Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(runloop): upstream ssl failure when plugins use response handler #11502

Merged
merged 8 commits into from
Sep 19, 2023
Merged

fix(runloop): upstream ssl failure when plugins use response handler #11502

merged 8 commits into from
Sep 19, 2023

Conversation

catbro666
Copy link
Contributor

@catbro666 catbro666 commented Aug 31, 2023
edited
Loading

Summary

If a plugin has response() handler, in Kong.response it will emits a subrequest by calling ngx.location.capture("/kong_buffered_http", options). ngx.location.capture will create a new nginx request, so the overwritten ssl info (client key & cert etc.) get lost in the new nginx request.

To fix this, those ssl info need to be re-set in the new request context. We choose to do this in the early rewrite phase of the new request before Kong.balancer() getting executed.

The normal flow is as below:

Kong.access.before            Kong.access.after             Kong.balancer(first try)    Kong.balancer(retry)
       v                             v                                     |                 v
balancer_prepare              balancer.execute(try_count=0)                |          balancer.execute(try_count~=0)
       v                             v                                     |                 |
set service ssl config        set upstream ssl config                      v                 v
                 \                /                                  init upstream ssl connection
                  \              /                                              |
                   v            v                                               v
                   ---------------                   set onto              ------------
                   | downstream r|        --------------------------->     |upstream c|
                   ---------------                                         ------------

For the buffered_proxying case, ngx.location.capture will create a new request, so the flow diagram become:

Kong.access.before            Kong.access.after             Kong.balancer(first try)    Kong.balancer(retry)
       v                             v                                     |                 v
balancer_prepare              balancer.execute(try_count=0)                |          balancer.execute(try_count~=0)
       v                             v                                     |                 |
set service ssl config        set upstream ssl config                      v                 v
                 \                /                                  init upstream ssl connection
                  \              /                                              |
                   v            v                                               v
                   ---------------                   set onto              ------------
                   | downstream r|        --------------------------->     |upstream c|
                   ---------------                                         ------------
ngx.location.capture     |
.........................+.............................................................................................
                         | ctx
                         | vars
                         v
                   ---------------                   set onto              ------------
                   |    sub r    |        --------------------------->     |upstream c|
                   ---------------                                         ------------
                         ^                                                      ^
                         |                                                      |
            -----------------------------                               ------------------
            |       Kong.rewrite        |                               |  Kong.balancer |
            |  set service ssl config   |                               |  same as above |
            |  set upstream ssl config  |                               ------------------
            -----------------------------

FTI-5347

@catbro666
fix(runloop): upstream ssl failure when plugins use response handler
8c43536 
If a plugin has response() handler, in `Kong.response` it will emits
a subrequest by calling `ngx.location.capture("/kong_buffered_http", options)`.
`ngx.location.capture` will create a new nginx request, so the overwritten
ssl info (client key & cert etc.) get lost in the new nginx request.

To fix this, those ssl info need to be re-set in the new request
context. We choose to do this in the early rewrite phase of the new
request before `Kong.balancer()` getting executed.

[FTI-5347](https://konghq.atlassian.net/browse/FTI-5347)
@catbro666 catbro666 force-pushed the fix-FTI-5347-kong-response-subrequest-lost-client-ssl-info branch from fede3ca to 8c43536 Compare August 31, 2023 08:40
@pull-request-size pull-request-size bot added size/XL and removed size/L labels Sep 6, 2023
@catbro666 catbro666 marked this pull request as ready for review September 6, 2023 16:14
oowl
oowl approved these changes Sep 12, 2023
View reviewed changes
Copy link
Member

@oowl oowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@windmgc windmgc merged commit 54468c4 into master Sep 19, 2023
5 checks passed
@windmgc windmgc deleted the fix-FTI-5347-kong-response-subrequest-lost-client-ssl-info branch September 19, 2023 05:48
@team-gateway-bot team-gateway-bot mentioned this pull request Sep 19, 2023
Merged
@chronolaw chronolaw mentioned this pull request Sep 19, 2023
Merged
3 tasks
catbro666 added a commit that referenced this pull request Sep 21, 2023
@catbro666
fix(runloop): upstream ssl failure when plugins use response handler (#…
4672a21 
…11502)

* fix(runloop): upstream ssl failure when plugins use response handler

If a plugin has response() handler, in `Kong.response` it will emits
a subrequest by calling `ngx.location.capture("/kong_buffered_http", options)`.
`ngx.location.capture` will create a new nginx request, so the overwritten
ssl info (client key & cert etc.) get lost in the new nginx request.

To fix this, those ssl info need to be re-set in the new request
context. We choose to do this in the early rewrite phase of the new
request before `Kong.balancer()` getting executed.

[FTI-5347](https://konghq.atlassian.net/browse/FTI-5347)

(cherry picked from commit 54468c4)
windmgc pushed a commit that referenced this pull request Sep 21, 2023
@chronolaw
style(runloop): style clean for upstream_ssl (#11601)
ea369f4 
Only some style clean for #11502, applying early return.
windmgc pushed a commit that referenced this pull request Sep 22, 2023
@team-gateway-bot @catbro666
fix(runloop): upstream ssl failure when plugins use response handler (#…
eb33195 
…11600)

* fix(runloop): upstream ssl failure when plugins use response handler (#11502)

* fix(runloop): upstream ssl failure when plugins use response handler

If a plugin has response() handler, in `Kong.response` it will emits
a subrequest by calling `ngx.location.capture("/kong_buffered_http", options)`.
`ngx.location.capture` will create a new nginx request, so the overwritten
ssl info (client key & cert etc.) get lost in the new nginx request.

To fix this, those ssl info need to be re-set in the new request
context. We choose to do this in the early rewrite phase of the new
request before `Kong.balancer()` getting executed.

[FTI-5347](https://konghq.atlassian.net/browse/FTI-5347)

(cherry picked from commit 54468c4)

* update nginx template in spec

---------

Co-authored-by: Zhefeng C <[email protected]>
Co-authored-by: Zhefeng Chen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oowl oowl oowl approved these changes

Assignees

@catbro666 catbro666

Labels
core/balancer core/proxy core/templates size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catbro666 @oowl @windmgc