thibaultcha closed this 7 months ago
@hishamhm I recall you were running some tests with various branches for this feature, would you give it another try with this branch?
Merging #484 (f551c4a) into main (e8e9a59) will decrease coverage by 0.08867%. The diff coverage is 89.06250%.
@thibaultcha I gave it a try, but running the latest Kong master with this branch and the same filter I had compiled earlier gives me "name resolution failed" responses:
HTTP/1.1 503 Service Temporarily Unavailable
Connection: keep-alive
Content-Length: 91
Content-Type: application/json; charset=utf-8
Date: Mon, 29 Jan 2024 21:48:27 GMT
Server: kong/3.6.0
X-Kong-Request-Id: daf81a78af4a005d961a3a106237643a
X-Kong-Response-Latency: 1
{
"message": "name resolution failed",
"request_id": "daf81a78af4a005d961a3a106237643a"
}
It's the end of my day here now, but I'll take another look at this tomorrow morning. Might be something silly on my end. (I already ran it with KONG_DNS_NO_SYNC=on just in case, but it made no difference.)
Hmmm, that is strange; this should not rely on the DNS resolver, at least not directly... Not sure what could be going on. I am spending some cycles on mlcache since it is being used by the new Gateway DNS resolver, but perhaps this needs some more work.
Is your filter making a dispatch call prior to the response being produced? If so, it could be the same bug Damon ran into last week, in which case dns_no_sync alone is not enough: you will also need this commit, or to produce the response without a hostname dispatch call.
Update: the name resolution issue was a misconfiguration on my end, you can ignore that.
The current status is that I'm getting the following:
2024/01/30 16:49:34 [error] 851930#0: *20552 [proxy-wasm] bad "on_response_headers" return action: "PAUSE" while reading response header from upstream, client: 127.0.0.1, server: kong, request: "GET /status/406 HTTP/1.1", upstream: "http://127.0.0.1:8080/status/406", host: "localhost:8000", request_id: "0c7b7a3e68611b7306574b4fa49d703c"
In both my version and upstream's version of the filter, ActionPause is returned by OnHttpResponseHeaders (usually via ctx.handleInterruption) after a local response is produced. This ends up causing a 500 error in a test case where a 403 (set by said local response) was expected.
@hishamhm Ok, that second commit should fix this!
@thibaultcha just tested the latest version of the PR, and yes, it does pass all of the e2e-example.sh tests running my fork of the coraza-waf filter :tada:
Replaces #470 by implementing the feature at the Proxy-Wasm host layer.