# 05 — APISIX: Remove SSL / Configure Trusted Proxy (Test)

## Context

- **File:** `init/apisix-core/init.sh`
- SWAG now terminates TLS. APISIX receives plain HTTP from SWAG over the overlay network.
- The `ssls/1` cert upload is no longer needed.
- APISIX must trust SWAG's `X-Real-IP` header to see real client IPs (for rate limiting and fail2ban). That trust has to be limited to the addresses SWAG connects from: a header honoured from any source lets any client pick its own "real" IP.

## Step 1 — Remove the SSL cert upload block from `init/apisix-core/init.sh`

Locate and **delete** this entire block:

```bash
# DELETE THIS BLOCK:
if [[ "$PROFILE" == "test" || "$PROFILE" == "prod" ]]; then
  if [[ -f "STAR.iklim.co.full.crt" && -f "STAR.iklim.co_key.txt" ]]; then
    call_api "ssl iklim.co" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat STAR.iklim.co.full.crt)"'","key":"'"$(cat STAR.iklim.co_key.txt)"'","snis":["*.iklim.co"]}'
  else
    echo "iklim.co ssl certificates not found!"
  fi
fi
```

Also delete the `dev` SSL block if it only serves the `ssls/1` endpoint:

```bash
# DELETE THIS BLOCK (if only used for cert upload):
if [[ "$PROFILE" == "dev" ]]; then
  if [[ -f "localhost.crt" && -f "localhost.key" ]]; then
    call_api "ssl dev" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat localhost.crt)"'","key":"'"$(cat localhost.key)"'","snis":["localhost"]}'
  else
    echo "localhost ssl certificates not found!"
  fi
fi
```

> If the `dev` block is still needed for local development, keep it, but make sure it cannot
> run under the `test` or `prod` profile.

Removing the upload from the script does not remove an `ssls/1` object that earlier runs already
stored in APISIX. With the HTTPS listener gone it is unused, but it can be cleaned up with a
`DELETE` against the same `$APISIX_ADMIN_URL/ssls/1` endpoint so no certificate/key pair lingers
in etcd.

## Step 2 — APISIX trusted proxy configuration (custom image)

The custom APISIX image (`registry.tarla.io/iklimco/custom-apisix:3.12.0`) ships its own
`config.yaml`. That config must enable real-IP handling so APISIX logs, rate-limits and bans on
the real client address rather than on SWAG's overlay address.

Locate the APISIX `config.yaml` in the custom image build source and ensure it contains:

```yaml
nginx_config:
  http:
    real_ip_header: "X-Real-IP"
    real_ip_recursive: "on"
    real_ip_from:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
```

The key is `real_ip_from`: APISIX renders each entry as an nginx `set_real_ip_from` directive,
and the nginx directive name is not itself a `config.yaml` key. `real_ip_recursive` only matters
for a multi-hop header such as `X-Forwarded-For`; `X-Real-IP` carries a single address, so the
setting has no effect here but is harmless to leave on.

Docker Swarm allocates overlay subnets from `10.0.0.0/8` by default, so the first range is the
one SWAG's traffic actually arrives from; the other two cover non-default address pools. The
trade-off: every address in these ranges may set `X-Real-IP`, so anything that can reach APISIX
on `9080` from a private address can forge its client IP. Keep `9080` unpublished on the host
(overlay-only) and, if the overlay subnet is fixed, narrow `real_ip_from` to that subnet.

If the custom image config does not have these settings, add them and rebuild+push the image to
Harbor before deploying.

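To make the trust rules above concrete, here is a small model of how nginx's realip module (the
engine behind `real_ip_header` / `real_ip_recursive` / `real_ip_from`) decides the client
address. It is an added example for this note, not APISIX or SWAG code, and every address,
header and the `NARROW_TRUST` overlay subnet are constructed assumptions. It shows the three
cases that matter for this change: a request forwarded by SWAG, a request that bypasses SWAG
with a forged header, and a forged header sent by another container on the overlay, which the
broad RFC 1918 list believes and a narrowed list does not.

```python
"""How nginx's realip module, which APISIX configures from
nginx_config.http.real_ip_header / real_ip_recursive / real_ip_from, picks
the client address. Added example for this note, not APISIX or SWAG code;
every address and header below is constructed."""
import ipaddress

# Mirrors the config.yaml fragment above: all RFC 1918 space is trusted.
BROAD_TRUST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Tighter alternative (assumed overlay subnet; read yours from
# `docker network inspect <overlay>`): trust only where SWAG lives.
NARROW_TRUST = ["10.0.1.0/24"]


def _is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in trusted)


def _parse(token):
    try:
        return str(ipaddress.ip_address(token.strip()))
    except ValueError:
        return None


def resolve_client_ip(remote_addr, headers, trusted=BROAD_TRUST,
                      real_ip_header="X-Real-IP", recursive=True):
    """Return what nginx exposes as $remote_addr (and writes to the log).

    - The header is consulted only if the TCP peer is in `trusted`.
    - X-Real-IP carries one address and is taken verbatim.
    - X-Forwarded-For is a list, walked right to left; with `recursive`
      on, trusted hops are skipped until the first untrusted one.
    - A value that does not parse as addresses is ignored and the peer
      address is kept (simplified from nginx, which also ignores it).
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    value = next((v for k, v in headers.items()
                  if k.lower() == real_ip_header.lower()), None)
    if value is None:
        return remote_addr
    hops = [_parse(part) for part in value.split(",")]
    if not hops or None in hops:
        return remote_addr
    if not recursive:
        return hops[-1]
    result = remote_addr
    for hop in reversed(hops):
        result = hop
        if not _is_trusted(hop, trusted):
            break
    return result


# Constructed requests: (TCP peer address, request headers).
SCENARIOS = {
    # SWAG on the overlay forwards an internet client: header honoured.
    "via_swag": ("10.0.1.5", {"X-Real-IP": "203.0.113.7"}),
    # Someone reaches 9080 directly from outside: header ignored.
    "direct_spoof": ("198.51.100.9", {"X-Real-IP": "203.0.113.7"}),
    # Another container on the overlay forges the header: believed under
    # the broad list, which is the trade-off of trusting 10.0.0.0/8.
    "overlay_spoof": ("10.0.3.20", {"X-Real-IP": "127.0.0.1"}),
    # Trusted peer but no header: fall back to the peer address.
    "no_header": ("10.0.1.5", {}),
}


def run_scenarios(trusted=BROAD_TRUST):
    """Resolve every scenario under the given trust list."""
    return {name: resolve_client_ip(peer, hdrs, trusted)
            for name, (peer, hdrs) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, trust in (("broad", BROAD_TRUST), ("narrow", NARROW_TRUST)):
        print(f"{label}: real_ip_from={trust}")
        for name, ip in run_scenarios(trust).items():
            print(f"  {name:14s} -> {ip}")
    xff = {"X-Forwarded-For": "203.0.113.7, 192.168.5.5"}
    print("XFF recursive:    ",
          resolve_client_ip("10.0.1.5", xff, real_ip_header="X-Forwarded-For"))
    print("XFF non-recursive:",
          resolve_client_ip("10.0.1.5", xff, real_ip_header="X-Forwarded-For",
                            recursive=False))
```

Run it as a script to see both trust lists side by side; the `overlay_spoof` row is the one
that flips from `127.0.0.1` to the peer address when `real_ip_from` is narrowed, and the two
`X-Forwarded-For` lines show the only situation in which `real_ip_recursive` changes the result.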
## Step 3 — Remove APISIX TLS upstream configs (if any)

If any APISIX upstream in `init/apisix-core/init.sh` uses `scheme: https` pointing to backend
microservices, change it to `scheme: http`. Backends are internal and HTTP-only.

The `apisix:9443` HTTPS listener is gone; APISIX now listens only on `9080` (HTTP).

## Verification

After deploy, confirm APISIX receives real client IPs:

```bash
# From a machine with a known public IP, make a request to api-test.iklim.co,
# then read the tail of the APISIX access log (its first field is $remote_addr).
docker exec "$(docker ps -q -f name=iklimco_apisix)" \
  tail -n 20 /usr/local/apisix/logs/access.log
```

The address in the log should be the actual client IP, not SWAG's overlay IP (`10.x.x.x`).
Then repeat the request with a forged header (for example `X-Real-IP: 203.0.113.7`, a
documentation address): the logged address must still be yours, because SWAG's proxy config sets
`X-Real-IP` from the address it accepted the connection from. If the forged value appears in the
log, fix the SWAG side before relying on rate limiting or fail2ban.
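Eyeballing twenty log lines works once; the check below scans a whole access log and reports
every entry whose client address is still an internal/overlay address, which is what a missing
or misapplied `real_ip_from` looks like. It is an added example for this note, not APISIX
tooling; it assumes APISIX's default `access_log_format` (first field is `$remote_addr`), and the
sample lines are constructed.

```python
"""Scan APISIX access-log lines for client addresses that are still an
internal/overlay address, meaning real-IP handling did not take effect.
Added example for this note, not APISIX tooling. Assumes APISIX's default
access_log_format, whose first field is $remote_addr; the log lines are
constructed."""
import ipaddress

# Same ranges as real_ip_from above: a client address inside them means
# the request was logged with the proxy's (or a container's) address.
INTERNAL = [ipaddress.ip_network(c)
            for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: line 2 still shows SWAG's overlay address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0000] api-test.iklim.co "GET /v1/health HTTP/1.1" 200 15 0.003 "-" "curl/8.5.0" 10.0.2.14:8080 200 0.002 "http://10.0.2.14:8080/v1/health"
10.0.1.5 - - [12/May/2025:10:01:03 +0000] api-test.iklim.co "GET /v1/health HTTP/1.1" 200 15 0.002 "-" "curl/8.5.0" 10.0.2.14:8080 200 0.001 "http://10.0.2.14:8080/v1/health"
198.51.100.9 - - [12/May/2025:10:01:04 +0000] api-test.iklim.co "POST /v1/login HTTP/1.1" 401 23 0.004 "-" "python-requests/2.31" 10.0.2.15:8080 401 0.003 "http://10.0.2.15:8080/v1/login"
"""


def client_addr(line):
    """$remote_addr is the first space-separated field of the default format."""
    return line.split(" ", 1)[0]


def internal_hits(log_text, ranges=INTERNAL):
    """Return (line_no, addr) for every entry whose client address is internal."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ip = ipaddress.ip_address(client_addr(line))
        except ValueError:
            continue  # field 1 is not an address: skip rather than misreport
        if any(ip in r for r in ranges):
            hits.append((n, str(ip)))
    return hits


if __name__ == "__main__":
    import sys
    # Pipe the real log in; with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    bad = internal_hits(text)
    for n, ip in bad:
        print(f"line {n}: client logged as internal address {ip}")
    print("OK: no internal client addresses" if not bad
          else f"{len(bad)} suspicious line(s)")
```

Feed it the container's log (`docker exec ... cat /usr/local/apisix/logs/access.log | python3 check.py`,
with whatever file name you save it under); a clean run after the change prints `OK`, while any
hit means either `real_ip_from` is not in effect or something reached `9080` without going through
SWAG.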