feature: enabled HTTP2 and supported to set ssl_protocols. #663

Merged
merged 3 commits into from
Oct 10, 2019
13 changes: 11 additions & 2 deletions bin/apisix
Expand Up @@ -235,15 +235,24 @@ http {

server {
listen {* node_listen *};
listen {* node_ssl_listen *} ssl;
{% if ssl.enable then %}
listen {* ssl.listen_port *} ssl {% if ssl.enable_http2 then %} http2 {% end %};
{% end %}

{% if enable_ipv6 then %}
listen [::]:{* node_listen *};
listen [::]:{* node_ssl_listen *} ssl;
{% if ssl.enable then %}
listen [::]:{* node_ssl_listen *} ssl {% if ssl.enable_http2 then %} http2 {% end %};
{% end %}
{% end %} {% -- if enable_ipv6 %}

ssl_certificate cert/apisix.crt;
ssl_certificate_key cert/apisix.key;
ssl_session_cache shared:SSL:1m;

ssl_protocols {* ssl.ssl_protocols *};
ssl_ciphers {* ssl.ssl_ciphers *};

{% if with_module_status then %}
location = /apisix/nginx_status {
allow 127.0.0.0/24;
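Review bot: The IPv6 branch still reads `listen [::]:{* node_ssl_listen *} ssl {% if ssl.enable_http2 then %} http2 {% end %};` while the IPv4 line above it switched to `ssl.listen_port`, and this same PR deletes the `node_ssl_listen` key from conf/config.yaml; with enable_ipv6 set, the rendered directive would therefore lose its port (or fail to render, depending on how the template engine treats a nil value). It should be `listen [::]:{* ssl.listen_port *} ssl {% if ssl.enable_http2 then %} http2 {% end %};`. A short template comment such as `{% -- ssl.listen_port replaces the former node_ssl_listen key %}` next to the ssl.enable guard would make the migration visible to anyone editing the template. The enclosing server block continues past the hunk.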
7 changes: 6 additions & 1 deletion conf/config.yaml
@@ -1,6 +1,5 @@
apisix:
node_listen: 9080 # APISIX listening port
node_ssl_listen: 9443
enable_heartbeat: true
enable_admin: true
enable_debug: false
Expand Down Expand Up @@ -33,6 +32,12 @@ apisix:
- 114.114.114.114
error_log:
level: warn
ssl:
enable: true
enable_http2: true
listen_port: 9443
ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
ssl_ciphers: "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5"

etcd:
host: "http://127.0.0.1:2379" # etcd address
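Review bot: The new default `ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"` ships with TLS 1.0 and 1.1 enabled, and the `ssl_ciphers` default keeps the 3DES suites (`EECDH+ECDSA+3DES`, `EECDH+aRSA+3DES`, `RSA+3DES`); both protocol versions are deprecated and 3DES is routinely flagged by TLS scanners, so a gateway default of `ssl_protocols: "TLSv1.2 TLSv1.3"` with the 3DES entries dropped is the safer baseline, leaving operators to opt back in explicitly. The identical protocol and cipher lists are hard-coded in conf/nginx.conf in this PR, so the two copies will drift unless one is derived from the other or a comment in each points at the other. Since `node_ssl_listen` is removed in the first hunk, a comment on the replacement such as `listen_port: 9443 # replaces the former node_ssl_listen key` would help existing deployments migrate their config.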
15 changes: 10 additions & 5 deletions conf/nginx.conf
Expand Up @@ -17,6 +17,7 @@ working_directory /tmp/apisix_cores/;

worker_shutdown_timeout 3;


http {
lua_package_path "$prefix/deps/share/lua/5.1/?.lua;$prefix/lua/?.lua;/usr/share/lua/5.1/?.lua;;";
lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;$prefix/deps/lib/lua/5.1/?.so;/usr/lib64/lua/5.1/?.so;;";
Expand Down Expand Up @@ -83,11 +84,15 @@ http {

server {
listen 9080;
listen 9443 ssl;
listen 9443 ssl http2;

ssl_certificate cert/apisix.crt;
ssl_certificate_key cert/apisix.key;
ssl_session_cache shared:SSL:1m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

location = /apisix/nginx_status {
allow 127.0.0.0/24;
deny all;
Expand All @@ -102,10 +107,6 @@ http {
}
}

ssl_certificate_by_lua_block {
apisix.http_ssl_phase()
}

location /apisix/dashboard {
index index.html;

Expand All @@ -118,6 +119,10 @@ http {
try_files $uri $uri/ /index.html;
}

ssl_certificate_by_lua_block {
apisix.http_ssl_phase()
}

location / {
set $upstream_scheme 'http';
set $upstream_host $host;
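Review bot: `listen 9443 ssl http2;` turns HTTP/2 on unconditionally here, whereas the template in bin/apisix gates it on `ssl.enable_http2`; if this file is meant to be the rendered sample of the default config that is consistent, but a comment saying so would keep the two from diverging, e.g. `# mirrors bin/apisix rendered with ssl.enable_http2 = true`. Note that the `http2` listen parameter is rejected by an nginx built without the HTTP/2 module, so the sample assumes the bundled build. The first hunk also adds a second consecutive blank line before `http {`, which looks accidental.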
6 changes: 2 additions & 4 deletions lua/apisix.lua
Expand Up @@ -11,7 +11,6 @@ local ipmatcher = require("resty.ipmatcher")
local ngx = ngx
local get_method = ngx.req.get_method
local ngx_exit = ngx.exit
local ngx_ERROR = ngx.ERROR
local math = math
local error = error
local ipairs = ipairs
Expand Down Expand Up @@ -142,12 +141,11 @@ function _M.http_ssl_phase()
ngx_ctx.api_ctx = api_ctx
end

local ok, err = router.router_ssl.match(api_ctx)
local ok, err = router.router_ssl.match_and_set(api_ctx)
if not ok then
if err then
core.log.error("failed to fetch ssl config: ", err)
core.log.warn("failed to fetch ssl config: ", err)
end
return ngx_exit(ngx_ERROR)
end
end

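Review bot: Dropping `return ngx_exit(ngx_ERROR)` after a failed `router.router_ssl.match_and_set(api_ctx)` changes the failure semantics of http_ssl_phase: a ClientHello whose SNI matches no configured SSL object is no longer rejected but completes the handshake with the static `cert/apisix.crt` fallback, which is what the updated expectation `failed to do SSL handshake: certificate host mismatch` in t/router/r3-sni.t and t/router/radixtree-sni.t shows. That is a reasonable way to make the static certificate usable, but it means the fallback certificate is now presented for any unknown SNI, so it should be stated in a comment and in the PR description; suggest `-- no SSL object matched the SNI: fall through and let nginx serve the static fallback certificate` above `if not ok then`. Downgrading the log from error to warn is consistent with that, though if the router reports a no-match as `err` (as the tests' error_log expectation `not found any valid sni configuration` suggests) every unmatched SNI probe will now emit a warn line. The function starts before the hunk.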
6 changes: 3 additions & 3 deletions lua/apisix/http/router/r3_sni.lua
Expand Up @@ -66,6 +66,8 @@ local function set_pem_ssl_key(cert, pkey)
return false, "no request found"
end

ngx_ssl.clear_certs()

local out = ffi.new("char [?]", #cert)
local rc = C.ngx_http_lua_ffi_cert_pem_to_der(cert, #cert, out, errmsg)
if rc < 1 then
Expand Down Expand Up @@ -97,9 +99,7 @@ local function set_pem_ssl_key(cert, pkey)
end


function _M.match(api_ctx)
ngx_ssl.clear_certs()

function _M.match_and_set(api_ctx)
local r3, err = core.lrucache.global("/ssl", ssl.conf_version,
create_r3_router, ssl.values)
if not r3 then
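Review bot: Moving `ngx_ssl.clear_certs()` into set_pem_ssl_key means the fallback certificate is only discarded once an SNI has matched, and any failure after it (the `rc < 1` path on `ngx_http_lua_ffi_cert_pem_to_der`, which presumably returns before a certificate is set) leaves the connection with no certificate at all, so a matched-but-broken SSL object fails closed while an unmatched SNI keeps the fallback. That asymmetry is the right direction but is easy to undo in a later refactor, so add `-- clear the fallback cert only once an SNI has matched; a failure below then fails the handshake instead of serving the wrong cert` above the call. The rename to `match_and_set` must be mirrored by any caller besides lua/apisix.lua that still calls `match`, which this diff cannot show. The same applies to lua/apisix/http/router/radixtree_sni.lua. set_pem_ssl_key starts before the hunk.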
6 changes: 3 additions & 3 deletions lua/apisix/http/router/radixtree_sni.lua
Expand Up @@ -68,6 +68,8 @@ local function set_pem_ssl_key(cert, pkey)
return false, "no request found"
end

ngx_ssl.clear_certs()

local out = ffi.new("char [?]", #cert)
local rc = C.ngx_http_lua_ffi_cert_pem_to_der(cert, #cert, out, errmsg)
if rc < 1 then
Expand Down Expand Up @@ -99,9 +101,7 @@ local function set_pem_ssl_key(cert, pkey)
end


function _M.match(api_ctx)
ngx_ssl.clear_certs()

function _M.match_and_set(api_ctx)
local err
if not radixtree_router or
radixtree_router_ver ~= ssl_certificates.conf_version then
5 changes: 3 additions & 2 deletions t/plugin/proxy-rewrite.t
Expand Up @@ -623,7 +623,7 @@ a: iresty



=== TEST 16: set route(rewrite uri empty args)
=== TEST 22: set route(rewrite uri empty args)
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -661,7 +661,8 @@ passed
[error]


=== TEST 22: rewrite uri empty args

=== TEST 23: rewrite uri empty args
--- request
GET /hello HTTP/1.1
--- response_body
4 changes: 2 additions & 2 deletions t/router/r3-sni.t
Expand Up @@ -203,9 +203,9 @@ GET /t
--- yaml_config eval: $::yaml_config
--- response_body
connected: 1
failed to do SSL handshake: handshake failed
failed to do SSL handshake: certificate host mismatch
--- error_log
SSL_do_handshake() failed (SSL: error:
not found any valid sni configuration



4 changes: 2 additions & 2 deletions t/router/radixtree-sni.t
Expand Up @@ -185,9 +185,9 @@ location /t {
GET /t
--- response_body
connected: 1
failed to do SSL handshake: handshake failed
failed to do SSL handshake: certificate host mismatch
--- error_log
SSL_do_handshake() failed (SSL: error:
not found any valid sni configuration


