Environment_Infrastructure/roadmap/prod-env/05-apisix-remove-ssl.md
Murat ÖZDEMİR 67f4c10c93 docs(roadmap): update various roadmap docs to align with latest infrastructure setup
- Synchronized swarm initialization, pipeline update, and certificate reloader instructions with the new monolithic stack logic and Ansible roles.
2026-06-15 16:48:04 +03:00


# 05 — APISIX: Remove SSL / Configure Trusted Proxy (Prod)
## Context
The same `init/apisix-core/init.sh` and custom APISIX image are used for test and prod. TLS terminates at SWAG; APISIX receives plain HTTP over the `iklimco-net` overlay network.
## Checklist
- The `ssls/1` PUT block is removed from `init/apisix-core/init.sh`.
- The dev-only SSL block is removed or confirmed to be non-impactful for prod.
- The custom APISIX image includes trusted proxy settings in `template/apisix-core/config.yaml.template`: `real_ip_header`, `real_ip_recursive`, and `set_real_ip_from` for private ranges.
- The custom image is pushed to Harbor when the APISIX config template changes.
## Current Prod Model
APISIX runs with 3 replicas in `docker-stack-infra_db-prod.yml`. All replicas read configuration from the shared DB-node etcd cluster with the `/apisix` prefix, so the pipeline runs `init/apisix-core/init.sh` once.
Production deployment uses:
```bash
docker stack deploy --with-registry-auth -c docker-stack-infra_db-prod.yml iklimco
```
## SWAG to APISIX Load Distribution
SWAG connects to APISIX through the service name:
```nginx
proxy_pass http://apisix:9080;
```
Docker Swarm resolves `apisix` to the service VIP and distributes requests across APISIX replicas. SWAG does not need a separate upstream list for APISIX.
## Verification
```bash
# Show the last 5 access-log entries from one running APISIX replica
docker exec "$(docker ps -q -f name=iklimco_apisix | head -1)" \
  tail -5 /usr/local/apisix/logs/access.log
```
The log should show the real client IP, not SWAG's internal overlay IP.
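The check above can be automated instead of read by eye. The following is an added example, not part of the project's scripts: it counts access-log entries whose client address is in a private range. It assumes the first field of each log line is the client address; the function names `count_private_clients` and `check_real_ip` and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not project code). Assumption: field 1 of each access-log
# line is the client address ($remote_addr).

# Reads log lines on stdin, prints "<private_count> <total_count>".
count_private_clients() {
    awk '
        function is_private(ip,    o) {
            if (split(ip, o, ".") != 4) return 0      # not dotted IPv4
            if (o[1] == 10) return 1                   # 10.0.0.0/8
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1  # 172.16.0.0/12
            if (o[1] == 192 && o[2] == 168) return 1   # 192.168.0.0/16
            return 0
        }
        NF { total++; if (is_private($1)) priv++ }
        END { printf "%d %d\n", priv, total }
    '
}

# Returns 0 when no entry shows a private client address, 1 when at least
# one does (trusted proxy settings not effective), 2 when the log is empty.
check_real_ip() {
    set -- $(count_private_clients)
    if [ "$2" -eq 0 ]; then
        echo "no log lines to check"; return 2
    fi
    if [ "$1" -gt 0 ]; then
        echo "FAIL: $1 of $2 entries show a private client address"; return 1
    fi
    echo "OK: $2 entries, none with a private client address"
}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [15/Jun/2026:16:50:01 +0300] example.test "GET /health HTTP/1.1" 200 2 0.001
10.0.1.15 - - [15/Jun/2026:16:50:02 +0300] example.test "GET /health HTTP/1.1" 200 2 0.001
198.51.100.20 - - [15/Jun/2026:16:50:03 +0300] example.test "GET /health HTTP/1.1" 200 2 0.001'

printf '%s\n' "$SAMPLE_LOG" | count_private_clients   # demo run on the sample
```

To use it against a replica, pipe the `docker exec ... tail` output from the verification command into `check_real_ip`. Requests that legitimately originate inside the overlay network are also counted as private, so run it on traffic known to come from outside.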
## Historical / Superseded by Setup
The old prod overlay command `docker stack deploy -c docker-stack-infra.yml -c docker-stack-infra.prod.yml iklimco` is superseded by `docker-stack-infra_db-prod.yml`.