mirror of
https://gitee.com/iresty/apisix.git
synced 2024-12-15 17:31:45 +08:00
8578fe032e
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
137 lines
3.9 KiB
Markdown
137 lines
3.9 KiB
Markdown
---
|
|
title: Stream Proxy
|
|
---
|
|
|
|
<!--
|
|
#
|
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
|
# contributor license agreements. See the NOTICE file distributed with
|
|
# this work for additional information regarding copyright ownership.
|
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
|
# (the "License"); you may not use this file except in compliance with
|
|
# the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
-->
|
|
|
|
TCP is the protocol for many popular applications and services, such as LDAP, MySQL, and RTMP. UDP (User Datagram Protocol) is the protocol for many popular non-transactional applications, such as DNS, syslog, and RADIUS.
|
|
|
|
APISIX can dynamically load balancing TCP/UDP proxy. In Nginx world, we call TCP/UDP proxy to stream proxy, we followed this statement.
|
|
|
|
## How to enable stream proxy?
|
|
|
|
Setting the `stream_proxy` option in `conf/config.yaml`, specify a list of addresses that require dynamic proxy.
|
|
By default, no stream proxy is enabled.
|
|
|
|
```yaml
|
|
apisix:
|
|
stream_proxy: # TCP/UDP proxy
|
|
tcp: # TCP proxy address list
|
|
- 9100
|
|
- "127.0.0.1:9101"
|
|
udp: # UDP proxy address list
|
|
- 9200
|
|
- "127.0.0.1:9211"
|
|
```
|
|
|
|
## How to set route?
|
|
|
|
Here is a mini example:
|
|
|
|
```shell
|
|
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
|
|
{
|
|
"remote_addr": "127.0.0.1",
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1995": 1
|
|
},
|
|
"type": "roundrobin"
|
|
}
|
|
}'
|
|
```
|
|
|
|
It means APISIX will proxy the request to `127.0.0.1:1995` which the client remote address is `127.0.0.1`.
|
|
|
|
For more use cases, please take a look at [test case](https://github.com/apache/apisix/blob/master/t/stream-node/sanity.t).
|
|
|
|
## More route match options
|
|
|
|
And we can add more options to match a route.
|
|
|
|
Here is an example:
|
|
|
|
```shell
|
|
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
|
|
{
|
|
"server_addr": "127.0.0.1",
|
|
"server_port": 2000,
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1995": 1
|
|
},
|
|
"type": "roundrobin"
|
|
}
|
|
}'
|
|
```
|
|
|
|
It means APISIX will proxy the request to `127.0.0.1:1995` which the server address is `127.0.0.1` and the server port is equal to `2000`.
|
|
|
|
Read [Admin API's Stream Route section](./admin-api.md#stream-route) for the complete options list.
|
|
|
|
## Accept TLS over TCP
|
|
|
|
APISIX can accept TLS over TCP.
|
|
|
|
First of all, we need to enable TLS for the TCP address:
|
|
|
|
```yaml
|
|
apisix:
|
|
stream_proxy: # TCP/UDP proxy
|
|
tcp: # TCP proxy address list
|
|
- addr: 9100
|
|
tls: true
|
|
```
|
|
|
|
Second, we need to configure certificate for the given SNI.
|
|
See [Admin API's SSL section](./admin-api.md#ssl) for how to do.
|
|
|
|
Third, we need to configure a stream route to match and proxy it to the upstream:
|
|
|
|
```shell
|
|
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
|
|
{
|
|
"remote_addr": "127.0.0.1",
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1995": 1
|
|
},
|
|
"type": "roundrobin"
|
|
}
|
|
}'
|
|
```
|
|
|
|
When the connection is TLS over TCP, we can use the SNI to match a route, like:
|
|
|
|
```shell
|
|
curl http://127.0.0.1:9080/apisix/admin/stream_routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
|
|
{
|
|
"sni": "a.test.com",
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:5991": 1
|
|
},
|
|
"type": "roundrobin"
|
|
}
|
|
}'
|
|
```
|
|
|
|
In this case, a connection handshaked with SNI `a.test.com` will be proxied to `127.0.0.1:5991`.
|