feat: Support admin API authentication with SSL certificates

.travis/linux_openresty_mtls_runner.sh

@@ -109,13 +109,34 @@ script() {
     sleep 1
     cat logs/error.log
 
-
+    # correct certs 
     code=$(curl -i -o /dev/null -s -w %{http_code}  --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
     if [ ! $code -eq 200 ]; then
         echo "failed: failed to enabled mTLS for admin"
         exit 1
     fi
 
+    # no certs
+    code=$(curl -i -o /dev/null -s -w %{http_code} -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 000 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
+    # no ca cert 
+    code=$(curl -i -o /dev/null -s -w %{http_code} --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 000 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
+    # error key
+    code=$(curl -i -o /dev/null -s -w %{http_code}  --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_server.key --cert ./t/certs/mtls_client.crt -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' https://admin.apisix.dev:9180/apisix/admin/routes)
+    if [ ! $code -eq 000 ]; then
+        echo "failed: failed to enabled mTLS for admin"
+        exit 1
+    fi
+
     ./bin/apisix stop
     sleep 1
 

bin/apisix

@@ -291,7 +291,10 @@ http {
         {%if https_admin then%}
         listen {* port_admin *} ssl;
 
-        {%if admin_api_mtls and admin_api_mtls.mtls_enable then%}
+        {%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and 
+         admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and 
+         admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" 
+        then%}
         ssl_verify_client on;
         ssl_certificate      {* admin_api_mtls.admin_ssl_cert *};
         ssl_certificate_key  {* admin_api_mtls.admin_ssl_cert_key *};

conf/config.yaml

@@ -53,14 +53,13 @@ apisix:
   allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
     - 127.0.0.0/24              # If we don't set any IP list, then any IP access is allowed by default.
   #   - "::/64"
-  port_admin: 9180              # use a separate port
-  https_admin: true             # enable HTTPS when use a separate port for Admin API.
-                                  # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
-  admin_api_mtls:
-    mtls_enable: true          # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`.
-    admin_ssl_cert: "../t/certs/mtls_server.crt"             # Path of your self-signed server side cert.
-    admin_ssl_cert_key: "../t/certs/mtls_server.key"              # Path of your self-signed server side key.
-    admin_ssl_ca_cert: "../t/certs/mtls_ca.crt"                     # Path of your self-signed ca cert.
+  # port_admin: 9180              # use a separate port
+  # https_admin: true             # enable HTTPS when use a separate port for Admin API.
+                                # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
+  admin_api_mtls:               # Depends on `port_admin` and `https_admin`.
+    admin_ssl_cert: ""             # Path of your self-signed server side cert.
+    admin_ssl_cert_key: ""              # Path of your self-signed server side key.
+    admin_ssl_ca_cert: ""                     # Path of your self-signed ca cert.
 
   # Default token when use API to call for Admin API.
   # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.