From a461c9856d7e1951b0307809edc573fd88ec0a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=BD=97=E6=B3=BD=E8=BD=A9?=
Date: Thu, 22 Jul 2021 11:08:10 +0800
Subject: [PATCH] fix(stream): sni router is broken when session reuses (#4607)
---
 apisix/ssl/router/radixtree_sni.lua | 2 --
 apisix/stream/router/ip_port.lua | 15 ++-------
 t/APISIX.pm | 51 +++++++++++++++++------------
 t/stream-node/sni.t | 34 ++++++++++++++-----
 4 files changed, 58 insertions(+), 44 deletions(-)
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index 96853900..6f44a2fe 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -171,8 +171,6 @@ function _M.match_and_set(api_ctx)
 end
 end
- api_ctx.sni_rev = sni_rev
-
 local matched_ssl = api_ctx.matched_ssl
 core.log.info("debug - matched: ", core.json.delay_encode(matched_ssl, true))
diff --git a/apisix/stream/router/ip_port.lua b/apisix/stream/router/ip_port.lua
index 9d723345..44b0ab3e 100644
--- a/apisix/stream/router/ip_port.lua
+++ b/apisix/stream/router/ip_port.lua
@@ -19,7 +19,6 @@ local config_util = require("apisix.core.config_util")
 local plugin_checker = require("apisix.plugin").stream_plugin_checker
 local router_new = require("apisix.utils.router").new
 local ngx_ssl = require("ngx.ssl")
-local ngx_lua_version = ngx.config.ngx_lua_version -- get the version of stream-lua-nginx-module
 local error = error
 local tonumber = tonumber
 local ipairs = ipairs
@@ -135,17 +134,9 @@ do
 router_ver = user_routes.conf_version
 end
- if ngx_lua_version < 9 then
- -- be compatible with old OpenResty
- local sni = ngx_ssl.server_name()
- if sni then
- local sni_rev = sni:reverse()
- api_ctx.sni_rev = sni_rev
- end
- end
-
- if api_ctx.sni_rev and tls_router then
- local sni_rev = api_ctx.sni_rev
+ local sni = ngx_ssl.server_name()
+ if sni and tls_router then
+ local sni_rev = sni:reverse()
 core.table.clear(match_opts)
 match_opts.vars = api_ctx.var 
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 82ca1b46..e1c5557b 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -258,34 +258,43 @@ _EOC_
 }
 chomp $stream_tls_request;
+ my $repeat = "1";
+ if (defined $block->stream_session_reuse) {
+ $repeat = "2";
+ }
+
 my $config = <<_EOC_;
 location /stream_tls_request {
 content_by_lua_block {
- local sock = ngx.socket.tcp()
- local ok, err = sock:connect("127.0.0.1", 2005)
- if not ok then
- ngx.say("failed to connect: ", err)
- return
- end
+ local sess
+ for _ = 1, $repeat do
+ local sock = ngx.socket.tcp()
+ local ok, err = sock:connect("127.0.0.1", 2005)
+ if not ok then
+ ngx.say("failed to connect: ", err)
+ return
+ end
- local sess, err = sock:sslhandshake(nil, $sni, false)
- if not sess then
- ngx.say("failed to do SSL handshake: ", err)
- return
- end
+ sess, err = sock:sslhandshake(sess, $sni, false)
+ if not sess then
+ ngx.say("failed to do SSL handshake: ", err)
+ return
+ end
- local bytes, err = sock:send("$stream_tls_request")
- if not bytes then
- ngx.say("send stream request error: ", err)
- return
- end
- local data, err = sock:receive("*a")
- if not data then
+ local bytes, err = sock:send("$stream_tls_request")
+ if not bytes then
+ ngx.say("send stream request error: ", err)
+ return
+ end
+ local data, err = sock:receive("*a")
+ if not data then
+ sock:close()
+ ngx.say("receive stream response error: ", err)
+ return
+ end
+ ngx.print(data)
 sock:close()
- ngx.say("receive stream response error: ", err)
- return
 end
- ngx.print(data)
 }
 }
 _EOC_
diff --git a/t/stream-node/sni.t b/t/stream-node/sni.t
index 4ff54c19..ab701172 100644
--- a/t/stream-node/sni.t
+++ b/t/stream-node/sni.t 
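Review bot: The new loop in the `$config` heredoc carries no explanation of why `sess` is declared before the `for` and fed back into `sock:sslhandshake(sess, $sni, false)`, so a reader of the helper cannot tell that the second iteration deliberately resumes the first TLS session rather than just repeating the request. A comment above the loop such as `-- keep sess across iterations: with stream_session_reuse the 2nd handshake resumes the 1st session, which is the path #4607 fixes` would make the intent and the `$repeat` switch self-explanatory. Separately, the connect, handshake and send failure branches inside the loop still `return` without `sock:close()`, while the new receive branch now closes first; this is carried over from the old code, but since these lines are re-emitted as new code it is worth making the four branches consistent. The Lua body is complete within the hunk; the Perl subroutine that emits it starts before it.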
@@ -128,7 +128,23 @@ proxy request to 127.0.0.1:1995
-=== TEST 3: hit route, wildcard SNI
+=== TEST 3: hit route (session reuse)
+--- stream_tls_request
+mmm
+--- stream_sni: a.test.com
+--- stream_session_reuse
+--- response_body
+hello world
+hello world
+--- grep_error_log eval
+qr/proxy request to 127.0.0.\d:1995/
+--- grep_error_log_out
+proxy request to 127.0.0.1:1995
+proxy request to 127.0.0.1:1995
+
+
+
+=== TEST 4: hit route, wildcard SNI
 --- stream_tls_request
 mmm
 --- stream_sni: b.test.com
@@ -139,7 +155,7 @@ proxy request to 127.0.0.2:1995
-=== TEST 4: hit route, no TLS
+=== TEST 5: hit route, no TLS
 --- stream_enable
 --- stream_request
 mmm
@@ -150,7 +166,7 @@ proxy request to 127.0.0.3:1995
-=== TEST 5: set different stream route with the same sni
+=== TEST 6: set different stream route with the same sni
 --- config
 location /t {
 content_by_lua_block {
@@ -204,7 +220,7 @@ passed
-=== TEST 6: hit route
+=== TEST 7: hit route
 --- stream_tls_request
 mmm
 --- stream_sni: a.test.com
@@ -215,7 +231,7 @@ proxy request to 127.0.0.4:1995
-=== TEST 7: change a.test.com route to fall back to wildcard route
+=== TEST 8: change a.test.com route to fall back to wildcard route
 --- config
 location /t {
 content_by_lua_block {
@@ -250,7 +266,7 @@ passed
-=== TEST 8: hit route
+=== TEST 9: hit route
 --- stream_tls_request
 mmm
 --- stream_sni: a.test.com
@@ -261,7 +277,7 @@ proxy request to 127.0.0.2:1995
-=== TEST 9: no sni matched, fall back to non-sni route
+=== TEST 10: no sni matched, fall back to non-sni route
 --- config
 location /t {
 content_by_lua_block {
@@ -285,7 +301,7 @@ passed
-=== TEST 10: hit route
+=== TEST 11: hit route
 --- stream_tls_request
 mmm
 --- stream_sni: b.test.com
@@ -296,7 +312,7 @@ proxy request to 127.0.0.3:1995
-=== TEST 11: clean up routes
+=== TEST 12: clean up routes
 --- config
 location /t {
 content_by_lua_block {
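Review bot: The added TEST 3 exercises session reuse only for the exact-match SNI `a.test.com` (expecting `proxy request to 127.0.0.1:1995` twice); the wildcard route that TEST 4 hits with `b.test.com` and the SNI-less fallback covered by TEST 10 get no reuse variant, so a regression confined to those branches of the resumed-session path would not be caught. A second `--- stream_session_reuse` case with `--- stream_sni: b.test.com` and `proxy request to 127.0.0.2:1995` repeated twice in `grep_error_log_out` would cover the wildcard path at almost no cost. Which routes exist at that point is inferred from the expected log lines, since the route definitions sit outside this hunk. The remaining hunks in this file only renumber the test titles.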