[GitHub] [apisix] moonming commented on pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
moonming commented on pull request #2357: URL: https://github.com/apache/apisix/pull/2357#issuecomment-703380224 And we should remove random in `init` phase if add random in `init_worker` phase. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
moonming commented on pull request #2357: URL: https://github.com/apache/apisix/pull/2357#issuecomment-703379891 > related PR: #2306 I don't understand what it has to do with this PR This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming edited a comment on pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
moonming edited a comment on pull request #2357: URL: https://github.com/apache/apisix/pull/2357#issuecomment-703379891 > related PR: #2306 I don't understand what it has to do with this PR. https://github.com/apache/apisix/pull/2306 did not show any details. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
membphis commented on pull request #2357: URL: https://github.com/apache/apisix/pull/2357#issuecomment-703379020 > why only `init` phase is not enough? `init` works in `master` process if the [lua_code_cache](https://github.com/openresty/lua-nginx-module#lua_code_cache) is `on`. We want to set different `seed` for different work processes, so we should use `init_worker` phase. we can delete those code https://github.com/apache/apisix/pull/2357/files#diff-d982d52466e7c93c7b604358339b2a29R85-R90 . And run the test case, then we will get the same random number which is wrong. ![image](https://user-images.githubusercontent.com/6814606/95037817-dc27fc80-06fe-11eb-8d74-160d68ebf022.png) Here is the right one: ![image](https://user-images.githubusercontent.com/6814606/95037874-1db8a780-06ff-11eb-8b5c-e79016eb441b.png) ![image](https://user-images.githubusercontent.com/6814606/95037656-43917c80-06fe-11eb-8444-f00a930cac9b.png) This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on issue #2330: request help: Apisix host configuration of route can not be '*' ?
moonming commented on issue #2330: URL: https://github.com/apache/apisix/issues/2330#issuecomment-703370940 @membphis please take a look This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
moonming commented on pull request #2357: URL: https://github.com/apache/apisix/pull/2357#issuecomment-703370308 why only `init` phase is not enough? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
membphis commented on pull request #2357: URL: https://github.com/apache/apisix/pull/2357#issuecomment-703362701 @zlm0125 welcome to review and make a test with this PR. I think it should work fine for your case This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis merged pull request #2312: bugfix: create etcd object in `xpcall`, this step may fail
membphis merged pull request #2312: URL: https://github.com/apache/apisix/pull/2312 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: bugfix: create etcd object in `xpcall`, this step may fail (#2312)
This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new 50c99a5 bugfix: create etcd object in `xpcall`, this step may fail (#2312) 50c99a5 is described below commit 50c99a5e3ba9b6bb2cd1422b903de038bbce256c Author: YuanSheng Wang AuthorDate: Mon Oct 5 10:22:28 2020 +0800 bugfix: create etcd object in `xpcall`, this step may fail (#2312) * bugfix: create the etcd object in `xpcall`, it may fail, the return values of `etcd.new` should be `res, err`. fix issue: #2310 1. The old process, if creating etcd fails, etcd data will no longer be synchronized. We need to create the etcd object in xpcall. 2. the return value should be res, err of etcd.new. * test: old test case is unstable, should delete some checkpoint which is wrong. --- apisix/core/config_etcd.lua | 23 - t/core/config_etcd.t| 49 + t/node/invalid-service.t| 13 +--- 3 files changed, 68 insertions(+), 17 deletions(-) diff --git a/apisix/core/config_etcd.lua b/apisix/core/config_etcd.lua index 28590e3..4f3fd55 100644 --- a/apisix/core/config_etcd.lua +++ b/apisix/core/config_etcd.lua @@ -82,13 +82,13 @@ end local function readdir(etcd_cli, key) if not etcd_cli then -return nil, nil, "not inited" +return nil, "not inited" end local res, err = etcd_cli:readdir(key) if not res then -- log.error("failed to get key from etcd: ", err) -return nil, nil, err +return nil, err end if type(res.body) ~= "table" then @@ -407,16 +407,20 @@ local function _automatic_fetch(premature, self) return end -local etcd_cli, _, err = etcd.new(self.etcd_conf) -if not etcd_cli then -error("failed to start a etcd instance: " .. err) -end -self.etcd_cli = etcd_cli - local i = 0 while not exiting() and self.running and i <= 32 do i = i + 1 + local ok, err = xpcall(function() +if not self.etcd_cli then +local etcd_cli, err = etcd.new(self.etcd_conf) +if not etcd_cli then +error("failed to create etcd instance for key [" + .. self.key .. "]: " .. (err or "unknown")) +end +self.etcd_cli = etcd_cli +end + local ok, err = sync_data(self) if err then if err ~= "timeout" and err ~= "Key not found" @@ -437,6 +441,7 @@ local function _automatic_fetch(premature, self) elseif not ok then ngx_sleep(0.05) end + end, debug.traceback) if not ok then @@ -499,7 +504,7 @@ function _M.new(key, opts) ngx_timer_at(0, _automatic_fetch, obj) else -local etcd_cli, _, err = etcd.new(etcd_conf) +local etcd_cli, err = etcd.new(etcd_conf) if not etcd_cli then return nil, "failed to start a etcd instance: " .. err end diff --git a/t/core/config_etcd.t b/t/core/config_etcd.t new file mode 100644 index 000..7944537 --- /dev/null +++ b/t/core/config_etcd.t @@ -0,0 +1,49 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +log_level("info"); + +run_tests; + +__DATA__ + +=== TEST 1: wrong etcd port +--- yaml_config +apisix: + node_listen: 1984 +etcd: + host: +- "http://127.0.0.1:; -- wrong etcd port + timeout: 1 +--- config +location /t { +content_by_lua_block { +ngx.sleep(8) +ngx.say(body) +} +} +--- timeout: 12 +--- request +GET /t +--- grep_error_log eval +qr{failed to fetch data from etcd: connection refused, etcd key: .*routes} +--- grep_error_log_out eval +qr/(failed to fetch data from etcd: connection refused, etcd key: .*routes\n){1,}/ diff --git a/t/node/invalid-service.t b/t/node/invalid-service.t index 1ba86f0..8764dc4 100644 ---
[GitHub] [apisix] membphis opened a new pull request #2357: bugfix: set random seed for each worker process at `init_worker` phase, only `init` phase is not enough.
membphis opened a new pull request #2357: URL: https://github.com/apache/apisix/pull/2357 ### What this PR does / why we need it: related PR: https://github.com/apache/apisix/pull/2306 ### Pre-submission checklist: * [ ] Did you explain what problem does this PR solve? Or what new features have been added? * [ ] Have you added corresponding test cases? * [ ] Have you modified the corresponding document? * [ ] Is this PR backward compatible? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on issue #637: feature: supported cluster limit-conn with redis server.
membphis commented on issue #637: URL: https://github.com/apache/apisix/issues/637#issuecomment-703347367 please feel free if you would like to contribute this feature @liuhengloveyou This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on pull request #2273: test: add integration test
membphis commented on pull request #2273: URL: https://github.com/apache/apisix/pull/2273#issuecomment-703346988 ping @idbeta This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis closed issue #1962: need test case: redirect plugin
membphis closed issue #1962: URL: https://github.com/apache/apisix/issues/1962 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on issue #1962: need test case: redirect plugin
membphis commented on issue #1962: URL: https://github.com/apache/apisix/issues/1962#issuecomment-703346763 it has been fixed https://github.com/apache/apisix/commit/ce6dc643ddc92056deb035893df0831c049c042d so we can close this issue This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on pull request #2304: fix: Update error message when Route doesn't exist
membphis commented on pull request #2304: URL: https://github.com/apache/apisix/pull/2304#issuecomment-703343321 @liuhengloveyou pls update your branch. ![image](https://user-images.githubusercontent.com/6814606/95031377-44b7af00-06e8-11eb-88af-3529b207897d.png) This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis merged pull request #2348: test: use the absolute path of `$apisix_home` instead of `.`, search …
membphis merged pull request #2348: URL: https://github.com/apache/apisix/pull/2348 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: test: use the absolute path of `$apisix_home` instead of `.`, search the lua source fine in the folder `$apisix_home`. (#2348)
This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new 5d172d6 test: use the absolute path of `$apisix_home` instead of `.`, search the lua source fine in the folder `$apisix_home`. (#2348) 5d172d6 is described below commit 5d172d606f4debd0034b8061b5865d46738d47ac Author: YuanSheng Wang AuthorDate: Mon Oct 5 08:42:13 2020 +0800 test: use the absolute path of `$apisix_home` instead of `.`, search the lua source fine in the folder `$apisix_home`. (#2348) --- t/APISIX.pm | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/t/APISIX.pm b/t/APISIX.pm index c951cd9..7d90a9b 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -141,8 +141,8 @@ _EOC_ my $stream_enable = $block->stream_enable; my $stream_config = $block->stream_config // <<_EOC_; -lua_package_path "./?.lua;./?/init.lua;$apisix_home/deps/share/lua/5.1/?.lua;$apisix_home/apisix/?.lua;$apisix_home/t/?.lua;;"; -lua_package_cpath "./?.so;$apisix_home/deps/lib/lua/5.1/?.so;$apisix_home/deps/lib64/lua/5.1/?.so;;"; +lua_package_path "$apisix_home/?.lua;$apisix_home/?/init.lua;$apisix_home/deps/share/lua/5.1/?.lua;$apisix_home/apisix/?.lua;$apisix_home/t/?.lua;;"; +lua_package_cpath "$apisix_home/?.so;$apisix_home/deps/lib/lua/5.1/?.so;$apisix_home/deps/lib64/lua/5.1/?.so;;"; lua_socket_log_errors off; @@ -222,8 +222,8 @@ _EOC_ my $http_config = $block->http_config // ''; $http_config .= <<_EOC_; -lua_package_path "./?.lua;./?/init.lua;$apisix_home/deps/share/lua/5.1/?.lua;$apisix_home/apisix/?.lua;$apisix_home/t/?.lua;;"; -lua_package_cpath "./?.so;$apisix_home/deps/lib/lua/5.1/?.so;$apisix_home/deps/lib64/lua/5.1/?.so;;"; +lua_package_path "$apisix_home/?.lua;$apisix_home/?/init.lua;$apisix_home/deps/share/lua/5.1/?.lua;$apisix_home/apisix/?.lua;$apisix_home/t/?.lua;;"; +lua_package_cpath "$apisix_home/?.so;$apisix_home/deps/lib/lua/5.1/?.so;$apisix_home/deps/lib64/lua/5.1/?.so;;"; lua_shared_dict plugin-limit-req 10m; lua_shared_dict plugin-limit-count 10m;
[GitHub] [apisix] membphis commented on issue #2196: feature(kafka-logger): need to read the request body data if it was cached to local file
membphis commented on issue #2196: URL: https://github.com/apache/apisix/issues/2196#issuecomment-703340989 > Does it occur if the data is too big? you are right. for more detail information, you can take a look at: https://github.com/openresty/lua-nginx-module#ngxreqread_body I think that if the request body is big, we can only read the first 1 MB of the request body data. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: bugfix: remove unsupported algorithm in jwt plugin. (#2356)
This is an automated email from the ASF dual-hosted git repository. wenming pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new a4e3526 bugfix: remove unsupported algorithm in jwt plugin. (#2356) a4e3526 is described below commit a4e35260494069c909d93b618bf101eaa3f486f7 Author: Wen Ming AuthorDate: Mon Oct 5 07:26:40 2020 +0800 bugfix: remove unsupported algorithm in jwt plugin. (#2356) * bugfix: remove unsupported algorithm in jwt plugin. support algorithm: https://github.com/SkyLothar/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L505 * revert doc auto-format Signed-off-by: yiyiyimu Co-authored-by: yiyiyimu --- apisix/plugins/jwt-auth.lua | 11 --- doc/plugins/jwt-auth.md | 2 +- doc/zh-cn/plugins/jwt-auth.md | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0d33346..8209aa5 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -35,7 +35,8 @@ local schema = { secret = {type = "string"}, algorithm = { type = "string", -enum = {"HS256", "HS384", "HS512", "RS256", "ES256"} +enum = {"HS256", "HS512", "RS256"}, +default = "HS256" }, exp = {type = "integer", minimum = 1}, base64_secret = { @@ -85,10 +86,6 @@ function _M.check_schema(conf) conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) end -if not conf.algorithm then -conf.algorithm = "HS256" -end - if not conf.exp then conf.exp = 60 * 60 * 24 end @@ -207,11 +204,11 @@ local function gen_token() local jwt_token = jwt:sign( auth_secret, { -header={ +header = { typ = "JWT", alg = consumer.auth_conf.algorithm }, -payload={ +payload = { key = key, exp = ngx_time() + consumer.auth_conf.exp } diff --git a/doc/plugins/jwt-auth.md b/doc/plugins/jwt-auth.md index 03b6c92..1f5aa1e 100644 --- a/doc/plugins/jwt-auth.md +++ b/doc/plugins/jwt-auth.md @@ -41,7 +41,7 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio | - | --- | --- | --- | - | | | key | string | required| | | different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception. | | secret| string | optional| | | encryption key. if you do not specify, the value is auto-generated in the background. | -| algorithm | string | optional| "HS256" | ["HS256", "HS384", "HS512", "RS256", "ES256"] | encryption algorithm. | +| algorithm | string | optional| "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | exp | integer | optional| 86400 | [1,...] | token's expire time, in seconds | | base64_secret | boolean | optional| false | | whether secret is base64 encoded | diff --git a/doc/zh-cn/plugins/jwt-auth.md b/doc/zh-cn/plugins/jwt-auth.md index aa7126c..2d431e4 100644 --- a/doc/zh-cn/plugins/jwt-auth.md +++ b/doc/zh-cn/plugins/jwt-auth.md @@ -42,7 +42,7 @@ | - | --- | -- | --- | - | - | | key | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 | | secret| string | 可选 | | | 加密秘钥。如果您未指定,后台将会自动帮您生成。 | -| algorithm | string | 可选 | "HS256" | ["HS256",
[apisix] branch master updated: bugfix: remove unsupported algorithm in jwt plugin. (#2356)
This is an automated email from the ASF dual-hosted git repository. wenming pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new a4e3526 bugfix: remove unsupported algorithm in jwt plugin. (#2356) a4e3526 is described below commit a4e35260494069c909d93b618bf101eaa3f486f7 Author: Wen Ming AuthorDate: Mon Oct 5 07:26:40 2020 +0800 bugfix: remove unsupported algorithm in jwt plugin. (#2356) * bugfix: remove unsupported algorithm in jwt plugin. support algorithm: https://github.com/SkyLothar/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L505 * revert doc auto-format Signed-off-by: yiyiyimu Co-authored-by: yiyiyimu --- apisix/plugins/jwt-auth.lua | 11 --- doc/plugins/jwt-auth.md | 2 +- doc/zh-cn/plugins/jwt-auth.md | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0d33346..8209aa5 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -35,7 +35,8 @@ local schema = { secret = {type = "string"}, algorithm = { type = "string", -enum = {"HS256", "HS384", "HS512", "RS256", "ES256"} +enum = {"HS256", "HS512", "RS256"}, +default = "HS256" }, exp = {type = "integer", minimum = 1}, base64_secret = { @@ -85,10 +86,6 @@ function _M.check_schema(conf) conf.secret = ngx_encode_base64(resty_random.bytes(32, true)) end -if not conf.algorithm then -conf.algorithm = "HS256" -end - if not conf.exp then conf.exp = 60 * 60 * 24 end @@ -207,11 +204,11 @@ local function gen_token() local jwt_token = jwt:sign( auth_secret, { -header={ +header = { typ = "JWT", alg = consumer.auth_conf.algorithm }, -payload={ +payload = { key = key, exp = ngx_time() + consumer.auth_conf.exp } diff --git a/doc/plugins/jwt-auth.md b/doc/plugins/jwt-auth.md index 03b6c92..1f5aa1e 100644 --- a/doc/plugins/jwt-auth.md +++ b/doc/plugins/jwt-auth.md @@ -41,7 +41,7 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio | - | --- | --- | --- | - | | | key | string | required| | | different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception. | | secret| string | optional| | | encryption key. if you do not specify, the value is auto-generated in the background. | -| algorithm | string | optional| "HS256" | ["HS256", "HS384", "HS512", "RS256", "ES256"] | encryption algorithm. | +| algorithm | string | optional| "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | exp | integer | optional| 86400 | [1,...] | token's expire time, in seconds | | base64_secret | boolean | optional| false | | whether secret is base64 encoded | diff --git a/doc/zh-cn/plugins/jwt-auth.md b/doc/zh-cn/plugins/jwt-auth.md index aa7126c..2d431e4 100644 --- a/doc/zh-cn/plugins/jwt-auth.md +++ b/doc/zh-cn/plugins/jwt-auth.md @@ -42,7 +42,7 @@ | - | --- | -- | --- | - | - | | key | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `key` ,将会出现请求匹配异常。 | | secret| string | 可选 | | | 加密秘钥。如果您未指定,后台将会自动帮您生成。 | -| algorithm | string | 可选 | "HS256" | ["HS256",
[GitHub] [apisix] moonming closed issue #2325: bug: jwt-auth 500 error with not HS256 algorithm
moonming closed issue #2325: URL: https://github.com/apache/apisix/issues/2325 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming merged pull request #2356: bugfix: remove unsupported algorithm in jwt plugin.
moonming merged pull request #2356: URL: https://github.com/apache/apisix/pull/2356 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on pull request #2352: feat: add referer-restriction plugin
membphis commented on pull request #2352: URL: https://github.com/apache/apisix/pull/2352#issuecomment-703274516 need to update those docs too(add reference): https://github.com/apache/apisix/blob/master/README.md https://github.com/apache/apisix/blob/master/doc/README.md https://github.com/apache/apisix/blob/master/doc/_sidebar.md This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] Yiyiyimu commented on a change in pull request #2356: bugfix: remove unsupported algorithm in jwt plugin.
Yiyiyimu commented on a change in pull request #2356: URL: https://github.com/apache/apisix/pull/2356#discussion_r499259234 ## File path: doc/plugins/jwt-auth.md ## @@ -20,11 +20,14 @@ - [中文](../zh-cn/plugins/jwt-auth.md) # Summary -- [**Name**](#name) -- [**Attributes**](#attributes) -- [**How To Enable**](#how-to-enable) -- [**Test Plugin**](#test-plugin) -- [**Disable Plugin**](#disable-plugin) +- [Summary](#summary) + - [Name](#name) + - [Attributes](#attributes) + - [How To Enable](#how-to-enable) + - [Test Plugin](#test-plugin) + - [get the token in `jwt-auth` plugin:](#get-the-token-in-jwt-auth-plugin) + - [try request with token](#try-request-with-token) + - [Disable Plugin](#disable-plugin) Review comment: revert the change. fixed This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] membphis commented on issue #2256: request: add the dependency of lua-resty-hmac
membphis commented on issue #2256: URL: https://github.com/apache/apisix/issues/2256#issuecomment-703267872 https://luarocks.org/modules/jkeys089/lua-resty-hmac-ffi we can fetch the `lua-resty-hmac` from here now. I create a new issue: https://github.com/SkyLothar/lua-resty-jwt/issues/95 We can wait more time. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix-docker] membphis commented on pull request #79: fix missing conf that cause docker startup to fail
membphis commented on pull request #79: URL: https://github.com/apache/apisix-docker/pull/79#issuecomment-703265697 the CI failed, here is the reason: https://github.com/apache/apisix-docker/issues/80 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix-dashboard] nic-chen opened a new pull request #535: feat: refactor apis for existing check and other apis
nic-chen opened a new pull request #535: URL: https://github.com/apache/apisix-dashboard/pull/535 Please answer these questions before submitting a pull request - Why submit this pull request? - [ ] Bug fix - [x] New feature provided - [ ] Improve performance ___ ### New feature or improvement - Describe the details and related test reports. feat: refactor apis for existing check and other apis such as: `/apisix/admin/notexist/upstreams` `/apisix/admin/names/upstreams` `/apisix/admin/notexist/routes` `/apisix/admin/check_ssl_exists` and so on. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix-control-plane] membphis commented on a change in pull request #27: doc: enrich readme
membphis commented on a change in pull request #27: URL: https://github.com/apache/apisix-control-plane/pull/27#discussion_r499250973 ## File path: README.md ## @@ -21,25 +21,27 @@ ## What is apisix-control-plane -apisix-control-plane is an implementation of providing a control plane for DPs (Data Plane) like apache apisix or other gateways. with a `yml` configuration capability, We can use `yml` to define the behavior of any DP. +apisix-control-plane is an implementation of providing a control plane for DPs (Data Plane) like Apache APISIX or other gateways. with a `yaml` configuration capability, We can use `yaml` to define the behavior of any DP. ## Why do we need to implement a control-plane -for now, we have a default implementation for apache APISIX. +For now, we have a default implementation for Apache APISIX. -As we knows, apache APISIX is a high-performance gateway. When using APISIX we need to inform apisix of some proxy rules, and distribute these rules to apisix modules. We can call it contol-plane, similar to pilot in istio. Of course, the distribution configuration is only the most basic function of the control plane. +As we knows, Apache APISIX is a high-performance gateway. When using APISIX we need to inform apisix of some proxy rules, and distribute these rules to apisix modules. We can call it contol-plane, similar to pilot in istio. Of course, the distribution configuration is only the most basic function of the control plane. Review comment: `When using APISIX we need to inform apisix` Please pay attention to "apisix", they are wrong styles. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on a change in pull request #2356: bugfix: remove unsupported algorithm in jwt plugin.
moonming commented on a change in pull request #2356: URL: https://github.com/apache/apisix/pull/2356#discussion_r499243591 ## File path: doc/plugins/jwt-auth.md ## @@ -20,11 +20,14 @@ - [中文](../zh-cn/plugins/jwt-auth.md) # Summary -- [**Name**](#name) -- [**Attributes**](#attributes) -- [**How To Enable**](#how-to-enable) -- [**Test Plugin**](#test-plugin) -- [**Disable Plugin**](#disable-plugin) +- [Summary](#summary) + - [Name](#name) + - [Attributes](#attributes) + - [How To Enable](#how-to-enable) + - [Test Plugin](#test-plugin) + - [get the token in `jwt-auth` plugin:](#get-the-token-in-jwt-auth-plugin) + - [try request with token](#try-request-with-token) + - [Disable Plugin](#disable-plugin) Review comment: Ok i didn't notice This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] nic-chen commented on a change in pull request #2352: feat: add referer-restriction plugin
nic-chen commented on a change in pull request #2352: URL: https://github.com/apache/apisix/pull/2352#discussion_r499240977 ## File path: apisix/plugins/referer-restriction.lua ## @@ -0,0 +1,124 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local ipairs= ipairs +local core = require("apisix.core") +local http = require "resty.http" +local lrucache = core.lrucache.new({ +ttl = 300, count = 512 +}) + + +local schema = { +type = "object", +properties = { +optional = { Review comment: It’s still a bit confused, maybe we could use ʻallow_no_referer` or something. just a suggestion This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated (20c670c -> 3e95903)
This is an automated email from the ASF dual-hosted git repository. wenming pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git. from 20c670c change(hmac-auth): update the organization of `signing_string` . (#2337) add 3e95903 CI: skip run tengine test cases. (#2354) No new revisions were added by this update. Summary of changes: .travis/linux_tengine_runner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
[GitHub] [apisix] moonming merged pull request #2354: CI: skip run tengine test cases.
moonming merged pull request #2354: URL: https://github.com/apache/apisix/pull/2354 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] nic-chen commented on a change in pull request #2352: feat: add referer-restriction plugin
nic-chen commented on a change in pull request #2352: URL: https://github.com/apache/apisix/pull/2352#discussion_r499239677 ## File path: t/plugin/referer-restriction.t ## @@ -0,0 +1,189 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +add_block_preprocessor(sub { +my ($block) = @_; + +$block->set_value("no_error_log", "[error]"); + +$block; +}); + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +run_tests; + +__DATA__ + +=== TEST 1: set whitelist +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ +"uri": "/hello", +"upstream": { +"type": "roundrobin", +"nodes": { +"127.0.0.1:1980": 1 +} +}, +"plugins": { +"referer-restriction": { + "whitelist": [ + "*.xx.com", + "yy.com" + ] +} +} +}]] +) + +if code >= 300 then +ngx.status = code +end +ngx.say(body) +} +} +--- request +GET /t +--- response_body +passed + + + +=== TEST 2: hit route and in the whitelist (wildcard) +--- request +GET /hello +--- more_headers +Referer: http://www.xx.com +--- response_body +hello world + + + +=== TEST 3: hit route and in the whitelist +--- request +GET /hello +--- more_headers +Referer: https://yy.com/am +--- response_body +hello world + + + +=== TEST 4: hit route and not in the whitelist +--- request +GET /hello +--- more_headers +Referer: https://www.yy.com/am +--- error_code: 403 + + + +=== TEST 5: hit route and without Referer +--- request +GET /hello +--- error_code: 403 + + + +=== TEST 6: set whitelist, allow Referer missing +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ +"uri": "/hello", +"upstream": { +"type": "roundrobin", +"nodes": { +"127.0.0.1:1980": 1 +} +}, +"plugins": { +"referer-restriction": { +"optional": true, + "whitelist": [ + "*.xx.com", + "yy.com" + ] +} +} +}]] +) + +if code >= 300 then +ngx.status = code +end +ngx.say(body) +} +} +--- request +GET /t +--- response_body +passed + + + +=== TEST 7: hit route and without Referer +--- request +GET /hello +--- response_body +hello world + + + +=== TEST 8: malformed Referer is treated as missing +--- request +GET /hello +--- more_headers +Referer: www.yy.com +--- response_body +hello world + + + +=== TEST 9: invalid schema +--- config +location /t { +content_by_lua_block { +local plugin = require("apisix.plugins.referer-restriction") +local cases = { +"x.*", +"~y.xn", +"::1", +} +for _, c in ipairs(cases) do +local ok, err = plugin.check_schema({ +whitelist = {c} +}) +if ok then +ngx.log(ngx.ERR, c) +end +end +} +} +--- request +GET /t Review comment: OK
[GitHub] [apisix] spacewander merged pull request #2337: change(hmac-auth): update the organization of `signing_string` .
spacewander merged pull request #2337: URL: https://github.com/apache/apisix/pull/2337 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander closed issue #2336: request help: We’d better change the organization of `signing_string` for hmac-auth
spacewander closed issue #2336: URL: https://github.com/apache/apisix/issues/2336 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: change(hmac-auth): update the organization of `signing_string` . (#2337)
This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new 20c670c change(hmac-auth): update the organization of `signing_string` . (#2337) 20c670c is described below commit 20c670ce097af6bbd1bdb150f26faa77d582d61e Author: YuanSheng Wang AuthorDate: Sun Oct 4 19:57:57 2020 +0800 change(hmac-auth): update the organization of `signing_string` . (#2337) fix #2336 . ref: https://help.aliyun.com/document_detail/29475.html?spm=a2c4g.11186623.2.15.62c73e789LVg02 https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationConstructingCanonicalizedAmzHeaders --- apisix/plugins/hmac-auth.lua| 20 -- doc/plugins/hmac-auth.md| 27 +++ doc/zh-cn/plugins/hmac-auth.md | 26 ++ t/plugin/consumer-restriction.t | 50 --- t/plugin/custom_hmac_auth.t | 13 +++-- t/plugin/hmac-auth.t| 58 - 6 files changed, 153 insertions(+), 41 deletions(-) diff --git a/apisix/plugins/hmac-auth.lua b/apisix/plugins/hmac-auth.lua index 0c37ad7..2c9d0ac 100644 --- a/apisix/plugins/hmac-auth.lua +++ b/apisix/plugins/hmac-auth.lua @@ -201,27 +201,31 @@ local function generate_signature(ctx, secret_key, params) canonical_query_string = core.table.concat(query_tab, "&") end -local canonical_headers = {} - core.log.info("all headers: ", core.json.delay_encode(core.request.headers(ctx), true)) +local signing_string_items = { +request_method, +canonical_uri, +canonical_query_string, +params.access_key, +params.date, +} + if params.signed_headers then for _, h in ipairs(params.signed_headers) do local canonical_header = core.request.header(ctx, h) or "" -core.table.insert(canonical_headers, canonical_header) +core.table.insert(signing_string_items, + h .. ":" .. canonical_header) core.log.info("canonical_header name:", core.json.delay_encode(h)) core.log.info("canonical_header value: ", core.json.delay_encode(canonical_header)) end end -local signing_string = request_method .. canonical_uri -.. canonical_query_string -.. params.access_key .. params.date -.. core.table.concat(canonical_headers, "") +local signing_string = core.table.concat(signing_string_items, "\n") -core.log.info("signing_string:", signing_string, +core.log.info("signing_string: ", signing_string, " params.signed_headers:", core.json.delay_encode(params.signed_headers)) diff --git a/doc/plugins/hmac-auth.md b/doc/plugins/hmac-auth.md index a3d31e2..753addd 100644 --- a/doc/plugins/hmac-auth.md +++ b/doc/plugins/hmac-auth.md @@ -20,13 +20,13 @@ - [中文](../zh-cn/plugins/hmac-auth.md) # Summary + - [**Name**](#name) - [**Attributes**](#attributes) - [**How To Enable**](#how-to-enable) - [**Test Plugin**](#test-plugin) - [**Disable Plugin**](#disable-plugin) - ## Name `hmac-auth` is an authentication plugin that need to work with `consumer`. Add HMAC Authentication to a `service` or `route`. @@ -83,7 +83,8 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 ## Test Plugin ### generate signature: -The calculation formula of the signature is `signature = HMAC-SHAx-HEX(secret_key, signing_string)`. From the formula, it can be seen that in order to obtain the signature, two parameters, `SECRET_KEY` and `signing_STRING`, are required. Where secret_key is configured by the corresponding consumer, the calculation formula of `signing_STRING` is `signing_string = HTTP Method + HTTP URI + canonical_query_string + access_key + Date + signed_headers_string` + +The calculation formula of the signature is `signature = HMAC-SHAx-HEX(secret_key, signing_string)`. From the formula, it can be seen that in order to obtain the signature, two parameters, `SECRET_KEY` and `signing_STRING`, are required. Where secret_key is configured by the corresponding consumer, the calculation formula of `signing_STRING` is `signing_string = signing_string = HTTP Method + \n + HTTP URI + \n + canonical_query_string + \n + access_key + \n + Date + \n + signed_headers_ [...] 1. **HTTP Method** : Refers to the GET, PUT, POST and other request methods defined in the HTTP protocol, and must be in all uppercase. 2. **HTTP URI** : `HTTP URI` requirements must start with "/", those that do not start with "/" need to be added, and the empty path is "/". @@ -96,7 +97,6 @@ The
[GitHub] [apisix-docker] moonming commented on issue #80: CI: fail to fetch dashboard
moonming commented on issue #80: URL: https://github.com/apache/apisix-docker/issues/80#issuecomment-703243740 We can remove dashboard until new dashboard released This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix-docker] moonming commented on pull request #79: fix missing conf that cause docker startup to fail
moonming commented on pull request #79: URL: https://github.com/apache/apisix-docker/pull/79#issuecomment-703243604 @gxthrj I remember this file will be sync from apisix repo,right? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix-control-plane] moonming commented on a change in pull request #27: doc: enrich readme
moonming commented on a change in pull request #27: URL: https://github.com/apache/apisix-control-plane/pull/27#discussion_r499237160 ## File path: README.md ## @@ -17,18 +17,50 @@ # --> -# apisix-control-plane +# APISIX-CONTROL-PLANE -## what is apisix-control-plane? -apisix-control-plane provide APISIX with a `yml` configuration capability, -We can use `yml` to define the proxy behavior of APISIX +## What is apisix-control-plane -## Why do you want to do this? -1. In order to facilitate the integration of k8s, use `yml` to define APISIX; -2. For easier synchronization across clusters; -3. Can be better adapted to multiple platforms (k8s, vm); +apisix-control-plane is an implementation of providing a control plane for DPs (Data Plane) like Apache APISIX or other gateways. with a `yaml` configuration capability, We can use `yaml` to define the behavior of any DP. + +## Why do we need to implement a control-plane + +For now, we have a default implementation for Apache APISIX. + +As we knows, Apache APISIX is a high-performance gateway. When using APISIX we need to inform apisix of some proxy rules, and distribute these rules to apisix modules. We can call it contol-plane, similar to pilot in istio. Of course, the distribution configuration is only the most basic function of the control plane. + +We know that apisix already has Admin API, so why do we need to implement a control-plane? + +First of all, Apache APISIX Admin API is a way to define a single object, such as a single object such as route / service / upstream / consumer, although it is also possible to completely define a route through a huge route object, and the upstream object is embedded in the route , But any minor changes will trigger the reconstruction of the route. Rebuilding the route is definitely not a good idea and reduce performance. + +In fact, leaving aside the Admin API, what we need is a description method that can completely define the rules while maintaining the legibility of the Admin API. Therefore, we have [discussion here](https://github.com/apache/apisix-control-plane/blob/master/doc/yaml_struct.md), and we have implemented a version of the basic functions according to this data structure , I hope everyone puts forward their views. We can also submit a PR to modify this [document](doc/yaml_struct.md). + +Secondly, Apache APISIX Admin API uses id associations to strongly bind objects to express the relationship between objects. For example, the route object uses `service_id` and `upstream_id` to bind the relationship with service and upstream respectively. + +This kind of representation, like the well-known relational database, is easier to understand and reduces redundant configurations. But it also brings some other problems. For example, rely on verification. When we want to bind an `upstream_id` to a route, we must first create the upstream, and then bind the generated `upstream_id` to the route. This process corresponds to two Admin APIs, and there is no transaction management. + +We hope that the emergence of control-plane can solve the above two problems. +1. Use yaml declarative definition method to define complete rules. +2. Block DP implementation details, describe object relationships in a unified way. + +Of course, with control-plane we can do more. + +For example, based on gitops configuration version management, it is also more convenient to use yaml to define apisix in k8s. + +Realize the prototype of cross-cluster synchronization configuration through the control panel. In the future, we can also enrich the functions of the control plane and simplify management under the cluster mode of multi-platform hybrid deployment (k8s/vm). We can also shield specific implementations of APISIX and provide configuration functions for more types of gateways. + +## Feature support + +1. Support the declarative definition of yaml. +2. Use the memory database to synchronize the gateway status. +3. Diff capabilities based on memory objects. +4. Sync / update the apisix configuration. +5. Support incremental synchronization. +6. Support transaction processing. + Review comment: What's the plan for other DPs? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander merged pull request #2333: feat: support to fetch `consumer_name` or `consumer_id` via `ctx.var`
spacewander merged pull request #2333: URL: https://github.com/apache/apisix/pull/2333 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated (c228675 -> dd5a36e)
This is an automated email from the ASF dual-hosted git repository. spacewander pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git. from c228675 doc: update etcd installation step for v3.4 (#2346) add dd5a36e feat: support to fetch `consumer_name` or `consumer_id` via `ctx.var` (#2333) No new revisions were added by this update. Summary of changes: apisix/core/ctx.lua | 3 + t/core/ctx.t| 246 2 files changed, 249 insertions(+)
[GitHub] [apisix] spacewander closed issue #2344: doc: update etcd installation method in install-dependencies.md
spacewander closed issue #2344: URL: https://github.com/apache/apisix/issues/2344 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander closed issue #2297: feat: support to fetch `consumer_name` or `consumer_id` via `ctx.var`
spacewander closed issue #2297: URL: https://github.com/apache/apisix/issues/2297 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander closed issue #2353: bug: remove hint for etcd v2
spacewander closed issue #2353: URL: https://github.com/apache/apisix/issues/2353 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander merged pull request #2346: doc: update etcd installation step for v3.4
spacewander merged pull request #2346: URL: https://github.com/apache/apisix/pull/2346 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: doc: update etcd installation step for v3.4 (#2346)
This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new c228675 doc: update etcd installation step for v3.4 (#2346) c228675 is described below commit c228675a81f2ecbeca8b9897f0b7b83c8a22a485 Author: Shuyang Wu AuthorDate: Sun Oct 4 19:15:58 2020 +0800 doc: update etcd installation step for v3.4 (#2346) --- README.md | 9 +++ README_CN.md | 9 +++ bin/apisix| 14 +-- doc/install-dependencies.md | 50 --- doc/zh-cn/install-dependencies.md | 6 + 5 files changed, 45 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index d26056e..c856505 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ There are several ways to install the Apache Release version of APISIX: ```shell ./bin/apisix version ``` -- start APISIX (Please make sure that etcd is started and enabled the v2 protocol): +- start APISIX: ```shell ./bin/apisix start ``` @@ -163,15 +163,12 @@ There are several ways to install the Apache Release version of APISIX: ```shell apisix version ``` -- start APISIX (Please make sure that etcd is started and enabled the v2 protocol): +- start APISIX: ```shell apisix start ``` -**Note**: Apache APISIX would not support the v2 protocol of etcd anymore since APISIX v2.0, so you need to enable v3 protocol when starting etcd, if etcd version is below v3.4. -```shell -export ETCDCTL_API=3 -``` +**Note**: Apache APISIX would not support the v2 protocol of etcd anymore since APISIX v2.0, and the minimum etcd version supported is v3.4.0. Please update etcd when needed. If you need to migrate your data from etcd v2 to v3, please follow [etcd migration guide](https://etcd.io/docs/v3.4.0/op-guide/v2-migration/). ## For Developer diff --git a/README_CN.md b/README_CN.md index 0f44e46..829633f 100644 --- a/README_CN.md +++ b/README_CN.md @@ -138,7 +138,7 @@ CentOS 7, Ubuntu 16.04, Ubuntu 18.04, Debian 9, Debian 10, macOS, **ARM64** Ubun ```shell ./bin/apisix version ``` -- 启动 APISIX (请先确保已经启动了 etcd,并打开了 v2 协议): +- 启动 APISIX: ```shell ./bin/apisix start ``` @@ -162,15 +162,12 @@ CentOS 7, Ubuntu 16.04, Ubuntu 18.04, Debian 9, Debian 10, macOS, **ARM64** Ubun ```shell apisix version ``` -- 启动 APISIX (请先确保已经启动了 etcd,并打开了 v2 协议): +- 启动 APISIX: ```shell apisix start ``` -**注意**:Apache APISIX 从 v2.0 开始不再支持 etcd v2 协议,如果 etcd 版本低于 v3.4,启动 etcd 时需要开启 v3 协议的支持。 -```shell -export ETCDCTL_API=3 -``` +**注意**:Apache APISIX 从 v2.0 开始不再支持 etcd v2 协议,并且 etcd 最低支持版本为 v3.4.0,如果有需要请进行升级。如果需要将数据迁移至 etcd v3,请按照 [etcd 迁移指南](https://etcd.io/docs/v3.4.0/op-guide/v2-migration/) 进行迁移。 ## 针对开发者 diff --git a/bin/apisix b/bin/apisix index 42309f3..32519a6 100755 --- a/bin/apisix +++ b/bin/apisix @@ -993,24 +993,24 @@ local function init_etcd(show_output) uri = host .. "/version" local cmd = string.format("curl -s -m %d %s", timeout * 2, uri) local res = execute_cmd(cmd) -local errmsg = string.format("got malformed version message: \"%s\" from etcd", res) +local errmsg = string.format("got malformed version message: \"%s\" from etcd\n", res) local body, _, err = dkjson.decode(res) if err then io.stderr:write(errmsg) -return +os.exit(1) end local cluster_version = body["etcdcluster"] if not cluster_version then io.stderr:write(errmsg) -return +os.exit(1) end if compare_semantic_version(cluster_version, min_etcd_version) then -io.stderr:write("etcd cluster version ", cluster_version, -" is less than the required version ", min_etcd_version, -", please upgrade your etcd cluster") -return +io.stderr:write("etcd cluster version ".. cluster_version .. +" is less than the required version ".. min_etcd_version .. +", please upgrade your etcd cluster\n") +os.exit(1) end break diff --git a/doc/install-dependencies.md b/doc/install-dependencies.md index 99ec723..827d698 100644 --- a/doc/install-dependencies.md +++ b/doc/install-dependencies.md @@ -28,13 +28,7 @@ Note -- Apache APISIX would not support the v2 protocol storage to etcd anymore. If etcd version is below 3.4, the default protocol is still v2 and you need to turn on v3 protocol mannually. - -You need to
[GitHub] [apisix] spacewander commented on a change in pull request #2352: feat: add referer-restriction plugin
spacewander commented on a change in pull request #2352: URL: https://github.com/apache/apisix/pull/2352#discussion_r499229809 ## File path: t/plugin/referer-restriction.t ## @@ -0,0 +1,189 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +add_block_preprocessor(sub { +my ($block) = @_; + +$block->set_value("no_error_log", "[error]"); + +$block; +}); + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +run_tests; + +__DATA__ + +=== TEST 1: set whitelist +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ +"uri": "/hello", +"upstream": { +"type": "roundrobin", +"nodes": { +"127.0.0.1:1980": 1 +} +}, +"plugins": { +"referer-restriction": { + "whitelist": [ + "*.xx.com", + "yy.com" + ] +} +} +}]] +) + +if code >= 300 then +ngx.status = code +end +ngx.say(body) +} +} +--- request +GET /t +--- response_body +passed + + + +=== TEST 2: hit route and in the whitelist (wildcard) +--- request +GET /hello +--- more_headers +Referer: http://www.xx.com +--- response_body +hello world + + + +=== TEST 3: hit route and in the whitelist +--- request +GET /hello +--- more_headers +Referer: https://yy.com/am +--- response_body +hello world + + + +=== TEST 4: hit route and not in the whitelist +--- request +GET /hello +--- more_headers +Referer: https://www.yy.com/am +--- error_code: 403 + + + +=== TEST 5: hit route and without Referer +--- request +GET /hello +--- error_code: 403 + + + +=== TEST 6: set whitelist, allow Referer missing +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ +"uri": "/hello", +"upstream": { +"type": "roundrobin", +"nodes": { +"127.0.0.1:1980": 1 +} +}, +"plugins": { +"referer-restriction": { +"optional": true, + "whitelist": [ + "*.xx.com", + "yy.com" + ] +} +} +}]] +) + +if code >= 300 then +ngx.status = code +end +ngx.say(body) +} +} +--- request +GET /t +--- response_body +passed + + + +=== TEST 7: hit route and without Referer +--- request +GET /hello +--- response_body +hello world + + + +=== TEST 8: malformed Referer is treated as missing +--- request +GET /hello +--- more_headers +Referer: www.yy.com +--- response_body +hello world + + + +=== TEST 9: invalid schema +--- config +location /t { +content_by_lua_block { +local plugin = require("apisix.plugins.referer-restriction") +local cases = { +"x.*", +"~y.xn", +"::1", +} +for _, c in ipairs(cases) do +local ok, err = plugin.check_schema({ +whitelist = {c} +}) +if ok then +ngx.log(ngx.ERR, c) +end +end +} +} +--- request +GET /t Review comment: @nic-chen All tests
[GitHub] [apisix] Yiyiyimu commented on a change in pull request #2356: bugfix: remove unsupported algorithm in jwt plugin.
Yiyiyimu commented on a change in pull request #2356: URL: https://github.com/apache/apisix/pull/2356#discussion_r499223082 ## File path: doc/plugins/jwt-auth.md ## @@ -20,11 +20,14 @@ - [中文](../zh-cn/plugins/jwt-auth.md) # Summary -- [**Name**](#name) -- [**Attributes**](#attributes) -- [**How To Enable**](#how-to-enable) -- [**Test Plugin**](#test-plugin) -- [**Disable Plugin**](#disable-plugin) +- [Summary](#summary) + - [Name](#name) + - [Attributes](#attributes) + - [How To Enable](#how-to-enable) + - [Test Plugin](#test-plugin) + - [get the token in `jwt-auth` plugin:](#get-the-token-in-jwt-auth-plugin) + - [try request with token](#try-request-with-token) + - [Disable Plugin](#disable-plugin) Review comment: Maybe we need to revert the auto-format This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: feat(proxy-cache): store the temporary file under cache directory. (#2317)
This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new a6611d3 feat(proxy-cache): store the temporary file under cache directory. (#2317) a6611d3 is described below commit a6611d3058d44948ed0992acccbf512e4445fd41 Author: 罗泽轩 AuthorDate: Sun Oct 4 16:23:32 2020 +0800 feat(proxy-cache): store the temporary file under cache directory. (#2317) When the temporary file directory and cache directory are under different disk, this option can avoid unexpected performance hurt. --- bin/apisix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/apisix b/bin/apisix index 5636384..42309f3 100755 --- a/bin/apisix +++ b/bin/apisix @@ -206,7 +206,7 @@ http { {% if enabled_plugins["proxy-cache"] then %} # for proxy cache {% for _, cache in ipairs(proxy_cache.zones) do %} -proxy_cache_path {* cache.disk_path *} levels={* cache.cache_levels *} keys_zone={* cache.name *}:{* cache.memory_size *} inactive=1d max_size={* cache.disk_size *}; +proxy_cache_path {* cache.disk_path *} levels={* cache.cache_levels *} keys_zone={* cache.name *}:{* cache.memory_size *} inactive=1d max_size={* cache.disk_size *} use_temp_path=off; {% end %} {% end %}
[GitHub] [apisix] spacewander merged pull request #2317: feat(proxy-cache): store the temporary file under cache directory.
spacewander merged pull request #2317: URL: https://github.com/apache/apisix/pull/2317 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming opened a new pull request #2356: bugfix: remove unsupported algorithm in jwt plugin.
moonming opened a new pull request #2356: URL: https://github.com/apache/apisix/pull/2356 support algorithm: https://github.com/SkyLothar/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L505 ### What this PR does / why we need it: fix https://github.com/apache/apisix/issues/2325 ### Pre-submission checklist: * [ ] Did you explain what problem does this PR solve? Or what new features have been added? * [ ] Have you added corresponding test cases? * [ ] Have you modified the corresponding document? * [ ] Is this PR backward compatible? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming opened a new issue #2355: test case: add more test cases for jwt plugin.
moonming opened a new issue #2355: URL: https://github.com/apache/apisix/issues/2355 - we only test `HS256` algorithm, not cover `HS512` and `RS256` - not test unsupported algorithm, for example `HS384`. we need throw the `unsupported alg` msg from https://github.com/SkyLothar/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L505 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on issue #2325: bug: jwt-auth 500 error with not HS256 algorithm
moonming commented on issue #2325: URL: https://github.com/apache/apisix/issues/2325#issuecomment-703216835 https://github.com/SkyLothar/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L505 `lua-resty-jwt` not support `HS384` now, it's a bug of APISIX. I will fix it later. thanks for your report. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated: chore: remove apisix_cores (#2260)
This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new 385f2a4 chore: remove apisix_cores (#2260) 385f2a4 is described below commit 385f2a471be0e0b3cd7d43e1cc86798fcc5902fe Author: Swayam Raina AuthorDate: Sun Oct 4 12:53:42 2020 +0530 chore: remove apisix_cores (#2260) --- Makefile | 1 - bin/apisix | 2 -- 2 files changed, 3 deletions(-) diff --git a/Makefile b/Makefile index 36a045c..665271e 100644 --- a/Makefile +++ b/Makefile @@ -81,7 +81,6 @@ init: default run: default ifeq ("$(wildcard logs/nginx.pid)", "") mkdir -p logs - mkdir -p /tmp/apisix_cores/ $(OR_EXEC) -p $$PWD/ -c $$PWD/conf/nginx.conf else @echo "APISIX is running..." diff --git a/bin/apisix b/bin/apisix index 342c0fc..5636384 100755 --- a/bin/apisix +++ b/bin/apisix @@ -33,8 +33,6 @@ local function execute_cmd(cmd) return data end -execute_cmd("install -d -m 777 /tmp/apisix_cores/") - local pkg_cpath_org = package.cpath local pkg_path_org = package.path
[GitHub] [apisix] spacewander closed issue #2228: bug: remove `/tmp/apisix_cores/` in makefile and bin/apisix.
spacewander closed issue #2228: URL: https://github.com/apache/apisix/issues/2228 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander merged pull request #2260: remove apisix_cores
spacewander merged pull request #2260: URL: https://github.com/apache/apisix/pull/2260 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming opened a new pull request #2354: CI: skip run tengine test cases.
moonming opened a new pull request #2354: URL: https://github.com/apache/apisix/pull/2354 ### What this PR does / why we need it: The CI of tengine often reports errors due to timeouts. Since tengine is no longer maintained, the skip unit tests ### Pre-submission checklist: * [ ] Did you explain what problem does this PR solve? Or what new features have been added? * [ ] Have you added corresponding test cases? * [ ] Have you modified the corresponding document? * [ ] Is this PR backward compatible? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on issue #2325: bug: jwt-auth 500 error with not HS256 algorithm
moonming commented on issue #2325: URL: https://github.com/apache/apisix/issues/2325#issuecomment-703212517 Reproduce in the mster branch, I am diging This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on pull request #2340: feature: limit-count use redis cluster
moonming commented on pull request #2340: URL: https://github.com/apache/apisix/pull/2340#issuecomment-703211444 @liuhengloveyou is this PR still a draft? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on pull request #2339: feature: breaker request by api
moonming commented on pull request #2339: URL: https://github.com/apache/apisix/pull/2339#issuecomment-703211414 @liuhengloveyou is this PR still a draft? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on issue #2353: bug: remove hint for etcd v2
moonming commented on issue #2353: URL: https://github.com/apache/apisix/issues/2353#issuecomment-703211269 got it This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[apisix] branch master updated (2f3d678 -> 1db4236)
This is an automated email from the ASF dual-hosted git repository. spacewander pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git. from 2f3d678 doc: update router variable example (#2351) add 1db4236 fix(basic-auth): split schema to adapt different occasions (#2331) No new revisions were added by this update. Summary of changes: apisix/admin/consumers.lua| 2 +- apisix/admin/plugins.lua | 21 +++--- apisix/core/schema.lua| 5 +++- apisix/plugins/basic-auth.lua | 45 +++-- t/plugin/basic-auth.t | 66 +-- 5 files changed, 109 insertions(+), 30 deletions(-)
[GitHub] [apisix] spacewander merged pull request #2331: fix(basic-auth): split schema to adapt different occasions
spacewander merged pull request #2331: URL: https://github.com/apache/apisix/pull/2331 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming commented on issue #2256: request: add the dependency of lua-resty-hmac
moonming commented on issue #2256: URL: https://github.com/apache/apisix/issues/2256#issuecomment-703211083 @membphis any update? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] Yiyiyimu commented on issue #2353: bug: remove hint for etcd v2
Yiyiyimu commented on issue #2353: URL: https://github.com/apache/apisix/issues/2353#issuecomment-703210920 thx! fixed in #2346 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] moonming opened a new issue #2353: bug: remove hint for etcd v2
moonming opened a new issue #2353: URL: https://github.com/apache/apisix/issues/2353 1. remove ``` Please make sure that etcd is started and enabled the v2 protocol ``` in README.md 2. update doc in doc/install-dependencies.md for install and start etcd. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] nic-chen commented on a change in pull request #2352: feat: add referer-restriction plugin
nic-chen commented on a change in pull request #2352: URL: https://github.com/apache/apisix/pull/2352#discussion_r499209372 ## File path: apisix/plugins/referer-restriction.lua ## @@ -0,0 +1,124 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local ipairs= ipairs +local core = require("apisix.core") +local http = require "resty.http" +local lrucache = core.lrucache.new({ +ttl = 300, count = 512 +}) + + +local schema = { +type = "object", +properties = { +optional = { Review comment: may need a more meaningful name ## File path: t/plugin/referer-restriction.t ## @@ -0,0 +1,189 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +add_block_preprocessor(sub { +my ($block) = @_; + +$block->set_value("no_error_log", "[error]"); + +$block; +}); + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); +run_tests; + +__DATA__ + +=== TEST 1: set whitelist +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ +"uri": "/hello", +"upstream": { +"type": "roundrobin", +"nodes": { +"127.0.0.1:1980": 1 +} +}, +"plugins": { +"referer-restriction": { + "whitelist": [ + "*.xx.com", + "yy.com" + ] +} +} +}]] +) + +if code >= 300 then +ngx.status = code +end +ngx.say(body) +} +} +--- request +GET /t +--- response_body +passed + + + +=== TEST 2: hit route and in the whitelist (wildcard) +--- request +GET /hello +--- more_headers +Referer: http://www.xx.com +--- response_body +hello world + + + +=== TEST 3: hit route and in the whitelist +--- request +GET /hello +--- more_headers +Referer: https://yy.com/am +--- response_body +hello world + + + +=== TEST 4: hit route and not in the whitelist +--- request +GET /hello +--- more_headers +Referer: https://www.yy.com/am +--- error_code: 403 + + + +=== TEST 5: hit route and without Referer +--- request +GET /hello +--- error_code: 403 + + + +=== TEST 6: set whitelist, allow Referer missing +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ +"uri": "/hello", +"upstream": { +"type": "roundrobin", +"nodes": { +"127.0.0.1:1980": 1 +} +}, +"plugins": { +"referer-restriction": { +"optional": true, + "whitelist": [ + "*.xx.com", +