This document describes the steps to enable mutual SSL in APIcast. The instructions are provided for Docker and OpenShift.
Note: this approach will only work in APIcast v3.1.0-rc1 and later.
Prerequisites:
- client certificates (a certificate and its private key, both in PEM format)
- an API backend that accepts (and, ideally, requires) client certificates
Docker:
Step 1. Create a directory named certs in your current working directory, and place the following files there:
- client.crt - the client certificate in PEM format
- client.key - the private key in PEM format
- password_file - a file containing the passphrase of the private key. It is needed only if the key is encrypted: without it nginx prompts for the passphrase on start, which cannot work inside a container. If the key is not encrypted, skip this file.
Step 2. Create a file named proxy_ssl.conf in the current directory (its contents are provided in this Gist). It holds the nginx proxy_ssl_* directives that point at the files in certs, which is what makes APIcast present the client certificate when it opens the TLS connection to the API backend.
Step 3. Start the container, attaching the extra files as volumes:
docker run --name apicast --rm -p 8080:8080 \
  -e THREESCALE_DEPLOYMENT_ENV=production \
  -e THREESCALE_PORTAL_ENDPOINT=https://<ACCESS_TOKEN>@<DOMAIN>-admin.3scale.net \
  -v $(pwd)/certs:/opt/app-root/src/conf/certs \
  -v $(pwd)/proxy_ssl.conf:/opt/app-root/src/apicast.d/location.d/proxy_ssl.conf \
  quay.io/3scale/apicast:v3.1.0-rc1
The first -v flag makes the certificates available at /opt/app-root/src/conf/certs inside the container, and the second drops proxy_ssl.conf into the location.d include directory of APIcast's nginx configuration. The file paths used in proxy_ssl.conf must therefore be these in-container paths, not the paths on the host.
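As an added example (not part of this Gist), the following POSIX shell script checks the certs directory from Step 1 for the mistakes nginx otherwise only reports at container start, and writes a proxy_ssl.conf for Step 2. It assumes openssl is on PATH, the file names listed above, and that certs is mounted at /opt/app-root/src/conf/certs inside the container as in the docker run command. The proxy_ssl_* directives are nginx's upstream client-certificate directives; the commented-out proxy_ssl_verify lines are an optional hardening step, not something the Gist describes.

```shell
#!/bin/sh
# Added example, not the Gist's own file. Assumes openssl on PATH and the
# in-container mount path used by the docker run command above.
CERTS_IN_CONTAINER=/opt/app-root/src/conf/certs

# Return 0 when DIR holds a usable client.crt/client.key pair (plus an optional
# password_file); otherwise print the reason to stderr and return 1.
check_certs_dir() {
  dir=$1
  crt=$dir/client.crt; key=$dir/client.key; pass=$dir/password_file
  [ -r "$crt" ] || { echo "missing $crt" >&2; return 1; }
  [ -r "$key" ] || { echo "missing $key" >&2; return 1; }
  # nginx expects PEM; a DER or PKCS#12 file is rejected at startup.
  openssl x509 -in "$crt" -noout >/dev/null 2>&1 \
    || { echo "client.crt is not a PEM certificate" >&2; return 1; }
  # An expired client certificate is refused by the backend, not by nginx.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "client.crt has expired" >&2; return 1; }
  # Use the passphrase file when present, otherwise expect an unencrypted key.
  if [ -r "$pass" ]; then set -- -passin "file:$pass"; else set --; fi
  openssl pkey -in "$key" "$@" -noout >/dev/null 2>&1 \
    || { echo "client.key unreadable: not PEM, or wrong/missing passphrase" >&2; return 1; }
  # The public key inside the certificate must equal the key's public half,
  # otherwise the TLS handshake fails with a signature error.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" "$@" -pubout)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "client.key does not match client.crt" >&2; return 1; }
  return 0
}

# Write the nginx snippet for Step 2 to OUT, referencing the in-container paths.
# proxy_ssl_password_file is emitted only when DIR contains password_file.
write_proxy_ssl_conf() {
  dir=$1; out=$2
  {
    echo "proxy_ssl_certificate $CERTS_IN_CONTAINER/client.crt;"
    echo "proxy_ssl_certificate_key $CERTS_IN_CONTAINER/client.key;"
    [ -r "$dir/password_file" ] \
      && echo "proxy_ssl_password_file $CERTS_IN_CONTAINER/password_file;"
    # Send SNI so a backend hosting several names selects the right server cert.
    echo "proxy_ssl_server_name on;"
    # Optional (assumed, not from the Gist): also verify the backend's certificate.
    # nginx defaults to proxy_ssl_verify off, i.e. it trusts any backend cert.
    echo "# proxy_ssl_trusted_certificate $CERTS_IN_CONTAINER/backend-ca.crt;"
    echo "# proxy_ssl_verify on;"
  } > "$out"
}

# Usage: sh prepare_mutual_ssl.sh ./certs ./proxy_ssl.conf
if [ $# -eq 2 ]; then
  check_certs_dir "$1" && write_proxy_ssl_conf "$1" "$2" && echo "wrote $2"
fi
```

Run it against the certs directory before starting the container; a non-zero exit with a message on stderr is cheaper to debug than a crash-looping APIcast.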
OpenShift:
Prepare the certs directory and proxy_ssl.conf as in Steps 1 and 2 above, then continue here.
Note: You should be logged in to the OpenShift cluster, and the project where APIcast is deployed should be selected. It is assumed that the name of the DeploymentConfig is apicast. If it is different, adjust the commands below accordingly.
Step 3. Create ConfigMaps with the files described above. Keep in mind that client.key is a private key and a ConfigMap is neither encrypted at rest nor restricted beyond project-level read access; for anything other than a test setup, store the certs directory in a Secret instead and reference it as the volume source in Step 4.
oc create configmap proxy-ssl-conf --from-file=./proxy_ssl.conf
oc create configmap certs --from-file=./certs
Step 4. Mount the ConfigMaps as volumes:
oc set volume dc/apicast --add --name=proxy-ssl-conf --mount-path /opt/app-root/src/conf.d/proxy_ssl.conf --source='{"configMap":{"name":"proxy-ssl-conf","items":[{"key":"proxy_ssl.conf","path":"proxy_ssl.conf"}]}}'
oc set volume dc/apicast --add --name=certs --mount-path /opt/app-root/src/conf/certs --source='{"configMap":{"name":"certs"}}'
oc patch dc/apicast --type=json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/0/subPath", "value":"proxy_ssl.conf"}]'
The patch is needed because a ConfigMap volume without subPath is mounted as a directory: proxy_ssl.conf would become a directory containing the file, and nginx would not include it. The patch assumes the proxy-ssl-conf mount is the first entry (index 0) of the container's volumeMounts, which is true when the DeploymentConfig had no volumes before; check the order of volumeMounts in the DeploymentConfig before running it. Note also that this mounts proxy_ssl.conf under conf.d, whereas the Docker command above mounts it under apicast.d/location.d; the directives only take effect if the file lands in a directory that the nginx.conf of your APIcast version includes, so verify which of the two that is.
Make an API call as usual, and the API backend should receive a client certificate. If the backend enforces client certificates, a request made before this setup is rejected by the backend and one made after it succeeds, so comparing the backend's response (or its access log) before and after is the quickest check that the certificate is actually being presented.
Is it also possible to change this configuration to support multiple backends that need client certs? Thank you!