This document describes the steps to enable mutual SSL in APIcast. The instructions are provided for Docker and OpenShift.
Note: this approach will only work in APIcast v3.1.0-rc1 and later.
- client certificates
- API backend that accepts client certificates
Step 1. Create a directory certs in your current working directory, and place the following files there:
- client.crt - certificate in PEM format
- client.key - secret key in PEM format
- password_file - file containing the passphrase for the secret key (needed only if the key is protected with a passphrase, because otherwise nginx requests it interactively on start; if the key has no passphrase, skip this file)
Step 2. Create a file proxy_ssl.conf in the current directory (provided in this Gist).
Step 3. Start the container, attaching the extra files as volumes:
docker run --name apicast --rm -p 8080:8080 -e THREESCALE_DEPLOYMENT_ENV=production -e THREESCALE_PORTAL_ENDPOINT=https://<ACCESS_TOKEN>@<DOMAIN>-admin.3scale.net -v $(pwd)/certs:/opt/app-root/src/conf/certs -v $(pwd)/proxy_ssl.conf:/opt/app-root/src/apicast.d/location.d/proxy_ssl.conf quay.io/3scale/apicast:v3.1.0-rc1
Note: You should be logged in to the OpenShift cluster, and the project where APIcast is deployed should be selected. It is assumed that the name of the DeploymentConfig is apicast. If it is different, the instructions need to be adjusted.
Step 3. Create ConfigMaps with the files described above:
oc create configmap proxy-ssl-conf --from-file=./proxy_ssl.conf
oc create configmap certs --from-file=./certs
Step 4. Mount the ConfigMaps as volumes:
oc set volume dc/apicast --add --name=proxy-ssl-conf --mount-path /opt/app-root/src/conf.d/proxy_ssl.conf --source='{"configMap":{"name":"proxy-ssl-conf","items":[{"key":"proxy_ssl.conf","path":"proxy_ssl.conf"}]}}'
oc set volume dc/apicast --add --name=certs --mount-path /opt/app-root/src/conf/certs --source='{"configMap":{"name":"certs"}}'
oc patch dc/apicast --type=json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/0/subPath", "value":"proxy_ssl.conf"}]'
Make an API call as usual, and the API backend should receive a client certificate.
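The proxy_ssl.conf referenced in Step 2 is not reproduced on this page. The following is an added illustration of what such a file contains, not the Gist's own file or the APIcast project's code. It assumes the certs directory is mounted at /opt/app-root/src/conf/certs as in the commands above; the ca.crt file and the backend verification directives are assumptions beyond what the page describes.

```nginx
# Added example of a proxy_ssl.conf for mutual TLS towards the API backend.
# Not the Gist's own file. Paths match the volume mount used above; ca.crt is
# an assumed extra file holding the CA that signed the backend's certificate.

# Client certificate and key that nginx presents to the backend (PEM).
proxy_ssl_certificate     /opt/app-root/src/conf/certs/client.crt;
proxy_ssl_certificate_key /opt/app-root/src/conf/certs/client.key;

# Only needed when client.key is passphrase-protected; without this line
# nginx asks for the passphrase interactively at startup.
proxy_ssl_password_file   /opt/app-root/src/conf/certs/password_file;

# Verify the backend's certificate as well (assumed hardening, not in the
# page); with proxy_ssl_verify off, nginx accepts any certificate the
# upstream presents, so the client certificate could be sent to an impostor.
proxy_ssl_verify              on;
proxy_ssl_verify_depth        2;
proxy_ssl_trusted_certificate /opt/app-root/src/conf/certs/ca.crt;

# Send SNI so the backend can select the right certificate, and avoid
# legacy protocol versions.
proxy_ssl_server_name on;
proxy_ssl_protocols   TLSv1.2;
```

The file is mounted into the location.d (Docker) or conf.d (OpenShift) directory shown in the commands above, so the directives apply to proxied requests.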
Hi @FrederikBoelens !
As far as I know, it is not currently possible, because the client certs can't be set programmatically (via Lua), see 3scale/APIcast#440 and the links provided there.
By the way, in the more recent versions of APIcast you don't need to overwrite the proxy_ssl.conf file, you just need to mount the certs files on the container, and then set the paths in the APICAST_PROXY_HTTPS_* environment variables, see https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_proxy_https_certificate_key.