Current Behavior
Using mTLS for HTTPS Upstream with $env:// for Certificate and Private Key does not work. I think it does not resolve the variable "$env://API_UPSTREAM_KEY". It tries to decrypt it instead.
I haven't been able to figure out where the variables for Upstream TLS are resolved in the code yet.
I also configured the upstream TLS client directly (not via an extra SSL ID) - this works as expected. Maybe the env vars are not resolved when the SSL config is loaded via get_by_id(cert_id)?
I will try to add some debug logs in the next days.
init.lua: handle_upstream()
if api_ctx.matched_upstream and api_ctx.matched_upstream.tls and
   api_ctx.matched_upstream.tls.client_cert_id then
    local cert_id = api_ctx.matched_upstream.tls.client_cert_id
    local upstream_ssl = router.router_ssl.get_by_id(cert_id)
    if not upstream_ssl or upstream_ssl.type ~= "client" then
        local err = upstream_ssl and
                    "ssl type should be 'client'" or
                    "ssl id [" .. cert_id .. "] not exits"
        core.log.error("failed to get ssl cert: ", err)
        if is_http then
            return core.response.exit(502)
        end
        return ngx_exit(1)
    end
    core.log.info("matched ssl: ",
                  core.json.delay_encode(upstream_ssl, true))
    api_ctx.upstream_ssl = upstream_ssl
end
Expected Behavior
Using an nginx env variable should work for secrets like the private key.
Error Logs
ssl.lua:162: aes_decrypt_pkey(): base64 decode ssl key failed. key[$env://API_UPSTREAM_KEY] ...
Steps to Reproduce
- Run APISIX binary on Ubuntu
- Create Service with Upstream and refer to a SSL ID
- Create SSL with type=client
Used ADC, but curl to the Admin API does not work either.
services:
  - id: apigw-service
    name: apigw-service
    upstream:
      name: apigw-upstream
      type: roundrobin
      scheme: https
      pass_host: "node"
      nodes:
        - host: "example.com"
          port: 443
          weight: 1
      tls:
        client_cert_id: "UPSTREAM_CLIENT_CERT_ID"
    routes:
      - name: apigw-route
        plugins:
          proxy-rewrite:
            headers:
              set:
                apikey: "REDACTED"
        uris:
          - "/api/example-api"
        methods:
          - GET
ssls:
  - id: "UPSTREAM_CLIENT_CERT_ID"
    certificates:
      - certificate: "$env://API_UPSTREAM_CERT"
        key: "$env://API_UPSTREAM_KEY"
    snis:
      - "example.com"
    ssl_protocols:
      - TLSv1.2
      - TLSv1.3
    type: client
Environment
- APISIX version (run apisix version): 3.15.0
- Operating system (run uname -a): Ubuntu
- OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.27.1.2
- etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): -
- APISIX Dashboard version, if relevant: not used
- Plugin runner version, for issues related to plugin runners: -
- LuaRocks version, for installation issues (run luarocks --version): -
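As an added illustration of the behaviour the report expects, and not code from APISIX or the reporter: resolve $env:// references in an SSL object before it reaches the key-decrypt step, and fail closed when a variable is unset instead of passing the literal reference on. SAMPLE_SSL mirrors the ssls entry from the config above; the helper names and the environment dictionary are constructed for this example.

```python
import os
import re

# Matches APISIX-style secret references such as "$env://API_UPSTREAM_KEY".
ENV_REF = re.compile(r"^\$env://([A-Za-z_][A-Za-z0-9_]*)$")

# Constructed stand-in for the "ssls" entry in the issue's ADC config.
SAMPLE_SSL = {
    "id": "UPSTREAM_CLIENT_CERT_ID",
    "type": "client",
    "certificates": [
        {"certificate": "$env://API_UPSTREAM_CERT", "key": "$env://API_UPSTREAM_KEY"},
    ],
}


class UnresolvedSecretRef(ValueError):
    """A $env:// reference that was never replaced by the variable's value."""


def resolve_env_ref(value, env=None):
    """Return the environment value for a "$env://NAME" string; other strings pass through.

    Fails closed: an unset variable raises instead of returning the literal reference,
    which is exactly the string that later breaks base64/PEM parsing of the key."""
    env = os.environ if env is None else env
    m = ENV_REF.match(value)
    if not m:
        return value
    name = m.group(1)
    if name not in env:
        raise UnresolvedSecretRef(f"{value}: environment variable {name} is not set")
    return env[name]


def resolve_ssl_object(ssl_obj, env=None):
    """Return a copy of an SSL object with every certificate/key reference resolved."""
    out = dict(ssl_obj)  # shallow copy; the caller's object is left untouched
    out["certificates"] = [
        {k: resolve_env_ref(v, env) if k in ("certificate", "key") else v
         for k, v in cert.items()}
        for cert in ssl_obj.get("certificates", [])
    ]
    return out


def looks_like_pem(value):
    """Sanity check that what reaches the TLS layer is PEM text, not an unresolved reference."""
    return value.startswith("-----BEGIN ") and not ENV_REF.match(value)
```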