Configure Upstream HTTPS
TLS (Transport Layer Security) is a cryptographic protocol designed to secure communication between two parties, such as a web browser and a web server. Services often require TLS if traffic between the API gateway and upstream services is not considered secure or private.
This guide will show you how to configure TLS between APISIX and an upstream service.

Prerequisite(s)
- Install Docker.
- Install cURL to send requests to the services for validation.
- Install and run APISIX, or follow the Getting Started tutorial to start a new APISIX instance in Docker.
Create a Route With TLS Enabled
Create a route to an example upstream httpbin.org on its default HTTPS port 443:
- Admin API
- ADC
- Ingress Controller

Admin API:

curl -i "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
  "id": "quickstart-tls-upstream",
  "uri": "/ip",
  "upstream": {
    "scheme": "https",
    "nodes": {
      "httpbin.org:443": 1
    },
    "type": "roundrobin"
  }
}'

❶ Configure scheme as https
❷ Configure port as 443

ADC:

services:
  - name: httpbin Service
    routes:
      - uris:
          - /ip
        name: quickstart-tls-upstream
    upstream:
      type: roundrobin
      scheme: https
      nodes:
        - host: httpbin.org
          port: 443
          weight: 1

❶ Configure scheme as https
❷ Configure port as 443

Synchronize the configuration to APISIX:

adc sync -f adc.yaml

Ingress Controller:

Gateway API:

apiVersion: v1
kind: Service
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  type: ExternalName
  externalName: httpbin.org
---
apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
  namespace: ingress-apisix
  name: passhost-node
spec:
  targetRefs:
    - name: httpbin-external-domain
      kind: Service
      group: ""
  passHost: node
  scheme: https
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: quickstart-tls-upstream
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /ip
      backendRefs:
        - name: httpbin-external-domain
          port: 443

APISIX CRD:

apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  scheme: https
  passHost: node
  externalNodes:
    - type: Domain
      name: httpbin.org
      port: 443
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  namespace: ingress-apisix
  name: quickstart-tls-upstream
spec:
  ingressClassName: apisix
  http:
    - name: quickstart-tls-upstream
      match:
        paths:
          - /ip
      upstreams:
        - name: httpbin-external-domain

Apply the configuration to your cluster:

kubectl apply -f https-route.yaml
Test TLS between APISIX and Upstream
Send a request to the route:
curl -i "http://127.0.0.1:9080/ip"
An HTTP/1.1 200 OK response verifies that APISIX has successfully established a connection and communicated with the upstream service over HTTPS.
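
To check stored route definitions rather than a single response, the following added example (not part of the APISIX documentation) lints route objects in the Admin API shape used above and reports any upstream hop that is not configured for HTTPS. The names iter_nodes, audit_route and audit_all and the two weakened sample routes are constructed for illustration; it assumes APISIX treats an omitted scheme as http and it runs offline on embedded input.

```python
import json

def iter_nodes(nodes):
    """Yield (host, port) from either Admin API node form: a map or a list."""
    if isinstance(nodes, dict):                      # {"httpbin.org:443": 1}
        for key in nodes:
            host, sep, port = key.rpartition(":")
            yield (host, int(port)) if sep and port.isdigit() else (key, None)
    else:                                            # [{"host": ..., "port": ...}]
        for node in nodes or []:
            yield node.get("host"), node.get("port")

def audit_route(route):
    """Return findings for one route; an empty list means the hop is HTTPS."""
    rid = route.get("id", "<no id>")
    up = route.get("upstream")
    if up is None:
        return [f"{rid}: no inline upstream, audit the referenced upstream instead"]
    # Assumption: APISIX treats an omitted scheme as plain http.
    scheme = up.get("scheme", "http")
    findings = []
    for host, port in iter_nodes(up.get("nodes")):
        if scheme != "https":
            note = f"{rid}: {host}:{port} is proxied with scheme '{scheme}'"
            if port == 443:
                note += " (plaintext HTTP sent to a TLS port)"
            findings.append(note)
    return findings

# Constructed sample input: the route from this guide plus two weakened variants.
SAMPLE_ROUTES = json.loads("""
[
  {"id": "quickstart-tls-upstream", "uri": "/ip",
   "upstream": {"scheme": "https", "type": "roundrobin",
                "nodes": {"httpbin.org:443": 1}}},
  {"id": "sample-scheme-omitted", "uri": "/ip",
   "upstream": {"type": "roundrobin", "nodes": {"httpbin.org:443": 1}}},
  {"id": "sample-plain-http", "uri": "/ip",
   "upstream": {"scheme": "http", "type": "roundrobin",
                "nodes": [{"host": "httpbin.org", "port": 80, "weight": 1}]}}
]
""")

def audit_all(routes):
    """Map route id -> findings, keeping only routes that have findings."""
    report = {r.get("id"): audit_route(r) for r in routes}
    return {rid: f for rid, f in report.items() if f}

if __name__ == "__main__":
    for rid, findings in audit_all(SAMPLE_ROUTES).items():
        print("\n".join(findings))
```

The route from this guide produces no findings; the two constructed variants are each reported once.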
Next Steps
APISIX also supports TLS connections between clients and APISIX. See Configure HTTPS between Client and APISIX.