Posted to notifications@apisix.apache.org by sp...@apache.org on 2021/07/22 03:08:17 UTC
[apisix] branch master updated: fix(stream): sni router is broken
when session reuses (#4607)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new a461c98 fix(stream): sni router is broken when session reuses (#4607)
a461c98 is described below
commit a461c9856d7e1951b0307809edc573fd88ec0a52
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Thu Jul 22 11:08:10 2021 +0800
fix(stream): sni router is broken when session reuses (#4607)
---
apisix/ssl/router/radixtree_sni.lua | 2 --
apisix/stream/router/ip_port.lua | 15 ++--------
t/APISIX.pm | 55 +++++++++++++++++++++----------------
t/stream-node/sni.t | 34 +++++++++++++++++------
4 files changed, 60 insertions(+), 46 deletions(-)
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index 9685390..6f44a2f 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -171,8 +171,6 @@ function _M.match_and_set(api_ctx)
end
end
- api_ctx.sni_rev = sni_rev
-
local matched_ssl = api_ctx.matched_ssl
core.log.info("debug - matched: ", core.json.delay_encode(matched_ssl, true))
diff --git a/apisix/stream/router/ip_port.lua b/apisix/stream/router/ip_port.lua
index 9d72334..44b0ab3 100644
--- a/apisix/stream/router/ip_port.lua
+++ b/apisix/stream/router/ip_port.lua
@@ -19,7 +19,6 @@ local config_util = require("apisix.core.config_util")
local plugin_checker = require("apisix.plugin").stream_plugin_checker
local router_new = require("apisix.utils.router").new
local ngx_ssl = require("ngx.ssl")
-local ngx_lua_version = ngx.config.ngx_lua_version -- get the version of stream-lua-nginx-module
local error = error
local tonumber = tonumber
local ipairs = ipairs
@@ -135,17 +134,9 @@ do
router_ver = user_routes.conf_version
end
- if ngx_lua_version < 9 then
- -- be compatible with old OpenResty
- local sni = ngx_ssl.server_name()
- if sni then
- local sni_rev = sni:reverse()
- api_ctx.sni_rev = sni_rev
- end
- end
-
- if api_ctx.sni_rev and tls_router then
- local sni_rev = api_ctx.sni_rev
+ local sni = ngx_ssl.server_name()
+ if sni and tls_router then
+ local sni_rev = sni:reverse()
core.table.clear(match_opts)
match_opts.vars = api_ctx.var
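Review bot: `local sni = ngx_ssl.server_name()` keeps only the first return value, so a lookup failure (which `ngx.ssl` reports as `nil, err`) is indistinguishable from a client that sent no SNI, and the connection silently skips the `tls_router` branch. Since this client-supplied value now decides the stream route on every connection, capture and log the error: `local sni, sni_err = ngx_ssl.server_name()` followed by `if sni_err then core.log.error("failed to get SNI: ", sni_err) end`. A short comment would also help, saying that the name is read here rather than taken from `api_ctx` because the certificate phase may not run on a resumed session; that reason is inferred from the commit title, so please confirm it. The enclosing `do` block starts and ends outside this hunk.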
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 82ca1b4..e1c5557 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -258,34 +258,43 @@ _EOC_
}
chomp $stream_tls_request;
+ my $repeat = "1";
+ if (defined $block->stream_session_reuse) {
+ $repeat = "2";
+ }
+
my $config = <<_EOC_;
location /stream_tls_request {
content_by_lua_block {
- local sock = ngx.socket.tcp()
- local ok, err = sock:connect("127.0.0.1", 2005)
- if not ok then
- ngx.say("failed to connect: ", err)
- return
- end
-
- local sess, err = sock:sslhandshake(nil, $sni, false)
- if not sess then
- ngx.say("failed to do SSL handshake: ", err)
- return
- end
-
- local bytes, err = sock:send("$stream_tls_request")
- if not bytes then
- ngx.say("send stream request error: ", err)
- return
- end
- local data, err = sock:receive("*a")
- if not data then
+ local sess
+ for _ = 1, $repeat do
+ local sock = ngx.socket.tcp()
+ local ok, err = sock:connect("127.0.0.1", 2005)
+ if not ok then
+ ngx.say("failed to connect: ", err)
+ return
+ end
+
+ sess, err = sock:sslhandshake(sess, $sni, false)
+ if not sess then
+ ngx.say("failed to do SSL handshake: ", err)
+ return
+ end
+
+ local bytes, err = sock:send("$stream_tls_request")
+ if not bytes then
+ ngx.say("send stream request error: ", err)
+ return
+ end
+ local data, err = sock:receive("*a")
+ if not data then
+ sock:close()
+ ngx.say("receive stream response error: ", err)
+ return
+ end
+ ngx.print(data)
sock:close()
- ngx.say("receive stream response error: ", err)
- return
end
- ngx.print(data)
}
}
_EOC_
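Review bot: Inside the new `for _ = 1, $repeat do` loop, the handshake and send failure branches return without `sock:close()`; only the receive failure path closes the socket. Adding `sock:close()` before those two `return`s would make the error paths consistent. The loop would also benefit from a comment such as `-- reuse the session returned by the previous iteration so the second handshake requests TLS session resumption`, because the reason `sess` is declared outside the loop is not obvious from the code. The heredoc and the enclosing sub extend outside this hunk.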
diff --git a/t/stream-node/sni.t b/t/stream-node/sni.t
index 4ff54c1..ab70117 100644
--- a/t/stream-node/sni.t
+++ b/t/stream-node/sni.t
@@ -128,7 +128,23 @@ proxy request to 127.0.0.1:1995
-=== TEST 3: hit route, wildcard SNI
+=== TEST 3: hit route (session reuse)
+--- stream_tls_request
+mmm
+--- stream_sni: a.test.com
+--- stream_session_reuse
+--- response_body
+hello world
+hello world
+--- grep_error_log eval
+qr/proxy request to 127.0.0.\d:1995/
+--- grep_error_log_out
+proxy request to 127.0.0.1:1995
+proxy request to 127.0.0.1:1995
+
+
+
+=== TEST 4: hit route, wildcard SNI
--- stream_tls_request
mmm
--- stream_sni: b.test.com
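Review bot: The expectations in the new TEST 3 (two `hello world` bodies and two `proxy request to 127.0.0.1:1995` log lines) are met by two full handshakes as well as by a resumed one, so the test does not by itself show that the second connection reused the session. If the stream server in the harness stopped accepting resumption, this regression test would keep passing without covering the fixed path. Whether the harness exposes a resumption indicator is not visible here; if it does, assert on it. Otherwise state the dependency in the title, e.g. `=== TEST 3: hit route (session reuse, needs server-side resumption)`.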
@@ -139,7 +155,7 @@ proxy request to 127.0.0.2:1995
-=== TEST 4: hit route, no TLS
+=== TEST 5: hit route, no TLS
--- stream_enable
--- stream_request
mmm
@@ -150,7 +166,7 @@ proxy request to 127.0.0.3:1995
-=== TEST 5: set different stream route with the same sni
+=== TEST 6: set different stream route with the same sni
--- config
location /t {
content_by_lua_block {
@@ -204,7 +220,7 @@ passed
-=== TEST 6: hit route
+=== TEST 7: hit route
--- stream_tls_request
mmm
--- stream_sni: a.test.com
@@ -215,7 +231,7 @@ proxy request to 127.0.0.4:1995
-=== TEST 7: change a.test.com route to fall back to wildcard route
+=== TEST 8: change a.test.com route to fall back to wildcard route
--- config
location /t {
content_by_lua_block {
@@ -250,7 +266,7 @@ passed
-=== TEST 8: hit route
+=== TEST 9: hit route
--- stream_tls_request
mmm
--- stream_sni: a.test.com
@@ -261,7 +277,7 @@ proxy request to 127.0.0.2:1995
-=== TEST 9: no sni matched, fall back to non-sni route
+=== TEST 10: no sni matched, fall back to non-sni route
--- config
location /t {
content_by_lua_block {
@@ -285,7 +301,7 @@ passed
-=== TEST 10: hit route
+=== TEST 11: hit route
--- stream_tls_request
mmm
--- stream_sni: b.test.com
@@ -296,7 +312,7 @@ proxy request to 127.0.0.3:1995
-=== TEST 11: clean up routes
+=== TEST 12: clean up routes
--- config
location /t {
content_by_lua_block {