# 05 — APISIX: Remove SSL / Configure Trusted Proxy (Prod)

## Context

Identical to `test-env-setup/05-apisix-remove-ssl.md`.

The same `init/apisix-core/init.sh` and custom APISIX image are used for both environments.
Changes made for test already apply to prod.

## Checklist

- [ ] `ssls/1` PUT block removed from `init/apisix-core/init.sh`
- [ ] `dev` SSL block removed or confirmed non-impactful for prod
- [ ] Custom APISIX image (`custom-apisix:3.12.0`) config.yaml contains `real_ip_header`
      and `set_real_ip_from` for overlay CIDR (`10.0.0.0/8`)
- [ ] New image built and pushed to Harbor if config.yaml was changed:

```bash
docker build -t registry.tarla.io/iklimco/custom-apisix:3.12.0 .
docker push registry.tarla.io/iklimco/custom-apisix:3.12.0
```

## Prod-specific note

APISIX runs with `replicas: 2` in prod. Both replicas receive the same configuration
from etcd — no additional steps needed beyond the single init run.

The `init/apisix-core/init.sh` is called once (from the pipeline) and configures the
shared etcd state that all APISIX instances read from.

## Verification

```bash
# From a whitelisted IP, make a request and check real IP in APISIX logs
docker exec "$(docker ps -q -f name=iklimco_apisix | head -1)" \
  tail -5 /usr/local/apisix/logs/access.log
```

Client IP should appear in the log, not SWAG's internal overlay IP.
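
A scripted form of the check above, added here as an example (it is not part of the original runbook): it flags access-log lines whose client address still falls inside the overlay CIDR. It assumes each log line starts with the client address; the function names and sample lines are constructed for illustration.

```bash
# Added example, not part of the original runbook.
# Assumption: the first field of each access-log line is the client address.
OVERLAY_CIDR="10.0.0.0/8"   # overlay CIDR from the checklist

# Print the log lines (read from stdin) whose first field is an IPv4 address
# inside $OVERLAY_CIDR, i.e. requests still attributed to the proxy.
overlay_hits() {
  awk -v cidr="$OVERLAY_CIDR" '
    # Dotted quad to integer; -1 for anything that is not a valid IPv4 address.
    function ip2int(s,    o, n, i, v) {
      n = split(s, o, ".")
      if (n != 4) return -1
      v = 0
      for (i = 1; i <= 4; i++) {
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
        v = v * 256 + o[i]
      }
      return v
    }
    BEGIN {
      split(cidr, c, "/")
      block = 2 ^ (32 - c[2])            # addresses covered by the prefix
      net = int(ip2int(c[1]) / block)    # network part of the CIDR
    }
    {
      ip = ip2int($1)
      if (ip >= 0 && int(ip / block) == net) print
    }
  '
}

# Return 0 when no line carries an overlay address, 1 (with a report) otherwise.
check_real_ip() {
  hits=$(overlay_hits)
  [ -z "$hits" ] && return 0
  printf 'client address inside %s, real IP not restored:\n%s\n' \
    "$OVERLAY_CIDR" "$hits" >&2
  return 1
}

# Constructed sample lines (not real log output).
SAMPLE_OK='203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] api.example.test "GET /health HTTP/1.1" 200 2 0.001'
SAMPLE_BAD='10.0.1.15 - - [01/Jan/2025:10:00:01 +0000] api.example.test "GET /health HTTP/1.1" 200 2 0.001'

# Usage against the running container (command from the Verification section):
#   docker exec "$(docker ps -q -f name=iklimco_apisix | head -1)" \
#     tail -5 /usr/local/apisix/logs/access.log | check_real_ip
```

Because prod runs two replicas, run the check against each container rather than only the first one returned by `docker ps`.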