
[env] one way to control openssl peer verification #332

Merged
merged 8 commits into from
Mar 27, 2017

Conversation

mikz
Contributor

@mikz mikz commented Mar 22, 2017

still is off by default, but at least can be turned on
closes #322

APIcast <> 3scale AMP

Connection can be verified by setting the OPENSSL_VERIFY env variable to true.
It is off by default.

APIcast <> upstream

Is also off by default. Can be enabled by injecting custom config apicast.d/proxy_ssl.conf with the following content:

proxy_ssl_verify on;

CA Bundle

Both verifications are set up to use the operating system's ca bundle.
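A fuller version of the `apicast.d/proxy_ssl.conf` fragment described above, as an added example rather than code from the PR: `proxy_ssl_verify on` only does useful work when nginx also knows which CA bundle to trust, how deep a chain to accept and which name to send via SNI, so the hardened form sets those next to it. The CA bundle path is an assumption (the PR says both verifications use the operating system's bundle but does not show the path); the weak line is the default the PR ships.

```nginx
# Default shipped by this PR: the upstream connection is encrypted but the
# peer certificate is never checked, so any certificate presented by a
# host in the path is accepted.
# proxy_ssl_verify off;

# Hardened apicast.d/proxy_ssl.conf (added example, not the project's own file)
proxy_ssl_verify              on;      # fail the request if the upstream chain does not validate
proxy_ssl_verify_depth        3;       # leaf plus up to two intermediates
proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;  # assumed OS CA bundle path
proxy_ssl_server_name         on;      # send SNI so the upstream serves the matching certificate
proxy_ssl_protocols           TLSv1.2 TLSv1.3;
```

With verification on, a failing upstream shows up in the nginx error log as `upstream SSL certificate verify error: (N:reason) while SSL handshaking to upstream` and the client receives a 502, which is the signal to watch for when rolling this out against upstreams signed by private CAs.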

@octobot

octobot commented Mar 22, 2017

1 Warning
⚠️ Big PR

Spell Checker found issues

doc/parameters.md

Line Typo
3 APIcast v2 has a number of parameters co
3 ariables) that can modify the behavior of the gateway. The following
5 e that when deploying APIcast v2 with OpenShift, some of thee
15 Default: **stderr**
17 or more information. The file pathcan be either absolute, or relati
21 nfo
21 warn
37 Default: "apicast"
68 Values: a number > **60**
69 Default: 0
71 r. The value should be set to 0 or more than 60. For example,
71 ould be set to 0 or more than 60. For example, if `APICAST_CON
71 ONFIGURATION_CACHE` is set to 120, the gateway will reload the
71 eload the configuration every 2 minutes (120 seconds).
71 onfiguration every 2 minutes (120 seconds).
75 Default: "127.0.0.1"
77 ning Redis instance for OAuth 2.0 flow. REDIS_HOST parameter
81 Default: 6379
83 ning Redis instance for OAuth 2.0 flow. REDIS_PORT parameter
89 ning Redis instance for OAuth 2.0 flow. REDIS_URL parameter c
89 e used to set the full URI as DSN format like: `redis://PASSWOR
93 pty, the DNS resolver will be autodiscovered.
140 Setting it to particual version will make it not auto
144 ance for 3scale Applications (a.k.a. clients in Red Hat Single Sig
158 tificate bundle generated by [export-builtin-trusted-certs](https://github.com/openresty

examples/ssl-verification/README.md

Line Typo
3 verification against trusted CAs. This feature is off by defau
3 some environments use custom CAs and would make those connecti

Generated by 🚫 Danger

@mikz mikz force-pushed the openssl-verify branch 5 times, most recently from e985b22 to 4730e25 on March 24, 2017 13:10
mikz added 3 commits March 24, 2017 14:22
still is off by default, but at least can be turned on
use ca-bundle from curl
and override it inside s2i image: 3scale/s2i-openresty#24
@mikz mikz force-pushed the openssl-verify branch 2 times, most recently from d4d78f8 to 5e52347 on March 24, 2017 13:35
@@ -0,0 +1,10 @@
#!/usr/bin/env resty
Contributor Author

this should be removed and the same changes applied to the keycloak configuration loader

@mikz mikz force-pushed the openssl-verify branch 2 times, most recently from 54ee4a0 to 72b00eb on March 27, 2017 08:24
mikz added 2 commits March 27, 2017 12:02
[nginx] proxy ssl verification off by default

because it would be off in the resulting docker image
so better to have it the same in development
@mikz mikz merged commit c8d2a01 into master Mar 27, 2017
@mikz mikz deleted the openssl-verify branch March 27, 2017 13:10
@mikz mikz removed the in progress label Mar 27, 2017

Successfully merging this pull request may close these issues.

Keycloak host ssl not verified