[WIP] feature: supported https client request.

.travis.yml

@@ -20,7 +20,7 @@ addons:
 
 env:
   global:
-    - OPENRESTY_PREFIX=/usr/local/openresty
+    - OPENRESTY_PREFIX=/usr/local/openresty-debug
 
 before_install:
   - sudo cpanm --notest Test::Nginx IPC::Run > build.log 2>&1 || (cat build.log && exit 1)
@@ -30,7 +30,7 @@ install:
   - sudo apt-get -y install software-properties-common
   - sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"
   - sudo apt-get update
-  - sudo apt-get install openresty
+  - sudo apt-get install openresty-debug
   - sudo luarocks install apisix-*.rockspec --only-deps
   - git clone https://github.com/openresty/test-nginx.git test-nginx
 

Makefile

@@ -65,9 +65,10 @@ reload:
 .PHONY: install
 install:
 	$(INSTALL) -d /usr/local/apisix/logs/
-	$(INSTALL) -d /usr/local/apisix/conf/
+	$(INSTALL) -d /usr/local/apisix/conf/cert
 	$(INSTALL) conf/mime.types /usr/local/apisix/conf/mime.types
 	$(INSTALL) conf/config.yaml /usr/local/apisix/conf/config.yaml
+	$(INSTALL) conf/cert/apisix.* /usr/local/apisix/conf/cert/
 
 	$(INSTALL) -d $(INST_LUADIR)/apisix/lua/apisix/core
 	$(INSTALL) lua/*.lua $(INST_LUADIR)/apisix/lua/

apisix-0.4-3.rockspec → apisix-0.4-4.rockspec

@@ -1,5 +1,5 @@
 package = "apisix"
-version = "0.4-3"
+version = "0.4-4"
 supported_platforms = {"linux", "macosx"}
 
 source = {
@@ -15,7 +15,7 @@ description = {
 }
 
 dependencies = {
-   "lua-resty-libr3 = 0.5",
+   "lua-resty-libr3 = 0.6",
    "lua-resty-template = 1.9-1",
    "lua-resty-etcd = 0.5",
    "lua-resty-balancer = 0.02rc5",

bin/apisix

@@ -119,6 +119,10 @@ http {
 
     server {
         listen {* node_listen *};
+        listen 9443 ssl;
+        ssl_certificate      cert/apisix.crt;
+        ssl_certificate_key  cert/apisix.key;
+        ssl_session_cache    shared:SSL:1m;
 
         include mime.types;
 
@@ -271,7 +275,8 @@ local function init_etcd(show_output)
     local uri = etcd_conf.host .. "/v2/keys" .. (etcd_conf.prefix or "")
 
     for _, dir_name in ipairs({"/routes", "/upstreams", "/services",
-                               "/plugins", "/consumers", "/node_status"}) do
+                               "/plugins", "/consumers", "/node_status",
+                               "/ssl"}) do
         local cmd = "curl " .. uri .. dir_name
                     .. "?prev_exist=false -X PUT -d dir=true 2>&1"
         local res = exec(cmd)

conf/cert/apisix.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
+BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G
+A1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa
+GA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n
+RG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM
+CHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe
+cvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4oNFLLSqcVb
+VDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfoeLj0efMiOepOSZflj9Ob4yKR
+2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5smPtW1Oc/BV5terhscJdOgmRr
+abf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt6iMWEGeQU6mwPENgvj1olji2
+WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiyVt1TmtMWn1ztk6FfLRqwJWR/
+Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1onpRVeXhrBajbCRDRBMwaNw/1
+/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2fzaqpIfyUbPST4GdqNG9NyIh
+/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI1cGrGwyXbrieNp63AgMBAAGj
+cTBvMB0GA1UdDgQWBBSZtSvV8mBwl0bpkvFtgyiOUUcbszAfBgNVHSMEGDAWgBSZ
+tSvV8mBwl0bpkvFtgyiOUUcbszAMBgNVHRMEBTADAQH/MB8GA1UdEQQYMBaCCHRl
+c3QuY29tggoqLnRlc3QuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQAHGEul/x7ViVgC
+tC8CbXEslYEkj1XVr2Y4hXZXAXKd3W7V3TC8rqWWBbr6L/tsSVFt126V5WyRmOaY
+1A5pju8VhnkhYxYfZALQxJN2tZPFVeME9iGJ9BE1wPtpMgITX8Rt9kbNlENfAgOl
+PYzrUZN1YUQjX+X8t8/1VkSmyZysr6ngJ46/M8F16gfYXc9zFj846Z9VST0zCKob
+rJs3GtHOkS9zGGldqKKCj+Awl0jvTstI4qtS1ED92tcnJh5j/SSXCAB5FgnpKZWy
+hme45nBQj86rJ8FhN+/aQ9H9/2Ib6Q4wbpaIvf4lQdLUEcWAeZGW6Rk0JURwEog1
+7/mMgkapDglgeFx9f/XztSTrkHTaX4Obr+nYrZ2V4KOB4llZnK5GeNjDrOOJDk2y
+IJFgBOZJWyS93dQfuKEj42hA79MuX64lMSCVQSjX+ipR289GQZqFrIhiJxLyA+Ve
+U/OOcSRr39Kuis/JJ+DkgHYa/PWHZhnJQBxcqXXk1bJGw9BNbhM=
+-----END CERTIFICATE-----

conf/cert/apisix.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAyCM0rqJecvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5
+jhZB3W6BkWUWR4oNFLLSqcVbVDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfo
+eLj0efMiOepOSZflj9Ob4yKR2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5s
+mPtW1Oc/BV5terhscJdOgmRrabf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt
+6iMWEGeQU6mwPENgvj1olji2WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiy
+Vt1TmtMWn1ztk6FfLRqwJWR/Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1o
+npRVeXhrBajbCRDRBMwaNw/1/3Uvza8QKK10PzQR6OcQ0xo9psMkd9j9ts/dTuo2
+fzaqpIfyUbPST4GdqNG9NyIh/B9g26/0EWcjyO7mYVkaycrtLMaXm1u9jyRmcQQI
+1cGrGwyXbrieNp63AgMBAAECggGBAJM8g0duoHmIYoAJzbmKe4ew0C5fZtFUQNmu
+O2xJITUiLT3ga4LCkRYsdBnY+nkK8PCnViAb10KtIT+bKipoLsNWI9Xcq4Cg4G3t
+11XQMgPPgxYXA6m8t+73ldhxrcKqgvI6xVZmWlKDPn+CY/Wqj5PA476B5wEmYbNC
+GIcd1FLl3E9Qm4g4b/sVXOHARF6iSvTR+6ol4nfWKlaXSlx2gNkHuG8RVpyDsp9c
+z9zUqAdZ3QyFQhKcWWEcL6u9DLBpB/gUjyB3qWhDMe7jcCBZR1ALyRyEjmDwZzv2
+jlv8qlLFfn9R29UI0pbuL1eRAz97scFOFme1s9oSU9a12YHfEd2wJOM9bqiKju8y
+DZzePhEYuTZ8qxwiPJGy7XvRYTGHAs8+iDlG4vVpA0qD++1FTpv06cg/fOdnwshE
+OJlEC0ozMvnM2rZ2oYejdG3aAnUHmSNa5tkJwXnmj/EMw1TEXf+H6+xknAkw05nh
+zsxXrbuFUe7VRfgB5ElMA/V4NsScgQKBwQDmMRtnS32UZjw4A8DsHOKFzugfWzJ8
+Gc+3sTgs+4dNIAvo0sjibQ3xl01h0BB2Pr1KtkgBYB8LJW/FuYdCRS/KlXH7PHgX
+84gYWImhNhcNOL3coO8NXvd6+m+a/Z7xghbQtaraui6cDWPiCNd/sdLMZQ/7LopM
+RbM32nrgBKMOJpMok1Z6zsPzT83SjkcSxjVzgULNYEp03uf1PWmHuvjO1yELwX9/
+goACViF+jst12RUEiEQIYwr4y637GQBy+9cCgcEA3pN9W5OjSPDVsTcVERig8++O
+BFURiUa7nXRHzKp2wT6jlMVcu8Pb2fjclxRyaMGYKZBRuXDlc/RNO3uTytGYNdC2
+IptU5N4M7iZHXj190xtDxRnYQWWo/PR6EcJj3f/tc3Itm1rX0JfuI3JzJQgDb9Z2
+s/9/ub8RRvmQV9LM/utgyOwNdf5dyVoPcTY2739X4ZzXNH+CybfNa+LWpiJIVEs2
+txXbgZrhmlaWzwA525nZ0UlKdfktdcXeqke9eBghAoHARVTHFy6CjV7ZhlmDEtqE
+U58FBOS36O7xRDdpXwsHLnCXhbFu9du41mom0W4UdzjgVI9gUqG71+SXrKr7lTc3
+dMHcSbplxXkBJawND/Q1rzLG5JvIRHO1AGJLmRgIdl8jNgtxgV2QSkoyKlNVbM2H
+Wy6ZSKM03lIj74+rcKuU3N87dX4jDuwV0sPXjzJxL7NpR/fHwgndgyPcI14y2cGz
+zMC44EyQdTw+B/YfMnoZx83xaaMNMqV6GYNnTHi0TO2TAoHBAKmdrh9WkE2qsr59
+IoHHygh7Wzez+Ewr6hfgoEK4+QzlBlX+XV/9rxIaE0jS3Sk1txadk5oFDebimuSk
+lQkv1pXUOqh+xSAwk5v88dBAfh2dnnSa8HFN3oz+ZfQYtnBcc4DR1y2X+fVNgr3i
+nxruU2gsAIPFRnmvwKPc1YIH9A6kIzqaoNt1f9VM243D6fNzkO4uztWEApBkkJgR
+4s/yOjp6ovS9JG1NMXWjXQPcwTq3sQVLnAHxZRJmOvx69UmK4QKBwFYXXjeXiU3d
+bcrPfe6qNGjfzK+BkhWznuFUMbuxyZWDYQD5yb6ukUosrj7pmZv3BxKcKCvmONU+
+CHgIXB+hG+R9S2mCcH1qBQoP/RSm+TUzS/Bl2UeuhnFZh2jSZQy3OwryUi6nhF0u
+LDzMI/6aO1ggsI23Ri0Y9ZtqVKczTkxzdQKR9xvoNBUufjimRlS80sJCEB3Qm20S
+wzarryret/7GFW1/3cz+hTj9/d45i25zArr3Pocfpur5mfz3fJO8jg==
+-----END RSA PRIVATE KEY-----

conf/cert/openssl.conf

@@ -0,0 +1,24 @@
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CN
+ST = GuangDong
+L = ZhuHai
+O = iresty
+CN = test.com
+
+[v3_req]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:TRUE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = test.com
+DNS.2 = *.test.com
+
+## openssl genrsa -out apisix.key 3072 -nodes
+## openssl req -new -x509 -key apisix.key -sha256 -config openssl.conf -out apisix.crt -days 36500

conf/nginx.conf

@@ -66,6 +66,11 @@ http {
     }
 
     server {
+        listen 9443 ssl;
+        ssl_certificate      cert/apisix.crt;
+        ssl_certificate_key  cert/apisix.key;
+        ssl_session_cache    shared:SSL:1m;
+
         listen 9080;
 
         include mime.types;
@@ -83,6 +88,10 @@ http {
             }
         }
 
+        ssl_certificate_by_lua_block {
+            apisix.ssl_phase()
+        }
+
         location / {
             set $upstream_scheme             'http';
             set $upstream_host               $host;

lua/apisix.lua

@@ -6,11 +6,13 @@ local router = require("apisix.route").get
 local plugin = require("apisix.plugin")
 local load_balancer = require("apisix.balancer").run
 local service_fetch = require("apisix.service").get
+local ssl_match = require("apisix.ssl").match
 local admin_init = require("apisix.admin.init")
 local get_var = require("resty.ngxvar").fetch
 local ngx = ngx
 local get_method = ngx.req.get_method
 local ngx_exit = ngx.exit
+local ngx_ERROR = ngx.ERROR
 local math = math
 local match_opts = {}
 
@@ -49,6 +51,7 @@ function _M.init_worker()
     require("apisix.consumer").init_worker()
     require("apisix.heartbeat").init_worker()
     require("apisix.admin.init").init_worker()
+    require("apisix.ssl").init_worker()
 end
 
 
@@ -87,24 +90,40 @@ local function run_plugin(phase, plugins, api_ctx)
 end
 
 
+function _M.ssl_phase()
+    local ngx_ctx = ngx.ctx
+    local api_ctx = ngx_ctx.api_ctx
+
+    if api_ctx == nil then
+        api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
+        ngx_ctx.api_ctx = api_ctx
+    end
+
+    local ok, err = ssl_match(api_ctx)
+    if not ok then
+        if err then
+            core.log.error("failed to fetch ssl config: ", err)
+        end
+        return ngx_exit(ngx_ERROR)
+    end
+end
+
+
 function _M.access_phase()
     local ngx_ctx = ngx.ctx
     local api_ctx = ngx_ctx.api_ctx
 
     if api_ctx == nil then
         api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
+        ngx_ctx.api_ctx = api_ctx
     end
 
     core.ctx.set_vars_meta(api_ctx)
-    ngx_ctx.api_ctx = api_ctx
-
     core.table.clear(match_opts)
     match_opts.method = api_ctx.var.method
     match_opts.host = api_ctx.var.host
-    api_ctx.uri_parse_param = core.tablepool.fetch("uri_parse_param", 0, 4)
 
-    local ok = router():dispatch2(api_ctx.uri_parse_param,
-                                  api_ctx.var.uri, match_opts, api_ctx)
+    local ok = router():dispatch2(nil, api_ctx.var.uri, match_opts, api_ctx)
     if not ok then
         core.log.info("not find any matched route")
         return core.response.exit(404)
@@ -165,11 +184,15 @@ end
 function _M.log_phase()
     local api_ctx = run_plugin("log")
     if api_ctx then
-        core.tablepool.release("uri_parse_param", api_ctx.uri_parse_param)
+        if api_ctx.uri_parse_param then
+            core.tablepool.release("uri_parse_param", api_ctx.uri_parse_param)
+        end
+
         core.ctx.release_vars(api_ctx)
         if api_ctx.plugins then
             core.tablepool.release("plugins", api_ctx.plugins)
         end
+
         core.tablepool.release("api_ctx", api_ctx)
     end
 end

lua/apisix/admin/init.lua

@@ -6,11 +6,12 @@ local ngx = ngx
 
 
 local resources = {
-    routes   = require("apisix.admin.routes"),
-    services = require("apisix.admin.services"),
+    routes    = require("apisix.admin.routes"),
+    services  = require("apisix.admin.services"),
     upstreams = require("apisix.admin.upstreams"),
     consumers = require("apisix.admin.consumers"),
-    schema = require("apisix.admin.schema"),
+    schema    = require("apisix.admin.schema"),
+    ssl       = require("apisix.admin.ssl"),
 }
 
 
@@ -52,17 +53,17 @@ end
 
 local uri_route = {
     {
-        uri = [[/apisix/admin/{res:routes|services|upstreams|consumers}]],
+        path = [[/apisix/admin/{res:routes|services|upstreams|consumers|ssl}]],
         handler = run
     },
     {
-        uri = [[/apisix/admin/{res:routes|services|upstreams|consumers}]]
+        path = [[/apisix/admin/{res:routes|services|upstreams|consumers|ssl}]]
                 .. [[/{id:[\d\w_]+}]],
         handler = run
     },
     {
-        uri = [[/apisix/admin/{res:schema}/]]
-                .. [[{id:route|service|upstream|consumer}]],
+        path = [[/apisix/admin/{res:schema}/]]
+                .. [[{id:route|service|upstream|consumer|ssl}]],
         handler = run
     },
 }