apache · moonming · Nov 20, 2020 · Aug 24, 2020 · Aug 24, 2020 · Aug 24, 2020
diff --git a/.travis/apisix_cli_test.sh b/.travis/apisix_cli_test.sh
@@ -67,6 +67,9 @@ echo "passed: nginx.conf file contains reuseport configuration"
 echo "
 apisix:
     ssl:
+        enable: true
+        ssl_cert: '../t/certs/apisix.crt'
+        ssl_cert_key: '../t/certs/apisix.key'
         listen_port: 8443
 " > conf/config.yaml
 
@@ -95,6 +98,9 @@ apisix:
     - 9081
     - 9082
   ssl:
+    enable: true
+    ssl_cert: '../t/certs/apisix.crt'
+    ssl_cert_key: '../t/certs/apisix.key'
     listen_port:
       - 9443
       - 9444
@@ -252,6 +258,13 @@ git checkout conf/config.yaml
 
 echo "
 apisix:
+    ssl:
+        enable: true
+        ssl_cert: '../t/certs/apisix.crt'
+        ssl_cert_key: '../t/certs/apisix.key'
+    admin_api_mtls:
+        admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt'
+        admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key'
     port_admin: 9180
     https_admin: true
 " > conf/config.yaml
@@ -506,6 +519,8 @@ echo '
 apisix:
     ssl:
         enable: true
+        ssl_cert: "../t/certs/apisix.crt"
+        ssl_cert_key: "../t/certs/apisix.key"
         ssl_session_tickets: true
 ' > conf/config.yaml
 

diff --git a/.travis/common.sh b/.travis/common.sh
@@ -34,3 +34,16 @@ create_lua_deps() {
     sudo cp -r deps build-cache/
     sudo cp rockspec/apisix-master-0.rockspec build-cache/
 }
+
+enable_ssl() {
+    echo "
+    apisix:
+        ssl:
+            enable: true
+            ssl_cert: '../t/certs/apisix.crt'
+            ssl_cert_key: '../t/certs/apisix.key'
+        admin_api_mtls:
+            admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt'
+            admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key'
+    " > conf/config.yaml
+}
diff --git a/.travis/linux_apisix_current_luarocks_runner.sh b/.travis/linux_apisix_current_luarocks_runner.sh
@@ -27,6 +27,7 @@ do_install() {
 script() {
     export_or_prefix
     openresty -V
+    enable_ssl
 
     sudo rm -rf /usr/local/apisix
 

diff --git a/.travis/linux_openresty_runner.sh b/.travis/linux_openresty_runner.sh
@@ -101,6 +101,7 @@ script() {
     export_or_prefix
     openresty -V
 
+    enable_ssl
 
     ./build-cache/grpc_server_example &
 

diff --git a/Makefile b/Makefile
@@ -124,7 +124,6 @@ install: default
 	$(INSTALL) conf/mime.types /usr/local/apisix/conf/mime.types
 	$(INSTALL) conf/config.yaml /usr/local/apisix/conf/config.yaml
 	$(INSTALL) conf/config-default.yaml /usr/local/apisix/conf/config-default.yaml
-	$(INSTALL) conf/cert/apisix.* /usr/local/apisix/conf/cert/
 
 	$(INSTALL) -d $(INST_LUADIR)/apisix
 	$(INSTALL) apisix/*.lua $(INST_LUADIR)/apisix/

diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
@@ -233,18 +233,12 @@ http {
         {%if https_admin then%}
         listen {* port_admin *} ssl;
 
-        {%if admin_api_mtls and admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and
-         admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" and
-         admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= ""
-        then%}
         ssl_verify_client on;
         ssl_certificate      {* admin_api_mtls.admin_ssl_cert *};
         ssl_certificate_key  {* admin_api_mtls.admin_ssl_cert_key *};
+        {%if admin_api_mtls.admin_ssl_ca_cert and admin_api_mtls.admin_ssl_ca_cert ~= "" then%}
         ssl_client_certificate {* admin_api_mtls.admin_ssl_ca_cert *};
-        {% else %}
-        ssl_certificate      cert/apisix_admin_ssl.crt;
-        ssl_certificate_key  cert/apisix_admin_ssl.key;
-        {%end%}
+        {% end %}
 
         ssl_session_cache    shared:SSL:20m;
         ssl_protocols {* ssl.ssl_protocols *};
@@ -323,8 +317,9 @@ http {
         {% end %}
         {% end %} {% -- if enable_ipv6 %}
 
-        ssl_certificate      cert/apisix.crt;
-        ssl_certificate_key  cert/apisix.key;
+        {% if ssl.enable then %}
+        ssl_certificate      {* ssl.ssl_cert *};
+        ssl_certificate_key  {* ssl.ssl_cert_key *};
         ssl_session_cache    shared:SSL:20m;
         ssl_session_timeout 10m;
 
@@ -340,6 +335,7 @@ http {
         {% else %}
         ssl_session_tickets off;
         {% end %}
+        {% end %}
 
         {% if with_module_status then %}
         location = /apisix/nginx_status {
@@ -382,9 +378,11 @@ http {
         }
         {% end %}
 
+        {% if ssl.enable then %}
         ssl_certificate_by_lua_block {
             apisix.http_ssl_phase()
         }
+        {% end %}
 
         location / {
             set $upstream_mirror_host        '';

diff --git a/bin/apisix b/bin/apisix
@@ -426,6 +426,19 @@ Please modify "admin_key" in conf/config.yaml .
         end
     end
 
+    admin_api_mtls = yaml_conf.apisix.admin_api_mtls
+    if yaml_conf.apisix.https_admin and not (admin_api_mtls and
+        admin_api_mtls.admin_ssl_cert and admin_api_mtls.admin_ssl_cert ~= "" and
+        admin_api_mtls.admin_ssl_cert_key and admin_api_mtls.admin_ssl_cert_key ~= "" ) then
+        error("missing ssl cert for https admin")
+    end
+
+    ssl = yaml_conf.apisix.ssl
+    if ssl and ssl.enable and not (
+        ssl.ssl_cert and ssl.ssl_cert ~= "" and
+        ssl.ssl_cert_key and ssl.ssl_cert_key ~= "") then
+        error("missing ssl cert for ssl")
+    end
 
     -- Using template.render
     local sys_conf = {

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -62,6 +62,7 @@ apisix:
   #   - "::/64"
   # port_admin: 9180              # use a separate port
   # https_admin: true             # enable HTTPS when use a separate port for Admin API.
+                                  # need to also enable SSL
                                 # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
   admin_api_mtls:               # Depends on `port_admin` and `https_admin`.
     admin_ssl_cert: ""             # Path of your self-signed server side cert.
@@ -101,12 +102,14 @@ apisix:
   dns_resolver_valid: 30          # valid time for dns result 30 seconds
   resolver_timeout: 5             # resolver timeout
   ssl:
-    enable: true
+    enable: false                 # ssl is disabled by default
     enable_http2: true
     listen_port: 9443
     # ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
                                                 # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
                                                 # with external services (e.g. etcd)
+    ssl_cert: ""
+    ssl_cert_key: ""
     ssl_protocols: "TLSv1.2 TLSv1.3"
     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
     ssl_session_tickets: false              #  disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.

diff --git a/t/APISIX.pm b/t/APISIX.pm
@@ -74,12 +74,12 @@ my $default_yaml_config = read_file("conf/config-default.yaml");
 $default_yaml_config =~ s/#- example-plugin/- example-plugin/;
 
 my $user_yaml_config = read_file("conf/config.yaml");
-my $ssl_crt = read_file("conf/cert/apisix.crt");
-my $ssl_key = read_file("conf/cert/apisix.key");
-my $ssl_ecc_crt = read_file("conf/cert/apisix_ecc.crt");
-my $ssl_ecc_key = read_file("conf/cert/apisix_ecc.key");
-my $test2_crt = read_file("conf/cert/test2.crt");
-my $test2_key = read_file("conf/cert/test2.key");
+my $ssl_crt = read_file("t/certs/apisix.crt");
+my $ssl_key = read_file("t/certs/apisix.key");
+my $ssl_ecc_crt = read_file("t/certs/apisix_ecc.crt");
+my $ssl_ecc_key = read_file("t/certs/apisix_ecc.key");
+my $test2_crt = read_file("t/certs/test2.crt");
+my $test2_key = read_file("t/certs/test2.key");
 $user_yaml_config = <<_EOC_;
 apisix:
   node_listen: 1984

diff --git a/t/admin/ssl.t b/t/admin/ssl.t
@@ -30,8 +30,8 @@ __DATA__
             local etcd = require("apisix.core.etcd")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
 
             local code, body = t.test('/apisix/admin/ssl/1',
@@ -157,8 +157,8 @@ GET /t
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "foo.com"}
 
             local code, message, res = t.test('/apisix/admin/ssl',
@@ -210,8 +210,8 @@ GET /t
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {sni = "foo.com"}
 
             local code, body = t.test('/apisix/admin/ssl/1',
@@ -249,8 +249,8 @@ GET /t
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "*.foo.com"}
 
             local code, body = t.test('/apisix/admin/ssl/1',
@@ -287,8 +287,8 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {
                 cert = ssl_cert, key = ssl_key,
                 snis = {"*.foo.com", "bar.com"},
@@ -328,8 +328,8 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {
                 cert = ssl_cert, key = ssl_key,
                 sni = "bar.com",
@@ -371,8 +371,8 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
 
             local code, body = t.test('/apisix/admin/ssl/a-b-c-ABC_0123',
@@ -401,8 +401,8 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
 
             local code, body = t.test('/apisix/admin/ssl/a-b-c-ABC_0123',
@@ -430,8 +430,8 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
 
             local code, body = t.test('/apisix/admin/ssl/*invalid',
@@ -459,10 +459,10 @@ GET /t
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
-            local ssl_ecc_cert = t.read_file("conf/cert/apisix_ecc.crt")
-            local ssl_ecc_key = t.read_file("conf/cert/apisix_ecc.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
+            local ssl_ecc_cert = t.read_file("t/certs/apisix_ecc.crt")
+            local ssl_ecc_key = t.read_file("t/certs/apisix_ecc.key")
             local data = {
                 cert = ssl_cert,
                 key = ssl_key,
@@ -505,7 +505,7 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_ecc_cert = t.read_file("conf/cert/apisix_ecc.crt")
+            local ssl_ecc_cert = t.read_file("t/certs/apisix_ecc.crt")
 
             local data = {
                 sni = "test.com",
@@ -548,8 +548,8 @@ GET /t
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com", labels = { version = "v2", build = "16", env = "production"}}
 
             local code, body = t.test('/apisix/admin/ssl/1',
@@ -592,8 +592,8 @@ passed
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com", labels = { env = {"production", "release"}}}
 
             local code, body = t.test('/apisix/admin/ssl/1',
@@ -635,8 +635,8 @@ GET /t
             local core = require("apisix.core")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {
                 cert = ssl_cert, 
                 key = ssl_key, 
@@ -710,8 +710,8 @@ GET /t
             local etcd = require("apisix.core.etcd")
             local t = require("lib.test_admin")
 
-            local ssl_cert = t.read_file("conf/cert/apisix.crt")
-            local ssl_key =  t.read_file("conf/cert/apisix.key")
+            local ssl_cert = t.read_file("t/certs/apisix.crt")
+            local ssl_key =  t.read_file("t/certs/apisix.key")
             local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
 
             local code, body, res = t.test('/apisix/admin/ssl',

diff --git a/conf/cert/apisix.crt → t/certs/apisix.crt b/conf/cert/apisix.crt → t/certs/apisix.crt
diff --git a/conf/cert/apisix.key → t/certs/apisix.key b/conf/cert/apisix.key → t/certs/apisix.key
diff --git a/conf/cert/apisix_admin_ssl.crt → t/certs/apisix_admin_ssl.crt b/conf/cert/apisix_admin_ssl.crt → t/certs/apisix_admin_ssl.crt
diff --git a/conf/cert/apisix_admin_ssl.key → t/certs/apisix_admin_ssl.key b/conf/cert/apisix_admin_ssl.key → t/certs/apisix_admin_ssl.key
diff --git a/conf/cert/apisix_ecc.crt → t/certs/apisix_ecc.crt b/conf/cert/apisix_ecc.crt → t/certs/apisix_ecc.crt
diff --git a/conf/cert/apisix_ecc.key → t/certs/apisix_ecc.key b/conf/cert/apisix_ecc.key → t/certs/apisix_ecc.key
diff --git a/conf/cert/openssl-test2.conf → t/certs/openssl-test2.conf b/conf/cert/openssl-test2.conf → t/certs/openssl-test2.conf
diff --git a/conf/cert/openssl.conf → t/certs/openssl.conf b/conf/cert/openssl.conf → t/certs/openssl.conf
diff --git a/conf/cert/test2.crt → t/certs/test2.crt b/conf/cert/test2.crt → t/certs/test2.crt
diff --git a/conf/cert/test2.key → t/certs/test2.key b/conf/cert/test2.key → t/certs/test2.key
diff --git a/t/plugin/redirect.t b/t/plugin/redirect.t
@@ -574,8 +574,8 @@ location /t {
         local core = require("apisix.core")
         local t = require("lib.test_admin")
 
-        local ssl_cert = t.read_file("conf/cert/apisix.crt")
-        local ssl_key =  t.read_file("conf/cert/apisix.key")
+        local ssl_cert = t.read_file("t/certs/apisix.crt")
+        local ssl_key =  t.read_file("t/certs/apisix.key")
         local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
 
         local code, body = t.test('/apisix/admin/ssl/1',