修改config.yaml中admin的允许ip后可以进入dashboard，进入后菜单报错

[zhaosuqi]

点击左侧所有菜单界面可以显示，但是报403错误，nginx日志错误信息如下：

172.16.56.54 - - [29/May/2020:04:34:33 +0000] 11.11.3.36:9080 "GET /apisix/admin/services HTTP/1.1" 403 552 0.000 "http://11.11.3.36:9080/apisix/dashboard" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37" - - -

conf/config.yaml

apisix:
  node_listen: 9080              # APISIX listening port
  enable_heartbeat: true
  enable_admin: true
  enable_admin_cors: true         # Admin API support CORS response headers.
  enable_debug: false
  enable_dev_mode: false          # Sets nginx worker_processes to 1 if set to true
  enable_reuseport: true          # Enable nginx SO_REUSEPORT switch if set to true.
  enable_ipv6: true
  config_center: etcd             # etcd: use etcd to store the config value
                                  # yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml`

  #proxy_protocol:                 # Proxy Protocol configuration
  #  listen_http_port: 9181        # The port with proxy protocol for http, it differs from node_listen and port_admin.
                                   # This port can only receive http request with proxy protocol, but node_listen & port_admin
                                   # can only receive http request. If you enable proxy protocol, you must use this port to
                                   # receive http request with proxy protocol
  #  listen_https_port: 9182       # The port with proxy protocol for https
  #  enable_tcp_pp: true           # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
  #  enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server

  proxy_cache:                     # Proxy Caching configuration
    cache_ttl: 10s                 # The default caching time if the upstream does not specify the cache time
    zones:                         # The parameters of a cache
    - name: disk_cache_one         # The name of the cache, administrator can be specify
                                   # which cache to use by name in the admin api
      memory_size: 50m             # The size of shared memory, it's used to store the cache index
      disk_size: 1G                # The size of disk, it's used to store the cache data
      disk_path: "/tmp/disk_cache_one" # The path to store the cache data
      cache_levels: "1:2"           # The hierarchy levels of a cache
  #  - name: disk_cache_two
  #    memory_size: 50m
  #    disk_size: 1G
  #    disk_path: "/tmp/disk_cache_two"
  #    cache_levels: "1:2"

  allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0              # If we don't set any IP list, then any IP access is allowed by default.
  #   - "::/64"
  # port_admin: 9180              # use a separate port

  # Default token when use API to call for Admin API.
  # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
  # Disabling this configuration item means that the Admin API does not
  # require any authentication.
  admin_key:
    -
      name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin                 # admin: manage all configuration data
                                  # viewer: only can view configuration data
    -
      name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer
  router:
    http: 'radixtree_uri'         # radixtree_uri: match route by uri(base on radixtree)
                                  # radixtree_host_uri: match route by host + uri(base on radixtree)
    ssl: 'radixtree_sni'          # radixtree_sni: match route by SNI(base on radixtree)
  # stream_proxy:                 # TCP/UDP proxy
  #   tcp:                        # TCP proxy port list
  #     - 9100
  #     - 9101
  #   udp:                        # UDP proxy port list
  #     - 9200
  #     - 9211
  # dns_resolver:                   # If not set, read from `/etc/resolv.conf`
  #  - 1.1.1.1
  #  - 8.8.8.8
  dns_resolver_valid: 30          # valid time for dns result 30 seconds
  resolver_timeout: 5             # resolver timeout
  ssl:
    enable: true
    enable_http2: true
    listen_port: 9443
    ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

nginx_config:                     # config for render the template to genarate nginx.conf
  error_log: "logs/error.log"
  error_log_level: "warn"         # warn,error
  worker_rlimit_nofile: 20480     # the number of files a worker process can open, should be larger than worker_connections
  event:
    worker_connections: 10620
  http:
    access_log: "logs/access.log"
    keepalive_timeout: 60s         # timeout during which a keep-alive client connection will stay open on the server side.
    client_header_timeout: 60s     # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
    client_body_timeout: 60s       # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
    send_timeout: 10s              # timeout for transmitting a response to the client.then the connection is closed
    underscores_in_headers: "on"   # default enables the use of underscores in client request header fields
    real_ip_header: "X-Real-IP"    # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
    real_ip_from:                  # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
      - 127.0.0.1
      - 'unix:'
    #lua_shared_dicts:              # add custom shared cache to nginx.conf
    #  ipc_shared_dict: 100m        # custom shared cache, format: `cache-key: cache-size`

etcd:
  host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
    - "http://127.0.0.1:2379"     # multiple etcd address
  prefix: "/apisix"               # apisix configurations prefix
  timeout: 3                      # 3 seconds

plugins:                          # plugin list
  - example-plugin
  - limit-req
  - limit-count
  - limit-conn
  - key-auth
  - basic-auth
  - prometheus
  - node-status
  - jwt-auth
  - zipkin
  - ip-restriction
  - grpc-transcode
  - serverless-pre-function
  - serverless-post-function
  - openid-connect
  - proxy-rewrite
  - redirect
  - response-rewrite
  - fault-injection
  - udp-logger
  - wolf-rbac
  - proxy-cache
  - tcp-logger
  - proxy-mirror
  - kafka-logger
  - cors
  - syslog
  - batch-requests
stream_plugins:
  - mqtt-proxy
---

[jevic]

你这样的提问方式 是认真的嘛？

[zhaosuqi]

配置文件贴进来就长这样，第一次提问，不好意思

[jevic]

配置文件贴进来就长这样，第一次提问，不好意思

你可以尝试改成这样看看:

allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 127.0.0.0/24              # If we don't set any IP list, then any IP access is allowed by default.
    - 192.168.0.0/16

[houshunwei]

我用的1.2镜像，存在同样问题。 跟着下面的教程做的： https://github.com/apache/incubator-apisix/blob/master/doc/getting-started-cn.md

403的问题，我已经解决了，需要设置 allow_admin: 中请求端的ip（比如我的宿主机ip 172.18.0.1/24）。

但是我遇到另外的问题，请求admin不通，报 no route to host： [root@e55e6d0dc93b apisix]# curl "http://127.0.0.1:9080/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' {"error_msg":"no route to host"}

[membphis]

@zhaosuqi I make a test right now, your config.yaml is invalid.

when I try to call make init, I got an error message like this:

$ make init
./bin/apisix init
lua: /home/resty/git/membphis/apisix/deps/share/lua/5.1/tinyyaml.lua:40: bad argument #1 to 'ssub' (string expected, got table)
stack traceback:
    [C]: in function 'string.sub'
    /home/resty/git/membphis/apisix/deps/share/lua/5.1/tinyyaml.lua:40: in upvalue 'startswith'
    /home/resty/git/membphis/apisix/deps/share/lua/5.1/tinyyaml.lua:468: in upvalue 'parseseq'
    /home/resty/git/membphis/apisix/deps/share/lua/5.1/tinyyaml.lua:661: in upvalue 'parsemap'
    /home/resty/git/membphis/apisix/deps/share/lua/5.1/tinyyaml.lua:721: in upvalue 'parsedocuments'
    /home/resty/git/membphis/apisix/deps/share/lua/5.1/tinyyaml.lua:746: in function 'tinyyaml.parse'
    (...tail calls...)
    ./bin/apisix:649: in field '?'
    ./bin/apisix:865: in main chunk
    [C]: in ?
make: *** [Makefile:75: init] Error 1

[membphis]

但是我遇到另外的问题，请求admin不通，报 no route to host： [root@e55e6d0dc93b apisix]# curl "http://127.0.0.1:9080/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' {"error_msg":"no route to host"}

Have you enabled a separate port for admin api?

https://github.com/apache/incubator-apisix/blob/master/conf/config.yaml#L56

[houshunwei]

但是我遇到另外的问题，请求admin不通，报 no route to host： [root@e55e6d0dc93b apisix]# curl "http://127.0.0.1:9080/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' {"error_msg":"no route to host"}

Have you enabled a separate port for admin api?

https://github.com/apache/incubator-apisix/blob/master/conf/config.yaml#L56

我搞通了。

原因比较傻：我本地无法访问etcd的镜像()。所以我改成了bitnami的etcd镜像，这个镜像需要对应修改yaml文件。 这样改就可以了：

etcd:

if you are in the mainland China, please use Azure China mirror:

image: gcr.azk8s.cn/etcd-development/etcd:v3.3.12

image: bitnami/etcd:3.3.15

image: gcr.io/etcd-development/etcd:v3.3.12

command: /usr/local/bin/etcd --advertise-client-urls http://0.0.0.0:2379 --listen-client-urls http://0.0.0.0:2379

restart: always volumes:

• ./etcd_data:/etcd_data
• ./etcd_conf/etcd.conf.yml:/opt/bitnami/etcd/conf/etcd.conf.yml environment: ETCD_DATA_DIR: /etcd_data ALLOW_NONE_AUTHENTICATION: 'yes' ports:
• "2379:2379/tcp"
• "2380:2380/tcp" networks: apisix: ipv4_address: 172.18.5.10

之前获取镜像失败的日志:

docker pull gcr.azk8s.cn/etcd-development/etcd:v3.3.12 Error response from daemon: error parsing HTTP 403 response body: invalid character '<' looking for beginning of value: "\r\n\r\n

[zhaosuqi]

我要关闭了，问题自己康复了，我下午再看就不报错了，什么都没改，后续部署再看看会不会再次出现

[zxhans]

把admin api的端口，换一个端口即可，区分9080即可