书来正常与其进行通信。
在配置 upstream 资源时,可以使用参数 tls.client_cert 和 tls.client_key 来配置 APISIX 用于与上游进行通讯时使用的证书。可参考 Upstream API 文档。
该功能需要 APISIX 运行在 APISIX-Runtime 上。
下面是一个与配置 SSL 时相似的 shell 脚本,可为一个已存在的 upstream 资源配置双向认证。
curl http://127.0.0.1:9180/apisix/admin/upstreams/1 \ -H "X-API-KEY: $admin_key" -X PATCH -d ' { "tls": { "client_cert": "'"$(cat t/certs/mtls_client.crt)"'", "client_key": "'"$(cat t/certs/mtls_client.key)"'" } }'