From ce524d31c89a74527b65fbf2e8a6ed2eb5d4bbb6 Mon Sep 17 00:00:00 2001 From: Kong Team Gateway Bot <98048765+team-gateway-bot@users.noreply.github.com> Date: Wed, 16 Oct 2024 16:20:14 +0800 Subject: [PATCH] fix(rate-limiting): do not set response headers if `conf.hide_client_headers` is `true` (#13759) Fix https://github.com/Kong/kong/issues/13715; we should not set the response header if `conf.hide_client_headers` is `true`. Backport https://github.com/Kong/kong/pull/13722 Co-authored-by: Qi --- .gitignore | 7 +++++-- .../unreleased/kong/fix-rl-plugin-resp-hdr.yml | 6 ++++++ kong/plugins/rate-limiting/handler.lua | 11 ++++++++--- .../23-rate-limiting/04-access_spec.lua | 15 +++++++++++++++ 4 files changed, 34 insertions(+), 5 deletions(-) create mode 100644 changelog/unreleased/kong/fix-rl-plugin-resp-hdr.yml diff --git a/.gitignore b/.gitignore index 5651c0f40c44..8d07d62e272a 100644 --- a/.gitignore +++ b/.gitignore @@ -31,8 +31,6 @@ bin/grpcurl *.bak *.rock -bazel-* - worktree/ bin/bazel bin/h2client @@ -41,3 +39,8 @@ bin/h2client *.wasm spec/fixtures/proxy_wasm_filters/build spec/fixtures/proxy_wasm_filters/target + +# bazel +bazel-* +# remove it after migrating from WORKSPACE to Bzlmod +MODULE.bazel.lock diff --git a/changelog/unreleased/kong/fix-rl-plugin-resp-hdr.yml b/changelog/unreleased/kong/fix-rl-plugin-resp-hdr.yml new file mode 100644 index 000000000000..4de2eec659ba --- /dev/null +++ b/changelog/unreleased/kong/fix-rl-plugin-resp-hdr.yml @@ -0,0 +1,6 @@ +message: > + **Rate-Limiting**: Fixed an issue that caused an + HTTP 500 error when `hide_client_headers` + is set to `true` and the request exceeds the rate limit. +type: bugfix +scope: Plugin diff --git a/kong/plugins/rate-limiting/handler.lua b/kong/plugins/rate-limiting/handler.lua index c1e98c7deccd..91c5dfbf9309 100644 --- a/kong/plugins/rate-limiting/handler.lua +++ b/kong/plugins/rate-limiting/handler.lua 
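Review bot: The two `.gitignore` hunks (moving `bazel-*` under a `# bazel` heading and adding `MODULE.bazel.lock`) are unrelated to the rate-limiting fix this backport carries, and neither the subject line nor the changelog entry mentions them. Splitting them into their own commit keeps the backport bisectable and lets the Bazel ignore change be reverted independently; if they must travel together because the backport branch needs them, a sentence in the description saying so, e.g. `Also carries the .gitignore Bazel entries from the upstream branch.`, would avoid the question on the next review.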
@@ -192,12 +192,17 @@ function RateLimitingHandler:access(conf) -- If limit is exceeded, terminate the request if stop then - pdk_rl_store_response_header(ngx_ctx, RETRY_AFTER, reset) - pdk_rl_apply_response_headers(ngx_ctx) + if not conf.hide_client_headers then + pdk_rl_store_response_header(ngx_ctx, RETRY_AFTER, reset) + pdk_rl_apply_response_headers(ngx_ctx) + end + return kong.response.error(conf.error_code, conf.error_message) end - pdk_rl_apply_response_headers(ngx_ctx) + if not conf.hide_client_headers then + pdk_rl_apply_response_headers(ngx_ctx) + end end if conf.sync_rate ~= SYNC_RATE_REALTIME and conf.policy == "redis" then diff --git a/spec/03-plugins/23-rate-limiting/04-access_spec.lua b/spec/03-plugins/23-rate-limiting/04-access_spec.lua index 140dcf0e0ac5..ef8caa8c3663 100644 --- a/spec/03-plugins/23-rate-limiting/04-access_spec.lua +++ b/spec/03-plugins/23-rate-limiting/04-access_spec.lua @@ -650,7 +650,22 @@ if limit_by == "ip" then }) local res = assert(GET(test_path)) + assert.res_status(200, res) + + assert.is_nil(res.headers["X-Ratelimit-Limit-Minute"]) + assert.is_nil(res.headers["X-Ratelimit-Remaining-Minute"]) + assert.is_nil(res.headers["Ratelimit-Limit"]) + assert.is_nil(res.headers["Ratelimit-Remaining"]) + assert.is_nil(res.headers["Ratelimit-Reset"]) + assert.is_nil(res.headers["Retry-After"]) + + -- repeat until get rate-limited + helpers.wait_until(function() + res = assert(GET(test_path)) + return res.status == 429, "should be rate-limited (429), got " .. res.status + end, 10) + assert.res_status(429, res) assert.is_nil(res.headers["X-Ratelimit-Limit-Minute"]) assert.is_nil(res.headers["X-Ratelimit-Remaining-Minute"]) assert.is_nil(res.headers["Ratelimit-Limit"])
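Review bot: The `not conf.hide_client_headers` guard is now evaluated twice within a few lines of each other (and presumably a third time where the limit headers are stored above this hunk); hoisting it once at the top of the branch, `local expose_headers = not conf.hide_client_headers`, keeps the sites from drifting apart. The changelog describes an HTTP 500 on the 429 path, which suggests `pdk_rl_apply_response_headers` cannot cope with nothing having been stored for `ngx_ctx`; guarding every caller hides that, whereas making the helper a no-op on an empty store would fix it once (I cannot see the helper from here, so this is inferred). Note also that with `hide_client_headers = true` the 429 now carries no `Retry-After` at all; if the option is meant to hide only the informational limit headers, `pdk_rl_store_response_header(ngx_ctx, RETRY_AFTER, reset)` should stay outside the guard, and if suppressing it is intended, a comment such as `-- hide_client_headers also suppresses Retry-After on 429` makes that explicit. `RateLimitingHandler:access` begins before and continues past this hunk.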