# 05 — APISIX: Remove SSL / Configure Trusted Proxy (Test)

## Context

- **File:** `init/apisix-core/init.sh`
- SWAG now terminates TLS. APISIX receives plain HTTP from SWAG via the overlay network.
- The `ssls/1` cert upload is no longer needed.
- APISIX must trust SWAG's `X-Real-IP` header to see real client IPs (for rate limiting, fail2ban).

## Step 1 — Remove the SSL cert upload block from `init/apisix-core/init.sh`

Locate and **delete** this entire block:

```bash
# DELETE THIS BLOCK:
if [[ "$PROFILE" == "test" || "$PROFILE" == "prod" ]]; then
  if [[ -f "STAR.iklim.co.full.crt" && -f "STAR.iklim.co_key.txt" ]]; then
    call_api "ssl iklim.co" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat STAR.iklim.co.full.crt)"'","key":"'"$(cat STAR.iklim.co_key.txt)"'","snis":["*.iklim.co"]}'
  else
    echo "iklim.co ssl certificates not found!"
  fi
fi
```

Also delete the `dev` SSL block if it only serves the `ssls/1` endpoint:

```bash
# DELETE THIS BLOCK (if only used for cert upload):
if [[ "$PROFILE" == "dev" ]]; then
  if [[ -f "localhost.crt" && -f "localhost.key" ]]; then
    call_api "ssl dev" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat localhost.crt)"'","key":"'"$(cat localhost.key)"'","snis":["localhost"]}'
  else
    echo "localhost ssl certificates not found!"
  fi
fi
```

> If the `dev` block is still needed for local development, keep it but ensure it does not
> affect test/prod behavior.

## Step 2 — APISIX trusted proxy configuration (custom image)

APISIX's custom image (`registry.tarla.io/iklimco/custom-apisix:3.12.0`) includes a `config.yaml`. That config must set the real IP headers so APISIX sees real client IPs, not SWAG's overlay IP.

Locate the APISIX `config.yaml` in the custom image build source and ensure it contains:

```yaml
nginx_config:
  http:
    real_ip_header: "X-Real-IP"
    real_ip_recursive: "on"
    set_real_ip_from:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
```

Docker Swarm overlay networks use `10.x.x.x` addressing. These CIDR ranges cover all typical overlay subnet allocations. Note that every host in those ranges is then trusted to set `X-Real-IP`, so narrow the list to SWAG's actual overlay subnet once it is known.

If the custom image config does not have these settings, add them, then rebuild the image and push it to Harbor before deploying.

## Step 3 — Remove APISIX TLS upstream configs (if any)

If any APISIX upstream in `init/apisix-core/init.sh` uses `scheme: https` pointing to backend microservices, change it to `scheme: http`. Backends are internal HTTP-only.

The `apisix:9443` HTTPS listener is gone; APISIX only listens on `9080` (HTTP).

## Verification

After deploy, confirm APISIX receives real client IPs:

```bash
# From a machine with known IP, make a request to api-test.iklim.co
# Then check APISIX access log
docker exec $(docker ps -q -f name=iklimco_apisix) \
  tail -20 /usr/local/apisix/logs/access.log
```

The IP in the log should be the actual client IP, not SWAG's overlay IP (`10.x.x.x`).
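As an added example (not part of these deployment notes), a POSIX shell check that turns the manual log inspection above into a pass/fail test: it flags any access log line whose client field still falls inside the `set_real_ip_from` ranges. It assumes the default APISIX/nginx log format, where the first field is `$remote_addr`; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: verify that APISIX access log lines no longer show a
# proxy/overlay address as the client IP. Assumes the default log format
# (first field = $remote_addr, rewritten by real_ip_header when it works).

# Same ranges as set_real_ip_from in config.yaml.
TRUSTED_PROXIES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int A.B.C.D -> dotted quad as a 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside NET/BITS
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_proxy_ip IP -> exit 0 when IP belongs to one of the trusted proxy ranges
is_proxy_ip() {
  for cidr in $TRUSTED_PROXIES; do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# check_access_log FILE -> reports each line whose client IP is still a proxy
# address; exit status is the number of such lines (0 = real IPs restored)
check_access_log() {
  bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    client=${line%% *}
    if is_proxy_ip "$client"; then
      printf 'client still shows proxy IP: %s\n' "$line" >&2
      bad=$((bad + 1))
    fi
  done < "$1"
  return "$bad"
}

# Constructed sample log: first line is correct, second still shows the overlay IP.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET /health HTTP/1.1" 200 2
10.0.1.5 - - [01/Jan/2024:00:00:01 +0000] "GET /api/v1 HTTP/1.1" 200 12
EOF
check_access_log "$SAMPLE_LOG" || echo "lines with proxy IP as client: $?"
```

Against the live gateway, point `check_access_log` at `/usr/local/apisix/logs/access.log` (copied out with `docker cp` or read via `docker exec`) after making a request from a machine with a known public IP.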