apisix 使用

版本

apisix:2.11.0

apisix-dashboard:2.10.1

apisix

配置 https

第一步:conf/config.yaml

1
2
3
4
5
6
7
8
apisix:
ssl:
enable: true
listen:
- 9443
enable_http2: true
# example.com 为默认证书的 sni
fallback_sni: example.com

第二步:上传 SSL 证书

  1. 可以通过接口上传https://apisix.apache.org/zh/docs/apisix/admin-api#ssl
  2. 可以通过 dashboard 上传

配置 ETCD TLS

conf/config.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
apisix:
config_center: etcd
ssl:
ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
etcd:
host:
- "https://etcd:2379"
prefix: "/apisix"
timeout: 30
tls:
cert: /usr/local/apisix/ssl/etcd.pem
key: /usr/local/apisix/ssl/etcd-key.pem
verify: true

注意

配置 gzip

  1. 第一种
1
2
3
4
5
6
7
nginx_config:
http_configuration_snippet: |
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/html text/css text/xml application/javascript application/json;
  1. 第二种

可以配置指定路由,也可以配置全局路由级别的。需要自己为 Apache APISIX 构建 OpenResty,参考https://github.com/api7/apisix-build-tools

  • 指定路由级别
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
"gzip": {
"comp_level": 6,
"disable": false,
"min_length": 1000,
"types": [
"text/css",
"text/html",
"text/plain",
"text/xml",
"application/json",
"application/javascript"
]
}
}

  • 全局路由级别
1
2
3
4
5
6
7
8
9
10
11
12
13
{
"comp_level": 6,
"disable": false,
"min_length": 1000,
"types": [
"text/css",
"text/html",
"text/plain",
"text/xml",
"application/json",
"application/javascript"
]
}

response-rewrite

配置全局插件,修改server响应头,避免暴露 apisix 服务版本

1
2
3
4
5
6
{
"disable": false,
"headers": {
"server": "20.21.0"
}
}

配置路由级别

1
2
3
4
5
6
"response-rewrite": {
"disable": false,
"headers": {
"server": "20.21.0"
}
}

禁用 node-status

conf/config.yaml

1
2
3
plugins:
# 注释掉改插件,或者删除
# - node-status

这样就不能通过 http(s)://example.com/apisix/status 查询 apisix 的状态信息了,或者通过interceptors保护该接口。

配置日志格式

1
2
3
4
nginx_config:
http:
access_log_format: '{"@timestamp":"$time_iso8601","host":"$hostname","server_ip":"$server_addr","client_ip":"$remote_addr","xff":"$http_x_forwarded_for","domain":"$host","url":"$uri","referer":"$http_referer","args":"$args","upstreamtime":"$upstream_response_time","responsetime":"$request_time","request_method":"$request_method","status":"$status","size":"$body_bytes_sent","request_length":"$request_length","protocol":"$server_protocol","upstreamhost":"$upstream_addr","http_user_agent":"$http_user_agent"}'
access_log_format_escape: json

配置日志滚动

conf/config.yaml

1
2
3
4
5
6
7
plugins:
- log-rotate
plugin_attr:
log-rotate:
interval: 86400
max_kept: 7
enable_compression: false

配置防爬虫策略

可以配置指定路由,也可以配置全局路由级别。

1
2
3
4
5
6
7
{
"denylist": [
"(?i)spider",
"(?i)bot"
],
"disable": false
}

表示拦截 ua 包含 spider 或者 bot 的请求。(?i)表示不区分大小写。

apish-dashboard

配置 https

1
2
3
4
5
6
7
8
9
conf:
listen:
host: 0.0.0.0
port: 9000
ssl:
host: 0.0.0.0
port: 9001
cert: /usr/local/apisix-dashboard/ssl/example.com.crt
key: /usr/local/apisix-dashboard/ssl/example.com.key

配置 ETCD TLS

1
2
3
4
5
6
7
8
9
10
11
12
13
conf:
etcd:
endpoints:
- "https://etcd:2379"
# username: "root" # ignore etcd username if not enable etcd auth
# password: "123456" # ignore etcd password if not enable etcd auth
mtls:
# Path of your self-signed client side key
key_file: "/usr/local/apisix-dashboard/ssl/etcd-key.pem"
# Path of your self-signed client side cert
cert_file: "/usr/local/apisix-dashboard/ssl/etcd.pem"
# Path of your self-signed ca cert, the CA is used to sign callers' certificates
ca_file: "/usr/local/apisix-dashboard/ssl/etcd-ca.pem"
  • 本文作者: forever杨
  • 本文链接: https://blog.yl-online.top/posts/cf6abfd1.html
  • 版权声明: 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。如果文章内容对你有用,请记录到你的笔记中。本博客站点随时会停止服务,请不要收藏、转载!