---
id: support-fips-in-apisix
title: Support FIPS in APISIX
keywords:
---
OpenSSL 3.0 supports FIPS mode. To support FIPS in APISIX, you can compile apisix-base with OpenSSL 3.0.
To compile apisix-base with OpenSSL 3.0, run the commands below as the root user:

```shell
# Work in a scratch directory
cd $(mktemp -d)
OPENSSL3_PREFIX=${OPENSSL3_PREFIX-/usr/local}
apt install -y build-essential

# Build and install OpenSSL with the FIPS provider enabled
git clone https://github.com/openssl/openssl
cd openssl
./Configure --prefix=$OPENSSL3_PREFIX/openssl-3.0 enable-fips
make install

# Register the new library directory with the dynamic linker
echo $OPENSSL3_PREFIX/openssl-3.0/lib64 > /etc/ld.so.conf.d/openssl3.conf
ldconfig

# Run the FIPS module self-tests and write fipsmodule.cnf
$OPENSSL3_PREFIX/openssl-3.0/bin/openssl fipsinstall -out $OPENSSL3_PREFIX/openssl-3.0/ssl/fipsmodule.cnf -module $OPENSSL3_PREFIX/openssl-3.0/lib64/ossl-modules/fips.so

# Include fipsmodule.cnf from openssl.cnf and activate the fips and base providers
sed -i 's@# .include fipsmodule.cnf@.include '"$OPENSSL3_PREFIX"'/openssl-3.0/ssl/fipsmodule.cnf@g; s/# \(fips = fips_sect\)/\1\nbase = base_sect\n\n[base_sect]\nactivate=1\n/g' $OPENSSL3_PREFIX/openssl-3.0/ssl/openssl.cnf
cd ..

# Point the apisix-base build at the new OpenSSL headers and libraries
export cc_opt="-I$OPENSSL3_PREFIX/openssl-3.0/include"
export ld_opt="-L$OPENSSL3_PREFIX/openssl-3.0/lib64 -Wl,-rpath,$OPENSSL3_PREFIX/openssl-3.0/lib64"

# Fetch and run the apisix-base build script
wget https://raw.githubusercontent.com/api7/apisix-build-tools/master/build-apisix-base.sh
chmod +x build-apisix-base.sh
./build-apisix-base.sh latest
```
This will install apisix-base to `/usr/local/openresty-debug`.
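
The `sed` step changes nothing and still exits successfully if the text in `openssl.cnf` does not match its patterns, so it is worth checking the result. The following added example (not part of the APISIX documentation) applies the same expression to a constructed fragment of `openssl.cnf` and verifies the outcome; the helper names `stock_cnf`, `apply_page_edit`, `section_active` and `check_fips_cnf` are assumptions, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example, not from the APISIX docs; all function names are hypothetical.

# Constructed sample: provider stanza of openssl.cnf before the edit.
stock_cnf() {
cat <<'EOF'
# .include fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
# fips = fips_sect

[default_sect]
# activate = 1
EOF
}

# The sed expression from the build commands: file $1, install prefix $2.
apply_page_edit() {
    sed -i 's@# .include fipsmodule.cnf@.include '"$2"'/openssl-3.0/ssl/fipsmodule.cnf@g; s/# \(fips = fips_sect\)/\1\nbase = base_sect\n\n[base_sect]\nactivate=1\n/g' "$1"
}

# Succeeds if section [$2] of file $1 has an uncommented "activate = 1".
section_active() {
    sed -n "/^\[$2\]/,/^\[/p" "$1" |
        grep -Eq '^[[:space:]]*activate[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Returns 0 only if file $1 carries every setting the edit should produce.
check_fips_cnf() {
    rc=0
    grep -Eq '^\.include[[:space:]]+.*fipsmodule\.cnf' "$1" || { echo "fipsmodule.cnf not included" >&2; rc=1; }
    grep -Eq '^fips[[:space:]]*=[[:space:]]*fips_sect' "$1" || { echo "fips provider not listed" >&2; rc=1; }
    grep -Eq '^base[[:space:]]*=[[:space:]]*base_sect' "$1" || { echo "base provider not listed" >&2; rc=1; }
    section_active "$1" base_sect || { echo "[base_sect] not activated" >&2; rc=1; }
    # The stock file leaves the default provider inactive; report it if that changed.
    if section_active "$1" default_sect; then echo "[default_sect] is activated" >&2; rc=1; fi
    return $rc
}

# Demo on the constructed sample: fails before the edit, passes after it.
tmp=$(mktemp); stock_cnf > "$tmp"
check_fips_cnf "$tmp" 2>/dev/null || echo "before edit: incomplete"
apply_page_edit "$tmp" /usr/local
check_fips_cnf "$tmp" && echo "after edit: ok"
rm -f "$tmp"
```

On a build host, call `check_fips_cnf "$OPENSSL3_PREFIX/openssl-3.0/ssl/openssl.cnf"` after the `sed` step and before building apisix-base.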