Hazel6869
commented
1 year ago @wavemoroc001 Hi, you can see https://apisix.apache.org/docs/apisix/FAQ/#why-do-i-need-a-new-api-gateway
Closed wavemoroc001 closed 1 year ago
Hazel6869
commented
1 year ago @wavemoroc001 Hi, you can see https://apisix.apache.org/docs/apisix/FAQ/#why-do-i-need-a-new-api-gateway
wavemoroc001
commented
1 year ago @Hazel6869 It still show that error, Is it related to my certificate ? I use Cloudflare Origin Certificate
Hazel6869
commented
1 year ago @Hazel6869 It still show that error, Is it related to my certificate ? I use Cloudflare Origin Certificate
I don‘t know 🤔, did you follow the documentation?
wavemoroc001
commented
1 year ago @Hazel6869 I did follow document this is my config.yaml
apisix:
ssl:
ssl_trusted_certificate: "/usr/local/apisix/cert/classroom_cert.crt"
ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_protocols: TLSv1.2 TLSv1.3
# ssl_cert: /usr/local/apisix/conf/cert/classroom_cert.crt
# ssl_cert_key: /usr/local/apisix/conf/cert/classroom_key.key
enable: true
listen: # APISIX listening port in https.
- port: 9443
enable_http2: true
node_listen: 9080 # APISIX listening port
enable_ipv6: false
enable_control: true
control:
ip: "0.0.0.0"
port: 9092
deployment:
admin:
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
- 0.0.0.0/0 # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
admin_key:
- name: "admin"
key: edd1c9f034335f136f87ad84b625c8f1
role: admin # admin: manage all configuration data
- name: "viewer"
key: 4054f7cf07e344346cd3f287985e76a2
role: viewer
etcd:
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
- "http://etcd:2379" # multiple etcd address
prefix: "/apisix" # apisix configurations prefix
timeout: 30 # 30 seconds
plugin_attr:
prometheus:
export_addr:
ip: "0.0.0.0"
port: 9091I look in error.log. It say that
2022/11/10 08:10:53 [error] 46#46: *5016 [lua] radixtree_sni.lua:146: match_and_set(): failed to find any SSL certificate by SNI: gateway-classroom.wavemoroc.app, context: ssl_certificate_by_lua*, client: 172.68.234.221, server: 0.0.0.0:9443but i already add it. Is there any config should configured ?
Hazel6869
commented
1 year ago @wavemoroc001 do you reload your config.yaml
wavemoroc001
commented
1 year ago @Hazel6869 Yes, Already reloaded but it still show error. Should i rollback to lts version ?
Hazel6869
commented
1 year ago @wavemoroc001 I think your ssl_trusted_certificate configuration is not right, why you do like this?
Hazel6869
commented
1 year ago @Hazel6869 Yes, Already reloaded but it still show error. Should i rollback to lts version ?
Can you give me the complete routing request curl? I will help you check.
wavemoroc001
commented
1 year ago @Hazel6869
Error log says failed to find any SSL certificate by SNI so I just try to add certification and hope it will found but still log not found certificate
this is my route that enable plugin auth_keycloak
{
"uri": "/student",
"name": "student-route",
"methods": [
"GET"
],
"plugins": {
"authz-keycloak": {
"bearer_only": true,
"client_id": "myclient",
"disable": false,
"discovery": "https://gateway-classroom.wavemoroc.app:8443/auth/realms/Apisix/.well-known/uma2-configuration"
}
},
"upstream": {
"nodes": [
{
"host": "example_web1_1",
"port": 80,
"weight": 1
}
],
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"checks": {
"active": {
"concurrency": 10,
"healthy": {
"http_statuses": [
200,
302
],
"interval": 1,
"successes": 2
},
"http_path": "/",
"timeout": 1,
"type": "http",
"unhealthy": {
"http_failures": 5,
"http_statuses": [
429,
404,
500,
501,
502,
503,
504,
505
],
"interval": 1,
"tcp_failures": 2,
"timeouts": 3
}
}
},
"scheme": "http",
"pass_host": "pass",
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
}
},
"status": 1
}
@wavemoroc001
how did you send request?
wavemoroc001
commented
1 year ago @Hazel6869 I use postman to send request
This my request body
curl --location --request GET 'https://gateway-classroom.wavemoroc.app/student' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyYzZlZDk1MC0yOTZiLTRlNTgtOTdjZi04NmI2MGEwODRmNjMifQ.eyJleHAiOjE2NjgwOTA3NDEsImlhdCI6MTY2ODA1NDc0MSwianRpIjoiMjRlNTYyYTgtZmVlZS00YmZmLThmNTgtOGQ4NjM1M2RjNTBhIiwiaXNzIjoiaHR0cHM6Ly9nYXRld2F5LWNsYXNzcm9vbS53YXZlbW9yb2MuYXBwOjg0NDMvYXV0aC9yZWFsbXMvQXBpc2l4IiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImE1N2FjYWY1LWJkZTYtNDkwZC05NWMzLWNkZDcxMjg3MzhjMSIsInR5cCI6IkJlYXJlciIsImF6cCI6Im15Y2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjA5YWNjOWUzLTlkN2ItNDAyYS04MDE3LTBkNzNmMDNhMmU0NiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1hcGlzaXgiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsInNpZCI6IjA5YWNjOWUzLTlkN2ItNDAyYS04MDE3LTBkNzNmMDNhMmU0NiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdCIsImdpdmVuX25hbWUiOiIiLCJmYW1pbHlfbmFtZSI6IiJ9.zuwYSynNh0NPCsINcG4fGWh-anhA1Vuq6YcMT0UoauE' \
--header 'Cookie: cf_use_ob=0'
tzssangglass
commented
1 year ago ref: https://github.com/apache/apisix/issues/8183
Perhaps the Dashboard is not yet compatible with the APISIX v3.0 modification and you need to upload the certificate via the admin API
Description
I integrated keycloak with
authz-keycloakplugins and i want to allow each route by role.This is my config
and throw this error
Cloud you advice me some solution to archive my goal ?
Environment
apisix version): 3.0.0uname -a): 3.0.0-debian (Docker)curl http://127.0.0.1:9090/v1/server_info): 3.4.15authz-keycloak