Update Environment_Infrastructure to match the current root stack conventions for database images, shared secret names, and APISIX real IP handling.

- update test Ansible DB image defaults to PostGIS 18/PostGIS 3.6 and MongoDB 8.3.2
- align Patroni configuration with DATABASE_POSTGRES_* secret variable names
- document APISIX real IP template configuration and Harbor rebuild workflow
- replace the separate DB stack env file guidance with the shared .env.secrets.shared flow
- update production setup and roadmap snippets to use current PostGIS, MongoDB, and APISIX rebuild commands
05 — APISIX: Remove SSL / Configure Trusted Proxy (Test)
Context

- File: `init/apisix-core/init.sh`
- SWAG now terminates TLS. APISIX receives plain HTTP from SWAG via the overlay network.
- The `ssls/1` cert upload is no longer needed.
- APISIX must trust SWAG's `X-Real-IP` header to see real client IPs (for rate limiting, fail2ban).
Step 1 — Remove the SSL cert upload block from `init/apisix-core/init.sh`

Locate and delete this entire block:

```bash
# DELETE THIS BLOCK:
if [[ "$PROFILE" == "test" || "$PROFILE" == "prod" ]]; then
  if [[ -f "STAR.iklim.co.full.crt" && -f "STAR.iklim.co_key.pem" ]]; then
    call_api "ssl iklim.co" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat STAR.iklim.co.full.crt)"'","key":"'"$(cat STAR.iklim.co_key.pem)"'","snis":["*.iklim.co"]}'
  else
    echo "iklim.co ssl certificates not found!"
  fi
fi
```
Also delete the dev SSL block if it only serves the `ssls/1` endpoint:

```bash
# DELETE THIS BLOCK (if only used for cert upload):
if [[ "$PROFILE" == "dev" ]]; then
  if [[ -f "localhost.crt" && -f "localhost.key" ]]; then
    call_api "ssl dev" -X PUT "$APISIX_ADMIN_URL/ssls/1" \
      -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" \
      -d '{"cert":"'"$(cat localhost.crt)"'","key":"'"$(cat localhost.key)"'","snis":["localhost"]}'
  else
    echo "localhost ssl certificates not found!"
  fi
fi
```

If the `dev` block is still needed for local development, keep it, but make sure it stays behind the `PROFILE == "dev"` guard so it cannot affect test/prod behavior.
Step 2 — APISIX trusted proxy configuration (custom image)

APISIX's custom image (`registry.tarla.io/iklimco/custom-apisix:3.12.0`) includes a
`config.yaml`. That config must set the real IP headers so APISIX sees real client IPs, not
SWAG's overlay IP.

The source file is `template/apisix-core/config.yaml.template`; `ops/push-harbor-custom-images.sh` generates `build/apisix-core/config.yaml` from this template at build time and deletes it afterward. Ensure the template contains:
```yaml
nginx_config:
  http:
    real_ip_header: "X-Real-IP"
    real_ip_recursive: "on"
    # APISIX config key is real_ip_from; APISIX renders it into nginx's
    # set_real_ip_from directives when it generates nginx.conf.
    real_ip_from:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
```
Docker Swarm overlay networks use 10.x.x.x addressing by default. These three CIDR ranges cover all
typical overlay subnet allocations.

Caveat: every address in those ranges is treated as a trusted proxy, so any workload that can reach APISIX on port 9080 from an RFC 1918 address can set `X-Real-IP` to an arbitrary value and bypass per-IP rate limiting or fail2ban. Keep 9080 unpublished on the host and attach APISIX only to the network SWAG uses; if the SWAG overlay subnet is fixed, narrow `real_ip_from` to that subnet. `real_ip_recursive` only matters for multi-hop headers such as `X-Forwarded-For`; with `X-Real-IP` (a single address) it is harmless but has no effect.
If the template does not have these, add them and rebuild+push the image to Harbor before deploying:

```bash
bash ops/push-harbor-custom-images.sh
```
Step 3 — Remove APISIX TLS upstream configs (if any)

If any APISIX upstream in `init/apisix-core/init.sh` uses `scheme: https` pointing to
backend microservices, change it to `scheme: http`. Backends are internal HTTP-only.

The `apisix:9443` HTTPS listener is gone; APISIX only listens on 9080 (HTTP).
Verification

After deploy, confirm APISIX receives real client IPs:

```bash
# From a machine with known IP, make a request to api-test.iklim.co
# Then check APISIX access log
docker exec $(docker ps -q -f name=iklimco_apisix) \
  tail -20 /usr/local/apisix/logs/access.log
```

The IP in the log should be the actual client IP, not SWAG's overlay IP (10.x.x.x).
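Reading the last 20 lines by eye does not scale once the log fills up with health checks. The following helper is an added example for this runbook, not code from the iklimco repo: it scans access log lines from stdin and prints every request whose logged client address is still private/overlay space, failing with exit status 1 if any are found. It assumes the default APISIX access log format, whose first field is `$remote_addr`; the two sample lines are constructed for the demo and do not come from a real deployment.

```bash
#!/usr/bin/env bash
# Added verification helper (not part of the runbook or the iklimco repo):
# surface access log entries where the real IP configuration did not take
# effect, i.e. the client address is still an overlay/RFC 1918 address.
set -eu

# is_private_ip ADDR: succeed if ADDR is in 10.0.0.0/8, 172.16.0.0/12 or
# 192.168.0.0/16, the ranges APISIX is configured to trust as proxies.
is_private_ip() {
  local ip=$1 o1 o2 rest
  o1=${ip%%.*}
  rest=${ip#*.}
  o2=${rest%%.*}
  case "$o1" in
    10) return 0 ;;
    192) [ "$o2" = 168 ] && return 0 ;;
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# find_overlay_clients: read access log lines on stdin (default APISIX log
# format; first field is $remote_addr), print every line whose client address
# is private, and return 1 if at least one such line was seen.
find_overlay_clients() {
  local line addr found=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    addr=${line%% *}
    if is_private_ip "$addr"; then
      printf '%s\n' "$line"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample log lines (not captured from a real system): the first
# request was attributed to the public client, the second still shows the
# SWAG overlay address, which is what this check is meant to catch.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] api-test.iklim.co "GET /health HTTP/1.1" 200 2 0.001 "-" "curl/8.5.0"
10.0.3.4 - - [01/Jan/2025:10:00:01 +0000] api-test.iklim.co "GET /health HTTP/1.1" 200 2 0.001 "-" "curl/8.5.0"'

# Against a live deployment, pipe the container log through the function:
#   docker exec "$(docker ps -q -f name=iklimco_apisix)" \
#     tail -200 /usr/local/apisix/logs/access.log | find_overlay_clients
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | find_overlay_clients \
    || echo "real IP resolution is NOT working for the lines above"
fi
```

Run it with `--demo` to see the second sample line flagged. A clean run (no output, exit 0) over a window of real traffic is the condition for closing this step; a single flagged line means either the template was not rebuilt into the image or SWAG is not sending `X-Real-IP` for that route.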