AlinsRan opened a new issue, #9885:
URL: https://github.com/apache/apisix/issues/9885

   ### Description
   
   II. Background
   In the communication between endpoint products and the server, we need to 
consider TLS protocol compatibility across many endpoint products. For example, 
some old products (old Android mobile phones, TVs and other endpoint devices) 
still use the older TLSv1.1 protocol version, while new products use newer TLS 
protocol versions. If a new product also supports TLSv1.1, it may bring some 
security risks. In order to ensure that the product can establish secure 
communication, we need to adapt between protocol versions.
   2.1 Problem to be solved 
   At present, APISIX can only configure the TLS version through the config.yaml 
file, and that setting takes effect for all hosts, which lacks flexibility. 
OpenResty has a feature that can set the TLS protocol version per host in the 
ssl_client_hello_by_lua_block phase. APISIX can use this feature to allow users 
to dynamically set different TLS versions for each host according to their own 
needs.
   2.2 The benefits of solving this problem
   - It gives users more flexibility to dynamically set different TLS protocol 
versions for each host according to their needs
   - It enhances APISIX's dynamic configuration capabilities
   III. Goals
   [ ] In APISIX, different TLS protocol versions can be dynamically configured 
for each host.
   V. Detailed design
   In APISIX, a new TLS protocol selection phase, http_ssl_protocols_phase(), is 
added. It is responsible for applying the TLS protocol versions specified in the 
configuration of the SSL object matched by the SNI in the ClientHello of the 
TLS handshake.
   The execution order of the APISIX phases is as follows:
   http_ssl_protocols_phase() -> http_ssl_phase() -> http_access_phase() -> ...
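   The following is an added example, not APISIX's own code, of what such a 
client-hello phase handler does: it reads the SNI from the ClientHello, finds 
the SSL resource whose snis list matches it, and restricts the handshake to that 
resource's ssl_protocols, falling back to the static default ["TLSv1.2", 
"TLSv1.3"] when no resource matches. The `ssl_resources` table is a constructed 
stand-in for APISIX's etcd-backed ssl objects, and the wildcard matching is an 
assumption for illustration; the `ngx.ssl.clienthello` calls 
(get_client_hello_server_name, set_protocols) are the lua-resty-core API that 
ssl_client_hello_by_lua_block exposes.

```lua
-- Added example (not APISIX code): a per-SNI TLS protocol restriction handler
-- intended to run from ssl_client_hello_by_lua_block.
local ssl_clt = require("ngx.ssl.clienthello")

-- Static default, as configured in config.yaml (apisix.ssl.ssl_protocols).
local STATIC_DEFAULT = { "TLSv1.2", "TLSv1.3" }

-- Constructed sample resources standing in for APISIX ssl objects. Each
-- entry's snis are matched against the SNI sent by the client; a leading
-- "*." wildcard covers exactly one label (an assumption for this example).
local ssl_resources = {
    { id = "1", snis = { "test.com" },        ssl_protocols = { "TLSv1.2", "TLSv1.3" } },
    { id = "2", snis = { "legacy.test.com" }, ssl_protocols = { "TLSv1.1", "TLSv1.2" } },
    { id = "3", snis = { "*.example.com" },   ssl_protocols = { "TLSv1.3" } },
}

-- Return true if `sni` matches `pattern` (exact match or single-label wildcard).
local function sni_matches(pattern, sni)
    if pattern == sni then
        return true
    end
    local suffix = pattern:match("^%*(%..+)$")
    if not suffix then
        return false
    end
    -- "*.example.com" matches "a.example.com" but neither "example.com"
    -- nor "a.b.example.com"
    if sni:sub(-#suffix) ~= suffix then
        return false
    end
    local label = sni:sub(1, #sni - #suffix)
    return #label > 0 and not label:find(".", 1, true)
end

-- Resolve the protocol list for an SNI: the matching resource's ssl_protocols
-- overrides the static default; an unknown SNI falls back to the default.
-- Returns the protocol list and the id of the resource that supplied it (nil
-- when the static default is used).
local function protocols_for_sni(sni)
    for _, res in ipairs(ssl_resources) do
        if res.ssl_protocols then
            for _, pattern in ipairs(res.snis) do
                if sni_matches(pattern, sni) then
                    return res.ssl_protocols, res.id
                end
            end
        end
    end
    return STATIC_DEFAULT, nil
end

-- Phase handler: runs in the client-hello phase, before the certificate is
-- selected, so the protocol restriction is applied per host.
local function ssl_protocols_phase()
    local sni, err = ssl_clt.get_client_hello_server_name()
    if not sni then
        -- No SNI (or an error): apply the static default rather than leaving
        -- the server-wide setting unqualified.
        ngx.log(ngx.WARN, "no SNI in ClientHello: ", err or "absent")
        sni = ""
    end

    local protocols, id = protocols_for_sni(sni)
    local ok, set_err = ssl_clt.set_protocols(protocols)
    if not ok then
        -- Refusing the handshake is safer than continuing with an unknown
        -- protocol set for this host.
        ngx.log(ngx.ERR, "failed to set TLS protocols for ", sni, ": ", set_err)
        return ngx.exit(ngx.ERROR)
    end
    ngx.log(ngx.INFO, "sni ", sni, " -> ssl resource ", id or "(default)",
            " protocols ", table.concat(protocols, " "))
end

return {
    sni_matches = sni_matches,
    protocols_for_sni = protocols_for_sni,
    ssl_protocols_phase = ssl_protocols_phase,
}
```

   With these sample resources, a ClientHello for legacy.test.com is limited to 
TLSv1.1 and TLSv1.2, one for api.example.com to TLSv1.3 only, and one for an 
SNI no resource lists to the static default. Because set_protocols must run 
before certificate selection, the handler has to be wired into 
ssl_client_hello_by_lua_block rather than ssl_certificate_by_lua_block.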
   - ngx_tpl.lua
            {% if ssl.enable then %}
   +        ssl_client_hello_by_lua_block {
   +            apisix.http_ssl_protocols_phase()
   +        }
   +
            ssl_certificate_by_lua_block {
                apisix.http_ssl_phase()
            }
            {% end %}
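   Review bot: the new ssl_client_hello_by_lua_block inside the `ssl.enable` guard depends on the client-hello phase, which ngx_lua only provides from version 0.10.21 (bundled with OpenResty 1.21.4.1); on an older OpenResty build the generated nginx.conf will fail to start on the unknown directive. The design should state the minimum OpenResty version it requires, or guard this block in the template the same way the surrounding `{% if ssl.enable then %}` does, so that an upgrade of APISIX alone does not break existing deployments.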
   Function configuration
   The host-level dynamic protocol configuration follows the design of ssl 
resources and takes effect globally in APISIX.
   Simply add an ssl_protocols field to the ssl resource to specify the TLS 
protocol versions for the domain names in its snis list; the default value is 
["TLSv1.2", "TLSv1.3"].
   As shown in the following example, for the test.com domain name the TLS 
protocol versions are restricted to TLSv1.2 and TLSv1.3.
   # curl http://127.0.0.1:9180/admin/apisix/ssls/1
   {
       "cert": "$cert",
       "key": "$key",
       "snis": ["test.com"],
       "ssl_protocols": [
           "TLSv1.2",
           "TLSv1.3"
       ]
   }
   
   Configuration instructions
   - Static configuration
   The [ssl_protocols](https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L106) parameter 
in the static configuration applies to all APISIX nodes, but cannot be modified 
dynamically.
   apisix:
     ssl:
       ssl_protocols: TLSv1.2 TLSv1.3 # when
   - Dynamic resource configuration
   Dynamic resource configuration means creating and managing ssl resources 
through the APISIX Admin API. The new ssl.ssl_protocols field gives fine-grained 
control per host and dynamically specifies the TLS protocol versions of each 
host.
   # curl http://127.0.0.1:9180/admin/apisix/ssls/1
   {
       "cert": "$cert",
       "key": "$key",
       "snis": ["test.com"],
       "ssl_protocols": [
           "TLSv1.2",
           "TLSv1.3"
       ]
   }
   
   The ssl resource configuration takes precedence and overrides the static 
configuration. For example, if you set ssl_protocols: TLSv1.2 TLSv1.3 in 
config.yaml but set ssl.ssl_protocols: [TLSv1.3] in the resource configuration, 
APISIX will finally use the TLSv1.3 protocol. Therefore, when using the ssl 
configuration of APISIX, you need to pay attention to the following points:
   - SSL resource configuration overrides the static configuration globally; the 
resource configuration takes precedence.
   - The ssl resource configuration can be modified dynamically, while changes to 
the static configuration require an APISIX restart to take effect.
   - SSL resource configuration can be controlled at SNI granularity, while the 
static configuration only applies APISIX-wide.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.