Environment_Infrastructure/roadmap/test-env/05-apisix-remove-ssl.md
2026-05-09 16:26:06 +03:00


05 — APISIX: Remove SSL / Configure Trusted Proxy (Test)

Context

  • File: init/apisix-core/init.sh
  • SWAG now terminates TLS. APISIX receives plain HTTP from SWAG via the overlay network.
  • The ssls/1 cert upload is no longer needed.
  • APISIX must trust SWAG's X-Real-IP header to see real client IPs (for rate limiting, fail2ban).

Step 1 — Remove the SSL cert upload block from init/apisix-core/init.sh

Locate and delete this entire block:

```bash
# DELETE THIS BLOCK:
if [[ "$PROFILE" == "test" || "$PROFILE" == "prod" ]]; then
  if [[ -f "STAR.iklim.co.full.crt" && -f "STAR.iklim.co_key.txt" ]]; then
    call_api "ssl iklim.co" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat STAR.iklim.co.full.crt)"'","key":"'"$(cat STAR.iklim.co_key.txt)"'","snis":["*.iklim.co"]}'
  else
    echo "iklim.co ssl certificates not found!"
  fi
fi
```

Also delete the dev SSL block if it only serves the ssls/1 endpoint:

```bash
# DELETE THIS BLOCK (if only used for cert upload):
if [[ "$PROFILE" == "dev" ]]; then
  if [[ -f "localhost.crt" && -f "localhost.key" ]]; then
    call_api "ssl dev" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat localhost.crt)"'","key":"'"$(cat localhost.key)"'","snis":["localhost"]}'
  else
    echo "localhost ssl certificates not found!"
  fi
fi
```

If the dev block is still needed for local development, keep it but ensure it does not affect test/prod behavior.

Step 2 — APISIX trusted proxy configuration (custom image)

APISIX's custom image (registry.tarla.io/iklimco/custom-apisix:3.12.0) includes a config.yaml. That config must enable real-IP handling so that APISIX sees the real client IP, not SWAG's overlay IP.

Locate the APISIX config.yaml in the custom image build source and ensure it contains:

```yaml
nginx_config:
  http:
    real_ip_header: "X-Real-IP"
    real_ip_recursive: "on"
    # APISIX's config.yaml key is real_ip_from (APISIX renders it into nginx's
    # set_real_ip_from directive); a set_real_ip_from key at this level is not read.
    real_ip_from:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
```

Docker Swarm overlay networks use 10.x.x.x addressing. These CIDR ranges cover all typical overlay subnet allocations.

If the custom image config does not contain these settings, add them, then rebuild the image and push it to Harbor before deploying.
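The trust decision this config makes is easy to get wrong, so here is an added example (not code from this repo or from APISIX) that mimics the nginx realip semantics APISIX renders from real_ip_header, real_ip_recursive and real_ip_from: a header is only honoured when the TCP peer is inside a trusted range, and real_ip_recursive only matters for comma-separated X-Forwarded-For chains, which the example also covers. The peer addresses and the narrower TRUSTED_NARROW subnet are constructed; the real SWAG-facing overlay subnet is whatever `docker network inspect` reports. The rogue-container scenario shows why the three broad ranges deserve a second look: any container that can reach APISIX from a private address becomes a trusted proxy and can choose the client IP that rate limiting and fail2ban will act on.

```python
import ipaddress
from typing import Optional

# Trusted proxy ranges copied from the config.yaml snippet in Step 2 (real_ip_from).
TRUSTED_DEFAULT = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed assumption: the single /24 Swarm assigned to the SWAG<->APISIX overlay.
TRUSTED_NARROW = ("10.0.1.0/24",)


def is_trusted(ip: str, trusted=TRUSTED_DEFAULT) -> bool:
    """True if ip falls inside any CIDR of the trust list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted)


def resolve_client_ip(peer: str, header_value: Optional[str],
                      trusted=TRUSTED_DEFAULT, recursive: bool = True) -> str:
    """Return what nginx's realip module would expose as $remote_addr.

    peer         -- TCP peer address (SWAG's overlay IP when SWAG proxies)
    header_value -- X-Real-IP or X-Forwarded-For value, None if absent
    trusted      -- CIDRs allowed to set the header (real_ip_from)
    recursive    -- real_ip_recursive; only matters for comma-separated values
    """
    # A header sent by a peer outside real_ip_from is ignored entirely.
    if not header_value or not is_trusted(peer, trusted):
        return peer

    addrs = [a.strip() for a in header_value.split(",") if a.strip()]
    candidate = None
    # nginx walks the header from the right; with real_ip_recursive on it keeps
    # stepping left while the address it just accepted is itself a trusted proxy.
    for addr in reversed(addrs):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            break  # malformed entry: stop and keep whatever was found so far
        candidate = addr
        if not recursive or not is_trusted(addr, trusted):
            break
    return candidate if candidate is not None else peer


def demo() -> dict:
    """Constructed scenarios; returns a dict so each outcome can be inspected."""
    swag = "10.0.1.5"          # constructed: SWAG's overlay address
    rogue = "192.168.7.20"     # constructed: another container on a private network
    internet = "198.51.100.9"  # constructed: a client connecting directly
    return {
        # Normal path: SWAG forwards a real client and APISIX sees that client.
        "via_swag": resolve_client_ip(swag, "203.0.113.7"),
        # Direct connection: the header is ignored because the peer is untrusted.
        "direct_spoof": resolve_client_ip(internet, "203.0.113.7"),
        # With the broad ranges every private peer is a trusted proxy, so a rogue
        # container picks its own "client IP" and evades per-IP rate limits...
        "rogue_broad": resolve_client_ip(rogue, "203.0.113.250"),
        # ...but not when trust is narrowed to the SWAG-facing subnet.
        "rogue_narrow": resolve_client_ip(rogue, "203.0.113.250", trusted=TRUSTED_NARROW),
        # X-Forwarded-For chain: recursive skips the trusted hop on the right.
        "xff_recursive": resolve_client_ip(swag, "203.0.113.7, 10.0.2.8", recursive=True),
        "xff_flat": resolve_client_ip(swag, "203.0.113.7, 10.0.2.8", recursive=False),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:14s} -> {ip}")
```

With X-Real-IP, which carries a single address, recursive on and off behave the same; the difference only appears once a chain like X-Forwarded-For is used. The practical takeaway is to keep real_ip_from as tight as the deployment allows, ideally the SWAG overlay subnet rather than all of private address space.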

Step 3 — Remove APISIX TLS upstream configs (if any)

If any APISIX upstream in init/apisix-core/init.sh uses scheme: https pointing to backend microservices, change it to scheme: http. Backends are internal and HTTP-only.

The apisix:9443 HTTPS listener is gone; APISIX only listens on 9080 (HTTP).

Verification

After deploy, confirm APISIX receives real client IPs:

```bash
# From a machine with known IP, make a request to api-test.iklim.co
# Then check APISIX access log
docker exec $(docker ps -q -f name=iklimco_apisix) \
  tail -20 /usr/local/apisix/logs/access.log
```

The IP in the log should be the actual client IP, not SWAG's overlay IP (10.x.x.x).
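Eyeballing tail output works for one request; the added example below (not part of this repo) turns the check into a small audit that can be run over a saved copy of the access log: it takes the leading $remote_addr field of each line and flags any entry that still shows a private/overlay address. The sample lines are constructed, and the parser assumes APISIX's default access_log_format, which begins with "$remote_addr - $remote_user [$time_local]"; if the custom image changes that format, adjust LINE_RE. An overlay hit is a signal rather than proof of failure, since genuinely internal callers (health checks from other services) will legitimately log overlay addresses.

```python
import ipaddress
import re

# The same ranges the Step 2 config trusts; a logged $remote_addr inside them
# means the real-IP rewrite did not happen for that request.
PROXY_RANGES = [ipaddress.ip_network(c)
                for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: APISIX's default access_log_format, "$remote_addr - $remote_user [$time_local] ...".
# Only the leading address is needed, so the pattern stops after the timestamp.
LINE_RE = re.compile(r"^(?P<addr>\S+) - \S+ \[(?P<time>[^\]]+)\]")

# Constructed sample: two requests rewritten correctly, one still showing
# SWAG's overlay IP, and one junk line to prove garbage does not crash the audit.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2026:13:26:06 +0000] api-test.iklim.co "GET /health HTTP/1.1" 200 15 0.002 "-" "curl/8.5.0" 10.0.1.20:8080 200 0.001 "http://10.0.1.20:8080/health"
10.0.1.5 - - [09/May/2026:13:26:07 +0000] api-test.iklim.co "GET /health HTTP/1.1" 200 15 0.002 "-" "curl/8.5.0" 10.0.1.20:8080 200 0.001 "http://10.0.1.20:8080/health"
198.51.100.9 - - [09/May/2026:13:26:08 +0000] api-test.iklim.co "POST /login HTTP/1.1" 401 31 0.010 "-" "Mozilla/5.0" 10.0.1.21:8080 401 0.009 "http://10.0.1.21:8080/login"
this line is not an access log entry
"""


def audit_access_log(text: str) -> dict:
    """Bucket each line's $remote_addr as public, overlay (private), or unparsable."""
    result = {"public": [], "overlay": [], "unparsable": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            result["unparsable"].append(line)
            continue
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            result["unparsable"].append(line)
            continue
        bucket = "overlay" if any(addr in n for n in PROXY_RANGES) else "public"
        result[bucket].append(str(addr))
    return result


def real_ip_looks_correct(text: str) -> bool:
    """True only if at least one public client was logged and no overlay address was."""
    r = audit_access_log(text)
    return bool(r["public"]) and not r["overlay"]


if __name__ == "__main__":
    # In practice: docker exec <apisix container> cat /usr/local/apisix/logs/access.log > access.log
    # and pass that file's contents instead of SAMPLE_LOG.
    summary = audit_access_log(SAMPLE_LOG)
    for bucket, entries in summary.items():
        print(f"{bucket:10s} {len(entries)} {entries}")
    print("real IP OK:", real_ip_looks_correct(SAMPLE_LOG))
```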