debug日志: 2020/12/30 07:25:45 [warn] 37#37: 12314 [lua] init.lua:162: http_ssl_phase(): failed to fetch ssl config: failed to fetch SSL certificate: not found, context: ssl_certificate_by_lua, client: 8.210.143.155, server: 0.0.0.0:9443 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] init.lua:338: http_access_phase(): matched route: {"value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["124.205.245.114","1609308000000","1609311600000"]]}},"uris":["\/test\/"],"id":"402846fc7673cae00176745d682618df","desc":"test","upstream":{"hash_on":"vars","nodes":[{"host":"www.baidu.com","port":443,"weight":1}],"type":"roundrobin"}},"has_domain":true,"_cache_ver":"23#1609312931.291","clean_handlers":{},"createdIndex":23,"dns_value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["124.205.245.114","1609308000000","1609311600000"]]}},"uris":["\/test\/"],"id":"402846fc7673cae00176745d682618df","desc":"test","upstream":{"nodes":[{"host":"103.235.46.39","port":443,"weight":1}],"hash_on":"vars","type":"roundrobin"}},"key":"\/apisix\/routes\/402846fc7673cae00176745d682618df","modifiedIndex_org":23,"modifiedIndex":"23#1609312931.291"}, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] init.lua:175: parse_domain(): parse addr: {"address":"103.235.46.39","class":1,"ttl":173,"name":"www.wshifen.com","section":1,"type":1}, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] init.lua:176: parse_domain(): resolver: ["127.0.0.11"], client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] init.lua:177: parse_domain(): host: www.baidu.com, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 
12310 [lua] init.lua:179: parse_domain(): dns resolver domain: www.baidu.com to 103.235.46.39, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] balancer.lua:160: pick_server(): route: {"value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["124.205.245.114","1609308000000","1609311600000"]]}},"uris":["\/test\/"],"id":"402846fc7673cae00176745d682618df","desc":"test","upstream":{"hash_on":"vars","nodes":[{"host":"www.baidu.com","port":443,"weight":1}],"type":"roundrobin"}},"has_domain":true,"_cache_ver":"23#1609312931.291","clean_handlers":{},"createdIndex":23,"dns_value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["124.205.245.114","1609308000000","1609311600000"]]}},"uris":["\/test\/"],"id":"402846fc7673cae00176745d682618df","desc":"test","upstream":{"nodes":[{"host":"103.235.46.39","port":443,"weight":1}],"hash_on":"vars","type":"roundrobin"}},"key":"\/apisix\/routes\/402846fc7673cae00176745d682618df","modifiedIndex_org":23,"modifiedIndex":"23#1609312931.291"} while connecting to upstream, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] balancer.lua:161: pick_server(): ctx: {"conf_id":"402846fc7673cae00176745d682618df","var":{"host":"8.210.172.30","request_method":"GET","request_uri":"\/test\/1","upstream_uri":"\/test\/1","remote_addr":"8.210.143.155","uri":"\/test\/1","is_args":"","upstream_scheme":"https","_request":"cdata<void >: 0x56405e190bd0"},"upstream_version":"23#1609312931.291","upstream_key":"roundrobin#route_402846fc7673cae00176745d682618df","upstream_healthcheck_parent":"table: 0x7fd68d9ef658","conf_type":"route","conf_version":"23#1609312931.291","upstream_conf":"table: 
0x7fd68d8662b8","matched_route":{"value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["124.205.245.114","1609308000000","1609311600000"]]}},"uris":["\/test\/"],"id":"402846fc7673cae00176745d682618df","desc":"test","upstream":{"hash_on":"vars","nodes":[{"host":"www.baidu.com","port":443,"weight":1}],"type":"roundrobin"}},"has_domain":true,"_cache_ver":"23#1609312931.291","clean_handlers":{},"createdIndex":23,"dns_value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["124.205.245.114","1609308000000","1609311600000"]]}},"uris":["\/test\/"],"id":"402846fc7673cae00176745d682618df","desc":"test","upstream":{"nodes":[{"host":"103.235.46.39","port":443,"weight":1}],"hash_on":"vars","type":"roundrobin"}},"key":"\/apisix\/routes\/402846fc7673cae00176745d682618df","modifiedIndex_org":23,"modifiedIndex":"23#1609312931.291"},"plugins":[{"priority":5000,"access":"function: 0x7fd68d974ce8","name":"ip-blacklist","check_schema":"function: 0x7fd68d974ab0","schema":{"properties":{"blacklist":{"items":{"type":"array"},"minItems":1,"type":"array"}},"type":"object","oneOf":[{"required":["blacklist"]}]},"version":0.1},"table: 0x7fd68d9f9a80",{"priority":1008,"version":0.1,"schema":{"type":"object","properties":{"regex_uri":{"maxItems":2,"description":"new uri that substitute from client uri for upstream, lower priority than uri property","items":{"description":"regex uri","type":"string"},"minItems":2,"type":"array"},"uri":{"maxLength":4096,"pattern":"^\\/.","minLength":1,"description":"new uri for upstream","type":"string"},"scheme":{"type":"string","enum":["http","https"],"description":"new scheme for upstream"},"host":{"type":"string","pattern":"^[0-9a-zA-Z-.]+$","description":"new host for upstream"},"headers":{"type":"object","minProperties":1,"description":"new headers for request"}},"additionalProperties":false,"minProperties":1},"check_schema":"function: 
0x7fd68da145f8","name":"proxy-rewrite","rewrite":"function: 0x7fd68da148f0"},"table: 0x7fd68d9f90f0"]} while connecting to upstream, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: 12310 [lua] balancer.lua:264: load_balancer(): proxy request to 103.235.46.39:443 while connecting to upstream, client: 8.210.143.155, server: , request: "GET /test/1 HTTP/1.1", host: "8.210.172.30:9443" 2020/12/30 07:25:45 [info] 37#37: *12310 client 8.210.143.155 closed keepalive connection
@spacewander @moonming 请帮忙分析下是什么原因,谢谢
I can't even understand what you want, how can I help you? You should provide a way to reproduce the issue, and a detailed description about what you need / how you do / what you expect / what you actually see.
不好意思,我仔细描述下: 使用docker-compose启动apisix服务,其中 docker-compose.yaml: version: "3"
services: apisix: container_name: gistack-apisix image: registry.cn-beijing.aliyuncs.com/gisuni/apisix:1.5-alpine restart: always volumes:
"9000:9000/tcp"
etcd: container_name: gistack-etcd image: registry.cn-beijing.aliyuncs.com/gisuni/etcd:3.4.9 user: root restart: always volumes:
"2379:2379/tcp" config.yaml 配置文件内容为: #
#
#
# apisix: node_listen: 9080 # APISIX listening port enable_admin: true enable_admin_cors: true # Admin API support CORS response headers. enable_debug: false enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. enable_ipv6: true config_center: etcd # etcd: use etcd to store the config value
/your_path/conf/apisix.yaml
# This port can only receive http request with proxy protocol, but node_listen & port_admin
# can only receive http request. If you enable proxy protocol, you must use this port to
# receive http request with proxy protocol
proxy_cache: # Proxy Caching configuration cache_ttl: 10s # The default caching time if the upstream does not specify the cache time zones: # The parameters of a cache
memory_size: 50m # The size of shared memory, it's used to store the cache index disk_size: 1G # The size of disk, it's used to store the cache data disk_path: "/tmp/disk_cache_one" # The path to store the cache data cache_levels: "1:2" # The hierarchy levels of a cache
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
# Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
admin_api_mtls: # Depends on `port_admin` and `https_admin`.
admin_ssl_cert: "" # Path of your self-signed server side cert.
admin_ssl_cert_key: "" # Path of your self-signed server side key.
admin_ssl_ca_cert: "" # Path of your self-signed ca cert. The CA is used to sign all admin api callers' certificates.
name: "admin" key: edd1c9f034335f136f87ad84b625c8f1 role: admin # admin: manage all configuration data
- name: "viewer" key: 4054f7cf07e344346cd3f287985e76a2 role: viewer
delete_uri_tail_slash: false # delete the '/' at the end of the URI router: http: 'radixtree_uri' # radixtree_uri: match route by uri(base on radixtree)
ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base on radixtree)
/etc/resolv.conf
dns_resolver_valid: 30 # valid time for dns result 30 seconds resolver_timeout: 5 # resolver timeout ssl: enable: true enable_http2: true listen_port: 9443 ssl_protocols: "TLSv1.2 TLSv1.3" ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd.
# !!! So do not change it after saving your ssl; the ssl keys already saved cannot be decrypted if you change it !!
nginx_config: # config for rendering the template to generate nginx.conf error_log: "logs/error.log" error_log_level: "debug" # warn,error worker_rlimit_nofile: 20480 # the number of files a worker process can open, should be larger than worker_connections worker_shutdown_timeout: 240s # timeout for a graceful shutdown of worker processes event: worker_connections: 10620 http: access_log: "logs/access.log" keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side. client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client send_timeout: 10s # timeout for transmitting a response to the client, after which the connection is closed underscores_in_headers: "on" # default enables the use of underscores in client request header fields real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
cache-key: cache-size
etcd: host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
plugins: # plugin list
stream_plugins:
我们添加了一个黑白名单的插件ip-blacklist.lua到镜像的/usr/local/apisix/apisix/plugins目录下 local ipairs = ipairs local core = require("apisix.core") local ipmatcher = require("resty.ipmatcher") local cjson = require ("cjson") local str_sub = string.sub local str_find = string.find local tonumber = tonumber
-- Shape of the `blacklist` option: a non-empty array whose entries are
-- themselves arrays (the per-entry layout is checked in check_schema).
local blacklist_schema = {
    type = "array",
    items = {type = "array"},
    minItems = 1,
}

-- JSON schema for the whole plugin configuration.
local schema = {
    type = "object",
    properties = {
        blacklist = blacklist_schema,
    },
    oneOf = {
        {required = {"blacklist"}},
    },
}

local plugin_name = "ip-blacklist"

-- Plugin descriptor table returned at the end of the module.
local _M = {
    version = 0.1,
    priority = 5000,
    -- TODO: add a type field, may be a good idea
    name = plugin_name,
    schema = schema,
}
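-- Validate an IPv4/IPv6 address, optionally carrying a "/mask" suffix.
-- Returns true when the address parses and the mask (if present) fits the
-- address family (0..32 for IPv4, 0..128 for IPv6); false otherwise.
-- Non-string input and a non-numeric mask yield false instead of raising,
-- so a malformed config entry is reported rather than aborting validation.
local function valid_ip(ip)
    if type(ip) ~= "string" then
        return false
    end

    local mask = 0
    local sep_pos = str_find(ip, "/", 1, true)
    if sep_pos then
        mask = tonumber(str_sub(ip, sep_pos + 1))
        -- tonumber returns nil for e.g. "1.2.3.4/abc"; comparing nil with a
        -- number raises, which is what the previous version did
        if not mask or mask < 0 or mask > 128 then
            return false
        end
        ip = str_sub(ip, 1, sep_pos - 1)
    end

    if ipmatcher.parse_ipv4(ip) then
        -- an IPv4 prefix is at most 32 bits wide (mask >= 0 is already known)
        return mask <= 32
    end

    -- mask is within 0..128 here; the result is whatever the parser returns
    return ipmatcher.parse_ipv6(ip)
end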
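-- Validate the plugin configuration when a route is created or updated.
-- On top of the JSON schema, each blacklist entry is checked so that the
-- access phase can rely on it: entry[1] must be a valid address and
-- entry[2]/entry[3] must convert to numbers (they are compared as
-- millisecond timestamps in access).
-- Returns true on success, or false plus a human-readable error.
function _M.check_schema(conf)
    local ok, err = core.schema.check(schema, conf)
    if not ok then
        return false, err
    end

    if conf.blacklist and #conf.blacklist > 0 then
        for i, entry in ipairs(conf.blacklist) do
            if not valid_ip(entry[1]) then
                -- entry is a table; concatenating it directly (as before)
                -- raised "attempt to concatenate a table value" instead of
                -- reporting the offending address
                return false, "invalid ip address: " .. tostring(entry[1])
            end
            -- a bound that does not convert to a number would make the
            -- timestamp comparison in access raise for the matching client
            for pos = 2, 3 do
                if tonumber(entry[pos]) == nil then
                    return false, "invalid time window in blacklist entry "
                                  .. i .. ": " .. tostring(entry[pos])
                end
            end
        end
    end

    return true
end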
-- Build a resty.ipmatcher instance from a list of addresses/CIDRs.
-- Returns the matcher, or nil after logging the parse error.
-- NOTE: nothing in this module calls it; the access phase compares
-- addresses as plain strings instead.
local function create_ip_mather(ip_list)
    local matcher, err = ipmatcher.new(ip_list)
    if matcher then
        return matcher
    end

    core.log.error("failed to create ip matcher: ", err,
                   " ip list: ", core.json.delay_encode(ip_list))
    return nil
end
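-- Access-phase handler.
-- 1. Takes the first path segment of the request URI and, unless it is
--    "arcgis", reflects it back to the client in a `server-site-location`
--    cookie.
-- 2. Returns 403 when the client address equals a blacklist entry whose
--    time window (entry[2]..entry[3], milliseconds) covers the current time.
-- Returns nothing to let the request continue, or (403, body) to block it.
-- NOTE: the address comparison is an exact string match; a CIDR entry such
-- as "a.b.c.d/24" passes check_schema but never matches here.
function _M.access(conf, ctx)
    local uri = ctx.var.request_uri
    -- first path segment: between the leading "/" and the next "/"
    local sep_end = str_find(uri, "/", 2, true)
    local servername
    if sep_end then
        servername = str_sub(uri, 2, sep_end - 1)
    else
        servername = str_sub(uri, 2)
    end

    if servername ~= "arcgis" then
        -- the segment comes straight from the request line; percent-encode
        -- it so characters such as ";" cannot alter the cookie attributes
        ngx.header["Set-Cookie"] = {
            "server-site-location=" .. ngx.escape_uri(servername) .. ";path=/"
        }
    end

    local blacklist = conf.blacklist
    if not blacklist or #blacklist == 0 then
        return
    end

    local remote_addr = ctx.var.remote_addr
    -- entries carry millisecond timestamps; os.time() is in seconds
    local now_ms = os.time() * 1000

    for _, entry in ipairs(blacklist) do
        if remote_addr == entry[1] then
            local start_time = tonumber(entry[2])
            local end_time = tonumber(entry[3])
            -- a bound that is missing or not numeric is treated as
            -- open-ended; previously nil was compared with a number and
            -- the handler raised for the matching client
            local after_start = start_time == nil or now_ms >= start_time
            local before_end = end_time == nil or now_ms <= end_time
            if after_start and before_end then
                return 403, { message = "Sorry, Your IP address is not allowed!" }
            end
        end
    end
end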
-- Export the plugin table.
return _M
现在开始测试黑白名单功能 添加一条路由策略,代码如下: curl https://8.210.172.30:9443/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uris": [ "/test/*" ], "upstream": { "nodes": { "www.baidu.com:443": 1 }, "type": "roundrobin" }, "desc": "test", "plugins": { "proxy-rewrite": { "scheme": "https" }, "ip-blacklist": { "blacklist": [ ["1.1.1.1","1609308000000","1609311600000"] ] } }, "priority": 0 }' 拦截的是1.1.1.1这个IP,但随便找一台客户机请求这条路由,都提示403 错误 URL:https://8.210.172.30:9443/test/1
黑名单拦截正常的IP后,会提示:Sorry, Your IP address is not allowed!,但其他客户端访问一直提示403 拒绝访问。
"plugins": {
"proxy-rewrite": {
"scheme": "https"
},
"ip-blacklist": {
"blacklist": [
["1.1.1.1","1609308000000","1609311600000"]
]
}
Can this be reproduced with the official ip-restriction plugin?
We don't solve problems caused by Lua code or Nginx configuration snippets written by others. That is beyond the support of the open source version.
加不加这个插件都提示403的,和插件没有关系,您可以测试下,谢谢
Can you upload the config.yaml and error.log? Please don't paste the content here, since they are not in markdown syntax.
好的,谢谢,请稍等
2020/12/31 02:19:41 [info] 37#37: *93695 [lua] balancer.lua:160: pick_server(): route: {"value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["106.38.39.210","1609378200000","1609407000000"]]}},"uris":["\/test\/*"],"id":"00000000000000000014","desc":"test","upstream":{"hash_on":"vars","nodes":[{"host":"www.baidu.com","port":443,"weight":1}],"type":"roundrobin"}},"has_domain":true,"_cache_ver":"14#1609379263.776","clean_handlers":{},"dir":false,"createdIndex":14,"modifiedIndex_org":14,"modifiedIndex":"14#1609379263.776","key":"\/apisix\/routes\/00000000000000000014","dns_value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["106.38.39.210","1609378200000","1609407000000"]]}},"uris":["\/test\/*"],"id":"00000000000000000014","desc":"test","upstream":{"nodes":[{"host":"103.235.46.39","port":443,"weight":1}],"hash_on":"vars","type":"roundrobin"}}} while connecting to upstream, client: 124.205.245.114, server: , request: "GET /test/1 HTTP/2.0", host: "8.210.172.30:9443"
2020/12/31 02:19:41 [info] 37#37: *93695 [lua] balancer.lua:161: pick_server(): ctx: {"conf_id":"00000000000000000014","var":{"host":"8.210.172.30","request_method":"GET","request_uri":"\/test\/1","upstream_uri":"\/test\/1","remote_addr":"124.205.245.114","uri":"\/test\/1","is_args":"","upstream_scheme":"https","_request":"cdata<void *>: 0x5610ebf6a4b0"},"upstream_version":"14#1609379263.776","upstream_key":"roundrobin#route_00000000000000000014","upstream_healthcheck_parent":"table: 0x7f7aea6493c0","conf_type":"route","conf_version":"14#1609379263.776","upstream_conf":"table: 0x7f7aea63b888","matched_route":{"value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["106.38.39.210","1609378200000","1609407000000"]]}},"uris":["\/test\/*"],"id":"00000000000000000014","desc":"test","upstream":{"hash_on":"vars","nodes":[{"host":"www.baidu.com","port":443,"weight":1}],"type":"roundrobin"}},"has_domain":true,"_cache_ver":"14#1609379263.776","clean_handlers":{},"dir":false,"createdIndex":14,"modifiedIndex_org":14,"modifiedIndex":"14#1609379263.776","key":"\/apisix\/routes\/00000000000000000014","dns_value":{"priority":0,"plugins":{"proxy-rewrite":{"scheme":"https"},"ip-blacklist":{"blacklist":[["106.38.39.210","1609378200000","1609407000000"]]}},"uris":["\/test\/*"],"id":"00000000000000000014","desc":"test","upstream":{"nodes":[{"host":"103.235.46.39","port":443,"weight":1}],"hash_on":"vars","type":"roundrobin"}}},"plugins":[{"priority":5000,"access":"function: 0x7f7aea733498","name":"ip-blacklist","check_schema":"function: 0x7f7aea733260","schema":{"type":"object","properties":{"blacklist":{"items":{"type":"array"},"minItems":1,"type":"array"}},"oneOf":[{"required":["blacklist"]}],"id":"root:\/"},"version":0.1},"table: 0x7f7aea6495d0",{"priority":1008,"version":0.1,"schema":{"additionalProperties":false,"id":"root:\/","properties":{"regex_uri":{"maxItems":2,"description":"new uri that substitute from client uri for upstream, lower 
priority than uri property","items":{"description":"regex uri","type":"string"},"minItems":2,"type":"array"},"uri":{"maxLength":4096,"pattern":"^\\\/.*","minLength":1,"description":"new uri for upstream","type":"string"},"scheme":{"type":"string","enum":["http","https"],"description":"new scheme for upstream"},"host":{"type":"string","pattern":"^[0-9a-zA-Z-.]+$","description":"new host for upstream"},"headers":{"type":"object","minProperties":1,"description":"new headers for request"}},"minProperties":1,"type":"object"},"check_schema":"function: 0x7f7aea7d2788","name":"proxy-rewrite","rewrite":"function: 0x7f7aea7d2a80"},"table: 0x7f7aea649518"]} while connecting to upstream, client: 124.205.245.114, server: , request: "GET /test/1 HTTP/2.0", host: "8.210.172.30:9443"
2020/12/31 02:19:41 [info] 37#37: *93695 [lua] balancer.lua:264: load_balancer(): proxy request to 103.235.46.39:443 while connecting to upstream, client: 124.205.245.114, server: , request: "GET /test/1 HTTP/2.0", host: "8.210.172.30:9443"
It looks like the request is successfully proxied to 103.235.46.39:443. You may need to do a network capture and see what 103.235.46.39 returns.
This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
APISIX runs in Docker and is configured with docker-compose; the versions are: apisix 1.5-alpine, etcd 3.4.9.
I configured one route as shown above: https://8.210.172.30:9443/test/1. When I visit the URL I get the error "访问 8.210.172.30 的请求遭到拒绝您未获授权,无法查看此网页。 HTTP ERROR 403". Please help me look into this problem, thanks.