Configure Upstream HTTPS

TLS (Transport Layer Security) is a cryptographic protocol designed to secure communication between two parties, such as a web browser and a web server. Services often require TLS if traffic between the API gateway and upstream services is not considered secure or private.

This guide will show you how to configure TLS between APISIX and an upstream service.

Prerequisite(s)

• Install Docker.
• Install cURL to send requests to the services for validation.
• Install and run APISIX, or follow the Getting Started tutorial to start a new APISIX instance in Docker.

Create a Route With TLS Enabled

Create a route to an example upstream httpbin.org on its default HTTPS port 443:

Admin API

curl -i "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
  "id": "quickstart-tls-upstream",
  "uri": "/ip",
  "upstream": {
    "scheme": "https",
    "nodes": {
      "httpbin.org:443":1
    },
    "type": "roundrobin"
  }
}'

❶ Configure scheme as https

❷ Configure port as 443

ADC

adc.yaml

services:
  - name: httpbin Service
    routes:
      - uris:
          - /ip
        name: quickstart-tls-upstream
    upstream:
      type: roundrobin
      scheme: https
      nodes:
        - host: httpbin.org
          port: 443
          weight: 1

❶ Configure scheme as https

❷ Configure port as 443

Synchronize the configuration to APISIX:

adc sync -f adc.yaml

Ingress Controller

Gateway API

https-route.yaml

apiVersion: v1
kind: Service
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  type: ExternalName
  externalName: httpbin.org
---
apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
  namespace: ingress-apisix
  name: passhost-node
spec:
  targetRefs:
  - name: httpbin-external-domain
    kind: Service
    group: ""
  passHost: node
  scheme: https
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: ingress-apisix
  name: quickstart-tls-upstream
spec:
  parentRefs:
  - name: apisix
  rules:
  - matches:
    - path:
        type: Exact
        value: /ip
    backendRefs:
    - name: httpbin-external-domain
      port: 443

APISIX CRD

https-route.yaml

apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  namespace: ingress-apisix
  name: httpbin-external-domain
spec:
  scheme: https
  passHost: node
  externalNodes:
  - type: Domain
    name: httpbin.org
    port: 443
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  namespace: ingress-apisix
  name: quickstart-tls-upstream
spec:
  ingressClassName: apisix
  http:
    - name: quickstart-tls-upstream
      match:
        paths:
          - /ip
      upstreams:
      - name: httpbin-external-domain

Apply the configuration to your cluster:

kubectl apply -f https-route.yaml

Test TLS between APISIX and Upstream

Send a request to the route:

curl -i "http://127.0.0.1:9080/ip"

An HTTP/1.1 200 OK response verifies that APISIX has successfully established a connection and communicated with the upstream service over HTTPS.

Next Steps

APISIX also supports TLS connection between clients and APISIX. See configure HTTPS between Client and APISIX.