Configure Upstream HTTPS
TLS (Transport Layer Security) is a cryptographic protocol designed to secure communication between two parties, such as a web browser and a web server. Services usually require TLS when the traffic between the API gateway and the upstream service is not considered secure or private.
This guide shows you how to configure TLS between APISIX and an upstream service.

Prerequisites
Create a Route with TLS Enabled
Create a route to the sample upstream httpbin.org, using its default HTTPS port 443:
Admin API:

curl -i "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
  "id": "quickstart-tls-upstream",
  "uri": "/ip",
  "upstream": {
    "scheme": "https",
    "nodes": {
      "httpbin.org:443": 1
    },
    "type": "roundrobin"
  }
}'

❶ "scheme": "https" configures the upstream scheme as https.
❷ "httpbin.org:443" configures the upstream port as 443.
ADC:

adc.yaml

services:
  - name: httpbin Service
    routes:
      - uris:
          - /ip
        name: quickstart-tls-upstream
    upstream:
      type: roundrobin
      scheme: https   # ❶
      nodes:
        - host: httpbin.org
          port: 443   # ❷
          weight: 1

❶ Configure the scheme as https.
❷ Configure the port as 443.

Synchronize the configuration to APISIX:

adc sync -f adc.yaml
Ingress Controller (Gateway API):

https-route.yaml

apiVersion: v1
kind: Service
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  type: ExternalName
  externalName: httpbin.org
---
apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
  namespace: ingress-apisix
  name: passhost-node
spec:
  targetRefs:
    - name: httpbin-external-domain
      kind: Service
      group: ""
  passHost: node
  scheme: https
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: quickstart-tls-upstream
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      backendRefs:
        - name: httpbin-external-domain
          port: 443

Ingress Controller (APISIX CRD):

https-route.yaml

apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  ingressClassName: apisix
  scheme: https
  passHost: node
  externalNodes:
    - type: Domain
      name: httpbin.org
      port: 443
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  namespace: ingress-apisix
  name: quickstart-tls-upstream
spec:
  ingressClassName: apisix
  http:
    - name: quickstart-tls-upstream
      match:
        paths:
          - /ip
      upstreams:
        - name: httpbin-external-domain

Apply the configuration to your cluster:

kubectl apply -f https-route.yaml
Test TLS Between APISIX and the Upstream
Send a request to the route:

curl -i "http://127.0.0.1:9080/ip"

An HTTP/1.1 200 OK response verifies that APISIX has successfully established a connection to the upstream service over HTTPS and communicated with it.
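As an added example (not part of the APISIX documentation or project code), the following Python lint reads a route body in the Admin API format used above and checks the two properties this page configures, an https scheme and a node on port 443, flagging mismatches between the two. It also reports when the upstream's tls.verify field is not enabled, which this page does not cover; the check assumes APISIX's default of not validating the upstream certificate unless that field is set to true.

```python
import json

# Constructed sample: the route body from the Admin API step on this page
# (scheme https, node httpbin.org:443), parsed from the same JSON.
ROUTE_OK = json.loads("""
{
  "id": "quickstart-tls-upstream",
  "uri": "/ip",
  "upstream": {
    "scheme": "https",
    "nodes": {"httpbin.org:443": 1},
    "type": "roundrobin"
  }
}
""")


def iter_nodes(nodes):
    """Yield (host, port) for both node encodings APISIX accepts: the map form
    {"host:port": weight} used on this page and the list form
    [{"host": ..., "port": ..., "weight": ...}] used by ADC."""
    if isinstance(nodes, dict):
        for key in nodes:
            host, _, port = key.rpartition(":")
            yield host, int(port)
    else:
        for node in nodes:
            yield node["host"], int(node["port"])


def check_upstream_tls(route):
    """Return a list of findings; an empty list means the APISIX-to-upstream
    leg is both encrypted and authenticated."""
    findings = []
    up = route.get("upstream", {})
    scheme = up.get("scheme", "http")  # APISIX defaults an upstream to plaintext http
    if scheme != "https":
        findings.append(f"upstream.scheme is {scheme!r}: APISIX sends plaintext to the upstream")
    for host, port in iter_nodes(up.get("nodes", [])):
        if scheme == "https" and port == 80:
            findings.append(f"{host}:{port} is the plaintext port but scheme is https: handshake will fail")
        if scheme == "http" and port == 443:
            findings.append(f"{host}:{port} is the TLS port but scheme is http: requests fail and the intent was likely https")
    # Encryption alone does not authenticate the upstream: APISIX checks the
    # upstream certificate only when upstream.tls.verify is true (off by default).
    if scheme == "https" and not up.get("tls", {}).get("verify", False):
        findings.append("upstream.tls.verify is not enabled: the upstream certificate is not validated")
    return findings
```

Run check_upstream_tls on the route body you are about to PUT; for the page's own configuration it returns only the tls.verify finding, which a 200 OK response from the route cannot reveal.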
Next Steps
APISIX also supports TLS connections between the client and APISIX. See Configure HTTPS Between Client and APISIX.