From bb0687b9643ce560226941ce9e5d91375e7d90a3 Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Sat, 21 Oct 2023 11:47:56 +0200 Subject: [PATCH] dev-environment: upstream-tlsv1.3 --- Makefile | 6 -- dev-environments/upstream-tlsv1.3/Makefile | 18 ++++++ dev-environments/upstream-tlsv1.3/README.md | 51 ++++++++++++++++ .../upstream-tlsv1.3/apicast-config.json | 58 +++++++++++++++++++ .../upstream-tlsv1.3/cert/Makefile | 16 +++++ .../upstream-tlsv1.3/docker-compose.yml | 36 ++++++++++++ docker-compose.upstream-tls.yml | 30 ---------- examples/tlsv1.3-upstream/README.md | 11 ---- examples/tlsv1.3-upstream/apicast-config.json | 30 ---------- examples/tlsv1.3-upstream/proxy-nginx.conf | 27 --------- .../upstream-cert/one.upstream.crt | 23 -------- .../upstream-cert/one.upstream.key | 28 --------- 12 files changed, 179 insertions(+), 155 deletions(-) create mode 100644 dev-environments/upstream-tlsv1.3/Makefile create mode 100644 dev-environments/upstream-tlsv1.3/README.md create mode 100644 dev-environments/upstream-tlsv1.3/apicast-config.json create mode 100644 dev-environments/upstream-tlsv1.3/cert/Makefile create mode 100644 dev-environments/upstream-tlsv1.3/docker-compose.yml delete mode 100644 docker-compose.upstream-tls.yml delete mode 100644 examples/tlsv1.3-upstream/README.md delete mode 100644 examples/tlsv1.3-upstream/apicast-config.json delete mode 100644 examples/tlsv1.3-upstream/proxy-nginx.conf delete mode 100644 examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt delete mode 100644 examples/tlsv1.3-upstream/upstream-cert/one.upstream.key diff --git a/Makefile b/Makefile index c9c265549..0edb1a97a 100644 --- a/Makefile +++ b/Makefile 
@@ -24,7 +24,6 @@ DEVEL_DOCKER_COMPOSE_VOLMOUNT_DEFAULT_FILE ?= docker-compose-devel-volmount-defa PROVE_DOCKER_COMPOSE_FILE ?= docker-compose.prove.yml FORWARD_PROXY_DOCKER_COMPOSE_FILE ?= docker-compose.forward-proxy.yml -UPSTREAM_TLS_DOCKER_COMPOSE_FILE ?= docker-compose.upstream-tls.yml DOCKER_VOLUME_NAME ?= apicast-local-volume @@ -177,10 +176,6 @@ opentracing-gateway: ## run gateway instrumented with opentracing forward-proxy-gateway: ## run gateway configured to run along with a forward proxy $(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) run gateway -# Environment described in ./examples/tlsv1.3-upstream -upstream-tls-gateway: ## run gateway configured to access upstream powered with TLS - $(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) run gateway - test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE) test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter. $(DOCKER) compose --version @@ -248,7 +243,6 @@ clean-containers: $(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans $(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans $(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans - $(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans clean-deps: ## Remove all local dependency folders - rm -rf $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache : diff --git a/dev-environments/upstream-tlsv1.3/Makefile b/dev-environments/upstream-tlsv1.3/Makefile new file mode 100644 index 000000000..fe6780662 --- /dev/null +++ b/dev-environments/upstream-tlsv1.3/Makefile 
@@ -0,0 +1,18 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+ $(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+ $(DOCKER) compose down --volumes --remove-orphans
+ $(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+
+certs:
+ $(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+ $(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+ $(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com
diff --git a/dev-environments/upstream-tlsv1.3/README.md b/dev-environments/upstream-tlsv1.3/README.md
new file mode 100644
index 000000000..7672d261c
--- /dev/null
+++ b/dev-environments/upstream-tlsv1.3/README.md
@@ -0,0 +1,51 @@
+# Upstream using TLSv1.3
+
+APIcast --> upstream (TLSv1.3)
+
+APIcast configured with TLSv1.3 powered upstream . TLS termination endpoint is `socat`.
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p upstream-tlsv13 logs -f example.com
+```
+
+## Testing
+
+`GET` request
+
+```sh
+curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"
+```
+
+`POST` request
+
+```sh
+curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```
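Review bot: `gateway`, `clean` and `certs` are command targets rather than files, but the new Makefile never declares them phony, so a stray file named `certs` or `clean` in this directory would silently turn the target into a no-op; add `.PHONY: gateway clean certs` next to `.DEFAULT_GOAL`. `gateway` also has no dependency on the certificate it bind-mounts, so running it before `make certs` makes `docker compose` create an empty `./cert/example.com.pem` directory on the host and socat fails later with an unrelated error; a guard such as `test -f $(WORKDIR)/cert/example.com.pem || $(MAKE) certs` as the first recipe line keeps the README's one-command flow working. The two `down` invocations in `clean` appear to address the same default compose file, so one of them looks redundant.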
diff --git a/dev-environments/upstream-tlsv1.3/apicast-config.json b/dev-environments/upstream-tlsv1.3/apicast-config.json
new file mode 100644
index 000000000..f6f2c5923
--- /dev/null
+++ b/dev-environments/upstream-tlsv1.3/apicast-config.json
@@ -0,0 +1,58 @@
+{
+ "services": [
+ {
+ "id": "1",
+ "backend_version": "1",
+ "proxy": {
+ "hosts": ["get.example.com"],
+ "api_backend": "https://example.com/get",
+ "backend": {
+ "endpoint": "http://127.0.0.1:8081",
+ "host": "backend"
+ },
+ "policy_chain": [
+ {
+ "name": "apicast.policy.apicast"
+ }
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "GET",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1,
+ "parameters": [],
+ "querystring_parameters": {}
+ }
+ ]
+ }
+ },
+ {
+ "id": "2",
+ "backend_version": "1",
+ "proxy": {
+ "hosts": ["post.example.com"],
+ "api_backend": "https://example.com/post",
+ "backend": {
+ "endpoint": "http://127.0.0.1:8081",
+ "host": "backend"
+ },
+ "policy_chain": [
+ {
+ "name": "apicast.policy.apicast"
+ }
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "POST",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1,
+ "parameters": [],
+ "querystring_parameters": {}
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/dev-environments/upstream-tlsv1.3/cert/Makefile b/dev-environments/upstream-tlsv1.3/cert/Makefile
new file mode 100644
index 000000000..e9efe9b61
--- /dev/null
+++ b/dev-environments/upstream-tlsv1.3/cert/Makefile
@@ -0,0 +1,16 @@
+clean:
+ - rm *.crt *.key *.pem *.csr
+
+ca:
+ openssl genrsa -out rootCA.key 2048
+ openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+clientcerts:
+ openssl req -subj '/CN=$(DOMAIN)' -newkey rsa:4096 -nodes \
+ -sha256 \
+ -days 3650 \
+ -keyout $(DOMAIN).key \
+ -out $(DOMAIN).csr
+ chmod +r $(DOMAIN).key
+ openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+ cat $(DOMAIN).key $(DOMAIN).crt >$(DOMAIN).pem
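Review bot: `clean` in the cert Makefile does not remove `rootCA.srl`, which `-CAcreateserial` on the `openssl x509` line writes, and nothing in the patch ignores the generated `*.key`, `*.pem`, `*.csr` and `*.srl` files in `cert/`; given that this same patch is deleting a private key (`one.upstream.key`) that was committed earlier and remains in git history, the directory should get a `.gitignore` for those patterns and the recipe should become `- rm -f *.crt *.key *.pem *.csr *.srl`. `clientcerts` actually issues the server certificate that socat presents, and the leaf carries only a CN with no `subjectAltName`; if upstream verification is ever switched on in this environment that certificate will be rejected by stacks that require a SAN, so issue it with `-addext 'subjectAltName=DNS:$(DOMAIN)'` on the `req` line and `-copy_extensions copy` on the `x509` line (OpenSSL 3; older versions need `-extfile`), and consider renaming the target to `servercert`. `chmod +r` makes the private key world-readable, which is tolerable for a throwaway dev CA but deserves a comment such as `# dev-only: the container user must be able to read the mounted key`. The `-days 3650` on the CSR has no effect, since validity is set when the certificate is signed.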
diff --git a/dev-environments/upstream-tlsv1.3/docker-compose.yml b/dev-environments/upstream-tlsv1.3/docker-compose.yml
new file mode 100644
index 000000000..33061e8a8
--- /dev/null
+++ b/dev-environments/upstream-tlsv1.3/docker-compose.yml
@@ -0,0 +1,36 @@
+---
+version: '3.8'
+services:
+ gateway:
+ image: ${IMAGE_NAME:-apicast-test}
+ depends_on:
+ - example.com
+ - two.upstream
+ environment:
+ THREESCALE_CONFIG_FILE: /tmp/config.json
+ THREESCALE_DEPLOYMENT_ENV: staging
+ APICAST_CONFIGURATION_LOADER: lazy
+ APICAST_WORKERS: 1
+ APICAST_LOG_LEVEL: debug
+ APICAST_CONFIGURATION_CACHE: "0"
+ expose:
+ - "8080"
+ - "8090"
+ ports:
+ - "8080:8080"
+ - "8090:8090"
+ volumes:
+ - ./apicast-config.json:/tmp/config.json
+ example.com:
+ image: alpine/socat:1.7.4.4
+ container_name: example.com
+ command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+ expose:
+ - "443"
+ restart: unless-stopped
+ volumes:
+ - ./cert/example.com.pem:/etc/pki/example.com.pem
+ two.upstream:
+ image: kennethreitz/httpbin
+ expose:
+ - "80"
diff --git a/docker-compose.upstream-tls.yml b/docker-compose.upstream-tls.yml
deleted file mode 100644
index 94fe05f93..000000000
--- a/docker-compose.upstream-tls.yml
+++ /dev/null
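Review bot: The `ports` entries on the gateway service publish 8080 and 8090 on every host interface, while the README's curl examples only ever reach the gateway via `127.0.0.1`; with `APICAST_LOG_LEVEL: debug` and port 8090 (presumably the management API) exposed, this dev stack is reachable from the local network the moment `make gateway` runs. Binding to loopback, `- "127.0.0.1:8080:8080"` and `- "127.0.0.1:8090:8090"`, keeps the documented workflow intact. `verify=0` on the socat listener only disables client-certificate verification, which is correct here because APIcast presents none, but a one-line comment above `command:` saying so would stop readers from taking it as "TLS verification is off". `container_name: example.com` is not needed for name resolution on the compose network and prevents two copies of this environment from coexisting, so it could be dropped.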
@@ -1,30 +0,0 @@
----
-version: '3.8'
-services:
- gateway:
- image: ${IMAGE_NAME:-apicast-test}
- depends_on:
- - one.upstream
- environment:
- THREESCALE_CONFIG_FILE: /tmp/config.json
- THREESCALE_DEPLOYMENT_ENV: staging
- APICAST_CONFIGURATION_LOADER: lazy
- APICAST_WORKERS: 1
- APICAST_LOG_LEVEL: debug
- APICAST_CONFIGURATION_CACHE: "0"
- expose:
- "8080"
- "8090"
- ports:
- "8080:8080"
- "8090:8090"
- volumes:
- ./examples/tlsv1.3-upstream/apicast-config.json:/tmp/config.json
- one.upstream:
- image: nginx:1.23.4
- expose:
- "443"
- volumes:
- ./examples/tlsv1.3-upstream/proxy-nginx.conf:/etc/nginx/nginx.conf
- ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.key:/etc/pki/tls.key
- ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt:/etc/pki/tls.crt
diff --git a/examples/tlsv1.3-upstream/README.md b/examples/tlsv1.3-upstream/README.md
deleted file mode 100644
index f172e083c..000000000
--- a/examples/tlsv1.3-upstream/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# upstream using TLSv1.3
-
-APIcast --> upstream (TLSv1.3)
-
-APicast configured to access TLSv1.3 powered upstream
-
-```
-curl -v -H "Host: one" http://${APICAST_IP}:8080/?user_key=foo
-```
-
-NOTE: using `one.upstream` as upstream hostname becase when APIcast resolves `upstream` it returns `0.0.0.1`
diff --git a/examples/tlsv1.3-upstream/apicast-config.json b/examples/tlsv1.3-upstream/apicast-config.json
deleted file mode 100644
index 5fef0316d..000000000
--- a/examples/tlsv1.3-upstream/apicast-config.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "services": [
- {
- "backend_version": "1",
- "proxy": {
- "hosts": ["one"],
- "api_backend": "https://one.upstream:443/",
- "backend": {
- "endpoint": "http://127.0.0.1:8081",
- "host": "backend"
- },
- "policy_chain": [
- {
- "name": "apicast.policy.apicast"
- }
- ],
- "proxy_rules": [
- {
- "http_method": "GET",
- "pattern": "/",
- "metric_system_name": "hits",
- "delta": 1,
- "parameters": [],
- "querystring_parameters": {}
- }
- ]
- }
- }
- ]
-}
diff --git a/examples/tlsv1.3-upstream/proxy-nginx.conf b/examples/tlsv1.3-upstream/proxy-nginx.conf
deleted file mode 100644
index 9a91348f3..000000000
--- a/examples/tlsv1.3-upstream/proxy-nginx.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-worker_processes auto;
-
-error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
-
-events { worker_connections 1024; }
-
-http {
- server {
- listen 443 ssl;
-
- server_name one.upstream;
-
- resolver 8.8.8.8;
-
- access_log /dev/stdout;
- error_log /dev/stdout info;
-
- ssl_certificate /etc/pki/tls.crt;
- ssl_certificate_key /etc/pki/tls.key;
- ssl_protocols TLSv1.3;
-
- location ~ ^/(.*)$ {
- proxy_pass https://postman-echo.com/get/$1$is_args$args;
- }
- }
-}
diff --git a/examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt b/examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt
deleted file mode 100644
index 77b4f39ff..000000000
--- a/examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt
+++ /dev/null
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID5TCCAs2gAwIBAgIUEW7oIi1pFN2GT/MXNPt0YfRmJBowDQYJKoZIhvcNAQEL -BQAwgYExCzAJBgNVBAYTAkVTMRIwEAYDVQQIDAlCYXJjZWxvbmExEjAQBgNVBAcM -CUJhcmNlbG9uYTEhMB8GA1UECgwYUmVkSGF0LTNzY2FsZS1EZXZ0ZXN0aW5nMRAw -DgYDVQQLDAdBUEljYXN0MRUwEwYDVQQDDAxvbmUudXBzdHJlYW0wHhcNMjMwMzMx -MDk0NjU0WhcNMzMwMzI4MDk0NjU0WjCBgTELMAkGA1UEBhMCRVMxEjAQBgNVBAgM -CUJhcmNlbG9uYTESMBAGA1UEBwwJQmFyY2Vsb25hMSEwHwYDVQQKDBhSZWRIYXQt -M3NjYWxlLURldnRlc3RpbmcxEDAOBgNVBAsMB0FQSWNhc3QxFTATBgNVBAMMDG9u -ZS51cHN0cmVhbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWwMSy2 -Bh0fBUqHPMr3Twh29rtKTTd5V4dRHf+DAuSSS68ypMV7/SV+uMs2MXYgFTbew0sy -LfXdioMSOCHVDQqFsItKdN3SEnUhdIusWynkUID0hBW2orrkOyUW7kktL7sh5jWO -MdpB6/SyrH2j+wy2sONjEGMpFY/hJ6AaTFjhmPM8SgbzwpSAORJKVvzyCQ/Cfjt5 -cmACY6X0zijhctg6+GOYo1hQDMhU2sN4cm2fgKah+WJgQMgyZ9OwZInfOrF0guem -IOkh2jUA0N/r+m0niPaiexd0L6zhxqCMjuylRbj1ObP8gpqqWiofUcr+OrP5x4n7 -nIYgWcB3iQqUHOsCAwEAAaNTMFEwHQYDVR0OBBYEFMjravcu5CLPgA/gFdNg5cI2 -g1/zMB8GA1UdIwQYMBaAFMjravcu5CLPgA/gFdNg5cI2g1/zMA8GA1UdEwEB/wQF -MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMAOl0v4fcW8EHpCUWLeidbnc4+B+94H -5kIpa8YEETeVmVD/ZYFuEf6QgWGBydLTR0HQ/nlF+HWD+guf2n1tP5p9kJKad8nL -Kf/rurWCe8C1F+YcRkWtNZZ/IcOBmm67LoyVM1ZbrTbMcLcOPZXI/KlfIf4m1zrG -LC9QYxoZ3yjk8JKUOxHkSfyKEFhPtOMZPwI4nw7CjvjzALOYPHAGGqDdQvRC29ui -EL008p658bZlwPCD+1BDXaw2BhhN3tgbExk7RJTsEe9MEsIGpsbrNhVdho7nrq8L -QpxZc1dbljzN3NnrEy+XlPswK3gFzgcYbQTy/MdpWI8amDkWCXfu9hI= ------END CERTIFICATE----- diff --git a/examples/tlsv1.3-upstream/upstream-cert/one.upstream.key b/examples/tlsv1.3-upstream/upstream-cert/one.upstream.key deleted file mode 100644 index b5aa599f6..000000000 --- a/examples/tlsv1.3-upstream/upstream-cert/one.upstream.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFsDEstgYdHwVK -hzzK908Idva7Sk03eVeHUR3/gwLkkkuvMqTFe/0lfrjLNjF2IBU23sNLMi313YqD -Ejgh1Q0KhbCLSnTd0hJ1IXSLrFsp5FCA9IQVtqK65DslFu5JLS+7IeY1jjHaQev0 -sqx9o/sMtrDjYxBjKRWP4SegGkxY4ZjzPEoG88KUgDkSSlb88gkPwn47eXJgAmOl -9M4o4XLYOvhjmKNYUAzIVNrDeHJtn4CmofliYEDIMmfTsGSJ3zqxdILnpiDpIdo1 -ANDf6/ptJ4j2onsXdC+s4cagjI7spUW49Tmz/IKaqloqH1HK/jqz+ceJ+5yGIFnA -d4kKlBzrAgMBAAECggEAOWG2NGM1jRhnAcYViFiW0T8uyRh9J2AKXxXVnkgZ+9zX -KSiLGWOvDEYnP50gaEhRwBaTG22aV6aRwQ/1ySQ9X9OEdjoLiCOlBejLGovR/mvu -TjArct4LiDIdVNu+GPGLzEa/usXmhJLj+agvV1zUz1DsMWSc6huPza6uQNPBW37F -DMgpm9ZTV1CF8KCGuIi4hwf3ECWMIHkFOUEKY8GMFB3oos6tLi7s4UA1DEcs6sRA -hb/NPhaOUTrrcLWyIgG66PKeNyWrnraG10nMwY1SVJg2hjael5FS5W0lw1Znihwx -8UzlSrCNNjST08TG91d/t/jF8isJEuNqDTQ74MhQ+QKBgQDLDgDeI6gOdq0MgiJv -sfdr3mLrgjeOrfngnXCatV8HN18K0YvGJz6LefQwuBrInJ5SW9ZVzijT6QU3nP8e -xAjIHUYgj0KBUR/0MkqRvbUDYG+g0Ro9J8ECOj0kVkvcplQGMuPfpUepKDnKJRIl -QHy01eWNWwtvoBtuOS29AByRzQKBgQD5O/nB7zhIO8GHK3KrB6VLF7eHho4fNCoN -QB5p/yvPlLh/fititFEhfLXRj+6ArY45UFJ0i/8q/L09n0gQlGkYCrTxRBVfLnj5 -umkAJffg3AyUQszSzKvkDfe+h9TdK4AXtcbDUDSn1ThFFZUcVjRKRZYvuk2eyhod -wbCEJrmRlwKBgQC5kI6Sc5t9vE7hA3xc/xLR7WYRO+tx5ORatQbXG7FAcwXUaTOH -Xw31gPn8HAO+GgNF2M/DkqgVIPq3nC45+4Ta/IW9864fZ/f/voYPMoNeFp9tJCsK -gG4OjxKZRpQFjat0DsXY+L7IhA5sAfzXNlvBF0i1KeMFnBf1XyPBeXyicQKBgA2+ -bvFw3auuD+gCT1p7G3RepHJGy0ORPthoNsUlmybhTqNJM99HjknIdMZPp5lU+MjU -Uxe2OKYINe9V/0VaycjXnk7HsF4FVAqBaxTlAxxVRiRO4rilLL1wv760AtsHcRLd -pU5T9/NhYK7+l7BuWIfX+oY7QdiF0JbffXpsIEOVAoGAEs6WOWr1Lu0B3hEV6bn/ -6STJc6Y3ZZo12OaebBfOquc13jcMh7CW39E2IhEb99ktE4vPFPpYWz0hdsENDP1/ -SSi6bzC2ZR9pI/1AB5UwMoh5bnL89LSkV1VjWw5J6yBW+qgS23EE/vrEkM+URFPX -jcY8wdR/FxhutjRfutgIiRQ= ------END PRIVATE KEY-----