mirror of
https://gitee.com/iresty/apisix.git
synced 2024-12-15 09:21:26 +08:00
<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->

[Chinese](zh-cn/mtls.md)

## Mutual TLS authentication

### Why use it

Mutual TLS authentication provides a stronger way to prevent unauthorized access to APISIX than a shared key alone.

The client presents its certificate to the server during the TLS handshake, and the server checks whether that certificate is signed by the configured CA before deciding whether to serve the request.

1. Generate self-signed key pairs: a CA, a server key pair and a client key pair.

2. Modify the configuration items in `conf/config.yaml`:

```yaml
port_admin: 9180
https_admin: true

mtls:
  enable: true                                  # Enable or disable mTLS. Enabling depends on `port_admin` and `https_admin`.
  ca_cert: "/data/certs/mtls_ca.crt"            # Path of your self-signed CA cert.
  server_key: "/data/certs/mtls_server.key"     # Path of your self-signed server side key.
  server_cert: "/data/certs/mtls_server.crt"    # Path of your self-signed server side cert.
```

3. Run the following commands:

```shell
apisix init
apisix reload
```

### How clients call it

Replace the following certificate paths and domain name with your real ones.

*Note: the client must use the same CA certificate as the server.*

```shell
curl --cacert /data/certs/mtls_ca.crt --key /data/certs/mtls_client.key --cert /data/certs/mtls_client.crt https://admin.apisix.dev:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'
```
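Step 1 above and the note about using the same CA are easier to follow with a concrete script. The following is an added example, not part of the APISIX docs: it generates the CA, server and client key pairs with `openssl` into a directory of your choice and verifies that a leaf certificate chains to that CA for its intended purpose. The output directory, the `admin.apisix.dev` host name and the certificate subjects are assumptions.

```shell
#!/bin/sh
# Added example, not part of the APISIX docs. Generates the self-signed CA,
# server and client key pairs for admin-API mTLS and checks a certificate
# against the CA. Output directory and host name are assumptions.
set -e

gen_mtls_certs() {
    dir="$1"                      # where to write the files, e.g. /data/certs
    cn="${2:-admin.apisix.dev}"   # host name clients will put in the URL
    mkdir -p "$dir"

    # CA: private key plus a self-signed root certificate. This is the file
    # `ca_cert` in conf/config.yaml points at, and what curl gets via --cacert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=mtls-ca" \
        -keyout "$dir/mtls_ca.key" -out "$dir/mtls_ca.crt" 2>/dev/null

    # Server: key and CSR, signed by the CA. The SAN must match the host
    # name in the URL, otherwise curl rejects the server certificate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/mtls_server.key" -out "$dir/mtls_server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/mtls_server.csr" \
        -CA "$dir/mtls_ca.crt" -CAkey "$dir/mtls_ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/mtls_server.crt" 2>/dev/null

    # Client: key and CSR, signed by the same CA and limited to clientAuth.
    # This is the pair curl presents with --key/--cert.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=apisix-admin-client" \
        -keyout "$dir/mtls_client.key" -out "$dir/mtls_client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/mtls_client.csr" \
        -CA "$dir/mtls_ca.crt" -CAkey "$dir/mtls_ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/mtls_client.crt" 2>/dev/null
}

# Returns 0 only when the certificate ($2) chains to the CA ($1) and is
# usable for the given purpose ($3: sslclient or sslserver). A client cert
# issued by any other CA fails here, just as it fails APISIX's handshake check.
verify_against_ca() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `gen_mtls_certs /data/certs admin.apisix.dev` once, then point `ca_cert`, `server_key` and `server_cert` in `conf/config.yaml` at the generated files; `verify_against_ca /data/certs/mtls_ca.crt /data/certs/mtls_client.crt sslclient` confirms a client certificate before you try the curl call.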