配置客户端与网关之间的 HTTPS
本文介绍如何通过 Ingress Controller 配置网关接收来自客户端的 HTTPS 请求。
前提条件
在网关上启用 SSL
确保你的网关已启用 SSL。
- APISIX 网关
- API7 网关
helm upgrade apisix apisix/apisix \
--set ... \ # add other parameters
--set "apisix.ssl.enabled=true" \
--set "apisix.ssl.containerPort=9443"
默认情况下,API7 网关已在 container port 9443 和 service port 443 上启用 SSL,因此此步骤无需额外配置。
生成证书和密钥
生成证书颁发机构(CA)的密钥和证书:
openssl genrsa -out ca.key 2048 && \
openssl req -new -sha256 -key ca.key -out ca.csr -subj "/CN=ROOTCA" && \
openssl x509 -req -days 36500 -sha256 -extensions v3_ca -signkey ca.key -in ca.csr -out ca.crt
为网关生成通用名称为 test.com 的密钥和证书,并使用 CA 证书进行签名:
openssl genrsa -out server.key 2048 && \
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=test.com" && \
openssl x509 -req -days 36500 -sha256 -extensions v3_req \
-CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial \
-in server.csr -out server.crt
配置下游 HTTPS
创建 Kubernetes TLS Secret:
kubectl create secret tls test-tls-secret \
--cert=server.crt \
--key=server.key \
--namespace=aic
- Gateway API
- APISIX CRD
按如下方式更 新 Gateway manifest 文件:
gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: aic
name: apisix
spec:
gatewayClassName: apisix
listeners:
- name: http
protocol: HTTP
port: 80
- name: https
protocol: HTTPS
port: 443
hostname: test.com
tls:
certificateRefs:
- kind: Secret
group: ""
name: test-tls-secret
infrastructure:
parametersRef:
group: apisix.apache.org
kind: GatewayProxy
name: apisix-config
备注
Gateway 监听器中的 port 是必填字段,但实际会被忽略。这是由于数据面的限制:它无法动态打开新端口。由于 Ingress Controller 不管理数据面部署,因此无法自动更新配置或重启数据面来应用端口变更。
将配置应用到集群:
kubectl apply -f gateway.yaml
创建 Kubernetes manifest 文件,定义 TLS 配置:
tls.yaml
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
namespace: aic
name: test-tls
spec:
ingressClassName: apisix
hosts:
- test.com
secret:
name: test-tls-secret
namespace: aic
将配置应用到集群:
kubectl apply -f tls.yaml
创建路由
创建一个示例路由,将路径为 /ip 的所有请求转发到上游服务 httpbin.org:
- Gateway API
- APISIX CRD
httpbin-route.yaml
apiVersion: v1
kind: Service
metadata:
namespace: aic
name: httpbin-external-domain
spec:
type: ExternalName
externalName: httpbin.org
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: aic
name: quickstart-client-ip
spec:
parentRefs:
- name: apisix
rules:
- matches:
- path:
type: Exact
value: /ip
backendRefs:
- name: httpbin-external-domain
port: 80
httpbin-route.yaml
apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
namespace: aic
name: httpbin-external-domain
spec:
ingressClassName: apisix
externalNodes:
- type: Domain
name: httpbin.org
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
namespace: aic
name: quickstart-client-ip
spec:
ingressClassName: apisix
http:
- name: quickstart-client-ip
match:
paths:
- /ip
upstreams:
- name: httpbin-external-domain
将配置应用到集群:
kubectl apply -f httpbin-route.yaml
验证
如需验证客户端与网关之间的 HTTPS 连接,先将网关的 SSL 端口转发到本地:
kubectl port-forward svc/<your-gateway-svc-name> 9443:443 &
由于证书仅对 CN test.com 有效,应 使用 test.com 作为网关域名。向路由发送请求:
curl -ikv --resolve "test.com:9443:127.0.0.1" "https://test.com:9443/ip"
类似如下的 TLS 握手过程表示客户端与网关之间的 TLS 已启用:
* Added test.com:9443:127.0.0.1 to DNS cache
* Hostname test.com was found in DNS cache
* Trying 127.0.0.1:9443...
* Connected to test.com (127.0.0.1) port 9443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=test.com
* start date: Dec 31 07:47:54 2025 GMT
* expire date: Dec 31 07:47:54 2125 GMT
* issuer: CN=ROOTCA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556274d632e0)
> GET /ip HTTP/2
> Host: test.com:9443
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
...