dev-environment: https-proxy-upstream-tlsv13

Makefile

@@ -23,7 +23,6 @@ DEVEL_DOCKER_COMPOSE_VOLMOUNT_MAC_FILE ?= docker-compose-devel-volmount-mac.yml
 DEVEL_DOCKER_COMPOSE_VOLMOUNT_DEFAULT_FILE ?= docker-compose-devel-volmount-default.yml
 
 PROVE_DOCKER_COMPOSE_FILE ?= docker-compose.prove.yml
-FORWARD_PROXY_DOCKER_COMPOSE_FILE ?= docker-compose.forward-proxy.yml
 
 DOCKER_VOLUME_NAME ?= apicast-local-volume
 
@@ -172,10 +171,6 @@ opentelemetry-gateway: ## run gateway instrumented with opentelemetry
 opentracing-gateway: ## run gateway instrumented with opentracing
 	$(DOCKER) compose run opentracing-instrumented-gateway
 
-# Environment described in ./examples/forward-proxy
-forward-proxy-gateway: ## run gateway configured to run along with a forward proxy
-	$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) run gateway
-
 test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE)
 test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter.
 	$(DOCKER) compose --version
@@ -242,7 +237,6 @@ clean-containers:
 	$(DOCKER) compose down --volumes --remove-orphans
 	$(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
 	$(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans
-	$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
 
 clean-deps: ## Remove all local dependency folders
 	- rm -rf $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache :

dev-environments/https-proxy-upstream-tlsv1.3/Makefile

@@ -0,0 +1,18 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+	$(DOCKER) compose down --volumes --remove-orphans
+	$(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+
+certs:
+	$(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+	$(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+	$(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com

dev-environments/https-proxy-upstream-tlsv1.3/README.md

@@ -0,0 +1,59 @@
+# PROXY with upstream using TLSv1.3
+
+APIcast --> tiny proxy (connect to 443 but no cert installed) --> upstream (TLSv1.3)
+
+APIcast configured with TLSv1.3 powered upstream through a proxy. TLS termination endpoint is `socat`.
+
+APicast starts SSL tunnel (via HTTP CONNECT method) against proxy to access upstream configured with TLSv1.3
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p https-proxy-upstream-tlsv13 logs -f example.com
+```
+
+Proxy can be inspected looking at logs from `proxy` service
+
+```
+docker compose -p https-proxy-upstream-tlsv13 logs -f proxy
+```
+
+## Testing
+
+`GET` request
+
+```sh
+curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"
+```
+
+`POST` request
+
+```sh
+curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```

dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json

@@ -0,0 +1,70 @@
+{
+  "services": [
+    {
+      "id": "1",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["get.example.com"],
+        "api_backend": "https://example.com/get",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.http_proxy",
+            "configuration": {
+              "https_proxy": "http://proxy:443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    },
+    {
+      "id": "2",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["post.example.com"],
+        "api_backend": "https://example.com/post",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.http_proxy",
+            "configuration": {
+              "https_proxy": "http://proxy:443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "POST",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    }
+  ]
+}

dev-environments/https-proxy-upstream-tlsv1.3/cert/Makefile

@@ -0,0 +1,16 @@
+clean:
+	- rm *.crt *.key *.pem *.csr
+
+ca:
+	openssl genrsa -out rootCA.key 2048
+	openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+clientcerts:
+	openssl req -subj '/CN=$(DOMAIN)'  -newkey rsa:4096 -nodes \
+			-sha256 \
+			-days 3650 \
+			-keyout $(DOMAIN).key \
+			-out $(DOMAIN).csr
+	chmod +r $(DOMAIN).key
+	openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+	cat $(DOMAIN).key $(DOMAIN).crt >$(DOMAIN).pem

dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml

@@ -0,0 +1,45 @@
+---
+version: '3.8'
+services:
+  gateway:
+    image: ${IMAGE_NAME:-apicast-test}
+    depends_on:
+    - proxy
+    - example.com
+    - two.upstream
+    environment:
+      THREESCALE_CONFIG_FILE: /tmp/config.json
+      THREESCALE_DEPLOYMENT_ENV: staging
+      APICAST_CONFIGURATION_LOADER: lazy
+      APICAST_WORKERS: 1
+      APICAST_LOG_LEVEL: debug
+      APICAST_CONFIGURATION_CACHE: "0"
+    expose:
+      - "8080"
+      - "8090"
+    ports:
+      - "8080:8080"
+      - "8090:8090"
+    volumes:
+      - ./apicast-config.json:/tmp/config.json
+  proxy:
+    build:
+      dockerfile: ./tinyproxy.Dockerfile
+    expose:
+      - "3128:3128"
+      - "443:443"
+    volumes:
+      - ./tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf
+  example.com:
+    image: alpine/socat:1.7.4.4
+    container_name: example.com
+    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+    expose:
+      - "443"
+    restart: unless-stopped
+    volumes:
+      - ./cert/example.com.pem:/etc/pki/example.com.pem
+  two.upstream:
+    image: kennethreitz/httpbin
+    expose:
+      - "80"

dev-environments/upstream-tlsv1.3/README.md

@@ -24,7 +24,7 @@ Running custom apicast image
 make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
 ```
 
-Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+Traffic between the gateway and upstream can be inspected looking at logs from `example.com` service
 
 ```
 docker compose -p upstream-tlsv13 logs -f example.com