Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/06/27 03:38:34 UTC
[apisix] branch master updated: feat(deployment): send the right Host & SNI (#7323)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new f03d3c797 feat(deployment): send the right Host & SNI (#7323)
f03d3c797 is described below
commit f03d3c797cb4362ff2573524f4e4c9dad90bf438
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Mon Jun 27 11:38:29 2022 +0800
feat(deployment): send the right Host & SNI (#7323)
Signed-off-by: spacewander <sp...@gmail.com>
---
apisix/cli/snippet.lua | 9 +++
apisix/conf_server.lua | 18 ++++-
t/deployment/conf_server.t | 163 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 188 insertions(+), 2 deletions(-)
diff --git a/apisix/cli/snippet.lua b/apisix/cli/snippet.lua
index 2ce4a6627..24fa7e915 100644
--- a/apisix/cli/snippet.lua
+++ b/apisix/cli/snippet.lua
@@ -60,6 +60,8 @@ function _M.generate_conf_server(env, conf)
listen unix:{* home *}/conf/config_listen.sock;
access_log off;
+ set $upstream_host '';
+
access_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.access()
@@ -69,6 +71,11 @@ function _M.generate_conf_server(env, conf)
{% if enable_https then %}
proxy_pass https://apisix_conf_backend;
proxy_ssl_server_name on;
+ {% if sni then %}
+ proxy_ssl_name {* sni *};
+ {% else %}
+ proxy_ssl_name $upstream_host;
+ {% end %}
proxy_ssl_protocols TLSv1.2 TLSv1.3;
{% else %}
proxy_pass http://apisix_conf_backend;
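Review bot: Setting `proxy_ssl_name` in the HTTPS branch only chooses the name sent as SNI; it does not authenticate etcd unless certificate verification is enabled, and nginx leaves `proxy_ssl_verify` off by default. Nothing in the visible lines of this branch turns it on, so unless it is configured outside the hunk, any certificate presented by the backend will be accepted. Consider adding `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate` pointing at the CA bundle, gated on a config option if some deployments use self-signed etcd certificates. A template comment such as `# proxy_ssl_name is also the name the etcd certificate is checked against when verification is on` would help.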
@@ -76,6 +83,7 @@ function _M.generate_conf_server(env, conf)
proxy_http_version 1.1;
proxy_set_header Connection "";
+ proxy_set_header Host $upstream_host;
}
log_by_lua_block {
@@ -85,6 +93,7 @@ function _M.generate_conf_server(env, conf)
}
]])
return conf_render({
+ sni = etcd.tls and etcd.tls.sni,
enable_https = enable_https,
home = env.apisix_home or ".",
})
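Review bot: The `sni` value passed to `conf_render` here is substituted verbatim into `proxy_ssl_name {* sni *};`, so a value containing whitespace, `;` or braces would change the generated nginx configuration rather than just the SNI. The value comes from the operator's own config, so this is a hardening and robustness point rather than an exposed input. If the config schema does not already restrict `etcd.tls.sni` to a hostname pattern, validate it before rendering. A comment such as `-- sni is rendered unescaped into nginx.conf; must be a plain hostname` would document the assumption. The enclosing function begins outside the hunk.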
diff --git a/apisix/conf_server.lua b/apisix/conf_server.lua
index 9c59b3795..40cf28951 100644
--- a/apisix/conf_server.lua
+++ b/apisix/conf_server.lua
@@ -21,6 +21,7 @@ local balancer = require("ngx.balancer")
local error = error
local ipairs = ipairs
local ngx = ngx
+local ngx_var = ngx.var
local _M = {}
@@ -35,6 +36,7 @@ local function create_resolved_result(server)
return {
host = host,
port = port,
+ server = server,
}
end
@@ -117,7 +119,7 @@ local function resolve_servers(ctx)
if #servers > 1 then
local nodes = {}
for _, res in ipairs(resolved_results) do
- local s = res.host .. ":" .. res.port
+ local s = res.server
nodes[s] = 1
end
server_picker = picker.new(nodes, {})
@@ -136,13 +138,25 @@ local function pick_node(ctx)
ctx.server_picker = server_picker
ctx.balancer_server = server
- res = create_resolved_result(server)
+
+ for _, r in ipairs(resolved_results) do
+ if r.server == server then
+ res = r
+ break
+ end
+ end
else
res = resolved_results[1]
end
ctx.balancer_ip = res.host
ctx.balancer_port = res.port
+
+ ngx_var.upstream_host = res.domain or res.host
+ if balancer.recreate_request and ngx.get_phase() == "balancer" then
+ balancer.recreate_request()
+ end
+
return true
end
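Review bot: The new lookup loop in `pick_node` can finish without assigning `res` if the picker ever returns a server string that is not in `resolved_results`, and `ctx.balancer_ip = res.host` would then raise an index-on-nil error in the request path. The previous code always built a result from `server`, so this failure mode is new. A guard after the loop such as `if not res then return nil, "picked server " .. server .. " not found in resolved results" end` would make it explicit, assuming callers handle a `nil, err` return (the function's start and its callers are outside the hunk). Note also that `res.domain` is not set by the visible part of `create_resolved_result`; if it is assigned during resolution, a short comment at the `ngx_var.upstream_host` line saying so would help.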
diff --git a/t/deployment/conf_server.t b/t/deployment/conf_server.t
index 2e89ac2ae..c6a088b38 100644
--- a/t/deployment/conf_server.t
+++ b/t/deployment/conf_server.t
@@ -264,3 +264,166 @@ deployment:
connect() failed
--- response_body
foo
+
+
+
+=== TEST 6: check default SNI
+--- http_config
+server {
+ listen 12345 ssl;
+ ssl_certificate cert/apisix.crt;
+ ssl_certificate_key cert/apisix.key;
+
+ ssl_certificate_by_lua_block {
+ local ngx_ssl = require "ngx.ssl"
+ ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:2379;
+ }
+}
+--- config
+ location /t {
+ content_by_lua_block {
+ local etcd = require("apisix.core.etcd")
+ assert(etcd.set("/apisix/test", "foo"))
+ local res = assert(etcd.get("/apisix/test"))
+ ngx.say(res.body.node.value)
+ }
+ }
+--- response_body
+foo
+--- extra_yaml_config
+deployment:
+ role: traditional
+ role_traditional:
+ config_provider: etcd
+ etcd:
+ prefix: "/apisix"
+ host:
+ - https://localhost:12345
+--- error_log
+Receive SNI: localhost
+--- no_error_log
+[error]
+
+
+
+=== TEST 7: check configured SNI
+--- http_config
+server {
+ listen 12345 ssl;
+ ssl_certificate cert/apisix.crt;
+ ssl_certificate_key cert/apisix.key;
+
+ ssl_certificate_by_lua_block {
+ local ngx_ssl = require "ngx.ssl"
+ ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:2379;
+ }
+}
+--- config
+ location /t {
+ content_by_lua_block {
+ local etcd = require("apisix.core.etcd")
+ assert(etcd.set("/apisix/test", "foo"))
+ local res = assert(etcd.get("/apisix/test"))
+ ngx.say(res.body.node.value)
+ }
+ }
+--- response_body
+foo
+--- extra_yaml_config
+deployment:
+ role: traditional
+ role_traditional:
+ config_provider: etcd
+ etcd:
+ prefix: "/apisix"
+ host:
+ - https://127.0.0.1:12345
+ tls:
+ sni: "x.com"
+--- error_log
+Receive SNI: x.com
+--- no_error_log
+[error]
+
+
+
+=== TEST 8: check Host header
+--- http_config
+server {
+ listen 12345;
+ location / {
+ access_by_lua_block {
+ ngx.log(ngx.WARN, "Receive Host: ", ngx.var.http_host)
+ }
+ proxy_pass http://127.0.0.1:2379;
+ }
+}
+--- config
+ location /t {
+ content_by_lua_block {
+ local etcd = require("apisix.core.etcd")
+ assert(etcd.set("/apisix/test", "foo"))
+ local res = assert(etcd.get("/apisix/test"))
+ ngx.say(res.body.node.value)
+ }
+ }
+--- response_body
+foo
+--- extra_yaml_config
+deployment:
+ role: traditional
+ role_traditional:
+ config_provider: etcd
+ etcd:
+ prefix: "/apisix"
+ host:
+ - http://127.0.0.1:12345
+ - http://localhost:12345
+--- error_log
+Receive Host: localhost
+Receive Host: 127.0.0.1
+
+
+
+=== TEST 9: check Host header after retry
+--- http_config
+server {
+ listen 12345;
+ location / {
+ access_by_lua_block {
+ ngx.log(ngx.WARN, "Receive Host: ", ngx.var.http_host)
+ }
+ proxy_pass http://127.0.0.1:2379;
+ }
+}
+--- config
+ location /t {
+ content_by_lua_block {
+ local etcd = require("apisix.core.etcd")
+ assert(etcd.set("/apisix/test", "foo"))
+ local res = assert(etcd.get("/apisix/test"))
+ ngx.say(res.body.node.value)
+ }
+ }
+--- response_body
+foo
+--- extra_yaml_config
+deployment:
+ role: traditional
+ role_traditional:
+ config_provider: etcd
+ etcd:
+ prefix: "/apisix"
+ host:
+ - http://127.0.0.1:1979
+ - http://localhost:12345
+--- error_log
+Receive Host: localhost
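Review bot: TEST 9 asserts only that `Receive Host: localhost` is logged, which would presumably also pass if the picker chose `localhost:12345` first and the retry path was never taken. Adding `connect() failed` to its `--- error_log` section, as the test just above this hunk appears to do, would make the failed attempt against port 1979 a requirement. On the TLS side, TEST 6 and TEST 7 check the SNI the server receives, but no test covers the case where the backend certificate does not match that name. If certificate verification is supported for this proxy, a negative test for a mismatched name would pin that behaviour.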