-
Notifications
You must be signed in to change notification settings - Fork 170
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
12 changed files
with
179 additions
and
155 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
SHELL = /usr/bin/env bash -o pipefail | ||
.SHELLFLAGS = -ec | ||
.DEFAULT_GOAL := gateway | ||
MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) | ||
WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH))) | ||
DOCKER ?= $(shell which docker 2> /dev/null || echo "docker") | ||
|
||
gateway: ## run gateway configured to access upstream powered with TLS | ||
$(DOCKER) compose -f docker-compose.yml run --service-ports gateway | ||
|
||
clean: | ||
$(DOCKER) compose down --volumes --remove-orphans | ||
$(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans | ||
|
||
certs: | ||
$(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile | ||
$(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile | ||
$(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# Upstream using TLSv1.3 | ||
|
||
APIcast --> upstream (TLSv1.3) | ||
|
||
APIcast configured with TLSv1.3 powered upstream . TLS termination endpoint is `socat`. | ||
|
||
## Create the SSL Certificates | ||
|
||
```sh | ||
make certs | ||
``` | ||
|
||
## Run the gateway | ||
|
||
Running local `apicast-test` docker image | ||
|
||
```sh | ||
make gateway | ||
``` | ||
|
||
Running custom apicast image | ||
|
||
```sh | ||
make gateway IMAGE_NAME=quay.io/3scale/apicast:latest | ||
``` | ||
|
||
Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service | ||
|
||
``` | ||
docker compose -p upstream-tlsv13 logs -f example.com | ||
``` | ||
|
||
## Testing | ||
|
||
`GET` request | ||
|
||
```sh | ||
curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123" | ||
``` | ||
|
||
`POST` request | ||
|
||
```sh | ||
curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123" | ||
``` | ||
|
||
## Clean env | ||
|
||
```sh | ||
make clean | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
{ | ||
"services": [ | ||
{ | ||
"id": "1", | ||
"backend_version": "1", | ||
"proxy": { | ||
"hosts": ["get.example.com"], | ||
"api_backend": "https://example.com/get", | ||
"backend": { | ||
"endpoint": "http://127.0.0.1:8081", | ||
"host": "backend" | ||
}, | ||
"policy_chain": [ | ||
{ | ||
"name": "apicast.policy.apicast" | ||
} | ||
], | ||
"proxy_rules": [ | ||
{ | ||
"http_method": "GET", | ||
"pattern": "/", | ||
"metric_system_name": "hits", | ||
"delta": 1, | ||
"parameters": [], | ||
"querystring_parameters": {} | ||
} | ||
] | ||
} | ||
}, | ||
{ | ||
"id": "2", | ||
"backend_version": "1", | ||
"proxy": { | ||
"hosts": ["post.example.com"], | ||
"api_backend": "https://example.com/post", | ||
"backend": { | ||
"endpoint": "http://127.0.0.1:8081", | ||
"host": "backend" | ||
}, | ||
"policy_chain": [ | ||
{ | ||
"name": "apicast.policy.apicast" | ||
} | ||
], | ||
"proxy_rules": [ | ||
{ | ||
"http_method": "POST", | ||
"pattern": "/", | ||
"metric_system_name": "hits", | ||
"delta": 1, | ||
"parameters": [], | ||
"querystring_parameters": {} | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
clean: | ||
- rm *.crt *.key *.pem *.csr | ||
|
||
ca: | ||
openssl genrsa -out rootCA.key 2048 | ||
openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem | ||
|
||
clientcerts: | ||
openssl req -subj '/CN=$(DOMAIN)' -newkey rsa:4096 -nodes \ | ||
-sha256 \ | ||
-days 3650 \ | ||
-keyout $(DOMAIN).key \ | ||
-out $(DOMAIN).csr | ||
chmod +r $(DOMAIN).key | ||
openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256 | ||
cat $(DOMAIN).key $(DOMAIN).crt >$(DOMAIN).pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
--- | ||
version: '3.8' | ||
services: | ||
gateway: | ||
image: ${IMAGE_NAME:-apicast-test} | ||
depends_on: | ||
- example.com | ||
- two.upstream | ||
environment: | ||
THREESCALE_CONFIG_FILE: /tmp/config.json | ||
THREESCALE_DEPLOYMENT_ENV: staging | ||
APICAST_CONFIGURATION_LOADER: lazy | ||
APICAST_WORKERS: 1 | ||
APICAST_LOG_LEVEL: debug | ||
APICAST_CONFIGURATION_CACHE: "0" | ||
expose: | ||
- "8080" | ||
- "8090" | ||
ports: | ||
- "8080:8080" | ||
- "8090:8090" | ||
volumes: | ||
- ./apicast-config.json:/tmp/config.json | ||
example.com: | ||
image: alpine/socat:1.7.4.4 | ||
container_name: example.com | ||
command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80" | ||
expose: | ||
- "443" | ||
restart: unless-stopped | ||
volumes: | ||
- ./cert/example.com.pem:/etc/pki/example.com.pem | ||
two.upstream: | ||
image: kennethreitz/httpbin | ||
expose: | ||
- "80" |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.