feat: Support admin API authentication with SSL certificates

.travis.yml

@@ -8,7 +8,7 @@ matrix:
         - docker
       env: OSNAME=linux_openresty
     - os: linux
-      env: OSNAME=linux_openresty_two_side_ssl_auth
+      env: OSNAME=linux_openresty_mtls
     - os: osx
       env: OSNAME=osx_openresty
       cache:

bin/apisix

@@ -291,9 +291,11 @@ http {
         {%if https_admin then%}
         listen {* port_admin *} ssl;
 
-        {%if ssl.verify_client then%}
-        ssl_certificate      cert/two_side_server.crt;
-        ssl_certificate_key  cert/two_side_server.key;
+        {%if mtls and mtls.enable then%}
+        ssl_verify_client on;
+        ssl_certificate      {* mtls.server_cert *};
+        ssl_certificate_key  {* mtls.server_key *};
+        ssl_client_certificate {* mtls.ca_cert *};
         {% else %}
         ssl_certificate      cert/apisix_admin_ssl.crt;
         ssl_certificate_key  cert/apisix_admin_ssl.key;
@@ -305,11 +307,6 @@ http {
         ssl_ciphers {* ssl.ssl_ciphers *};
         ssl_prefer_server_ciphers on;
 
-        {%if ssl.verify_client then%}
-        ssl_client_certificate cert/two_side_ca.crt;
-        ssl_verify_client on;
-        {%end%}
-
         {% else %}
         listen {* port_admin *};
         {%end%}

conf/config-for-two-side-ssl-auth.yaml → conf/config-mtls.yaml

@@ -55,7 +55,12 @@ apisix:
   #   - "::/64"
   port_admin: 9180              # use a separate port
   https_admin: true             # enable HTTPS when use a separate port for Admin API.
-                                  # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+                                # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+  mtls:
+    enable: true               # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`.
+    ca_cert: "../t/certs/mtls_ca.crt"                 # Path of your self-signed ca cert.
+    server_key: "../t/certs/mtls_server.key"          # Path of your self-signed server side cert.
+    server_cert: "../t/certs/mtls_server.crt"         # Path of your self-signed server side key.
 
   # Default token when use API to call for Admin API.
   # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
@@ -93,7 +98,6 @@ apisix:
     listen_port: 9443
     ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
-    verify_client: true
     key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
                                             #  If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
                                             #  !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! 

conf/config.yaml

@@ -56,6 +56,11 @@ apisix:
   # port_admin: 9180              # use a separate port
   # https_admin: true             # enable HTTPS when use a separate port for Admin API.
                                   # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+  mtls:
+    enable: false               # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`.
+    ca_cert: ""                 # Path of your self-signed ca cert.
+    server_key: ""              # Path of your self-signed server side cert.
+    server_cert: ""             # Path of your self-signed server side key.
 
   # Default token when use API to call for Admin API.
   # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
@@ -93,9 +98,6 @@ apisix:
     listen_port: 9443
     ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
-    verify_client: false                    # Enable or disable client-to-server authentication with HTTPS client certificates
-                                            # It depends on `port_admin` and `https_admin`, they need to be enable if you want to enable `verify_client`.
-                                            # And you need to replace your real certs to `cert/two_side_ca.crt`, `cert/two_side_server.crt` and `cert/two_side_server.key`. 
     key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
                                             #  If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
                                             #  !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! 

doc/two-side-auth-with-ssl.md → doc/mtls.md

@@ -17,24 +17,25 @@
 #
 -->
 
-[Chinese](zh-cn/two-side-auth-with-ssl.md)
+[Chinese](zh-cn/mtls.md)
 
-## Enable client-to-server authentication with ssl certificates
+## Enable mutual TLS authentication
 
 1. Generate self-signed key pairs, including ca, server, client key pairs.
 
-2. Replace `cert/two-side-ca.crt` with the ca cert just generated. And replace `cert/two-side-client.crt` and `cert/two-side-client.key` in the same way.
-
-3. Modify configuration items in `conf/config.yaml`:
+2. Modify configuration items in `conf/config.yaml`:
 ```yaml
   port_admin: 9180
   https_admin: true
 
-  ssl:
-    verify_client: true   
+  mtls:
+    enable: true               # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`.
+    ca_cert: "/data/certs/mtls_ca.crt"                 # Path of your self-signed ca cert.
+    server_key: "/data/certs/mtls_server.key"          # Path of your self-signed server side cert.
+    server_cert: "/data/certs/mtls_server.crt"         # Path of your self-signed server side key.  
 ```
 
-4. Run command:
+3. Run command:
 ```shell
 apisix init
 apisix reload

doc/zh-cn/two-side-auth-with-ssl.md → doc/zh-cn/mtls.md

@@ -17,24 +17,25 @@
 #
 -->
 
-[English](../two-side-auth-with-ssl.md)
+[English](../mtls.md)
 
 ## 开启双向认证
 
 1. 生成自签证书对，包括 ca、server、client 证书对。
 
-2. 用刚刚生成的证书相应的替换 `cert/two-side-ca.crt`、`cert/two-side-client.crt` 和 `cert/two-side-client.key`。 
-
-3. 修改 `conf/config.yaml` 中的配置项:
+2. 修改 `conf/config.yaml` 中的配置项:
 ```yaml
   port_admin: 9180
   https_admin: true
 
-  ssl:
-    verify_client: true   
+  mtls:
+    enable: true               # Enable or disable mtls. Enable depends on `port_admin` and `https_admin`.
+    ca_cert: "/data/certs/mtls_ca.crt"                 # Path of your self-signed ca cert.
+    server_key: "/data/certs/mtls_server.key"          # Path of your self-signed server side cert.
+    server_cert: "/data/certs/mtls_server.crt"         # Path of your self-signed server side key.
 ```
 
-4. 执行命令:
+3. 执行命令:
 ```shell
 apisix init
 apisix reload