This is an automated email from the ASF dual-hosted git repository.
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new b7325f0 fix: enable ssl as default, using placeholder certificate
(#3013)
b7325f0 is described below
commit b7325f033ea721307c6b52beb52c85beaf710f28
Author: Shuyang Wu <[email protected]>
AuthorDate: Fri Dec 11 17:44:41 2020 +0800
fix: enable ssl as default, using placeholder certificate (#3013)
---
.travis/apisix_cli_test.sh | 21 -------------
.travis/common.sh | 13 ---------
.travis/linux_apisix_current_luarocks_runner.sh | 1 -
.travis/linux_openresty_runner.sh | 2 --
apisix/cli/ops.lua | 10 ++-----
conf/cert/ssl_PLACE_HOLDER.crt | 27 +++++++++++++++++
conf/cert/ssl_PLACE_HOLDER.key | 39 +++++++++++++++++++++++++
conf/config-default.yaml | 5 +---
8 files changed, 70 insertions(+), 48 deletions(-)
diff --git a/.travis/apisix_cli_test.sh b/.travis/apisix_cli_test.sh
index b793284..de1ad58 100755
--- a/.travis/apisix_cli_test.sh
+++ b/.travis/apisix_cli_test.sh
@@ -67,9 +67,6 @@ echo "passed: nginx.conf file contains reuseport
configuration"
echo "
apisix:
ssl:
- enable: true
- ssl_cert: '../t/certs/apisix.crt'
- ssl_cert_key: '../t/certs/apisix.key'
listen_port: 8443
" > conf/config.yaml
@@ -98,9 +95,6 @@ apisix:
- 9081
- 9082
ssl:
- enable: true
- ssl_cert: '../t/certs/apisix.crt'
- ssl_cert_key: '../t/certs/apisix.key'
listen_port:
- 9443
- 9444
@@ -387,10 +381,6 @@ git checkout conf/config.yaml
echo "
apisix:
- ssl:
- enable: true
- ssl_cert: '../t/certs/apisix.crt'
- ssl_cert_key: '../t/certs/apisix.key'
admin_api_mtls:
admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt'
admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key'
@@ -765,14 +755,6 @@ echo "passed: using env to set worker processes"
# set worker processes with env
git checkout conf/config.yaml
-echo '
-apisix:
- ssl:
- enable: true
- ssl_cert: "../t/certs/apisix.crt"
- ssl_cert_key: "../t/certs/apisix.key"
-' > conf/config.yaml
-
make init
count=`grep -c "ssl_session_tickets off;" conf/nginx.conf || true `
@@ -784,9 +766,6 @@ fi
echo '
apisix:
ssl:
- enable: true
- ssl_cert: "../t/certs/apisix.crt"
- ssl_cert_key: "../t/certs/apisix.key"
ssl_session_tickets: true
' > conf/config.yaml
diff --git a/.travis/common.sh b/.travis/common.sh
index 299b2bf..62760a6 100644
--- a/.travis/common.sh
+++ b/.travis/common.sh
@@ -34,16 +34,3 @@ create_lua_deps() {
sudo cp -r deps build-cache/
sudo cp rockspec/apisix-master-0.rockspec build-cache/
}
-
-enable_ssl() {
- echo "
- apisix:
- ssl:
- enable: true
- ssl_cert: '../t/certs/apisix.crt'
- ssl_cert_key: '../t/certs/apisix.key'
- admin_api_mtls:
- admin_ssl_cert: '../t/certs/mtls_client.crt'
- admin_ssl_cert_key: '../t/certs/mtls_client.key'
- " > conf/config.yaml
-}
diff --git a/.travis/linux_apisix_current_luarocks_runner.sh
b/.travis/linux_apisix_current_luarocks_runner.sh
index 1947246..c3c64fa 100755
--- a/.travis/linux_apisix_current_luarocks_runner.sh
+++ b/.travis/linux_apisix_current_luarocks_runner.sh
@@ -27,7 +27,6 @@ do_install() {
script() {
export_or_prefix
openresty -V
- enable_ssl
sudo rm -rf /usr/local/apisix
diff --git a/.travis/linux_openresty_runner.sh
b/.travis/linux_openresty_runner.sh
index 1be27ee..f451bbe 100755
--- a/.travis/linux_openresty_runner.sh
+++ b/.travis/linux_openresty_runner.sh
@@ -101,8 +101,6 @@ script() {
export_or_prefix
openresty -V
- enable_ssl
-
./build-cache/grpc_server_example &
./bin/apisix help
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index f2523a5..c3e72cb 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -223,13 +223,9 @@ Please modify "admin_key" in conf/config.yaml .
util.die("missing ssl cert for https admin")
end
- local ssl = yaml_conf.apisix.ssl
- if ssl and ssl.enable and not (
- ssl.ssl_cert and ssl.ssl_cert ~= "" and
- ssl.ssl_cert_key and ssl.ssl_cert_key ~= "")
- then
- util.die("missing ssl cert for ssl")
- end
+ -- enable ssl with place holder crt&key
+ yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
+ yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
-- Using template.render
local sys_conf = {
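Review bot: The two new assignments unconditionally overwrite `yaml_conf.apisix.ssl.ssl_cert` and `ssl_cert_key`, so an operator who still has a real certificate path in conf/config.yaml silently ends up serving the bundled placeholder instead — and that placeholder's private key is checked into the repository, i.e. public. The removed block also used to guard `if ssl and ...`; the new code indexes `.ssl` directly, which raises "attempt to index a nil value" if a merged config ever lacks the `ssl` table (config-default.yaml appears to always supply it, so this may be theoretical). If the intent is to retire the static options, `util.die` with a clear message on a leftover `ssl_cert` would be safer than overriding; otherwise fall back to the placeholder only when nothing is configured and say why in a comment. The enclosing function starts and ends outside this hunk.
```lua
-- … unchanged: admin mTLS cert checks above …
local ssl = yaml_conf.apisix.ssl or {}
yaml_conf.apisix.ssl = ssl
-- Fall back to the bundled placeholder only when nothing is configured.
-- The placeholder key is committed to the repo, i.e. public: it lets a
-- default install start with TLS on but provides no confidentiality.
if not (ssl.ssl_cert and ssl.ssl_cert ~= "") then
    ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
end
if not (ssl.ssl_cert_key and ssl.ssl_cert_key ~= "") then
    ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
end
-- … unchanged: sys_conf assembly …
```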
diff --git a/conf/cert/ssl_PLACE_HOLDER.crt b/conf/cert/ssl_PLACE_HOLDER.crt
new file mode 100644
index 0000000..503f277
--- /dev/null
+++ b/conf/cert/ssl_PLACE_HOLDER.crt
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/conf/cert/ssl_PLACE_HOLDER.key b/conf/cert/ssl_PLACE_HOLDER.key
new file mode 100644
index 0000000..7105067
--- /dev/null
+++ b/conf/cert/ssl_PLACE_HOLDER.key
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
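Review bot: This private key is committed to a public repository, so it is compromised by construction: with the ops.lua change every default install presents a certificate whose key anyone can download, which allows impersonation of the 9443 listener until an operator replaces it. Nothing at runtime or in the config tells the operator this; the only signal is the file name. A PEM file has no comment syntax, so the warning has to live elsewhere: a short README next to it stating the key is intentionally public and must never be reused, and a line printed by `make init` when the placeholder is selected. If openssl is available at init time, generating a per-install self-signed key there would avoid shipping a shared one at all (I cannot tell from this diff whether that is acceptable for the CI setup). The certificate's subject and validity are not visible here, so I cannot say what name it presents.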
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 28e930f..bff7e34 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -101,15 +101,12 @@ apisix:
dns_resolver_valid: 30 # valid time for dns result 30 seconds
resolver_timeout: 5 # resolver timeout
ssl:
- enable: false # ssl is disabled by default
- # enable it to use your own cert and key
+ enable: true
enable_http2: true
listen_port: 9443
# ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with
trusted CA certificates in the PEM format
# used to verify the
certificate when APISIX needs to do SSL/TLS handshaking
# with external services (e.g.
etcd)
- # ssl_cert: /path/to/ssl_cert
- # ssl_cert_key: /path/to/ssl_cert_key
ssl_protocols: "TLSv1.2 TLSv1.3"
ssl_ciphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl_session_tickets: false # disable ssl_session_tickets by
default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
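Review bot: `enable: true` drops the explanatory comment the old `enable: false` line carried, and the removed `ssl_cert`/`ssl_cert_key` lines leave no hint where certificates now come from, so a reader of config-default.yaml cannot tell that TLS is on with a placeholder. I would restore a comment on the line: `enable: true   # TLS listener is on by default using conf/cert/ssl_PLACE_HOLDER.{crt,key}; that key is public, replace it with your own certificate before exposing the listen_port`. Where real certificates are meant to be configured after this change (the SSL admin resource, presumably) should be named in that comment too, once confirmed.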