juzhiyuan commented on code in PR #1468: URL: https://github.com/apache/apisix-website/pull/1468#discussion_r1067770642
########## blog/en/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication.md: ########## @@ -0,0 +1,1036 @@ +--- +title: "Accessing Apisix-dashboard from everywhere with Keycloak authentication" Review Comment: Hi, please use `APISIX` instead of `Apisix` and check all other places. :) We only use `Apisix` in Ingress Resources like `ApisixRoute`. ########## blog/en/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication.md: ########## @@ -0,0 +1,1036 @@ +--- +title: "Accessing Apisix-dashboard from everywhere with Keycloak authentication" +authors: + - name: "Busico Mirto Silvio" + title: "" + url: "https://github.com/MirtoBusico"; + image_url: "https://avatars.githubusercontent.com/u/11090934?s=400&u=644e4f87c2fad56760f6eb4f46cbcb4db059880a&v=4"; +keywords: + - Apache APISIX + - API Gateway + - Authentication + - OpenID Connect + - Keycloak + - Nginx reverse proxy + - openid-connect +description: This article describes how to expose Apisix-dashboard using Apisix to authenticate the access using openid-connect plugin and a Keycloak server to manage identities +tags: [Authentication, Plugins] +image: https://github.com/MirtoBusico/assets-for-blogs/blob/main/blog01a.png +--- + +> This article describes how to setup an external access to apisix-dashboard protecting the URL with authentication managed by a keycloak server. + +<!--truncate--> + + + + +# Accessing Apisix-dashboard from everywhere with Keycloak authentication + + + + +This article presents how to setup a framework where a user can access the Apisix-dashboard protected using an authentication system managed by a Keycloak server. + +# Prerequisites + +Basic understanding of nginx reverse proxy, kubernetes, apisix and openid connect. + +> A lot of information on this matter can be found in ["Use Keycloak with API Gateway to secure APIs"](https://apisix.apache.org/blog/2022/07/06/use-keycloak-with-api-gateway-to-secure-apis/) blog post + +Here I'll present instructions, examples, code and screenshots taken from my home lab. + +The framework used in this article consists of some KVM virtual machines (from now VM): + +| VM Name | Role | Services | Description | +|-------------|------|----------|-------------| +| hdev | Development |kubectl, istioctl, helm | workstation from where manage the cluster | +| hserv | external services | DNS server, Nginx, Keycloak | services used by the cluster VM and external users | +| hkm | Kubernetes master | master node | control plane manager for K8S | +| hkw1 | K8S worker 1 | first worker node | node for hosting pods | +| hkw2 | K8S worker 2 | second worker node | node for hosting pods | +| hkw3 | K8S worker 3 | third worker node | node for hosting pods | + +The **hserv** VM have two lan cards: one on an external lan to expose services and one an internal lan to communicate with the Kubernetes (from now K8S) cluster. +All the other VM are only connected to the internal lan. + +All the machines resolve the IP addresses using the DNS server installed on **hserv** + +**Hserv** and **hdev** machines have a Graphical User Interface (from now GUI). All the other machines have only the character console. + +> The real framework is more complex. Here are reported only the relevant components + +All machines use Ubuntu distribution but commands reported here should worh for other distributions with some modifications. +The username used throughout this article will be **"sysop"** So the home directory will be indicated as **"/home/sysop"** or **"~/"**. + +# Create a Certification authority and certificates + +For all the VM the DNS server will resolve **"apisix.h.net"** to the external address of **hserv**. +In all others machine that will access the the services exposed by **hserv** there will be a line in the **"/etc/hosts"** file resolving **"apisix.h.net"** to the external address of **hserv**. + +> Working on **hserv** + +Create the directory for the entire project software +``` +cd +mkdir H +``` +Create the directory to hold the Certification authority (from now CA) certificates and the web sites certificates +``` +cd ~/H +mkdir hservcerts +cd hservcerts +``` +Create a private key for **"hservca"** +``` +sudo openssl genrsa -out hservca.key 2048 +``` +This generates a **hservca.key** key file. Using this fiile generate the CA certificate +``` +sudo openssl req -x509 -new -nodes -key hservca.key -sha256 -days 3650 -out hservca.pem +``` +This generates a **hservca.pem"** certificate file. These two files will be used to create the web sites certificates + + +## Add the CA to browsers +To be able to access the web sites with certidicates issued by this private CA, the CA certificate file have to be added to the web browser that will access these sites. + +> Working on hdev + +Copy the **"hservca.pem"** file in any machine that will access these sites. +``` +cd +cp ~/H/hservcerts/hservca.pem . +rcp hservca.pem mirto@_any_machine_name_://home/_your_username_/ +``` + +For **Firefox** browser go to: +``` +Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import +``` +and import **"hservca.pem"** (remember to flag all options) + +For **Chromium** or **Chrome** browsers go to: +``` +Settings -> Advanced -> Privacy and security -> Manage certificates -> Authorities -> Import (flag all options) +``` +and import **"hservca.pem"** (remember to flag all options) + +## Add the CA to the operating system +> Working on hdev + +Copy the "hservca.pem" file in the "/home/sysop" directory. +Copy this file on any other machine that will use sertificates signed by this CA. +``` +cd +cp ~/H/hservcerts/hservca.pem . +rcp hservca.pem mirto@_any_machine_name_://home/_your_username_/ +``` + +> Work on any machine + +Then on any machine and hserv do the following: + +``` +cd +sudo mkdir -p /usr/share/ca-certificates/extra +sudo cp hservca.pem /usr/share/ca-certificates/extra/hservca.crt +sudo dpkg-reconfigure ca-certificates +``` +> **Attention**: +> +> • "dpkg-reconfigure ca-certificates" do not recognize the ".pem" extension. Copy the **"hservca.pem"** file to **"hservca.crt"** +> +> • select the new certificate in "dpkg-reconfigure ca-certificates" (extra/hservca.crt is not selected) + +Confirm that you want to proceed: select “yes” and click “Ok”. Select the new “hservca.crt” entry and click “Ok” + + + +# Install nginx-mainline + +Verify the system is updated +``` +sudo apt update +sudo apt full-upgrade +``` +Install prerequisites +``` +sudo apt install wget gnupg2 ca-certificates lsb-release ubuntu-keyring software-properties-common -y +``` +Download the Nginx GPG key +``` +wget -O- https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg +``` +Add the Nginx mainline apt repository +``` +echo deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx | sudo tee /etc/apt/sources.list.d/nginx-mainline.list +``` +Pin the Nginx repository +``` +echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx +``` +Update apt and install nginx +``` +sudo apt update +sudo apt install nginx +``` + +# Install Keycloak +> Work on **hserv** + +## Prerequisites +Install jdk +``` +sudo apt install default-jdk +``` +Remove anacron +``` +sudo apt remove anacron +``` +Reboot the **hserv** machine + +## Keycloak installation +Go in base installation directory and get keycloak installation files (verify what is the last release) +``` +cd ~/H/ +wget https://github.com/keycloak/keycloak/releases/download/20.0.1/keycloak-20.0.1.zip +``` +Extract the files +``` +unzip keycloak-20.0.1.zip +``` +Go to the bin directory and start keycloak in standalone mode +``` +cd ~/H/keycloak-20.0.1/bin/ +./kc.sh start-dev +``` +Verify that Keycloak is accessible from **hserv** at the URL **"http://localhost:8080"** + +Create the admin user as name **"admin"** and password **"1357Togo"** + + + +Go to the administration console + + + +Login and the “Master” realm appears. Note the Keycloak version + + + + +## Automatic Keycloak startup + +> Work on **hserv** + +Create in **“/usr/lib/systemd/system”** a file named **“keycloak.service”** containing +``` +[Unit] +Description=keycloak service +After=network.service + +[Service] +ExecStart=/home/sysop/H/keycloak-20.0.1/bin/kc.sh start-dev >/var/log/keycloak.log 2>&1 +PIDFile=/var/run/keycloak.pid + +[Install] +WantedBy=multi-user.target +``` +Enable and activate the service +``` +sudo systemctl enable keycloak +sudo systemctl start keycloak +``` +Reboot hserv and verify Keycloak is accessible at startup + +## Create site and certificates for "https://k6k.h.net"; +> Work on **hserv** +> +> Note that keycloak will be abbreviated in **k6k** + +Verify that the keycloak address was added in **"/etc/hosts"** file on any machine that will access the service and is reported in the DNS server hosted on **hserv**. + +The address used is the exsternal address o the **hsrv** machine + +In the **"/etc/hosts"** fle add the line +``` +192.168.100.20 k6k k6k.h.net +``` + +In the DNS server on **hserv** add the k6k entry in the **“h.net”** DNS zone with address **“192.168.100.20”** + + + +Create the certificate for **"k6k.h.net"** + +In **"~/H/hservcerts"** create a file called **"k6kssl.cnf"** containing +``` +[req] +default_bits = 2048 +distinguished_name = req_distinguished_name +prompt = no + +[req_distinguished_name] +C = IT +ST = Italy +L = Rome +O = Busico Mirto +OU = Laboratory +CN = k6k.h.net + +[v3_ca] +subjectAltName = @alt_names + +[alt_names] +DNS.1 = k6k +# other names +DNS.2 = k6k.h.net +DNS.3 = k6k.ext.h.net +DNS.4 = k6k.int.h.net +``` +Create the server private key and csr certificate request +``` +cd ~/H/hservcerts +sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout k6k.key -out k6k.csr -config k6kssl.cnf +``` + +Create the certificate signed by the **"hservca"** certification authority +``` +sudo openssl x509 -req -in k6k.csr -CA hservca.pem -CAkey hservca.key -CAcreateserial -out k6k.crt -sha256 -days 3650 -extfile k6kssl.cnf -extensions v3_ca +``` +Now you have the key file **k6k.key** and the certificate file **k6k.cert** to be used in the nginx reverse proxy + +Change the access rights for k6k.key file to permit nginx access +``` +cd ~/H/hservcerts +sudo chmod a+r k6k.key +``` +Create the root directory for k6k under nginx and create an index.html file in that directory +``` +sudo mkdir /usr/share/nginx/k6k +sudo chmod 777 /usr/share/nginx/k6k +vi /usr/share/nginx/k6k/index.html +``` +Put in index.html filke the "K6K" base document +``` +<!DOCTYPE html> +<html> +<text> + +<h1>K6K default page</h1> + +</text> +</html> +``` +In the directory **“/etc/nginx/conf.d”** create the file **“k6k.conf”** +``` +cd /etc/nginx/conf.d +sudo vi k6k.conf +``` +The file contains +``` +server { + + listen 443 ssl http2; + server_name k6k.h.net; + root /usr/share/nginx/k6k; + + access_log /var/log/nginx/k6k.access.log; + error_log /var/log/nginx/k6k.error.log; + + ssl_certificate /home/sysop/H/hservcerts/k6k.crt; + ssl_certificate_key /home/sysop/H/hservcerts/k6k.key; + + + location / { + index index.html index.htm; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} +``` +Restart Nginx +``` +sudo systemctl restart nginx +``` +Try to access “https://k6k.h.net” from a browser: the k6k base document will be showed + +## Add keycloak reverse proxy + +In the directory **“/etc/nginx/conf.d”** change the file **“k6k.conf”** to proxy keycloak +``` +cd /etc/nginx/conf.d +sudo vi k6k.conf +``` +The file now contains +``` +server { + + listen 443 ssl http2; + server_name k6k.h.net; + root /usr/share/nginx/k6k; + + access_log /var/log/nginx/k6k.access.log; + error_log /var/log/nginx/k6k.error.log; + + ssl_certificate /home/sysop/H/hservcerts/k6k.crt; + ssl_certificate_key /home/sysop/H/hservcerts/k6k.key; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + + location / { + proxy_pass http://127.0.0.1:8080; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} +``` +Restart Nginx +``` +sudo systemctl restart nginx +``` +Rebuild keycloak for production +``` +cd ~/H/keycloak-20.0.1/bin/ +./kc.sh --verbose build +``` + +Change in **“/usr/lib/systemd/system”** the file named **“keycloak.service”** with this content +``` +[Unit] +Description=keycloak service +After=network.service + +[Service] +ExecStart=/home/sysop/H/keycloak-20.0.1/bin/kc.sh start --proxy edge --hostname-strict=false >/var/log/keycloak.log 2>&1 +PIDFile=/var/run/keycloak.pid + +[Install] +WantedBy=multi-user.target +``` +Enable and activate the service +``` +sudo systemctl daemon-reload +sudo systemctl restart keycloak +``` + +# Apisix api gateway + +## Addresses for apisix-dashboard + +The address used is the exsternal address o the **hsrv** machine + +In the **"/etc/hosts"** file of any machine accessing the cluster through the nginx reverse proxy add the line +``` +192.168.100.20 apisix apisix.h.net +``` + +In the DNS server on **hserv** add the apisix entry in the **“h.net”** DNS zone with address **“192.168.100.20”** + + + +## Apisix deployment + +> Work on **hdev** + +create a namespace for apisix +``` +kubectl create ns apisix +``` +Add apisix helm repo +``` +mkdir ~/H/software/apisisx +cd ~/H/software/apisisx +helm repo add apisix https://charts.apiseven.com +helm repo update +helm repo list +``` + +> work on **hserv** + +On **“hserv”** create the CA kubernetes secret (make readable hservca.key) +``` +cd ~/H/hservcerts +ls -lh hservca.* +kubectl -n apisix create secret generic hservcacert --from-file=cert=./hservca.pem +kubectl describe secret hservcacert -n apisix +``` + +> work on **hdev** + +Get the core_dns service address and port (in this example 10.43.0.10:53) +``` +sysop@hdev:~/H/software/apisisx$ kubectl get svc -n kube-system +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP,9153/TCP 97d +metrics-server ClusterIP 10.43.64.71 <none> 443/TCP 97d +docker-registry LoadBalancer 10.43.183.18 192.168.101.21,192.168.101.22,192.168.101.23,192.168.101.24 5000:31397/TCP 92d +sysop@hdev:~/H/software/apisisx$ +``` +Get the apisic helm chart the default values and put the output in a file named **apisix-values.yaml** then edit this file +``` +cd ~/H/software/apisisx +helm show values apisix/apisix > apisix-values.yaml +vi apisix-values.yaml +``` +You have to change: +- the gateway type to **LoadBalancer** (my home lab is powered off every day and with the default gateway type of NodePort the Apisix gateway starts every day on a different node changing IP address) +- set the **tls** section to use the kubernetes secret with the private CA reference +- set the discovery section to use the kube-dns address found before (doing this enables apisix upstream definition to use the service name instead of the IP address) +- set a session secret in the httpSrv section as a workaround cited in the [#8068](https://github.com/apache/apisix/pull/8068) feature request +- enable (set to true) apisix dashboard and ingress-controller + +The relevant tiles changed are: + +``` +gateway: + type: LoadBalancer +... + tls: + enabled: true + servicePort: 443 + containerPort: 9443 + existingCASecret: "hservcacert" + certCAFilename: "cert" +... +discovery: + enabled: true + registry: + dns: + servers: + - "10.43.0.10:53" +... + httpSrv: | + set $session_secret 0123456789a5bac9bb3c868ec8b202e93; +... + +dashboard: + enabled: true + +ingress-controller: + enabled: true +``` + +Install apisix using the new values.yaml file +``` +helm install apisix apisix/apisix -f apisix-values.yaml \ +--set ingress-controller.config.apisix.serviceNamespace=apisix \ +--set ingress-controller.config.apisix.serviceName=apisix-admin \ +--set ingress-controller.config.kubernetes.apisixRouteVersion=apisix.apache.org/v2beta3 \ +--namespace apisix +``` + +Wait for the pods to start (it can take some time) +``` +kubectl -n apisix wait --for=condition=Ready pods --all +kubectl get pods -n apisix +``` + +When all the Apisix pods will be in **Running** state the installation is completed + +## Accessing apisix dashboard +> Work on **hdev** + +Port forward apisix-dashboard +``` +kubectl -n apisix port-forward service/apisix-dashboard 9090:80 +``` +The command output should be something like +``` +sysop@hdev:~$ kubectl -n apisix port-forward service/apisix-dashboard 9090:80 +Forwarding from 127.0.0.1:8080 -> 9000 +Forwarding from [::1]:8080 -> 9000 +``` + +Then access the dashboard on **“hdev”** pointing the web browser to the url “http://localhost:9090” +Login with **“admin / admin”** + + + +Verify the dashboard version + + + + +## Create Apisix resources for apisix-dashboard + +### Create the certificate for **"apisix.h.net"** + +> Work on **hserv** + +In the “~/H/hservcerts/” folder create the key and certificate for apisix.h.net + +Create a file called **"apisixssl.cnf"** containing +``` +[req] +default_bits = 2048 +distinguished_name = req_distinguished_name +prompt = no + +[req_distinguished_name] +C = IT +ST = Italy +L = Rome +O = Busico Mirto +OU = Laboratory +CN = apisix.h.net + +[v3_ca] +subjectAltName = @alt_names + +[alt_names] +DNS.1 = apisix +# other names +DNS.2 = apisix.h.net +DNS.3 = apisix.ext.h.net +DNS.4 = apisix.int.h.net +``` +Create the server private key and csr +``` +sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout apisix.key -out apisix.csr -config apisixssl.cnf +``` + +Create the certificate file. +``` +sudo openssl x509 -req -in apisix.csr -CA hservca.pem -CAkey hservca.key -CAcreateserial -out apisix.crt -sha256 -days 3650 -extfile apisixssl.cnf -extensions v3_ca +``` +Change the access rights for apisix key to permit nginx access +``` +sudo chmod a+r apisix.key +``` + +### Apply certificates Nginx and enable HTTPS +> Work on **hserv** + +Create the root directory for apisix under nginx and create an index.html file in that directory +``` +sudo mkdir /usr/share/nginx/apisix +sudo chmod 777 /usr/share/nginx/apisix +vi /usr/share/nginx/apisix/index.html +``` +Create a **index.html** file containing +``` +<!DOCTYPE html> +<html> +<text> + +<h1>apisix https default page</h1> + +</text> +</html> +``` +In the directory **“/etc/nginx/conf.d”** create the file named **“apisix.conf”** +``` +cd /etc/nginx/conf.d +sudo vi apisix.conf +``` +Put in the **“apisix.conf”** file this content +``` +server { + + listen 443 ssl http2; + server_name apisix.h.net; + root /usr/share/nginx/apisix; + + access_log /var/log/nginx/apisix.access.log; + error_log /var/log/nginx/apisix.error.log; + + ssl_certificate /home/sysop/H/hservcerts/apisix.crt; + ssl_certificate_key /home/sysop/H/hservcerts/apisix.key; + + + location / { + index index.html index.htm; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} +``` +Restart Nginx +``` +sudo systemctl restart nginx +``` +Add the apisix line in “/etc/hosts” on any machine that will access apisix-dashboard +``` +192.168.100.20 apisix.h.net +``` +Add the apisix A record in the DNS in “h.net” zone + + + + +Access “https://apisix.h.net” from a browser and the apisix default page should be presented + +### Create the load balancer definition +> Work on **hserv** + +In the directory **“/etc/nginx/conf.d”** modify the file **“apisix.conf”** +``` +cd /etc/nginx/conf.d +sudo vi apisix.conf +``` + +Put in the file this content +``` +upstream hcluster { + ip_hash; + server 192.168.101.22:443; + server 192.168.101.23:443; + server 192.168.101.24:443; +} + + +server { + + listen 443 ssl http2; + server_name apisix.h.net; + root /usr/share/nginx/apisix; + + access_log /var/log/nginx/apisix.access.log; + error_log /var/log/nginx/apisix.error.log; + + ssl_certificate /home/sysop/H/hservcerts/apisix.crt; + ssl_certificate_key /home/sysop/H/hservcerts/apisix.key; + + proxy_busy_buffers_size 512k; + proxy_buffers 4 512k; + proxy_buffer_size 256k; + + proxy_set_header Host $host; + proxy_ssl_server_name on; + proxy_ssl_name apisix.h.net; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + + location / { + proxy_pass https://hcluster; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} +``` + +> **Note:** +> +> the lines +``` +upstream hcluster { + ip_hash; + server 192.168.101.22:443; + server 192.168.101.23:443; + server 192.168.101.24:443; +} +``` +> use the internal address of the three kubernetes worker nodes and it is necessary to specify the 443 port to enable https traffic +> +> The lines +``` + proxy_busy_buffers_size 512k; + proxy_buffers 4 512k; + proxy_buffer_size 256k; +``` +> are required because, after the Keycloak authentication, the apisix server replyes with the state in the URL. +> +> With the default values nginx replies with a "response too big" error + +Restart Nginx +``` +sudo systemctl restart nginx +``` + +Access “https://apisix.h.net” from a browser. You should receive page not found error because there is no route in Apisix + +### Create “apisix-dashboard” route and upstream with apisix-dashboard +> Work on **hdev** + +port forward apisix-dashboard and access it at “http://localhost:9090” and login with **“admin” / "admin“** +``` +kubectl -n apisix port-forward service/apisix-dashboard 9090:80 +``` +Find the apisix-dashboard service name and port +``` +sysop@hdev:~/H/hservcerts$ kubectl get svc -n apisix +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +apisix-etcd-headless ClusterIP None <none> 2379/TCP,2380/TCP 12h +apisix-etcd ClusterIP 10.43.75.4 <none> 2379/TCP,2380/TCP 12h +apisix-ingress-controller ClusterIP 10.43.170.105 <none> 80/TCP 12h +apisix-dashboard ClusterIP 10.43.48.202 <none> 80/TCP 12h +apisix-admin ClusterIP 10.43.169.123 <none> 9180/TCP 12h +apisix-gateway LoadBalancer 10.43.161.47 192.168.101.21,192.168.101.22,192.168.101.23,192.168.101.24 80:30508/TCP,443:32653/TCP 12h +sysop@hdev:~/H/hservcerts$ +``` + +Create an upstream + + + +Set the name to **“apisix-dashboard”**, upstream type to **“service discovery”**, discovery type to **“dns”** and servicename to **“apisix-dashboard.apisix.svc.cluster.local:80”**. + + + +Then click “Next” and after click “Submit” + +Click “View” to see the json upstream definition + + + +Note the upstream name to be used in the next route definition + + + +Now click “Create” on the “Route” page + + + +Create a route ("Define api request" - on top): set name to “apisix-dashboard” and add a description + + + +Create a route ("Define api request" - below): set host to **“apisix.h.net”** and path to **“/*”**. Then click **“Next”** + + + +Select the previous defined “apisix” upstream from the dropdown list. Then click “Next” + + + +For now don’t use plugins and click “Next”. Then click “Submit” + + + +### Enable https in apisix + +> Work on **hserv** + +Copy the certificates from hserv to hdev. From hserv: +``` +sysop@hserv:~$ cd ~/H +sysop@hserv:~/H$ rsync -vau --stats ./hservcerts/* hdev.int.h.net://home/sysop/H/hservcerts/ +``` +> Work on **hdev** + +Port forward apisix-dashboard and access it ah “http://localhost:9090” and login with **“admin” / "admin“** +``` +kubectl -n apisix port-forward service/apisix-dashboard 9090:80 +``` + +Select the “SSL” page and click Create + + + +Select **“Way: Upload”**, then click **“upload certificate”** and **“upload key”**. Clik “Next” (Take certificate and key files from **~/H/hservcerts**) + + + +Preview the SSL resource and click “Submit” + + + +The ssl resource appear in the list (note the SNI values) + + + +Configure the “apisix-dashboard” route to enable http to https redirection + + + +Set the **“Redirect”** field to **“Enable HTTPS”**. Then click “Next” until you see “Submit”. Click “Submit” + + + +View the route configuration and verify that the redirect plugin is enabled + + + +Now from any machine you can access the apisix-dashboard at the url **“https://apisix.h.net”** nd verify that the apisix-dashboard login page is showed Review Comment: ```suggestion Now from any machine you can access the apisix-dashboard at the url **“https://apisix.h.net”** and verify that the apisix-dashboard login page is showed ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
