[THREESCALE-328] Allow to set a client SSL cert for upstream #610
Conversation
gateway/conf.d/apicast.conf
Outdated
|
|
||
| # {% if proxy_ssl_certificate and proxy_ssl_certificate_key %} | ||
| # {% capture proxy_ssl_session_reuse %} | ||
| # proxy_ssl_session_reuse off; |
There was a problem hiding this comment.
Maybe we should expose this as a config option with a default value so it can be customized.
There was a problem hiding this comment.
Maybe, but I couldn't make this work properly with proxy_ssl_session_reuse on;
gateway/conf.d/apicast.conf
Outdated
| # proxy_ssl_certificate {{ proxy_ssl_certificate }}; | ||
| # {% endcapture %} | ||
| # {% capture ssl_certificate_key %} | ||
| # proxy_ssl_certificate_key {{ proxy_ssl_certificate_key }}; |
There was a problem hiding this comment.
Lets not forget proxy_ssl_password_file.
There was a problem hiding this comment.
Yes. Otherwise, we'll need to type the password when Apicast boots.
| -- @tfield ?policy_chain policy_chain @{policy_chain} instance | ||
| -- @tfield ?{string,...} nameservers list of nameservers | ||
| -- @tfield ?string package.path path to load Lua files | ||
| -- @tfield ?string package.cpath path to load libraries | ||
| -- @table environment.default_config default configuration | ||
| _M.default_config = { | ||
| ca_bundle = resty_env.value('SSL_CERT_FILE'), | ||
| proxy_ssl_certificate = resty_env.value('SSL_PROXY_CERTIFICATE'), |
There was a problem hiding this comment.
We probably should covert them to absolute paths because it fails with relative ones as it changes nginx workdir/prefix with:
nginx: [emerg] BIO_new_file("/tmp/public.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/tmp/public.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
But we also should support engine:name:id format which would load the key from OpenSSL.
gateway/conf.d/apicast.conf
Outdated
| # {% endcapture %} | ||
| # {{ proxy_ssl_session_reuse | replace: "#", "" }} | ||
| # {{ ssl_certificate | replace: "#", "" }} | ||
| # {{ ssl_certificate_key | replace: "#", "" }} |
There was a problem hiding this comment.
I find this working quite well:
# {% if proxy_ssl_certificate and proxy_ssl_certificate_key %}
# {% capture proxy_ssl %}
#{#} proxy_ssl_session_reuse off;
#{#} proxy_ssl_certificate {{ proxy_ssl_certificate }};
#{#} proxy_ssl_certificate_key {{ proxy_ssl_certificate_key }};
# {% endcapture %}
# {{ proxy_ssl | replace: "#{#}", "" }}
# {% endif %}This makes it obvious that it should strip only the first part of the comment and allows commenting lines within comments.
| -- @tfield ?policy_chain policy_chain @{policy_chain} instance | ||
| -- @tfield ?{string,...} nameservers list of nameservers | ||
| -- @tfield ?string package.path path to load Lua files | ||
| -- @tfield ?string package.cpath path to load libraries | ||
| -- @table environment.default_config default configuration | ||
| _M.default_config = { | ||
| ca_bundle = resty_env.value('SSL_CERT_FILE'), | ||
| proxy_ssl_certificate = resty_env.value('SSL_PROXY_CERTIFICATE'), | ||
| proxy_ssl_certificate_key = resty_env.value('SSL_PROXY_CERTIFICATE_KEY'), |
There was a problem hiding this comment.
We probably could name these like APICAST_PROXY_* (APICAST_PROXY_CERTIFICATE and APICAST_PROXY_CERTIFICATE_KEY).
APICAST_PROXY is not the best name. Maybe APICAST_UPSTREAM_HTTPS ?
gateway/conf.d/apicast.conf
Outdated
|
|
||
| # {% if proxy_ssl_certificate and proxy_ssl_certificate_key %} | ||
| # {% capture proxy_ssl %} | ||
| #{#} # proxy_ssl_session_reuse off; |
There was a problem hiding this comment.
We'll need to set this one according to APICAST_PROXY_SESSION_REUSE.
t/mutual-ssl.t
Outdated
| use Test::APIcast::Blackbox 'no_plan'; | ||
|
|
||
| env_to_apicast( | ||
| 'APICAST_PROXY_CERTIFICATE' => '../html/server.crt', |
There was a problem hiding this comment.
These should be client.crt and client.key.
t/mutual-ssl.t
Outdated
| ssl_certificate $TEST_NGINX_SERVROOT/html/server.crt; | ||
| ssl_certificate_key $TEST_NGINX_SERVROOT/html/server.key; | ||
|
|
||
| ssl_client_certificate $TEST_NGINX_SERVROOT/html/server.crt; |
mikz
force-pushed
the
configurable-proxy-ssl-cert
branch
6 times, most recently
from
e267984 to
e9e237f
Compare
| "proxy": { | ||
| "api_backend": "https://client.badssl.com", | ||
| "backend": { | ||
| "endpoint": "https://echo-api.3scale.net" |
There was a problem hiding this comment.
Yep. But I could not figure it out from the debug logs. Haven't done wireshark yet.
mikz
force-pushed
the
configurable-proxy-ssl-cert
branch
from
e9e237f to
5da2d65
Compare
* so they are read at the very last moment * this allows updating them in between loadng config and rendering the template * depends on 3scale/liquid-lua#4, 3scale/liquid-lua#5
mikz
force-pushed
the
configurable-proxy-ssl-cert
branch
from
8288105 to
cc4dbfb
Compare
mikz
force-pushed
the
configurable-proxy-ssl-cert
branch
from
cc4dbfb to
66f77bb
Compare
davidor
force-pushed
the
configurable-proxy-ssl-cert
branch
from
a3cce31 to
850a2a5
Compare
mikz
changed the title
…ERTIFICATE_KEY [THREESCALE-328]
This PR introduces 2 new ENVs (
APICAST_PROXY_HTTPS_CERTIFICATE_KEYandAPICAST_PROXY_HTTPS_CERTIFICATE), they are used to set a client SSL certificate using theproxy_ssl_certificateand theproxy_ssl_certificate_keyNGINX directives.As a limitation, this certificate needs to be valid for all the services configured.
Closes THREESCALE-328.