Posted to notifications@apisix.apache.org by "kellyseeme (via GitHub)" <gi...@apache.org> on 2023/05/08 12:04:56 UTC

[GitHub] [apisix] kellyseeme opened a new issue, #9433: apisix have more globalrules

kellyseeme opened a new issue, #9433:
URL: https://github.com/apache/apisix/issues/9433

   ### Description
   
   If APISIX has more than one global rule, in what order are they executed?
   I have set two global rules: one is real_ip, the second is ip-restriction, but this is not as I desire.
   
   What I desire is real_ip first and ip-restriction second. How do I set this?
   
   
   ### Environment
   
   - APISIX version (run `apisix version`): 2.15.1
   - Operating system (run `uname -a`):
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] kayx23 commented on issue #9433: apisix have more globalrules

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1549431136

   ## TEST: Plugins Enabled in Two Separate Global Rules
   
   First, create a route pointing to httpbin.org `/anything`
   ```
   curl "http://127.0.0.1:9180/apisix/admin/routes" -H "X-API-KEY: xxxx" -X PUT -d '
   {
     "id": "getting-started-anything",
     "uri": "/anything",
     "upstream" : {
       "type": "roundrobin",
       "nodes": {
         "httpbin.org": 1
       }
     }
   }'
   ```
   
   Create two global rules:
   ```
   $ curl http://127.0.0.1:9180/apisix/admin/global_rules/1 -H "X-API-KEY: xxxx" -X PUT  -d '{
      "id":"1",
      "plugins":{
         "real-ip":{
            "source": "http_x_forwarded_for"
         }
      }
   }'
   
   {"key":"/apisix/global_rules/1","value":{"update_time":1684233963,"plugins":{"real-ip":{"source":"http_x_forwarded_for","recursive":false}},"create_time":1684229345,"id":"1"}}
   
   $ curl http://127.0.0.1:9180/apisix/admin/global_rules/2 -H "X-API-KEY: xxxx" -X PUT  -d '{
      "id":"2",
      "plugins":{
         "ip-restriction":{
            "whitelist":[
               "10.140.0.2",
               "172.17.0.1",
               "172.18.0.1"
            ],
            "message": "Your IP address is not allowed"
         }
      }
   }'
   
   {"key":"/apisix/global_rules/2","value":{"update_time":1684233969,"plugins":{"ip-restriction":{"whitelist":["10.140.0.2","172.17.0.1","172.18.0.1"],"message":"Your IP address is not allowed"}},"create_time":1684233969,"id":"2"}}
   ```
   
   Curl to the endpoint to see if the request goes through:
   ```
   $ curl "http://127.0.0.1:9080/anything" -H "x_forwarded_for: 100.123.1.16"
   {
     "args": {}, 
     "data": "", 
     "files": {}, 
     "form": {}, 
     "headers": {
       "Accept": "*/*", 
       "Host": "127.0.0.1", 
       "User-Agent": "curl/7.74.0", 
       "X-Amzn-Trace-Id": "Root=1-64635f62-761ff0fb389ff1102fc89eda", 
       "X-Forwarded-Host": "127.0.0.1"
     }, 
     "json": null, 
     "method": "GET", 
     "origin": "172.18.0.1, 34.81.252.224, 100.123.1.16", 
     "url": "http://127.0.0.1/anything"
   }
   ```
   The request went through; the returned result showed `100.123.1.16` as one of the origins.




Re: [I] help request: order of execution with multiple global rules [apisix]

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek closed issue #9433: help request: order of execution with multiple global rules
URL: https://github.com/apache/apisix/issues/9433




Re: [I] help request: order of execution with multiple global rules [apisix]

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1846494638

   @kellyseeme I will close this issue, please reopen if you have any insights. Thank you.




[GitHub] [apisix] kellyseeme commented on issue #9433: apisix have more globalrules

Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.
kellyseeme commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1546699998

   > Hi @kellyseeme , you can adjust the order of execution by plugin priorities, given that they are executed in the same phase (e.g. rewrite, access).
   > 
   > Note that `ip-restriction` has a [default priority of 3000](https://github.com/apache/apisix/blob/e85ef647471effdc2eb861a9bc29565660172558/conf/config-default.yaml#L426) and `real-ip` has a [default priority of 23000](https://github.com/apache/apisix/blob/e85ef647471effdc2eb861a9bc29565660172558/conf/config-default.yaml#L412). Plugin that has the higher priority will be executed first **within the same phase**.
   > 
   > In your specific case, [`ip-restriction` is in rewrite](https://github.com/apache/apisix/blob/e85ef647471effdc2eb861a9bc29565660172558/apisix/plugins/ip-restriction.lua#L23) and [`real-ip` is in access](https://github.com/apache/apisix/blob/e85ef647471effdc2eb861a9bc29565660172558/apisix/plugins/real-ip.lua#L132). Logic in rewrite will be executed before the logic of access regardless of priority, so `ip-restriction` is executed first out of the two.
   > 
   > For more info, see [Plugin Execution Order](https://docs.api7.ai/apisix/key-concepts/plugins#plugins-execution-order) doc.
   
   Thanks for the reply. In my test, if both plugins are in one global rule, then real_ip and ip-restriction work as I desire: real_ip executes first, and then ip_restriction. But if they are in two global rules, then ip-restriction executes first. Why does this happen?
   
   In other words, in nginx, real_ip is in the first phase, post-read; why is it in the rewrite phase in APISIX? If we don't have real_ip, then why can we get the true client IP for ip restriction?




[GitHub] [apisix] kayx23 commented on issue #9433: apisix have more globalrules

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1546708262

   > if they are in two global rules, then ip-restriction executes first
   
   Could you share your tests?
   
   Also, APISIX phases were indeed derived from OpenResty & Nginx, but they're not 100% the same.




[GitHub] [apisix] kayx23 commented on issue #9433: apisix have more globalrules

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1539923862

   Hi @kellyseeme , you can adjust the order of execution by plugin priorities, given that they are executed in the same phase (e.g. rewrite, access).
   
   In your case, `ip-restriction` has a [default priority of 3000](https://github.com/apache/apisix/blob/e85ef647471effdc2eb861a9bc29565660172558/conf/config-default.yaml#L426). Not sure about your other arbitrary plugin. 
   
   So two cases: 
   
   1. if two plugins are executed in the same phase, then whichever plugin has the higher priority will be executed first.  
   2. if two plugins are executed in different phases, say [`ip-restriction` is in rewrite](https://github.com/apache/apisix/blob/e85ef647471effdc2eb861a9bc29565660172558/apisix/plugins/ip-restriction.lua#L23) and the other one is in access, then the logic of rewrite will be executed before the logic of access, regardless of priority.
   
   For more info, see [Plugin Execution Order](https://docs.api7.ai/apisix/key-concepts/plugins#plugins-execution-order) doc.
   
   
   
   




[GitHub] [apisix] kayx23 commented on issue #9433: apisix have more globalrules

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1539932740

   As for determining which phase the plugin runs in, it seems that the current plugin docs do not address this info (either intentionally or unintentionally). Def some room for improvements here. 




[GitHub] [apisix] kellyseeme commented on issue #9433: apisix have more globalrules

Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.
kellyseeme commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1546917300

   ```
   curl http://127.0.0.1:9180/apisix/admin/global_rules/1 -H "X-API-KEY: xxx" -X PUT \
    -d '{
       "id": "1",
       "plugins": {
           "ip-restriction": {
               "whitelist": [
                   "192.168.1.1",
                   "192.168.0.0/29",
                   "192.168.0.1/32",
                   "192.168.3.2"
               ],
               "_meta": {
                   "disable": false
               },
               "message": "Your IP address is not allowed"
           },
           "real-ip": {
               "_meta": {
                   "disable": false
               },
               "trusted_addresses": [
                   "100.123.192.13",
                   "100.123.1.16",
                   "127.0.0.0/24"
               ],
               "source": "http_x_forwarded_for",
               "recursive": true
           }
       }
   }'
   ```
   -- Use this; in the tests, `disable` is false for all.




[GitHub] [apisix] kellyseeme commented on issue #9433: apisix have more globalrules

Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.
kellyseeme commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1546916398

   > > if they are in two global rules, then ip-restriction executes first
   > 
   > Could you share your tests?
   > 
   > Also, APISIX phases were indeed derived from OpenResty & Nginx, but they're not 100% the same.
   
   ```
   curl http://127.0.0.1:9180/apisix/admin/global_rules/1 -H "X-API-KEY: xxx" -X PUT \
    -d '{
       "id": "1",
       "plugins": {
           "ip-restriction": {
               "whitelist": [
                   "192.168.1.1",
                   "192.168.0.0/29",
                   "192.168.0.1/32",
                   "192.168.3.2"
               ],
               "_meta": {
                   "disable": false
               },
               "message": "Your IP address is not allowed"
           },
           "real-ip": {
               "_meta": {
                   "disable": true
               },
               "trusted_addresses": [
                   "100.123.192.13",
                   "100.123.1.16",
                   "127.0.0.0/24"
               ],
               "source": "http_x_forwarded_for",
               "recursive": true
           }
       }
   }'
   ```
   
   Then use curl to test the results:
   ```
   curl -H "x_forwarded_for:192.168.0.1, 100.123.1.16" localhost
   curl -H "x_forwarded_for:10.168.0.1, 100.123.1.16" localhost
   ```



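Added example, not part of the thread and not APISIX code: a small Python model of a recursive real-ip lookup followed by the whitelist check, run over the two test requests above. It assumes nginx-style real_ip semantics and a socket peer of 127.0.0.1; `evaluate` and `real_ip_first` are hypothetical names.

```python
# Added illustration, not APISIX source: models nginx-style real_ip resolution
# followed by an allow-list check, using the values posted in this thread.
import ipaddress

# Values copied from the global rule posted above.
TRUSTED = ["100.123.192.13", "100.123.1.16", "127.0.0.0/24"]
WHITELIST = ["192.168.1.1", "192.168.0.0/29", "192.168.0.1/32", "192.168.3.2"]
PEER = "127.0.0.1"  # assumption: curl runs on the gateway host itself


def in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def resolve_client_ip(peer, xff, trusted, recursive):
    """Pick the address that downstream access control should evaluate."""
    if not in_any(peer, trusted):
        return peer  # a header sent by an untrusted peer is ignored
    client = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):  # the rightmost hop was appended last
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last good address
        client = hop
        if not recursive or not in_any(hop, trusted):
            break  # stop at the first hop that is not a known proxy
    return client


def evaluate(peer, xff, recursive=True, real_ip_first=True):
    """Return (address checked, allowed?) for one request.

    real_ip_first is a hypothetical switch for the two orderings in question.
    """
    addr = resolve_client_ip(peer, xff, TRUSTED, recursive) if real_ip_first else peer
    return addr, in_any(addr, WHITELIST)


if __name__ == "__main__":
    for xff in ("192.168.0.1, 100.123.1.16", "10.168.0.1, 100.123.1.16"):
        for first in (True, False):
            print(xff, "| real_ip_first =", first, "->", evaluate(PEER, xff, real_ip_first=first))
```

In this model, a differing result between the two test requests means the whitelist was checked against the rewritten address; an identical result for both means it was checked against the socket peer.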

[GitHub] [apisix] kayx23 commented on issue #9433: apisix have more globalrules

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1549415661

   ## TEST: Both Plugins Enabled in the Same Global Rule
   
   First, create a route pointing to httpbin.org `/anything`
   ```
   curl "http://127.0.0.1:9180/apisix/admin/routes" -H "X-API-KEY: xxxx" -X PUT -d '
   {
     "id": "getting-started-anything",
     "uri": "/anything",
     "upstream" : {
       "type": "roundrobin",
       "nodes": {
         "httpbin.org": 1
       }
     }
   }'
   ```
   
   Create a global rule with both plugins enabled:
   ```
   $ curl http://127.0.0.1:9180/apisix/admin/global_rules/1 -H "X-API-KEY: xxxx" -X PUT  -d '{
      "id":"1",
      "plugins":{
         "ip-restriction":{
            "whitelist":[
               "10.140.0.2",
               "172.17.0.1",
               "172.18.0.1"
            ],
            "message": "Your IP address is not allowed"
         },
         "real-ip":{
            "source": "http_x_forwarded_for"
         }
      }
   }'
   ```
   ```
   {"key":"/apisix/global_rules/1","value":{"update_time":1684232635,"plugins":{"real-ip":{"source":"http_x_forwarded_for","recursive":false},"ip-restriction":{"whitelist":["10.140.0.2","172.17.0.1","172.18.0.1"],"message":"Your IP address is not allowed"}},"create_time":1684229345,"id":"1"}}
   ```
   * Note: IP addresses in whitelist are updated to my host's IPs.
   
   Curl to the endpoint to see if the request goes through:
   ```
   $ curl "http://127.0.0.1:9080/anything" -H "x_forwarded_for: 100.123.1.16"
   {
     "args": {}, 
     "data": "", 
     "files": {}, 
     "form": {}, 
     "headers": {
       "Accept": "*/*", 
       "Host": "127.0.0.1", 
       "User-Agent": "curl/7.74.0", 
       "X-Amzn-Trace-Id": "Root=1-646359c9-4f710db67cf47e734cf402a5", 
       "X-Forwarded-Host": "127.0.0.1"
     }, 
     "json": null, 
     "method": "GET", 
     "origin": "172.18.0.1, 34.81.252.xxx, 100.123.1.16", 
     "url": "http://127.0.0.1/anything"
   }
   ```
   The request went through; the returned result showed `100.123.1.16` as one of the origins.




[GitHub] [apisix] kayx23 commented on issue #9433: apisix have more globalrules

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #9433:
URL: https://github.com/apache/apisix/issues/9433#issuecomment-1549438044

   > In my test, if both plugins are in one global rule, then real_ip and ip-restriction work as I desire: real_ip executes first, and then ip_restriction. But if they are in two global rules, then ip-restriction executes first. Why does this happen?
   
   @kellyseeme I don't observe this phenomenon from my tests. Having them in either one or two global rules seems to have no impact. Please see above and provide your tests (the actual tests with output and how it doesn't match your expectation).

