Baoyuantop commented on issue #12606: URL: https://github.com/apache/apisix/issues/12606#issuecomment-3327394422
1. Use different hostnames (SNI) to differentiate security policies: for example, enable client-side mTLS for `mtls.test.com` and disable it for `open.test.com`, and create and bind separate SSL resources for each.
2. If the same hostname is required, traffic can only be permitted based on the path: configure a URI prefix or regular expression that allows certificate exemptions in the corresponding SSL resource using the `client.skip_mtls_uri_regex` parameter. "Differentiating by port for the same hostname" is not possible.
3. Workaround at the infrastructure layer: at L4/Nginx/load balancer, traffic is split by port to two gateways (two APISIX instances or different cluster configurations), one with client-side mTLS enabled and the other without. This approach allows for different port policies for the same domain.
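As an added example (not part of the comment above or of the APISIX project's own documentation), here are the two SSL resources that options 1 and 2 describe, written in APISIX standalone `apisix.yaml` form: `mtls.test.com` requires a client certificate except on the URIs matched by `client.skip_mtls_uri_regex`, while `open.test.com` is plain TLS. The PEM bodies, the `/public/` and `/healthz` exemption paths, and the `ssls:` key name for the standalone file are assumptions.

```yaml
# Two SSL resources keyed by SNI, so the mTLS policy follows the hostname
# that the client presents in ClientHello, not the port it connects to.
ssls:
  - id: mtls-test-com
    snis:
      - mtls.test.com
    cert: |
      -----BEGIN CERTIFICATE-----
      <server certificate for mtls.test.com, placeholder>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <server private key, placeholder>
      -----END PRIVATE KEY-----
    client:
      # CA that issued the client certificates; only certs chaining to it pass.
      ca: |
        -----BEGIN CERTIFICATE-----
        <client CA certificate, placeholder>
        -----END CERTIFICATE-----
      # Maximum chain depth accepted when verifying the client certificate.
      depth: 1
      # Requests whose URI matches one of these regexes are served without a
      # client certificate (option 2: path-based exemption on the same host).
      # Keep the list tight: every pattern here is an unauthenticated surface.
      skip_mtls_uri_regex:
        - "^/public/.*"
        - "^/healthz$"

  - id: open-test-com
    snis:
      - open.test.com
    # No `client` block: plain server-side TLS, no client certificate requested.
    cert: |
      -----BEGIN CERTIFICATE-----
      <server certificate for open.test.com, placeholder>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <server private key, placeholder>
      -----END PRIVATE KEY-----
#END
```

The same two objects can be submitted individually to the Admin API as `PUT /apisix/admin/ssls/{id}` JSON bodies; a client that sends no SNI, or an SNI matching neither entry, gets neither policy, so check how the default certificate is configured on the listener.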