3scale · eguzki · Oct 31, 2023 · Oct 20, 2023 · Oct 21, 2023 · Oct 21, 2023
@@ -23,8 +23,6 @@ DEVEL_DOCKER_COMPOSE_VOLMOUNT_MAC_FILE ?= docker-compose-devel-volmount-mac.yml
 DEVEL_DOCKER_COMPOSE_VOLMOUNT_DEFAULT_FILE ?= docker-compose-devel-volmount-default.yml
 
 PROVE_DOCKER_COMPOSE_FILE ?= docker-compose.prove.yml
-FORWARD_PROXY_DOCKER_COMPOSE_FILE ?= docker-compose.forward-proxy.yml
-UPSTREAM_TLS_DOCKER_COMPOSE_FILE ?= docker-compose.upstream-tls.yml
 
 DOCKER_VOLUME_NAME ?= apicast-local-volume
 
@@ -167,20 +165,9 @@ gateway-logs: export IMAGE_NAME = does-not-matter
 gateway-logs:
 	$(DOCKER) compose logs gateway
 
-opentelemetry-gateway: ## run gateway instrumented with opentelemetry
-	$(DOCKER) compose run opentelemetry-instrumented-gateway
-
 opentracing-gateway: ## run gateway instrumented with opentracing
 	$(DOCKER) compose run opentracing-instrumented-gateway
 
-# Environment described in ./examples/forward-proxy
-forward-proxy-gateway: ## run gateway configured to run along with a forward proxy
-	$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) run gateway
-
-# Environment described in ./examples/tlsv1.3-upstream
-upstream-tls-gateway: ## run gateway configured to access upstream powered with TLS
-	$(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) run gateway
-
 test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE)
 test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter.
 	$(DOCKER) compose --version
@@ -247,8 +234,6 @@ clean-containers:
 	$(DOCKER) compose down --volumes --remove-orphans
 	$(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
 	$(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans
-	$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
-	$(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
 
 clean-deps: ## Remove all local dependency folders
 	- rm -rf $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache :

@@ -0,0 +1,13 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+	$(DOCKER) compose down --volumes --remove-orphans
+	$(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
@@ -0,0 +1,51 @@
+# PROXY with upstream using plain HTTP 1.1
+
+APIcast --> tiny proxy (connect to 443 but no cert installed) --> upstream (plain HTTP 1.1)
+
+APIcast configured with plain HTTP 1.1 upstream through a proxy.
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p http-proxy-plain-http-upstream logs -f example.com
+```
+
+Proxy can be inspected looking at logs from `proxy` service
+
+```
+docker compose -p http-proxy-plain-http-upstream logs -f proxy
+```
+
+## Testing
+
+`GET` request
+
+```sh
+curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"
+```
+
+`POST` request
+
+```sh
+curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```
@@ -0,0 +1,70 @@
+{
+  "services": [
+    {
+      "id": "1",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["get.example.com"],
+        "api_backend": "http://example.com/get",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.http_proxy",
+            "configuration": {
+              "http_proxy": "http://proxy:443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    },
+    {
+      "id": "2",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["post.example.com"],
+        "api_backend": "http://example.com/post",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.http_proxy",
+            "configuration": {
+              "http_proxy": "http://proxy:443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "POST",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    }
+  ]
+}
@@ -5,7 +5,8 @@ services:
     image: ${IMAGE_NAME:-apicast-test}
     depends_on:
     - proxy
-    - upstream
+    - example.com
+    - two.upstream
     environment:
       THREESCALE_CONFIG_FILE: /tmp/config.json
       THREESCALE_DEPLOYMENT_ENV: staging
@@ -20,20 +21,23 @@ services:
       - "8080:8080"
       - "8090:8090"
     volumes:
-      - ./examples/forward-proxy/apicast-config.json:/tmp/config.json
-  upstream:
-    image: nginx:1.23.4
-    expose:
-      - "443"
-    volumes:
-      - ./examples/forward-proxy/proxy-nginx.conf:/etc/nginx/nginx.conf
-      - ./examples/forward-proxy/upstream-cert/upstream.key:/etc/pki/tls.key
-      - ./examples/forward-proxy/upstream-cert/upstream.crt:/etc/pki/tls.crt
+      - ./apicast-config.json:/tmp/config.json
   proxy:
     build:
-      dockerfile: ./examples/forward-proxy/tinyproxy.Dockerfile
+      dockerfile: ./tinyproxy.Dockerfile
     expose:
       - "3128:3128"
       - "443:443"
     volumes:
-      - ./examples/forward-proxy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf
+      - ./tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf
+  example.com:
+    image: alpine/socat:1.7.4.4
+    container_name: example.com
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:80"
+    expose:
+      - "443"
+    restart: unless-stopped
+  two.upstream:
+    image: kennethreitz/httpbin
+    expose:
+      - "80"
@@ -0,0 +1,18 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+	$(DOCKER) compose down --volumes --remove-orphans
+	$(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+
+certs:
+	$(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+	$(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+	$(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com
@@ -0,0 +1,59 @@
+# PROXY with upstream using TLSv1.3
+
+APIcast --> tiny proxy (connect to 443 but no cert installed) --> upstream (TLSv1.3)
+
+APIcast configured with TLSv1.3 powered upstream through a proxy. TLS termination endpoint is `socat`.
+
+APicast starts SSL tunnel (via HTTP CONNECT method) against proxy to access upstream configured with TLSv1.3
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p https-proxy-upstream-tlsv13 logs -f example.com
+```
+
+Proxy can be inspected looking at logs from `proxy` service
+
+```
+docker compose -p https-proxy-upstream-tlsv13 logs -f proxy
+```
+
+## Testing
+
+`GET` request
+
+```sh
+curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"
+```
+
+`POST` request
+
+```sh
+curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```
@@ -0,0 +1,70 @@
+{
+  "services": [
+    {
+      "id": "1",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["get.example.com"],
+        "api_backend": "https://example.com/get",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.http_proxy",
+            "configuration": {
+              "https_proxy": "http://proxy:443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    },
+    {
+      "id": "2",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["post.example.com"],
+        "api_backend": "https://example.com/post",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.http_proxy",
+            "configuration": {
+              "https_proxy": "http://proxy:443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "POST",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    }
+  ]
+}
@@ -0,0 +1,16 @@
+clean:
+	- rm *.crt *.key *.pem *.csr
+
+ca:
+	openssl genrsa -out rootCA.key 2048
+	openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+clientcerts:
+	openssl req -subj '/CN=$(DOMAIN)'  -newkey rsa:4096 -nodes \
+			-sha256 \
+			-days 3650 \
+			-keyout $(DOMAIN).key \
+			-out $(DOMAIN).csr
+	chmod +r $(DOMAIN).key
+	openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+	cat $(DOMAIN).key $(DOMAIN).crt >$(DOMAIN).pem