help request: https access apisix ssl error
Description
When nginx is used on the client side and the upstream node it calls is APISIX, the handshake may fail when using HTTPS.
The current solution to the problem is to add proxy_ssl_server_name on, but we have more than 2000 proxy domain names.
After capturing packets, we found that the SNI information carrying the server name is missing, which we suspect is caused by the APISIX config ssl: radixtree_sni. Is there any way to solve this problem?
client nginx config:
    location ^~/FLY_PROXY/ {
        proxy_pass https://fly-front-api.gwm.cn/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
Comparison of packet capture information
Environment
- APISIX version (run apisix version): 3.2.2
- Operating system (run uname -a): Linux iZjm301h1rdw50h8km2hwuZ 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
- OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.21.4.1
- etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run luarocks --version):
Due to the large number of callers, it is not convenient to request the other party to add all parameters to solve the problem
When Nginx sends HTTPS requests to APISIX as a client, it does not send SNI (Server Name Indication) information by default, and APISIX uses SNI to match the corresponding SSL certificate by default.
The simplest solution is to set the fallback_sni parameter in the APISIX configuration file. That way, when the client does not provide SNI information, APISIX will use this default value:
    apisix:
      ssl:
        fallback_sni:
If there is still a problem, please open it again.