AlinsRan opened a new pull request, #13596:
URL: https://github.com/apache/apisix/pull/13596

   ### Description
   
   Fixes #12472
   
   The stream (L4 TCP/TLS) subsystem could not present a client certificate 
(mTLS) when APISIX proxies to a TLS upstream, unlike the http subsystem which 
honors upstream `tls.client_cert`/`client_key`/`client_cert_id`. This was 
confirmed by a maintainer in the issue: `apisix/upstream.lua` set the stream 
upstream TLS (SNI/enable) but never applied the client certificate.
   
   #### Root cause
   
   The http subsystem injects the client cert per-request through the 
apisix-nginx-module C API `ngx_http_apisix_upstream_set_cert_and_key` (applied 
via `SSL_use_certificate` during the upstream handshake). The stream subsystem 
only exposes `ngx_stream_apisix_upstream_enable_tls` (a boolean flag) — there 
is **no** stream counterpart that sets the client cert, so the http mechanism 
cannot be reused as-is.
   
   #### Approach (self-contained, no nginx/openresty-C changes)
   
   Use the native nginx **stream** `proxy_ssl_certificate` / 
`proxy_ssl_certificate_key` directives, which support variables and inline PEM 
via the `data:` scheme (nginx >= 1.21.4, satisfied by APISIX-Runtime):
   
   - `apisix/cli/ngx_tpl.lua`: declare `$upstream_mtls_cert` / 
`$upstream_mtls_key` (empty by default) and add 
`proxy_ssl_certificate`/`proxy_ssl_certificate_key` in the stream server block 
(guarded by `use_apisix_base`). An empty value means no client certificate is 
presented.
   - `apisix/upstream.lua`: in the stream `scheme == "tls"` branch, fill those 
vars from `up_conf.tls.client_cert`/`client_key` (inline) or from the ssl 
object referenced by `tls.client_cert_id`, using the `data:` inline PEM form 
(no temp files).
   - `apisix/init.lua`: extract the `client_cert_id` -> `api_ctx.upstream_ssl` 
resolution into a shared `resolve_upstream_client_cert` helper and call it from 
`stream_preread_phase` too (previously it ran only on the http path).
   - Tests: `t/stream-node/upstream-mtls.t` (inline cert success/failure + 
`client_cert_id`).
   - Docs: note stream support in `docs/en/latest/mtls.md`.
   
   No schema change needed — `tls.client_cert`/`client_key`/`client_cert_id` 
already exist on the upstream schema.
   
   > bug-triage-2026-06


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

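The variable-filling step described in the PR, as an added example that is not APISIX's code and not the PR's diff: a small Lua resolver that turns an upstream's `tls` block into the two nginx stream variables, using the `data:` inline PEM form and the "empty means no client certificate" convention. The `ssl_objects` table standing in for the ssl resources that `client_cert_id` references, the `ngx_var` table standing in for `ngx.var`, the rule that `client_cert_id` wins over inline `client_cert`/`client_key`, and the PEM sanity check are all assumptions of this example.

```lua
-- Added example (not APISIX code). Matching nginx stream directives, assumed
-- to be declared in the stream server block (nginx >= 1.21.4 for `data:`):
--
--   proxy_ssl_certificate     $upstream_mtls_cert;
--   proxy_ssl_certificate_key $upstream_mtls_key;
--
-- An empty variable value means no client certificate is presented.

local function starts_with(s, prefix)
    return s:sub(1, #prefix) == prefix
end

-- Cheap shape check so a bad value fails here, not inside the TLS handshake.
local function looks_like_pem(s)
    return type(s) == "string"
        and starts_with(s, "-----BEGIN ")
        and s:find("-----END ", 1, true) ~= nil   -- plain find: '-' is a pattern char
end

-- Returns cert_value, key_value ("" / "" when no mTLS is configured),
-- or nil, err when the configuration is inconsistent.
-- `ssl_objects` is an assumed lookup table id -> { cert = PEM, key = PEM }.
local function resolve_upstream_mtls(tls, ssl_objects)
    if not tls then
        return "", ""
    end

    local cert, key = tls.client_cert, tls.client_key

    -- Assumption of this example: a referenced ssl object takes precedence.
    if tls.client_cert_id then
        local ssl = ssl_objects[tls.client_cert_id]
        if not ssl then
            return nil, "ssl object " .. tostring(tls.client_cert_id) .. " not found"
        end
        cert, key = ssl.cert, ssl.key
    end

    if cert == nil and key == nil then
        return "", ""                     -- plain TLS to the upstream
    end
    if cert == nil or key == nil then
        return nil, "client_cert and client_key must both be set"
    end
    if not looks_like_pem(cert) or not looks_like_pem(key) then
        return nil, "client_cert/client_key must be PEM"
    end

    -- nginx reads the PEM straight out of the variable, no temp file on disk.
    return "data:" .. cert, "data:" .. key
end

-- Writes the variables; on error clears both so a previous connection's
-- certificate can never leak into this one.
local function apply_to_ngx_var(ngx_var, tls, ssl_objects)
    local cert, key_or_err = resolve_upstream_mtls(tls, ssl_objects)
    if not cert then
        ngx_var.upstream_mtls_cert, ngx_var.upstream_mtls_key = "", ""
        return false, key_or_err
    end
    ngx_var.upstream_mtls_cert, ngx_var.upstream_mtls_key = cert, key_or_err
    return true
end

-- Constructed sample input (placeholder PEM bodies, not real key material).
local fake_cert = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"
local fake_key  = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----"
local ssl_objects = { ["1"] = { cert = fake_cert, key = fake_key } }
local ngx_var = {}   -- stands in for ngx.var

-- 1. client_cert_id path
assert(apply_to_ngx_var(ngx_var, { client_cert_id = "1" }, ssl_objects))
assert(starts_with(ngx_var.upstream_mtls_cert, "data:-----BEGIN CERTIFICATE-----"))

-- 2. inline path
assert(apply_to_ngx_var(ngx_var, { client_cert = fake_cert, client_key = fake_key }, ssl_objects))
assert(ngx_var.upstream_mtls_key == "data:" .. fake_key)

-- 3. cert without key: error, and both variables are cleared
local ok, err = apply_to_ngx_var(ngx_var, { client_cert = fake_cert }, ssl_objects)
assert(not ok and err ~= nil and ngx_var.upstream_mtls_cert == "")

-- 4. no tls block at all: plain TLS, no client cert
assert(apply_to_ngx_var(ngx_var, nil, ssl_objects) and ngx_var.upstream_mtls_key == "")
print("ok")
```

One caveat worth keeping in mind with this design: once the private key lives in an nginx variable, anything that interpolates variables can expose it, so `$upstream_mtls_key` must never appear in a `log_format` or be echoed by a plugin. Clearing both variables on every error (as above) also matters, because a per-connection variable left over from an earlier request would otherwise be offered to the next upstream handshake.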