From 8833e3b639dc758d8e8c143d64951f45f1fbd96e Mon Sep 17 00:00:00 2001 From: An Tran Date: Tue, 16 Jul 2024 15:58:50 +1000 Subject: [PATCH 1/2] [find_service] Update warning message Previously APIcast outputs the warning message said would switch over using host routing if TLS and APICAST_PATH_ROUTING are enabled. However this is not true because the service lookup is handled during the rewrite phase and path_routing still works normally. This PR modifies the output message to reflect this fact. --- CHANGELOG.md | 2 ++ gateway/src/apicast/policy/find_service/find_service.lua | 6 +++--- t/listen-https.t | 8 ++++---- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cfe68a2f3..81c81ce9e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/). - Fixed config reloading even when reloading is disabled [PR #1468](https://github.com/3scale/APIcast/pull/1468) +- Fixed confusing log display when APIcast listens on HTTPS and path routing is enabled [PR #1486](https://github.com/3scale/APIcast/pull/1486/files) [THREESCALE #8486](https://issues.redhat.com/browse/THREESCALE-8486) + ### Added - Bump openresty to 1.21.4.3 [PR #1461](https://github.com/3scale/APIcast/pull/1461) [THREESCALE-10601](https://issues.redhat.com/browse/THREESCALE-10601) diff --git a/gateway/src/apicast/policy/find_service/find_service.lua b/gateway/src/apicast/policy/find_service/find_service.lua index 36567fb26..e48e4ec66 100644 --- a/gateway/src/apicast/policy/find_service/find_service.lua +++ b/gateway/src/apicast/policy/find_service/find_service.lua @@ -52,11 +52,11 @@ _M.rewrite = find_service -- ssl_certificate is the first phase executed when request arrives on HTTPS -- therefore it needs to find a service to build a policy chain. -- The method and the path are not available in the ssl_certificate phase, so --- path-based routing does not work. It should always find the service by host. +-- path-based routing does not compatible with this phase. function _M:ssl_certificate(context) if self.find_service ~= host_based_finder.find_service then - ngx.log(ngx.WARN, 'Configured to do path-based routing, but it is not', - 'compatible with TLS. Falling back to routing by host.') + ngx.log(ngx.DEBUG, 'Configured to do path-based routing, but it is not', + ' compatible with ssl_certificate phase. Skipping ssl_certificate phase...') return end context.service = context.service or diff --git a/t/listen-https.t b/t/listen-https.t index 13e0e18d2..5cc890e45 100644 --- a/t/listen-https.t +++ b/t/listen-https.t @@ -132,7 +132,7 @@ VZ5Wr10wCgYIKoZIzj0EAwIDSAAwRQIhAPRkfbxowt0H7p5xZYpwoMKanUXz9eKQ Regression test. APIcast was crashing because path-based routing needs the http method and the path. However, those are not available when trying to find the service in the ssl_certificate phase. -This test checks that APIcast falls back to finding the service by host. +This test checks that APIcast able to route request to correct service in rewrite phase. --- env eval ( 'APICAST_HTTPS_PORT' => "$Test::Nginx::Util::ServerPortForClient", @@ -217,10 +217,10 @@ connected: 1 ssl handshake: cdata HTTP/1.1 202 Accepted --- error_code: 200 ---- grep_error_log eval: qr/Falling back to routing by host/ +--- grep_error_log eval: qr/Skipping ssl_certificate phase/ --- grep_error_log_out -Falling back to routing by host -Falling back to routing by host +Skipping ssl_certificate phase +Skipping ssl_certificate phase --- no_error_log [error] --- user_files From 9cf87e74c00b6b428dd6ad2ed38854fc8bc23a16 Mon Sep 17 00:00:00 2001 From: An Tran Date: Tue, 16 Jul 2024 16:01:21 +1000 Subject: [PATCH 2/2] [tls] Update README to mention incompatibility with path routing --- gateway/src/apicast/policy/tls/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/gateway/src/apicast/policy/tls/README.md b/gateway/src/apicast/policy/tls/README.md index a5dd5cf2c..9a4cc6dbf 100644 --- a/gateway/src/apicast/policy/tls/README.md +++ b/gateway/src/apicast/policy/tls/README.md @@ -8,6 +8,7 @@ certificate to the given service. For this policy `APICAST_HTTPS_PORT` variable need to be defined to be able to listen in TLS in any port. +NOTE: This policy is not compatible with `APICAST_PATH_ROUTING` or `APICAST_PATH_ROUTING_ONLY` ### Embedded certificate: