This PoC demonstrates the issue of client certificates not being provided by APISIX when issuing a mTLS request from a Lua plugin using resty.http.
To make this PoC fully self contained the server used for testing is a separate Nginx server running inside the APISIX config. This server is bound to a unix domain socket.
In practice this issue manifests itself not only using unix domain sockets but also when listening to a ip address using both internal and external servers.
APISIX containing your custom configuration and plugin are run using the APISIX Docker container. While perfectly possible to use the Docker CLI to run APISIX a Makefile is created for convenience.
The Makefile contains the following commands:
- dev-startup -> creates and start the docker container with the appropriate volume mounts
- dev-start -> starts an existing container
- dev-stop -> stops the container
- dev-rm -> removes the container
- dev-reload -> issues the
apisix reloadcommand inside the container
When the container is started a container with the name of apache-apisix-standalone-test is run.
To run the container initially:
make dev-startupstopping and starting a previously started container:
make dev-stop #stops the container
make dev-start #starts a previously stopped containerThe provided key material is located in the certs directory and has been generated as follows:
generate CA private key:
openssl genrsa -des3 -out myCA.key 2048 #passphrase: testgenerate CA root certificate:
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pemgenerate server private key:
openssl genrsa -out test.server.key 2048generate server CSR:
openssl req -new -key test.server.key -out test.server.csrsign server CSR:
openssl x509 -req -in test.server.csr -CA myCA.pem -CAkey myCA.key \
-CAcreateserial -out test.server.crt -days 825 -sha256generate client private key:
openssl genrsa -out test.client.key 2048generate client CSR:
openssl req -new -key test.client.key -out test.client.csrsign client CSR:
openssl x509 -req -in test.client.csr -CA myCA.pem -CAkey myCA.key \
-CAcreateserial -out test.client.crt -days 825 -sha256This repository acts as a template for developing custom plugins for APISIX. It used the APISIX docker container to test and run the plugins locally so no local install of APISIX is needed.
In order to use this template click Use this template and create your own repository based on this template.
The template runs APISIX in standalone mode, so no ETCD is needed. There are three subdirectories of this template:
- conf
- openresty
- src
The conf directory contains the configuration files for APISIX to run and configure in standalone mode. The template offers a minimal configuration to get you up and running.
The src directory contains the source code for the custom plugin. Here you can place your lua files and subdirecties for developing your custom plugin. For more information regarding the development of a custom APISIX plugin see the official docs: https://apisix.apache.org/docs/apisix/plugin-develop/
the openresty directory contains the similar setup using vanilla Openresty instead of APISIX.
The directories mentioned above are mounted in the container as follows: conf/config.yaml -> /usr/local/apisix/conf/config.yaml conf/apisix.yaml -> /usr/local/apisix/conf/apisix.yaml logs/ -> /usr/local/apisix/logs src/ -> /usr/local/apisix/custom-plugins