support-tls-upstream-chunked-requests

3scale · Jul 3, 2023 · 73cd1a9 · 73cd1a9
1 parent 17e7ed1
commit 73cd1a9
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 83 deletions.
diff --git a/docker-compose.upstream-tls.yml b/docker-compose.upstream-tls.yml
@@ -5,6 +5,7 @@ services:
     image: ${IMAGE_NAME:-apicast-test}
     depends_on:
     - one.upstream
+    - two.upstream
     environment:
       THREESCALE_CONFIG_FILE: /tmp/config.json
       THREESCALE_DEPLOYMENT_ENV: staging
@@ -21,10 +22,13 @@ services:
     volumes:
       - ./examples/tlsv1.3-upstream/apicast-config.json:/tmp/config.json
   one.upstream:
-    image: nginx:1.23.4
+    image: alpine/socat:1.7.4.4
+    container_name: one.upstream
+    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/tls.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
     expose:
       - "443"
+    restart: unless-stopped
     volumes:
-      - ./examples/tlsv1.3-upstream/proxy-nginx.conf:/etc/nginx/nginx.conf
-      - ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.key:/etc/pki/tls.key
-      - ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt:/etc/pki/tls.crt
+      - ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.pem:/etc/pki/tls.pem
+  two.upstream:
+    image: kennethreitz/httpbin
diff --git a/examples/tlsv1.3-upstream/README.md b/examples/tlsv1.3-upstream/README.md
@@ -2,10 +2,36 @@
 
 APIcast --> upstream (TLSv1.3)
 
-APicast configured to access TLSv1.3 powered upstream
+APIcast configured with TLS upstream. TLS termination endpoint is socat.
+
+Run `make upstream-tls-gateway`
+
+* GET request
+```
+# you need container name of the gateway
+APICAST_IP=$(docker inspect apicast_build_0-gateway-run-3b16b962fa2a | yq e -P '.[0].NetworkSettings.Networks.apicast_build_0_default.IPAddress' -)
+curl -v -H "Host: get" http://${APICAST_IP}:8080/?user_key=foo
+```
+
+* POST request
+```
+# you need container name of the gateway
+APICAST_IP=$(docker inspect apicast_build_0-gateway-run-3b16b962fa2a | yq e -P '.[0].NetworkSettings.Networks.apicast_build_0_default.IPAddress' -)
+curl -v -X POST -H "Host: post" http://${APICAST_IP}:8080/?user_key=foo
+```
 
 ```
 curl -v -H "Host: one" http://${APICAST_IP}:8080/?user_key=foo
 ```
 
 NOTE: using `one.upstream` as upstream hostname becase when APIcast resolves `upstream` it returns `0.0.0.1`
+NOTE: pem file creation
+```
+// generate a private key;
+$ openssl genrsa -out server.key 1024
+// generate a self signed cert:
+$ openssl req -new -key server.key -x509 -days 3653 -out server.crt
+//     enter fields... (may all be empty when cert is only used privately)
+// generate the pem file:
+$ cat server.key server.crt >server.pem
+```
diff --git a/examples/tlsv1.3-upstream/apicast-config.json b/examples/tlsv1.3-upstream/apicast-config.json
@@ -1,30 +1,58 @@
 {
-    "services": [
-        {
-            "backend_version": "1",
-            "proxy": {
-                "hosts": ["one"],
-                "api_backend": "https://one.upstream:443/",
-                "backend": {
-                    "endpoint": "http://127.0.0.1:8081",
-                    "host": "backend"
-                },
-                "policy_chain": [
-                    {
-                        "name": "apicast.policy.apicast"
-                    }
-                ],
-                "proxy_rules": [
-                    {
-                        "http_method": "GET",
-                        "pattern": "/",
-                        "metric_system_name": "hits",
-                        "delta": 1,
-                        "parameters": [],
-                        "querystring_parameters": {}
-                    }
-                ]
-            }
-        }
-    ]
+  "services": [
+    {
+      "id": "1",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["get"],
+        "api_backend": "https://one.upstream/get",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    },
+    {
+      "id": "2",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["post"],
+        "api_backend": "https://one.upstream/post",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "POST",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    }
+  ]
 }
diff --git a/examples/tlsv1.3-upstream/proxy-nginx.conf b/examples/tlsv1.3-upstream/proxy-nginx.conf
diff --git a/examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt b/examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt
diff --git a/...3-upstream/upstream-cert/one.upstream.key → ...3-upstream/upstream-cert/one.upstream.pem b/...3-upstream/upstream-cert/one.upstream.key → ...3-upstream/upstream-cert/one.upstream.pem
@@ -1,3 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIID5TCCAs2gAwIBAgIUEW7oIi1pFN2GT/MXNPt0YfRmJBowDQYJKoZIhvcNAQEL
+BQAwgYExCzAJBgNVBAYTAkVTMRIwEAYDVQQIDAlCYXJjZWxvbmExEjAQBgNVBAcM
+CUJhcmNlbG9uYTEhMB8GA1UECgwYUmVkSGF0LTNzY2FsZS1EZXZ0ZXN0aW5nMRAw
+DgYDVQQLDAdBUEljYXN0MRUwEwYDVQQDDAxvbmUudXBzdHJlYW0wHhcNMjMwMzMx
+MDk0NjU0WhcNMzMwMzI4MDk0NjU0WjCBgTELMAkGA1UEBhMCRVMxEjAQBgNVBAgM
+CUJhcmNlbG9uYTESMBAGA1UEBwwJQmFyY2Vsb25hMSEwHwYDVQQKDBhSZWRIYXQt
+M3NjYWxlLURldnRlc3RpbmcxEDAOBgNVBAsMB0FQSWNhc3QxFTATBgNVBAMMDG9u
+ZS51cHN0cmVhbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWwMSy2
+Bh0fBUqHPMr3Twh29rtKTTd5V4dRHf+DAuSSS68ypMV7/SV+uMs2MXYgFTbew0sy
+LfXdioMSOCHVDQqFsItKdN3SEnUhdIusWynkUID0hBW2orrkOyUW7kktL7sh5jWO
+MdpB6/SyrH2j+wy2sONjEGMpFY/hJ6AaTFjhmPM8SgbzwpSAORJKVvzyCQ/Cfjt5
+cmACY6X0zijhctg6+GOYo1hQDMhU2sN4cm2fgKah+WJgQMgyZ9OwZInfOrF0guem
+IOkh2jUA0N/r+m0niPaiexd0L6zhxqCMjuylRbj1ObP8gpqqWiofUcr+OrP5x4n7
+nIYgWcB3iQqUHOsCAwEAAaNTMFEwHQYDVR0OBBYEFMjravcu5CLPgA/gFdNg5cI2
+g1/zMB8GA1UdIwQYMBaAFMjravcu5CLPgA/gFdNg5cI2g1/zMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMAOl0v4fcW8EHpCUWLeidbnc4+B+94H
+5kIpa8YEETeVmVD/ZYFuEf6QgWGBydLTR0HQ/nlF+HWD+guf2n1tP5p9kJKad8nL
+Kf/rurWCe8C1F+YcRkWtNZZ/IcOBmm67LoyVM1ZbrTbMcLcOPZXI/KlfIf4m1zrG
+LC9QYxoZ3yjk8JKUOxHkSfyKEFhPtOMZPwI4nw7CjvjzALOYPHAGGqDdQvRC29ui
+EL008p658bZlwPCD+1BDXaw2BhhN3tgbExk7RJTsEe9MEsIGpsbrNhVdho7nrq8L
+QpxZc1dbljzN3NnrEy+XlPswK3gFzgcYbQTy/MdpWI8amDkWCXfu9hI=
+-----END CERTIFICATE-----
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFsDEstgYdHwVK
 hzzK908Idva7Sk03eVeHUR3/gwLkkkuvMqTFe/0lfrjLNjF2IBU23sNLMi313YqD