[THREESCALE-11128] Prevent APIcast fallback to global proxy settings for direct connection

[tkan145]

What

Fix https://issues.redhat.com/browse/THREESCALE-11128

Notes

With the newer version of lua-resty-http (0.7.1), if a proxy options is not provided when calling the connect() method, it will fall back to using the global proxy settings set by the "set_proxy_option" function (has no effect in previous versions of the library). This then causes unexpected behavior where the direct connection will now go through the proxy server.

Verification steps

• Build a new runtime image

  make runtime-image IMAGE_NAME=apicast-test

• Move into dev-environment

  cd dev-environments/http-proxy-plain-http-upstream

• Edit apicast-config.json as follow:

diff --git a/dev-environments/http-proxy-plain-http-upstream/apicast-config.json b/dev-environments/http-proxy-plain-http-upstream/apicast-config.json
index daa6967c..0e404d45 100644
--- a/dev-environments/http-proxy-plain-http-upstream/apicast-config.json
+++ b/dev-environments/http-proxy-plain-http-upstream/apicast-config.json
@@ -11,12 +11,6 @@
           "host": "backend"
         },
         "policy_chain": [
-          {
-            "name": "apicast.policy.http_proxy",
-            "configuration": {
-              "http_proxy": "http://proxy:8080/"
-            }
-          },
           {
             "name": "apicast.policy.apicast"
           }

• Update docker-compose.yml

  
  diff --git a/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml b/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml
  index f1e461fb..c25fa61d 100644
  --- a/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml
  +++ b/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml
  @@ -15,6 +15,8 @@ services:
     APICAST_WORKERS: 1
     APICAST_LOG_LEVEL: debug
     APICAST_CONFIGURATION_CACHE: "0"

• HTTP_PROXY: "http://proxy:8080"
• NO_PROXY: "127.0.0.1,localhost" expose:
  • "8080"
  • "8090"

• Start APIcast

  make gateway IMAGE_NAME=apicast-test

• Send a request

  curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"

  APIcast should response with 200

< HTTP/1.1 200 OK
< Server: openresty
< Date: Thu, 27 Jun 2024 02:59:58 GMT
< Content-Type: application/json
< Content-Length: 249
< Connection: keep-alive
< Via: 1.1 tinyproxy (tinyproxy/1.11.2)
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true

[eguzki]

Good one.

I also tested without the NO_PROXY and the backend request goes via proxy as expected, which obviously fails as the proxy cannot resolve http://127.0.0.1:8081/transactions/authrep.xml

From docker compose -p http-proxy-plain-http-upstream logs -f proxy:

proxy  | 2024/06/27 08:36:02 socat[1] N accepting connection from AF=2 172.22.0.6:55516 on AF=2 172.22.0.4:8080
proxy  | 2024/06/27 08:36:02 socat[1] N forked off child process 7
proxy  | 2024/06/27 08:36:02 socat[1] N listening on AF=2 0.0.0.0:8080
proxy  | 2024/06/27 08:36:02 socat[7] N opening connection to AF=2 172.22.0.3:443
proxy  | 2024/06/27 08:36:02 socat[7] N successfully connected from local address AF=2 172.22.0.4:48682
proxy  | 2024/06/27 08:36:02 socat[7] N starting data transfer loop with FDs [6,6] and [5,5]
proxy  | > 2024/06/27 08:36:02.000476032  length=269 from=0 to=268
proxy  | GET http://127.0.0.1:8081/transactions/authrep.xml?service_id=1&usage%5Bhits%5D=1&user_key=123 HTTP/1.1\r
proxy  | Host: backend\r
proxy  | 3scale-Options: rejection_reason_header=1&limit_headers=1&no_body=1\r
proxy  | Connection: Keep-Alive\r
proxy  | User-Agent: APIcast/3.15.0 (Linux; x64; env:staging)\r
proxy  | \r
proxy  | < 2024/06/27 08:36:02.000476991  length=104 from=0 to=103
proxy  | HTTP/1.1 500 Unable to connect\r

HTTP/1.1 500 Unable to connect\