This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new d7f6f9537 fix(balancer): separate keepalive pool by referenced client 
cert (#13587)
d7f6f9537 is described below

commit d7f6f953765860ab53a81d06ec68c1460a7ca203
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Tue Jun 23 10:06:42 2026 +0800

    fix(balancer): separate keepalive pool by referenced client cert (#13587)
---
 apisix/balancer.lua              |   4 ++
 t/node/upstream-keepalive-pool.t | 137 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+)

diff --git a/apisix/balancer.lua b/apisix/balancer.lua
index ce8277b4f..1647bab2f 100644
--- a/apisix/balancer.lua
+++ b/apisix/balancer.lua
@@ -398,8 +398,12 @@ do
                 local sni = ctx.var.upstream_host
                 pool = pool .. "#" .. sni
 
+                -- separate the pool by client cert so referenced SSL objects
+                -- don't share a connection
                 if up_conf.tls and up_conf.tls.client_cert then
                     pool = pool .. "#" .. up_conf.tls.client_cert
+                elseif up_conf.tls and up_conf.tls.client_cert_id then
+                    pool = pool .. "#" .. up_conf.tls.client_cert_id
                 end
             end
             pool_opt.pool = pool
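Review bot: The new `elseif` keys the keepalive pool only by `client_cert_id`, so an SSL object that is later updated under the same id (certificate or key rotated) will keep reusing pooled connections that were established with the previous certificate until they age out; the inline `client_cert` branch above does not have that window because its key changes with the PEM itself. If the resolved SSL object's revision is reachable at this point, appending it to the key would close the window; otherwise a comment such as `-- keyed by id only: a cert rotated under the same id is used once pooled connections expire` should record the behavior next to the new branch. `up_conf.tls` is also evaluated twice in the condition chain; `local tls = up_conf.tls` before the `if` would read more cleanly. The enclosing `do` block starts and ends outside the hunk.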
diff --git a/t/node/upstream-keepalive-pool.t b/t/node/upstream-keepalive-pool.t
index 4fc4a1ae1..226b298d1 100644
--- a/t/node/upstream-keepalive-pool.t
+++ b/t/node/upstream-keepalive-pool.t
@@ -805,3 +805,140 @@ grpcurl -import-path ./t/grpc_server_example/proto -proto 
helloworld.proto -plai
 {
   "message": "Hello apisix"
 }
+
+
+
+=== TEST 19: upstreams with different client cert referenced by id
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin")
+            local test = require("lib.test_admin").test
+            local json = require("toolkit.json")
+            local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+            local ssl_key = t.read_file("t/certs/mtls_client.key")
+            local ssl_cert2 = t.read_file("t/certs/apisix.crt")
+            local ssl_key2 = t.read_file("t/certs/apisix.key")
+
+            local code, body = test('/apisix/admin/ssls/1',
+                ngx.HTTP_PUT,
+                json.encode({type = "client", cert = ssl_cert, key = ssl_key})
+            )
+            if code >= 300 then
+                ngx.status = code
+                ngx.print(body)
+                return
+            end
+
+            local code, body = test('/apisix/admin/ssls/2',
+                ngx.HTTP_PUT,
+                json.encode({type = "client", cert = ssl_cert2, key = 
ssl_key2})
+            )
+            if code >= 300 then
+                ngx.status = code
+                ngx.print(body)
+                return
+            end
+
+            local code, body = test('/apisix/admin/upstreams/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "scheme": "https",
+                    "type": "roundrobin",
+                    "nodes": {
+                        "127.0.0.1:1983": 1
+                    },
+                    "keepalive_pool": {
+                        "size": 4
+                    }
+                }]]
+            )
+            if code >= 300 then
+                ngx.status = code
+                ngx.print(body)
+                return
+            end
+
+            local code, body = test('/apisix/admin/upstreams/2',
+                ngx.HTTP_PUT,
+                json.encode({
+                    scheme = "https",
+                    type = "roundrobin",
+                    nodes = {["127.0.0.1:1983"] = 1},
+                    tls = {client_cert_id = 1},
+                    keepalive_pool = {size = 8}
+                })
+            )
+            if code >= 300 then
+                ngx.status = code
+                ngx.print(body)
+                return
+            end
+
+            local code, body = test('/apisix/admin/upstreams/3',
+                ngx.HTTP_PUT,
+                json.encode({
+                    scheme = "https",
+                    type = "roundrobin",
+                    nodes = {["127.0.0.1:1983"] = 1},
+                    tls = {client_cert_id = 2},
+                    keepalive_pool = {size = 16}
+                })
+            )
+            if code >= 300 then
+                ngx.status = code
+                ngx.print(body)
+                return
+            end
+
+            for i = 1, 3 do
+                local code, body = test('/apisix/admin/routes/' .. i,
+                    ngx.HTTP_PUT,
+                    [[{
+                        "uri":"/hello/]] .. i .. [[",
+                        "plugins": {
+                            "proxy-rewrite": {
+                                "uri": "/hello"
+                            }
+                        },
+                        "upstream_id": ]] .. i .. [[
+                    }]])
+                if code >= 300 then
+                    ngx.status = code
+                    ngx.print(body)
+                    return
+                end
+            end
+        }
+    }
+--- response_body
+
+
+
+=== TEST 20: hit
+--- upstream_server_config
+    ssl_client_certificate ../../certs/mtls_ca.crt;
+    ssl_verify_client on;
+--- config
+    location /t {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local uri = "http://127.0.0.1:"; .. ngx.var.server_port
+
+            for i = 1, 12 do
+                local idx = (i % 3) + 1
+                local httpc = http.new()
+                local res, err = httpc:request_uri(uri .. "/hello/" .. idx)
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+
+                if idx == 2 then
+                    assert(res.status == 200)
+                else
+                    assert(res.status == 400)
+                end
+            end
+        }
+    }
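Review bot: As printed, `local uri = "http://127.0.0.1:"; .. ngx.var.server_port` at the top of TEST 20 is not valid Lua (a `;` immediately before the `..` operator); if that is not an artifact of the mail rendering, it should read `local uri = "http://127.0.0.1:" .. ngx.var.server_port`. The bare `assert(res.status == 200)` and `assert(res.status == 400)` calls give no hint which route or iteration failed when pool separation regresses; `assert(res.status == 200, "idx " .. idx .. " got " .. res.status)` (and the same for the 400 case) would make a failure diagnosable from the test log. TEST 20 also carries no `--- response_body` section, so, as far as the hunk shows, success is checked only through those asserts; stating the expected empty body explicitly would make the intent clear.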
