# 05 — APISIX: Remove SSL / Configure Trusted Proxy (Prod)

## Context
Identical to `test-env-setup/05-apisix-remove-ssl.md`.

The same `init/apisix-core/init.sh` and custom APISIX image are used for both environments.
Changes made for test already apply to prod.

## Checklist

- [ ] `ssls/1` PUT block removed from `init/apisix-core/init.sh`
- [ ] `dev` SSL block removed or confirmed non-impactful for prod
- [ ] Custom APISIX image (`custom-apisix:3.12.0`) config.yaml contains `real_ip_header`
      and `set_real_ip_from` for overlay CIDR (`10.0.0.0/8`)
- [ ] New image built and pushed to Harbor if config.yaml was changed:
      ```bash
      docker build -t registry.tarla.io/iklimco/custom-apisix:3.12.0 .
      docker push registry.tarla.io/iklimco/custom-apisix:3.12.0
      ```

## Prod-specific note

APISIX runs with `replicas: 2` in prod. Both replicas receive the same configuration
from etcd — no additional steps needed beyond the single init run.

The `init/apisix-core/init.sh` is called once (from the pipeline) and configures the
shared etcd state that all APISIX instances read from.

## Verification

```bash
# From a whitelisted IP, make a request and check real IP in APISIX logs
docker exec $(docker ps -q -f name=iklimco_apisix | head -1) \
  tail -5 /usr/local/apisix/logs/access.log
```

Client IP should appear in the log, not SWAG's internal overlay IP.