You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by "thor533 (via GitHub)" <gi...@apache.org> on 2023/04/04 08:22:59 UTC
[GitHub] [apisix] thor533 opened a new issue, #9239: priority of the custom plug-in is invalid
thor533 opened a new issue, #9239:
URL: https://github.com/apache/apisix/issues/9239
### Description
I set the plug-in execution priority, base-auth and ip-restriction according to the documents, but the Settings are invalid and the base-auth plug-in is executed first
the route config is :
{
"id": "453027477904687809",
"create_time": 1679555018,
"update_time": 1679989160,
"uri": "/xubin/",
"name": "检查测试",
"priority": 1,
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE"
],
"plugins": {
"basic-auth": {
"_meta": {
"priority": -2000
},
"disable": false
},
"ip-restriction": {
"_meta": {
"priority": 10000
},
"disable": false,
"whitelist": [
"113.74.26.106/24"
]
},
"proxy-rewrite": {
"regex_uri": [
"^/xubin(/|$)(.)",
"/$2"
]
}
},
"upstream": {
"nodes": [
{
"host": "192.168.88.66",
"port": 9001,
"weight": 1
}
],
"retries": 15,
"timeout": {
"connect": 1,
"send": 1,
"read": 9
},
"type": "roundrobin",
"scheme": "http",
"pass_host": "pass",
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
},
"retry_timeout": 10
},
"labels": {
"1": "1"
},
"status": 1
}
### Environment
- APISIX version (run `apisix 2.15-alpine`):
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9239: priority of the custom plug-in is invalid
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1506555922
> >
>
> Is this an apisix bug or a configuration problem?
still in process.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] thor533 commented on issue #9239: priority of the custom plug-in is invalid
Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1506678818
> > >
> >
> >
> > Is this an apisix bug or a configuration problem?
>
> maybe this is a feature.
>
> Because the core logic of the two plug-ins works in different phase of nginx's http request processing, while ip_restriction is in the `access` phase, and basic-auth is in the`rewrite` phase.
>
> The rewrite phase is processed before the access phase.
>
> We plan to remove ambiguity about priorities by updating the documentation.
Okey, i think the ip-restriction should excute first,it should have the highest priority! thank you reply !
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9239: priority of the custom plug-in is invalid
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1508028509
> > > > > >
> > > > >
> > > > >
> > > > > Is this an apisix bug or a configuration problem?
> > > >
> > > >
> > > > maybe this is a feature.
> > > > Because the core logic of the two plug-ins works in different phase of nginx's http request processing, while ip_restriction is in the `access` phase, and basic-auth is in the`rewrite` phase.
> > > > The rewrite phase is processed before the access phase.
> > > > We plan to remove ambiguity about priorities by updating the documentation.
> > >
> > >
> > > Okey, i think the ip-restriction should excute first,it should have the highest priority! thank you reply !
> >
> >
> > yep, we will think twice for how to remove ambiguity
>
> My final question is, is there a way to get ip-restriction to execute first, do you need a custom plugin or something, i am looking forward to your reply !
only for poc
```
ubuntu@ip-172-31-36-124:~/apisix$ git diff
diff --git a/apisix/plugins/ip-restriction.lua b/apisix/plugins/ip-restriction.lua
index b499f2dd..9c40bfdd 100644
--- a/apisix/plugins/ip-restriction.lua
+++ b/apisix/plugins/ip-restriction.lua
@@ -20,7 +20,7 @@ local base = require("apisix.plugins.ip-restriction.init")
-- avoid unexpected data sharing
local ip_restriction = core.table.clone(base)
-ip_restriction.access = base.restrict
+ip_restriction.rewrite = base.restrict
```
```
ubuntu@ip-172-31-36-124:~/apisix$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d @../meta-router.json
{"key":"/apisix/routes/1","value":{"id":"1","name":"检查测试","upstream":{"type":"roundrobin","hash_on":"vars","pass_host":"pass","nodes":[{"weight":1,"port":80,"host":"httpbin.org","priority":0}],"scheme":"http"},"methods":["GET"],"create_time":1681438174,"plugins":{"ip-restriction":{"blacklist":["127.0.0.1"],"_meta":{"priority":99999},"message":"Your IP address is not allowed"},"basic-auth":{"username":"foo","hide_credentials":false,"password":"bar"}},"priority":1,"uri":"/xubin/","status":1,"update_time":1681455913}}
ubuntu@ip-172-31-36-124:~/apisix$ curl http://localhost:9080/xubin/ -i --interface 127.0.0.1
HTTP/1.1 403 Forbidden
Date: Fri, 14 Apr 2023 07:05:15 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/3.2.0
{"message":"Your IP address is not allowed"}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] thor533 commented on issue #9239: priority of the custom plug-in is invalid
Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1508087659
> > > > > > >
> > > > > >
> > > > > >
> > > > > > Is this an apisix bug or a configuration problem?
> > > > >
> > > > >
> > > > > maybe this is a feature.
> > > > > Because the core logic of the two plug-ins works in different phase of nginx's http request processing, while ip_restriction is in the `access` phase, and basic-auth is in the`rewrite` phase.
> > > > > The rewrite phase is processed before the access phase.
> > > > > We plan to remove ambiguity about priorities by updating the documentation.
> > > >
> > > >
> > > > Okey, i think the ip-restriction should excute first,it should have the highest priority! thank you reply !
> > >
> > >
> > > yep, we will think twice for how to remove ambiguity
> >
> >
> > My final question is, is there a way to get ip-restriction to execute first, do you need a custom plugin or something, i am looking forward to your reply !
>
> only for poc
>
> ```
> ubuntu@ip-172-31-36-124:~/apisix$ git diff
> diff --git a/apisix/plugins/ip-restriction.lua b/apisix/plugins/ip-restriction.lua
> index b499f2dd..9c40bfdd 100644
> --- a/apisix/plugins/ip-restriction.lua
> +++ b/apisix/plugins/ip-restriction.lua
> @@ -20,7 +20,7 @@ local base = require("apisix.plugins.ip-restriction.init")
>
> -- avoid unexpected data sharing
> local ip_restriction = core.table.clone(base)
> -ip_restriction.access = base.restrict
> +ip_restriction.rewrite = base.restrict
> ```
>
> ```
> ubuntu@ip-172-31-36-124:~/apisix$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d @../meta-router.json
> {"key":"/apisix/routes/1","value":{"id":"1","name":"检查测试","upstream":{"type":"roundrobin","hash_on":"vars","pass_host":"pass","nodes":[{"weight":1,"port":80,"host":"httpbin.org","priority":0}],"scheme":"http"},"methods":["GET"],"create_time":1681438174,"plugins":{"ip-restriction":{"blacklist":["127.0.0.1"],"_meta":{"priority":99999},"message":"Your IP address is not allowed"},"basic-auth":{"username":"foo","hide_credentials":false,"password":"bar"}},"priority":1,"uri":"/xubin/","status":1,"update_time":1681455913}}
> ubuntu@ip-172-31-36-124:~/apisix$ curl http://localhost:9080/xubin/ -i --interface 127.0.0.1
> HTTP/1.1 403 Forbidden
> Date: Fri, 14 Apr 2023 07:05:15 GMT
> Content-Type: text/plain; charset=utf-8
> Transfer-Encoding: chunked
> Connection: keep-alive
> Server: APISIX/3.2.0
>
> {"message":"Your IP address is not allowed"}
> ```
okey,best wish,thanks!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9239: priority of the custom plug-in is invalid
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1506298336
has reproduced. let me check .
```shell
curl -s http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d @./meta-router.json|jq
{
"key": "/apisix/routes/1",
"value": {
"uri": "/xubin/",
"name": "检查测试",
"update_time": 1681357891,
"plugins": {
"ip-restriction": {
"whitelist": [
"127.0.0.1"
],
"_meta": {
"priority": 99999
},
"message": "Your IP address is not allowed"
},
"basic-auth": {
"password": "bar",
"hide_credentials": false,
"username": "foo"
}
},
"methods": [
"GET"
],
"id": "1",
"upstream": {
"type": "roundrobin",
"nodes": [
{
"host": "httpbin.org",
"weight": 1,
"priority": 0,
"port": 80
}
],
"hash_on": "vars",
"pass_host": "pass",
"scheme": "http"
},
"status": 1,
"priority": 1,
"create_time": 1681357731
}
}
```
check
```shell
curl http://localhost:9080/xubin/ -i --interface 127.0.0.1
HTTP/1.1 401 Unauthorized
Date: Thu, 13 Apr 2023 03:51:56 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Basic realm='.'
Server: APISIX/3.2.0
Apisix-Plugins: ip-restriction, basic-auth
{"message":"Missing authorization in request"}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] thor533 commented on issue #9239: priority of the custom plug-in is invalid
Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1508015965
> > > > >
> > > >
> > > >
> > > > Is this an apisix bug or a configuration problem?
> > >
> > >
> > > maybe this is a feature.
> > > Because the core logic of the two plug-ins works in different phase of nginx's http request processing, while ip_restriction is in the `access` phase, and basic-auth is in the`rewrite` phase.
> > > The rewrite phase is processed before the access phase.
> > > We plan to remove ambiguity about priorities by updating the documentation.
> >
> >
> > Okey, i think the ip-restriction should excute first,it should have the highest priority! thank you reply !
>
> yep, we will think twice for how to remove ambiguity
My final question is, is there a way to get ip-restriction to execute first, do you need a custom plugin or something,
i am looking forward to your reply !
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] thor533 closed issue #9239: priority of the custom plug-in is invalid
Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 closed issue #9239: priority of the custom plug-in is invalid
URL: https://github.com/apache/apisix/issues/9239
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sn0rt commented on issue #9239: priority of the custom plug-in is invalid
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1506691540
> > > >
> > >
> > >
> > > Is this an apisix bug or a configuration problem?
> >
> >
> > maybe this is a feature.
> > Because the core logic of the two plug-ins works in different phase of nginx's http request processing, while ip_restriction is in the `access` phase, and basic-auth is in the`rewrite` phase.
> > The rewrite phase is processed before the access phase.
> > We plan to remove ambiguity about priorities by updating the documentation.
>
> Okey, i think the ip-restriction should excute first,it should have the highest priority! thank you reply !
yep, we will think twice for how to remove ambiguity
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] thor533 commented on issue #9239: priority of the custom plug-in is invalid
Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1506496738
>
Is this an apisix bug or a configuration problem?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] thor533 commented on issue #9239: priority of the custom plug-in is invalid
Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9239:
URL: https://github.com/apache/apisix/issues/9239#issuecomment-1506268751
![图片](https://user-images.githubusercontent.com/62246176/231638399-d4439f9c-88b2-4245-8371-facccbaf3a0f.png)
This parameter is invalid in ip-restriction, I set it to execute first, but it doesn't work
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org