fix(runloop): upstream ssl failure when plugins use response handler (#…
…11502) * fix(runloop): upstream ssl failure when plugins use response handler If a plugin has a response() handler, `Kong.response` emits a subrequest by calling `ngx.location.capture("/kong_buffered_http", options)`. `ngx.location.capture` creates a new nginx request, so the overwritten ssl info (client key & cert etc.) is lost in the new nginx request. To fix this, that ssl info needs to be re-set in the new request context. We choose to do this in the early rewrite phase of the new request, before `Kong.balancer()` is executed. [FTI-5347](https://konghq.atlassian.net/browse/FTI-5347)
Showing
7 changed files
with
447 additions
and
87 deletions.
@@ -0,0 +1,7 @@ | ||
message: Fix upstream ssl failure when plugins use response handler | ||
type: bugfix | ||
scope: Core | ||
prs: | ||
- 11502 | ||
jiras: | ||
- "FTI-5347" |
@@ -0,0 +1,115 @@ | ||
local certificate = require "kong.runloop.certificate" | ||
local ktls = require "resty.kong.tls" | ||
|
||
|
||
local kong = kong | ||
local ngx = ngx | ||
local log = ngx.log | ||
local ERR = ngx.ERR | ||
local CRIT = ngx.CRIT | ||
|
||
local get_certificate = certificate.get_certificate | ||
local get_ca_certificate_store = certificate.get_ca_certificate_store | ||
local set_upstream_cert_and_key = ktls.set_upstream_cert_and_key | ||
local set_upstream_ssl_verify = ktls.set_upstream_ssl_verify | ||
local set_upstream_ssl_verify_depth = ktls.set_upstream_ssl_verify_depth | ||
local set_upstream_ssl_trusted_store = ktls.set_upstream_ssl_trusted_store | ||
|
||
|
||
local function set_service_ssl(ctx) | ||
local service = ctx and ctx.service | ||
|
||
if service then | ||
local res, err | ||
local client_certificate = service.client_certificate | ||
|
||
if client_certificate then | ||
local cert, err = get_certificate(client_certificate) | ||
if not cert then | ||
log(ERR, "unable to fetch upstream client TLS certificate ", | ||
client_certificate.id, ": ", err) | ||
return | ||
end | ||
|
||
res, err = set_upstream_cert_and_key(cert.cert, cert.key) | ||
if not res then | ||
log(ERR, "unable to apply upstream client TLS certificate ", | ||
client_certificate.id, ": ", err) | ||
end | ||
end | ||
|
||
local tls_verify = service.tls_verify | ||
if tls_verify then | ||
res, err = set_upstream_ssl_verify(tls_verify) | ||
if not res then | ||
log(CRIT, "unable to set upstream TLS verification to: ", | ||
tls_verify, ", err: ", err) | ||
end | ||
end | ||
|
||
local tls_verify_depth = service.tls_verify_depth | ||
if tls_verify_depth then | ||
res, err = set_upstream_ssl_verify_depth(tls_verify_depth) | ||
if not res then | ||
log(CRIT, "unable to set upstream TLS verification to: ", | ||
tls_verify, ", err: ", err) | ||
-- in case verify can not be enabled, request can no longer be | ||
-- processed without potentially compromising security | ||
return kong.response.exit(500) | ||
end | ||
end | ||
|
||
local ca_certificates = service.ca_certificates | ||
if ca_certificates then | ||
res, err = get_ca_certificate_store(ca_certificates) | ||
if not res then | ||
log(CRIT, "unable to get upstream TLS CA store, err: ", err) | ||
|
||
else | ||
res, err = set_upstream_ssl_trusted_store(res) | ||
if not res then | ||
log(CRIT, "unable to set upstream TLS CA store, err: ", err) | ||
end | ||
end | ||
end | ||
end | ||
end | ||
|
||
local function fallback_upstream_client_cert(ctx, upstream) | ||
if not ctx then | ||
return | ||
end | ||
|
||
upstream = upstream or (ctx.balancer_data and ctx.balancer_data.upstream) | ||
|
||
if not upstream then | ||
return | ||
end | ||
|
||
if ctx.service and not ctx.service.client_certificate then | ||
-- service level client_certificate is not set | ||
local cert, res, err | ||
local client_certificate = upstream.client_certificate | ||
|
||
-- does the upstream object contains a client certificate? | ||
if client_certificate then | ||
cert, err = get_certificate(client_certificate) | ||
if not cert then | ||
log(ERR, "unable to fetch upstream client TLS certificate ", | ||
client_certificate.id, ": ", err) | ||
return | ||
end | ||
|
||
res, err = set_upstream_cert_and_key(cert.cert, cert.key) | ||
if not res then | ||
log(ERR, "unable to apply upstream client TLS certificate ", | ||
client_certificate.id, ": ", err) | ||
end | ||
end | ||
end | ||
end | ||
|
||
return { | ||
set_service_ssl = set_service_ssl, | ||
fallback_upstream_client_cert = fallback_upstream_client_cert, | ||
} |
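Review bot: The CRIT log inside the `tls_verify_depth` branch of `set_service_ssl` reports the wrong setting and value — it prints `tls_verify` — and should read `log(CRIT, "unable to set upstream TLS verification depth to: ", tls_verify_depth, ", err: ", err)`. More importantly, the comment "in case verify can not be enabled, request can no longer be processed without potentially compromising security" and the `return kong.response.exit(500)` sit under the depth branch, while a failure of `set_upstream_ssl_verify(tls_verify)` just above only logs and lets the request proceed to the upstream unverified, which is exactly the fail-open case the comment describes. Adding `return kong.response.exit(500)` after the CRIT log in the `tls_verify` branch (and, by the same reasoning, after a `set_upstream_ssl_trusted_store` failure when `tls_verify` is set) would make the behaviour match the comment. If this body was moved verbatim from the balancer, the mix-up predates this commit, but the new module is the place to correct it. The inner `local cert, err` at the top of the `client_certificate` branch also shadows the `err` declared two lines earlier; luacheck would flag it, and `cert, err = get_certificate(client_certificate)` (as `fallback_upstream_client_cert` already does) avoids it.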
54468c4
Bazel Build
Docker image available
kong/kong:54468c44063269d73c5be1cc369e4d612e5bf2e9
Artifacts available https://github.com/Kong/kong/actions/runs/6231656724