跳到主要内容

配置客户端与网关之间的 HTTPS

本文介绍如何通过 Ingress Controller 配置网关接收来自客户端的 HTTPS 请求。

前提条件

  1. 完成设置 Ingress Controller 和网关

在网关上启用 SSL

确保你的网关已启用 SSL。

helm upgrade apisix apisix/apisix \
--set ... \ # add other parameters
--set "apisix.ssl.enabled=true" \
--set "apisix.ssl.containerPort=9443"

生成证书和密钥

生成证书颁发机构(CA)的密钥和证书:

openssl genrsa -out ca.key 2048 && \
openssl req -new -sha256 -key ca.key -out ca.csr -subj "/CN=ROOTCA" && \
openssl x509 -req -days 36500 -sha256 -extensions v3_ca -signkey ca.key -in ca.csr -out ca.crt

为网关生成通用名称为 test.com 的密钥和证书,并使用 CA 证书进行签名:

openssl genrsa -out server.key 2048 && \
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=test.com" && \
openssl x509 -req -days 36500 -sha256 -extensions v3_req \
-CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial \
-in server.csr -out server.crt

配置下游 HTTPS

创建 Kubernetes TLS Secret:

kubectl create secret tls test-tls-secret \
--cert=server.crt \
--key=server.key \
--namespace=aic

按如下方式更新 Gateway manifest 文件:

gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: aic
name: apisix
spec:
gatewayClassName: apisix
listeners:
- name: http
protocol: HTTP
port: 80
- name: https
protocol: HTTPS
port: 443
hostname: test.com
tls:
certificateRefs:
- kind: Secret
group: ""
name: test-tls-secret
infrastructure:
parametersRef:
group: apisix.apache.org
kind: GatewayProxy
name: apisix-config
备注

Gateway 监听器中的 port 是必填字段,但实际会被忽略。这是由于数据面的限制:它无法动态打开新端口。由于 Ingress Controller 不管理数据面部署,因此无法自动更新配置或重启数据面来应用端口变更。

将配置应用到集群:

kubectl apply -f gateway.yaml

创建路由

创建一个示例路由,将路径为 /ip 的所有请求转发到上游服务 httpbin.org

httpbin-route.yaml
apiVersion: v1
kind: Service
metadata:
namespace: aic
name: httpbin-external-domain
spec:
type: ExternalName
externalName: httpbin.org
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: quickstart-client-ip
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin-external-domain
port: 80

将配置应用到集群:

kubectl apply -f httpbin-route.yaml

验证

如需验证客户端与网关之间的 HTTPS 连接,先将网关的 SSL 端口转发到本地:

kubectl port-forward svc/<your-gateway-svc-name> 9443:443 &

由于证书仅对 CN test.com 有效,应使用 test.com 作为网关域名。向路由发送请求:

curl -ikv --resolve "test.com:9443:127.0.0.1" "https://test.com:9443/ip"

类似如下的 TLS 握手过程表示客户端与网关之间的 TLS 已启用:

* Added test.com:9443:127.0.0.1 to DNS cache
* Hostname test.com was found in DNS cache
* Trying 127.0.0.1:9443...
* Connected to test.com (127.0.0.1) port 9443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=test.com
* start date: Dec 31 07:47:54 2025 GMT
* expire date: Dec 31 07:47:54 2125 GMT
* issuer: CN=ROOTCA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556274d632e0)
> GET /ip HTTP/2
> Host: test.com:9443
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
...