sina-devel commented on issue #12704:
URL: https://github.com/apache/apisix/issues/12704#issuecomment-3506599631
Hi @Baoyuantop,
1. In Dashboard, go to Global Rules
2. Click Add Global Rule, add `ip-restriction` plugin first:
```
{
"whitelist": ["<your-ip-here>"]
}
```
Save ā This becomes GlobalRule #1
3. Click Add Global Rule again, add `real-ip` plugin:
```
{
"source": "http_x_real_ip"
}
```
Save ā This becomes GlobalRule #2
Result:
The actual runtime plugin order becomes:
```
(ip-restriction from GlobalRule #1) -> (real-ip from GlobalRule #2)
```
So `ip-restriction` sees the CDN edge IP and returns 403.
If I whitelist the edge IP temporarily, then real-ip runs afterward and
access logs show the correct client IP.
---
Also, regarding the related discussion in
https://github.com/apache/apisix/issues/9433#issuecomment-1549431136
In that issue, @kayx23 tested with two separate Global Rules and reported
that the execution order was correct.
However, after re-testing, I noticed that the result there was influenced by
the order in which the Global Rules were created.
In their test, the Global Rule containing `real-ip` was created before the
Global Rule containing `ip-restriction`.
So the runtime chain became:
```
real-ip -> ip-restriction
```
but only because the `real-ip` Global Rule had the earlier creation
timestamp.
If the same two Global Rules are created in the opposite order:
1. Create Global Rule with `ip-restriction` first
2. Then create Global Rule with `real-ip`
the execution order flips to:
```
ip-restriction -> real-ip
```
which matches the issue Iām reporting here.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
