@mayorova
Last active October 14, 2019 07:48
Mutual SSL with APIcast

This document describes the steps to enable mutual SSL in APIcast. The instructions are provided for Docker and OpenShift.

Note: this approach will only work in APIcast v3.1.0-rc1 and later.

Prerequisites

  • client certificates
  • API backend that accepts client certificates

Common steps

Step 1. Create a directory certs in your current working directory, and place the following files there:

  • client.crt - certificate in PEM format
  • client.key - secret key in PEM format
  • password_file - file containing the passphrase for the secret key (needed only if the key is passphrase-protected, because otherwise nginx prompts for the passphrase on start; if the key has no passphrase, skip this file)

Step 2. Create a file proxy_ssl.conf in the current directory (provided in this Gist).
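Before mounting certs/ (Step 3 in either variant), the following shell preflight, added here and not part of the Gist, checks the directory for what proxy_ssl.conf expects, covering the passphrase case from Step 1: an encrypted client.key needs a password_file or nginx waits for input at start. File names and the mount path are those given above; the check itself is my own helper, not an APIcast tool.

```shell
#!/bin/sh
# Preflight check for the certs/ directory from Step 1 before it is mounted
# into APIcast at /opt/app-root/src/conf/certs (Docker -v or OpenShift ConfigMap).
# Added example, not part of the Gist. Checks what proxy_ssl.conf expects:
# a PEM certificate, a PEM private key, and a non-empty password_file when
# (and only when) the key is passphrase-protected, so nginx does not block
# on an interactive passphrase prompt when the container starts.
# Prints one finding per line; returns 0 if deployable, 1 otherwise.
check_certs_dir() {
  dir=$1
  crt="$dir/client.crt"
  key="$dir/client.key"
  pw="$dir/password_file"
  rc=0

  # proxy_ssl_certificate expects a PEM certificate.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null; then
    echo "FAIL: $crt is missing or not a PEM certificate"; rc=1
  fi

  # proxy_ssl_certificate_key expects a PEM key; both the PKCS#8 and the
  # legacy PEM encryption headers are recognised.
  if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null; then
    echo "FAIL: $key is missing or not a PEM private key"; rc=1
  elif grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$key"; then
    if [ ! -s "$pw" ]; then
      echo "FAIL: $key is passphrase-protected but $pw is missing or empty"; rc=1
    fi
  elif [ -e "$pw" ]; then
    # Usually means the wrong key was copied in; nginx itself does not mind.
    echo "WARN: $key is not passphrase-protected but $pw exists"
  fi

  # Key material and passphrase should be readable by the owner only;
  # a bind mount (-v) carries these permission bits into the container.
  for f in "$key" "$pw"; do
    if [ -f "$f" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
      echo "WARN: $f is readable by group/others (chmod 600 recommended)"
    fi
  done
  return $rc
}
```

Run it as check_certs_dir ./certs before docker run or oc create configmap. To also confirm that certificate and key belong together, compare the output of openssl x509 -noout -pubkey -in client.crt with openssl pkey -pubout -in client.key (add -passin file:password_file for an encrypted key).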

Docker

Step 3. Start the container, attaching the extra files as volumes:

docker run --name apicast --rm -p 8080:8080 -e THREESCALE_DEPLOYMENT_ENV=production -e THREESCALE_PORTAL_ENDPOINT=https://<ACCESS_TOKEN>@<DOMAIN>-admin.3scale.net -v $(pwd)/certs:/opt/app-root/src/conf/certs -v $(pwd)/proxy_ssl.conf:/opt/app-root/src/apicast.d/location.d/proxy_ssl.conf quay.io/3scale/apicast:v3.1.0-rc1

OpenShift

Note: You should be logged in to the OpenShift cluster, and the project where APIcast is deployed should be selected. It is assumed that the name of the DeploymentConfig is apicast. If it is different, the instructions need to be adjusted.

Step 3. Create ConfigMaps with the files described above:

oc create configmap proxy-ssl-conf --from-file=./proxy_ssl.conf
oc create configmap certs --from-file=./certs 

Step 4. Mount the ConfigMaps as volumes:

oc set volume dc/apicast --add --name=proxy-ssl-conf --mount-path /opt/app-root/src/conf.d/proxy_ssl.conf --source='{"configMap":{"name":"proxy-ssl-conf","items":[{"key":"proxy_ssl.conf","path":"proxy_ssl.conf"}]}}'

oc set volume dc/apicast --add --name=certs --mount-path /opt/app-root/src/conf/certs --source='{"configMap":{"name":"certs"}}'

oc patch dc/apicast --type=json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/0/subPath", "value":"proxy_ssl.conf"}]'

Test

Make an API call as usual, and the API backend should receive a client certificate.

proxy_ssl.conf

proxy_ssl_certificate /opt/app-root/src/conf/certs/client.crt;
proxy_ssl_certificate_key /opt/app-root/src/conf/certs/client.key;
proxy_ssl_password_file /opt/app-root/src/conf/certs/password_file;
@FrederikBoelens

FrederikBoelens commented Oct 11, 2019

Is it also possible to change this configuration to support multiple backends that need client certs? Thank you!

@mayorova
Author

Hi @FrederikBoelens !
As far as I know, it is not currently possible, because the client certs can't be set programmatically (via Lua), see 3scale/APIcast#440 and the links provided there.

By the way, in the more recent versions of APIcast you don't need to overwrite the proxy_ssl.conf file, you just need to mount the certs files on the container, and then set the paths in the APICAST_PROXY_HTTPS_* environment variables, see https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_proxy_https_certificate_key.

@FrederikBoelens

FrederikBoelens commented Oct 14, 2019 via email

@mayorova
Author

@FrederikBoelens I am not aware of the plans for 2.8 (given that there are external dependencies that need to be met first), but yes, it looks like running multiple instances of APIcast in parallel should do the trick. You can limit the services that will be handled by one instance of APIcast using the APICAST_SERVICES_LIST env var: https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_services_list
