apisix 使用

版本

apisix：2.11.0

apisix-dashboard：2.10.1

APISIX

内外网隔离

新建一条高级匹配条件，使用server_port内置参数：

配置 https

第一步：conf/config.yaml

apisix:
  ssl:
    enable: true
    listen:
      - 9443
    enable_http2: true
    # example.com 为默认证书的 sni
    fallback_sni: example.com

第二步：上传 SSL 证书

1. 可以通过接口上传https://apisix.apache.org/zh/docs/apisix/admin-api#ssl
2. 可以通过 dashboard 上传

配置 ETCD TLS

conf/config.yaml

apisix:
  config_center: etcd
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
etcd:
  host:
    - "https://etcd:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true

注意

• 如果verify=true，需要自己为 Apache APISIX 构建 OpenResty

  • 参考https://github.com/api7/apisix-build-tools
  • apisix 配置 etcd TLS

• 如果verify=false，则不需要

配置 gzip

1. 第一种

nginx_config:
  http_configuration_snippet: |
    gzip               on;
    gzip_comp_level    6;
    gzip_min_length    1000;
    gzip_proxied       expired no-cache no-store private auth;
    gzip_types         text/plain text/html text/css text/xml application/javascript application/json;

2. 第二种

可以配置指定路由，也可以配置全局路由级别的。需要自己为 Apache APISIX 构建 OpenResty，参考https://github.com/api7/apisix-build-tools

• 指定路由级别

{
  "gzip": {
    "comp_level": 6,
    "disable": false,
    "min_length": 1000,
    "types": [
      "text/css",
      "text/html",
      "text/plain",
      "text/xml",
      "application/json",
      "application/javascript"
    ]
  }
}

• 全局路由级别

{
  "comp_level": 6,
  "disable": false,
  "min_length": 1000,
  "types": [
    "text/css",
    "text/html",
    "text/plain",
    "text/xml",
    "application/json",
    "application/javascript"
  ]
}

response-rewrite

配置全局插件，修改server响应头，避免暴露 apisix 服务版本

{
  "disable": false,
  "headers": {
    "server": "20.21.0"
  }
}

配置路由级别

"response-rewrite": {
  "disable": false,
  "headers": {
    "server": "20.21.0"
  }
}

禁用 node-status

conf/config.yaml

plugins:
  # 注释掉改插件，或者删除
  # - node-status

这样就不能通过 http(s)://example.com/apisix/status 查询 apisix 的状态信息了，或者通过interceptors保护该接口。

配置日志格式

nginx_config:
  http:
    access_log_format: '{"@timestamp":"$time_iso8601","host":"$hostname","server_ip":"$server_addr","client_ip":"$remote_addr","xff":"$http_x_forwarded_for","domain":"$host","url":"$uri","referer":"$http_referer","args":"$args","upstreamtime":"$upstream_response_time","responsetime":"$request_time","request_method":"$request_method","status":"$status","size":"$body_bytes_sent","request_length":"$request_length","protocol":"$server_protocol","upstreamhost":"$upstream_addr","http_user_agent":"$http_user_agent"}'
    access_log_format_escape: json

配置日志滚动

conf/config.yaml

plugins:
  - log-rotate
plugin_attr:
  log-rotate:
    interval: 86400
    max_kept: 7
    enable_compression: false

配置防爬虫策略

可以配置指定路由，也可以配置全局路由级别。

{
  "denylist": [
    "(?i)spider",
    "(?i)bot"
  ],
  "disable": false
}

表示拦截 ua 包含 spider 或者 bot 的请求。(?i)表示不区分大小写。

apish-dashboard

配置 https

conf:
  listen:
    host: 0.0.0.0
    port: 9000
  ssl:
    host: 0.0.0.0
    port: 9001
    cert: /usr/local/apisix-dashboard/ssl/example.com.crt
    key: /usr/local/apisix-dashboard/ssl/example.com.key

配置 ETCD TLS

conf:
  etcd:
    endpoints:
      - "https://etcd:2379"
    # username: "root"    # ignore etcd username if not enable etcd auth
    # password: "123456"  # ignore etcd password if not enable etcd auth
    mtls:
      # Path of your self-signed client side key
      key_file: "/usr/local/apisix-dashboard/ssl/etcd-key.pem"
      # Path of your self-signed client side cert
      cert_file: "/usr/local/apisix-dashboard/ssl/etcd.pem"
      # Path of your self-signed ca cert, the CA is used to sign callers' certificates
      ca_file: "/usr/local/apisix-dashboard/ssl/etcd-ca.pem"