mirror of
https://gitee.com/iresty/apisix.git
synced 2024-12-14 17:01:20 +08:00
61 lines
2.0 KiB
Markdown
61 lines
2.0 KiB
Markdown
|
<!--
|
||
|
#
|
||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||
|
# contributor license agreements. See the NOTICE file distributed with
|
||
|
# this work for additional information regarding copyright ownership.
|
||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||
|
# (the "License"); you may not use this file except in compliance with
|
||
|
# the License. You may obtain a copy of the License at
|
||
|
#
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
# See the License for the specific language governing permissions and
|
||
|
# limitations under the License.
|
||
|
#
|
||
|
-->
|
||
|
|
||
|
[English](../mtls.md)
|
||
|
|
||
|
## 双向认证
|
||
|
|
||
|
### 为什么使用
|
||
|
|
||
|
双向认证可以更好的防止未经授权访问 APISIX ,客户端将向服务器提供其证书,服务器将检查证书是否由提供的 CA 签名并决定是否响应请求。
|
||
|
|
||
|
### 如何开启
|
||
|
|
||
|
1. 生成自签证书对,包括 ca、server、client 证书对。
|
||
|
|
||
|
2. 修改 `conf/config.yaml` 中的配置项:
|
||
|
|
||
|
```yaml
|
||
|
port_admin: 9180
|
||
|
https_admin: true
|
||
|
|
||
|
mtls:
|
||
|
enable: true # Enable or disable mTLS. Enable depends on `port_admin` and `https_admin`.
|
||
|
ca_cert: "/data/certs/mtls_ca.crt" # Path of your self-signed CA cert.
|
||
|
server_key: "/data/certs/mtls_server.key" # Path of your self-signed server side cert.
|
||
|
server_cert: "/data/certs/mtls_server.crt" # Path of your self-signed server side key.
|
||
|
```
|
||
|
|
||
|
3. 执行命令:
|
||
|
|
||
|
```shell
|
||
|
apisix init
|
||
|
apisix reload
|
||
|
```
|
||
|
|
||
|
### 客户端如何调用
|
||
|
|
||
|
请将以下证书及域名替换为您的真实内容。
|
||
|
|
||
|
* 注意:需要和服务器使用相同的 CA 证书 *
|
||
|
|
||
|
```shell
|
||
|
curl --cacert /data/certs/mtls_ca.crt --key /data/certs/mtls_client.key --cert /data/certs/mtls_client.crt https://admin.apisix.dev:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'
|
||
|
```
|