diff --git a/apicast/apicast.d/proxy_ssl.conf b/apicast/apicast.d/proxy_ssl.conf
index f0126001d..64ccf2419 100644
--- a/apicast/apicast.d/proxy_ssl.conf
+++ b/apicast/apicast.d/proxy_ssl.conf
@@ -1,4 +1,3 @@
 # This file is not in the built docker image and have to be added by hand.
-proxy_ssl_trusted_certificate ca-bundle.crt;
-proxy_ssl_verify on;
+proxy_ssl_verify off;
diff --git a/apicast/conf.d/apicast.conf b/apicast/conf.d/apicast.conf
index 1761147ed..9ad9e8274 100644
--- a/apicast/conf.d/apicast.conf
+++ b/apicast/conf.d/apicast.conf
@@ -48,10 +48,6 @@ location @out_of_band_authrep_action {
 }
 }
-proxy_ssl_server_name on;
-proxy_ssl_name $http_host;
-proxy_ssl_verify_depth 5;
-
 location / {
 set $cached_key null;
 set $credentials null;
diff --git a/apicast/conf/nginx.conf b/apicast/conf/nginx.conf
index 97635f858..3f7469f6d 100644
--- a/apicast/conf/nginx.conf
+++ b/apicast/conf/nginx.conf
@@ -65,6 +65,8 @@ http {
 server_name _;
 underscores_in_headers on;
+ include ../http.d/ssl.conf;
+
 include ../apicast.d/*.conf;
 include ../conf.d/apicast.conf;
 }
diff --git a/apicast/http.d/lua_ssl.conf b/apicast/http.d/ssl.conf
similarity index 74%
rename from apicast/http.d/lua_ssl.conf
rename to apicast/http.d/ssl.conf
index 7de183a76..5e97f5f6f 100644
--- a/apicast/http.d/lua_ssl.conf
+++ b/apicast/http.d/ssl.conf
@@ -6,3 +6,9 @@
 # lua_ssl_verify_depth 5;
 lua_ssl_trusted_certificate ca-bundle.crt;
+
+proxy_ssl_server_name on;
+proxy_ssl_name $http_host;
+proxy_ssl_verify_depth 5;
+
+proxy_ssl_trusted_certificate ca-bundle.crt;
diff --git a/examples/ssl-verification/README.md b/examples/ssl-verification/README.md
new file mode 100644
index 000000000..d5b1faeff
--- /dev/null
+++ b/examples/ssl-verification/README.md
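Review bot: After this change apicast/apicast.d/proxy_ssl.conf contains only `proxy_ssl_verify off;`, which is already nginx's default for that directive, so shipping the file changes nothing while its first line still says it must be added to the image by hand; the README added in this same commit meanwhile tells users to create `apicast.d/proxy_ssl.conf` with `proxy_ssl_verify on;`. Either drop the repository copy or make the comment state the intent, e.g. `# Upstream certificate verification is off by default; set proxy_ssl_verify on (see examples/ssl-verification) to enable it.` Note that with verification off the CA bundle now loaded from http.d/ssl.conf is never consulted for upstream connections, so a misconfigured or impersonated upstream is accepted without any log signal — that is the trade-off the README describes, and it is worth saying here, where the switch lives.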
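Review bot: In the block moved into http.d/ssl.conf, `proxy_ssl_name $http_host` makes the upstream certificate be checked against the Host header of the incoming request rather than the hostname of the configured `api_backend`; the badssl.json example in this commit relies on exactly that (the `wrong-host` service routes on Host `wrong.host.badssl.com`), so once `proxy_ssl_verify on` is enabled the verified name comes from the request (constrained to the service's `hosts` list by routing), not from the operator's upstream setting. If APIcast rewrites Host to the upstream host before proxying this is fine, but that is not visible in the hunk; otherwise consider deriving the name from the `api_backend` host. The removal of the same three directives from conf.d/apicast.conf is consistent with this move. A one-line comment would help readers: `# Name/SNI for upstream verification is taken from the request Host header.`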
@@ -0,0 +1,20 @@
+# SSL/TLS Verification
+
+APIcast supports certificate verification against trusted CAs. This feature is off by default because some environments use custom CAs and would make those connections fail by default.
+
+## Upstream verification
+
+This validation is controller by `proxy_ssl_*` nginx directives. Everything is set up to use default OS trusted certificates. Only step needed is to add custom configuration to enable the verification:
+
+```nginx
+# apicast.d/proxy_ssl.conf
+proxy_ssl_verify on;
+```
+
+## 3scale AMP verification
+
+To enable verification for connections between APIcast and 3scale AMP you'll need to set `OPENSSL_VERIFY` environment variable. Everything is set up to use the default OS trusted certificate chain.
+
+```shell
+docker run --env OPENSSL_VERIFY=true apicast
+```
\ No newline at end of file
diff --git a/examples/ssl-verification/badssl.json b/examples/ssl-verification/badssl.json
new file mode 100644
index 000000000..32867443f
--- /dev/null
+++ b/examples/ssl-verification/badssl.json
@@ -0,0 +1,41 @@
+{
+ "services": [
+ {
+ "id": "wrong-host",
+ "backend_version": 1,
+ "proxy": {
+ "api_backend": "https://wrong.host.badssl.com",
+ "hosts": [
+ "wrong.host.badssl.com"
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "GET",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1
+ }
+ ]
+ }
+ },
+ {
+ "id": "ok-host",
+ "backend_version": 1,
+ "proxy": {
+ "api_backend": "https://badssl.com",
+ "hosts": [
+ "badssl.com"
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "GET",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1
+ }
+ ]
+ }
+ }
+ ]
+}
+
diff --git a/examples/ssl-verification/proxy_ssl.conf b/examples/ssl-verification/proxy_ssl.conf
new file mode 100644
index 000000000..93e4f13e8
--- /dev/null
+++ b/examples/ssl-verification/proxy_ssl.conf
@@ -0,0 +1 @@
+proxy_ssl_verify on;