[GitHub] [apisix] membphis commented on issue #2362: prometheus plugin publicly exposes metrics, even if not enabled
membphis commented on issue #2362: URL: https://github.com/apache/apisix/issues/2362#issuecomment-704674396 @poidl Thank you very much for your reminder, I think we need to solve this issue in version `2.0` . This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [apisix] spacewander commented on a change in pull request #2029: bugfix: only set one response header when enabled `enable_debug=true`
spacewander commented on a change in pull request #2029: URL: https://github.com/apache/apisix/pull/2029#discussion_r500713424 ## File path: apisix/plugin.lua ## @@ -228,13 +228,34 @@ function _M.api_routes() end -function _M.filter(user_route, plugins) +local function set_response_header_by_debug_flag(plugins, dry_run) +if dry_run then Review comment: And to avoid the conflict between global rule / route rule, it would be better to use `add_header`. Maybe we still need to pass the `global` flag to indicate if the current filtering rule is global or not?
[GitHub] [apisix] spacewander commented on a change in pull request #2029: bugfix: only set one response header when enabled `enable_debug=true`
spacewander commented on a change in pull request #2029: URL: https://github.com/apache/apisix/pull/2029#discussion_r500709172 ## File path: apisix/plugin.lua ## @@ -228,13 +228,34 @@ function _M.api_routes() end -function _M.filter(user_route, plugins) +local function set_response_header_by_debug_flag(plugins, dry_run) +if dry_run then Review comment: I think we can use `ngx.headers_sent` instead of passing flag manually.
[GitHub] [apisix] spacewander opened a new pull request #2363: doc(ip-restriction): IPv6 already supported
spacewander opened a new pull request #2363: URL: https://github.com/apache/apisix/pull/2363 ### What this PR does / why we need it: ### Pre-submission checklist: * [x] Did you explain what problem does this PR solve? Or what new features have been added? * [ ] Have you added corresponding test cases? * [x] Have you modified the corresponding document? * [ ] Is this PR backward compatible?
[GitHub] [apisix-dashboard] juzhiyuan commented on issue #538: bug: authentication security issue
juzhiyuan commented on issue #538: URL: https://github.com/apache/apisix-dashboard/issues/538#issuecomment-704625515 would this be fixed in 1.6 before 16.10?
[GitHub] [apisix] tristan-tsl closed issue #2360: request help: i'm interesting in plugin orchestration, can you provide a video for use it? thank you
tristan-tsl closed issue #2360: URL: https://github.com/apache/apisix/issues/2360
[GitHub] [apisix] tristan-tsl commented on issue #2360: request help: i'm interesting in plugin orchestration, can you provide a video for use it? thank you
tristan-tsl commented on issue #2360: URL: https://github.com/apache/apisix/issues/2360#issuecomment-704593091 oh, yes, thank you
[GitHub] [apisix] poidl opened a new issue #2362: prometheus plugin publicly exposes metrics, even if not enabled
poidl opened a new issue #2362: URL: https://github.com/apache/apisix/issues/2362 I'm a beginner and want to return a 404 for a request to http://mydomain.example/apisix/prometheus/metrics. In addition to the issues (linked below) about exposing metrics publicly, which I find problematic too, they are even exposed if the Prometheus plugin is not enabled (I mean "enabled" by following https://github.com/apache/apisix/blob/master/doc/plugins/prometheus.md ). To get a 404, I have to open `config.yaml` and uncomment `- prometheus` the plugin, even if I didn't enable anything. Instead I think it should be the default. In case there are reasons for this, could you provide a list of plugins that publicly expose paths? When I query `/apisix/admin/routes`, I don't see `/apisix/prometheus/metrics`, even though the route exists. How can I find these routes? I'm concerned there are more exposed routes I'm not aware of. Related: https://github.com/apache/apisix/issues/1509 https://github.com/apache/apisix/issues/2296
[GitHub] [apisix-dashboard] nic-chen opened a new issue #538: bug: authentication security issue
nic-chen opened a new issue #538: URL: https://github.com/apache/apisix-dashboard/issues/538 Please answer these questions before submitting your issue. - Why do you submit this issue? - [ ] Question or discussion - [x] Bug - [ ] Requirements - [ ] Feature or performance improvement - [ ] Other ___ ### Bug We should not use a fixed value as the default secret key of jwt token. If the user does not modify the default Secret key, then others can generate tokens, and the account and password are useless. I think we need to randomly generate a secret key during the first run.
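An added example, not code from apisix-dashboard: one way to implement the first-run key generation proposed in issue #538, in Go. The function name `ResolveJWTSecret`, the secret file location and the placeholder default value are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

// shippedDefaultSecret is a constructed placeholder for the fixed value a
// default configuration file would carry; it is not the dashboard's real default.
const shippedDefaultSecret = "example-default-secret"

// secretBytes is the amount of randomness drawn for a generated key
// (256 bits, hex-encoded to 64 characters).
const secretBytes = 32

// readSecret loads a previously generated secret and rejects a truncated file.
func readSecret(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	s := strings.TrimSpace(string(data))
	if len(s) < 2*secretBytes {
		return "", fmt.Errorf("secret file %s is shorter than %d characters", path, 2*secretBytes)
	}
	return s, nil
}

// ResolveJWTSecret returns the JWT signing secret and whether it was generated
// by this call. A value set by the operator is used as-is. An empty value or
// the shipped default is never used for signing: a per-installation secret is
// read from secretPath, or created there on the first run.
func ResolveJWTSecret(configured, secretPath string) (string, bool, error) {
	configured = strings.TrimSpace(configured)
	if configured != "" && configured != shippedDefaultSecret {
		return configured, false, nil
	}

	// Later runs: reuse the persisted secret so issued tokens stay valid.
	s, err := readSecret(secretPath)
	if err == nil {
		return s, false, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return "", false, err
	}

	// First run: draw the key from the operating system's CSPRNG.
	buf := make([]byte, secretBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", false, fmt.Errorf("reading system randomness: %w", err)
	}
	s = hex.EncodeToString(buf)

	// O_EXCL: never overwrite a secret another instance has just written.
	// Mode 0600 keeps the key readable by the service account only.
	f, err := os.OpenFile(secretPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if errors.Is(err, os.ErrExist) {
		s, err = readSecret(secretPath)
		return s, false, err
	}
	if err != nil {
		return "", false, err
	}
	if _, err := f.WriteString(s + "\n"); err != nil {
		f.Close()
		return "", false, err
	}
	if err := f.Close(); err != nil {
		return "", false, err
	}
	return s, true, nil
}

func main() {
	dir, err := os.MkdirTemp("", "jwt-secret-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	path := dir + "/jwt.secret"

	_, generated, err := ResolveJWTSecret(shippedDefaultSecret, path)
	fmt.Println("first run generated:", generated, "err:", err)
	_, generated, err = ResolveJWTSecret(shippedDefaultSecret, path)
	fmt.Println("second run generated:", generated, "err:", err)
}
```
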
[GitHub] [apisix-dashboard] nic-chen opened a new issue #537: bug: respond status of api should keep same as `admin api` do
nic-chen opened a new issue #537: URL: https://github.com/apache/apisix-dashboard/issues/537 Please answer these questions before submitting your issue. - Why do you submit this issue? - [ ] Question or discussion - [ x ] Bug - [ ] Requirements - [ ] Feature or performance improvement - [ ] Other ___ ### Bug After the refactor, the response status of the API should stay the same as `admin api` does, but it's always 200 currently. I think we need to fix it in `github.com/shiningrush/droplet` @ShiningRush please take a look.
[GitHub] [apisix-dashboard] nic-chen commented on issue #536: bug: race detected during execution of test
nic-chen commented on issue #536: URL: https://github.com/apache/apisix-dashboard/issues/536#issuecomment-704293013 @ShiningRush please take a look at https://github.com/nic-chen/incubator-apisix-dashboard/pull/7/checks?check_run_id=1212879646#step:6:274
[GitHub] [apisix-dashboard] nic-chen opened a new issue #536: bug: race detected during execution of test
nic-chen opened a new issue #536: URL: https://github.com/apache/apisix-dashboard/issues/536 Please answer these questions before submitting your issue. - Why do you submit this issue? - [ ] Question or discussion - [ x ] Bug - [ ] Requirements - [ ] Feature or performance improvement - [ ] Other ___ ### Bug on `refactor` branch, when running `go test -race -covermode atomic -coverprofile=covprofile ./...`, an error occurred: `Error: testing.go:969: race detected during execution of test`.
[GitHub] [apisix] membphis opened a new issue #2361: perf: use `table.isarray` which is can be JIT compiled
membphis opened a new issue #2361: URL: https://github.com/apache/apisix/issues/2361 We can use `table.isarray` to check whether the Lua table is a pure array-like table. https://github.com/apache/apisix/blob/master/apisix/core/config_local.lua#L60 Here is the doc link: https://github.com/openresty/luajit2#tableisarray
[GitHub] [apisix] moonming commented on pull request #2339: feature: breaker request by api
moonming commented on pull request #2339: URL: https://github.com/apache/apisix/pull/2339#issuecomment-704284586 The previous review was not fixed, and the CI failed. I don't think this pr is ready for review. So I will not review this pr until it is really ready
[GitHub] [apisix] membphis commented on issue #2360: request help: i'm interesting in plugin orchestration, can you provide a video for use it? thank you
membphis commented on issue #2360: URL: https://github.com/apache/apisix/issues/2360#issuecomment-704280193 gif link: https://static.apiseven.com/low-code-api-gateway-example-en-US.gif mp4 link: https://static.apiseven.com/low-code-api-gateway-example-en-US.mp4
[GitHub] [apisix] membphis commented on issue #2359: Will every worker process run the ngx_timer_every schedule in the script?
membphis commented on issue #2359: URL: https://github.com/apache/apisix/issues/2359#issuecomment-704278236 > How can this be avoided, so that only one of the threads runs it? welcome PR for a better way ^_^ @sixinyiyu if possible, please use English in a public channel. We hope that more and more people from all over the world will join us for a better API gateway.
[GitHub] [apisix] membphis commented on a change in pull request #2339: feature: breaker request by api
membphis commented on a change in pull request #2339: URL: https://github.com/apache/apisix/pull/2339#discussion_r500282768 ## File path: t/plugin/api-breaker.t ## 
@@ -0,0 +1,219 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +repeat_each(1); +no_long_string(); +no_shuffle(); +no_root_location(); +log_level('info'); +run_tests; + +__DATA__ + +=== TEST 1: sanity +--- config +location /t { +content_by_lua_block { +local plugin = require("apisix.plugins.api-breaker") +local ok, err = plugin.check_schema({ +unhealthy_response_code = 502, +unhealthy = { +http_statuses = {500}, +failures = 1, +}, +healthy = { +http_statuses = {200}, +successes = 1, +}, +}) +if not ok then +ngx.say(err) +end + +ngx.say("done") +} +} +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + +=== TEST 2: default http_statuses +--- config +location /t { +content_by_lua_block { +local plugin = require("apisix.plugins.api-breaker") +local ok, err = plugin.check_schema({ +unhealthy_response_code = 502, +unhealthy = { +failures = 1, +}, +healthy = { +successes = 1, +}, +}) +if not ok then +ngx.say(err) +end + +ngx.say("done") +} +} +--- request +GET /t +--- response_body +done +--- no_error_log +[error] + + +=== TEST 3: add plugin +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local 
code, body = t('/apisix/admin/routes/1', +ngx.HTTP_PUT, +[[{ +"plugins": { +"api-breaker": { +"unhealthy_response_code": 502, +"unhealthy": { +"http_statuses": [500, 503], +"failures": 3 +}, +"healthy": { +"http_statuses": [200, 206], +"successes": 3 +} +} +}, +"upstream": { +"nodes": { +"127.0.0.1:1988": 1 +}, +"type": "roundrobin" +}, +"uri": "/hello" +}]] +) + +if code >= 300 then +ngx.status = code +end +ngx.say(body) +} +} +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + +=== TEST 4: trigger breaker +--- request eval +["GET /hello?r=200", "GET /hello?r=500", "GET /hello?r=503", "GET /hello?r=500", "GET /hello?r=500", "GET /hello?r=500"] +--- error_code eval +[200, 500, 503, 500, 502, 502] +--- no_error_log +[error] + + +=== TEST 5: trigger reset status +--- request eval +["GET /hello?r=500", "GET /hello?r=500", "GET /hello?r=200", "GET /hello?r=200", "GET /hello?r=200", "GET /hello?r=500", "GET /hello?r=500"] +--- error_code eval +[500, 500, 200, 200, 200, 500, 500] +--- no_error_log +[error] + + +=== TEST 6: trigger del healthy numeration +--- request eval +["GET /hello?r=500", "GET /hello?r=200", "GET /hello?r=500", "GET /hello?r=500", "GET /hello?r=500", "GET /hello?r=500", "GET /hello?r=500"] +--- error_code eval +[500, 200, 500, 500, 502, 502, 502] +--- no_error_log +[error] + + +=== TEST 7: add plugin with default config value +--- config +location /t { +content_by_lua_block { +local t = require("lib.test_admin").test +local code, body = t('/apisix/admin/routes/1', +ngx.HTTP_PUT, +[[{ +
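Review bot: TEST 5 in t/plugin/api-breaker.t starts with `GET /hello?r=500` and expects 500, yet TEST 4 ends with two 502 responses, so TEST 5 only passes if the breaker opened in TEST 4 is no longer in effect when it runs. Nothing in the visible tests waits for the breaker window or resets its state between them; either reset the state explicitly or add a comment stating what closes the breaker again, otherwise the expected codes depend on timing. TEST 1 and TEST 2 also cover only accepted configurations; a case where `check_schema` must fail (for example an `http_statuses` value outside the range the schema allows) would pin the schema limits down.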
[GitHub] [apisix] membphis commented on pull request #2339: feature: breaker request by api
membphis commented on pull request #2339: URL: https://github.com/apache/apisix/pull/2339#issuecomment-704275765 @liuhengloveyou and please take a look at the output of CI, you need to fix them at first
[GitHub] [apisix] moonming commented on a change in pull request #2339: feature: breaker request by api
moonming commented on a change in pull request #2339: URL: https://github.com/apache/apisix/pull/2339#discussion_r500226929 ## File path: apisix/plugins/api-breaker.lua ## 
@@ -0,0 +1,212 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local plugin_name = "api-breaker" +local ngx = ngx +local math = math +local ipairs = ipairs +local error = error +local core = require("apisix.core") + +local DEFAULT_EXPTIME = 600 + +local shared_buffer = ngx.shared['plugin-'.. 
plugin_name] +if not shared_buffer then +error("get ngx.shared dict error.") +end + + +local schema = { +type = "object", +properties = { +unhealthy_response_code = { +type = "integer", +minimum = 200, +maximum = 599, +}, +unhealthy = { +type = "object", +properties = { +http_statuses = { +type = "array", +minItems = 1, +items = { +type = "integer", +minimum = 500, +maximum = 599, +}, +uniqueItems = true, +default = {500} +}, +failures = { +type = "integer", +minimum = 1, +default = 1, +} +} +}, +healthy = { +type = "object", +properties = { +http_statuses = { +type = "array", +minItems = 1, +items = { +type = "integer", +minimum = 200, +maximum = 499, +}, +uniqueItems = true, +default = {200, 206} +}, +successes = { +type = "integer", +minimum = 1, +default = 1, +} +} +} +}, +required = {"unhealthy_response_code", "unhealthy", "healthy"}, +} + + +local function is_unhealthy(unhealthy_status, upstream_statu) +for _, unhealthy in ipairs(unhealthy_status) do +if unhealthy == upstream_statu then +return true +end +end + +return false +end + + +local function is_healthy(healthy_status, upstream_statu) +for _, healthy in ipairs(healthy_status) do +if healthy == upstream_statu then +return true +end +end + +return false +end + + +local function healthy_cache_key(ctx) +return "healthy-" .. core.request.get_host(ctx) .. ctx.var.uri +end + + +local function unhealthy_cache_key(ctx) +return "unhealthy-" .. core.request.get_host(ctx) .. ctx.var.uri +end + + +local function unhealthy_lastime_cache_key(ctx) +return "unhealthy-lastime" .. core.request.get_host(ctx) .. 
ctx.var.uri +end + + +local _M = { +version = 0.1, +name = plugin_name, +priority = 1005, +schema = schema, +} + + +function _M.check_schema(conf) +local ok, err = core.schema.check(schema, conf) +if not ok then +return false, err +end + +return true +end + + +function _M.access(conf, ctx) +local unhealthy_val, err = shared_buffer:get(unhealthy_cache_key(ctx)) +if err then +core.log.error("ngx.shared get error", err) +end + +local unhealthy_lastime, err = shared_buffer:get(unhealthy_lastime_cache_key(ctx)) +if err then +core.log.error("ngx.shared get error", err) +end + +if unhealthy_val and unhealthy_lastime then +local ride = math.ceil(unhealthy_val / conf.unhealthy.failures) +if ride < 1 then +ride = 1 +end + +if unhealthy_lastime + 2^ride >= ngx.time() then Review comment: Hard code? And not has the max limit? ## File path: apisix/plugins/api-breaker.lua ## @@ -0,0 +1,212 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright
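Review bot: In `healthy_cache_key`, `unhealthy_cache_key` and `unhealthy_lastime_cache_key` the shared-dict key is built from `core.request.get_host(ctx) .. ctx.var.uri`, both taken from the request, so breaker state is tracked per Host/URI pair rather than per route or upstream, and the number of keys in the shared dict grows with whatever hosts and paths clients send. Consider keying on the route or upstream identity instead; the `unhealthy-lastime` prefix is also concatenated to the host without a separator. Separately, `is_healthy` and `is_unhealthy` have identical bodies and could be one helper, and `upstream_statu` looks like a typo for `upstream_status`.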
[GitHub] [apisix] liuhengloveyou commented on pull request #2339: feature: breaker request by api
liuhengloveyou commented on pull request #2339: URL: https://github.com/apache/apisix/pull/2339#issuecomment-704221556 > @liuhengloveyou is this PR still a draft? updated.
[GitHub] [apisix] tristan-tsl opened a new issue #2360: request help: i'm interesting in plugin orchestration, can you provide a video for use it? thank you
tristan-tsl opened a new issue #2360: URL: https://github.com/apache/apisix/issues/2360 ### Issue description can you provide a video for use it? ### Environment * apisix version (cmd: `apisix version`): no * OS: no
[GitHub] [apisix] sixinyiyu closed issue #2359: Will every worker process run the ngx_timer_every schedule in the script?
sixinyiyu closed issue #2359: URL: https://github.com/apache/apisix/issues/2359
[GitHub] [apisix] sixinyiyu commented on issue #2359: Will every worker process run the ngx_timer_every schedule in the script?
sixinyiyu commented on issue #2359: URL: https://github.com/apache/apisix/issues/2359#issuecomment-704186339 Variable visibility
[GitHub] [apisix] sixinyiyu removed a comment on issue #2359: Will every worker process run the ngx_timer_every schedule in the script?
sixinyiyu removed a comment on issue #2359: URL: https://github.com/apache/apisix/issues/2359#issuecomment-704159309 I found the cause: each worker operates on the variables in its own worker thread. What if applications is declared as a lua_shared_dict so that it is visible to all threads, and then it is guaranteed that one thread does the update?
[GitHub] [apisix] sixinyiyu edited a comment on issue #2359: Will every worker process run the ngx_timer_every schedule in the script?
sixinyiyu edited a comment on issue #2359: URL: https://github.com/apache/apisix/issues/2359#issuecomment-704159309 I found the cause: each worker operates on the variables in its own worker thread. What if applications is declared as a lua_shared_dict so that it is visible to all threads, and then it is guaranteed that one thread does the update?
[GitHub] [apisix] membphis edited a comment on issue #2280: Route traffic through company proxy / firewall
membphis edited a comment on issue #2280: URL: https://github.com/apache/apisix/issues/2280#issuecomment-704010247 > You can achieve the same effect with [proxy-rewrite](https://github.com/apache/apisix/blob/master/doc/zh-cn/plugins/proxy-rewrite.md) can you show us an example of this case? if it can work, it should be helpful for @liuhengloveyou
[GitHub] [apisix] membphis merged pull request #2352: feat: add referer-restriction plugin
membphis merged pull request #2352: URL: https://github.com/apache/apisix/pull/2352
[apisix] branch master updated: feat: implemented `referer-restriction` plugin (#2352)
This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new 5b97223 feat: implemented `referer-restriction` plugin (#2352) 5b97223 is described below commit 5b97223592c9584e5280c397968e9d9c4739e3d4 Author: 罗泽轩 AuthorDate: Tue Oct 6 18:20:17 2020 +0800 feat: implemented `referer-restriction` plugin (#2352) --- README.md| 1 + README_CN.md | 1 + apisix/plugins/referer-restriction.lua | 124 conf/config-default.yaml | 1 + doc/README.md| 1 + doc/_sidebar.md | 1 + doc/plugins/referer-restriction.md | 116 +++ doc/zh-cn/README.md | 1 + doc/zh-cn/plugins/referer-restriction.md | 111 ++ t/admin/plugins.t| 2 +- t/debug/debug-mode.t | 1 + t/plugin/referer-restriction.t | 189 +++ 12 files changed, 548 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c856505..1f4d5e9 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against - **Security** - Authentications: [key-auth](doc/plugins/key-auth.md), [JWT](doc/plugins/jwt-auth.md), [basic-auth](doc/plugins/basic-auth.md), [wolf-rbac](doc/plugins/wolf-rbac.md) - [IP Whitelist/Blacklist](doc/plugins/ip-restriction.md) +- [Referer Whitelist/Blacklist](doc/plugins/referer-restriction.md) - [IdP](doc/plugins/openid-connect.md): Support external authentication services, such as Auth0, okta, etc., users can use this to connect to OAuth 2.0 and other authentication methods. - [Limit-req](doc/plugins/limit-req.md) - [Limit-count](doc/plugins/limit-count.md) diff --git a/README_CN.md b/README_CN.md index 829633f..28b8136 100644 --- a/README_CN.md +++ b/README_CN.md 
@@ -85,6 +85,7 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵 - **安全防护** - 多种身份认证方式: [key-auth](doc/zh-cn/plugins/key-auth.md), [JWT](doc/zh-cn/plugins/jwt-auth.md), [basic-auth](doc/zh-cn/plugins/basic-auth.md), [wolf-rbac](doc/zh-cn/plugins/wolf-rbac.md)。 - [IP 黑白名单](doc/zh-cn/plugins/ip-restriction.md) +- [Referer 白名单](doc/zh-cn/plugins/referer-restriction.md) - [IdP 支持](doc/plugins/openid-connect.md): 支持外部的身份认证服务,比如 Auth0,Okta,Authing 等,用户可以借此来对接 Oauth2.0 等认证方式。 - [限制速率](doc/zh-cn/plugins/limit-req.md) - [限制请求数](doc/zh-cn/plugins/limit-count.md) diff --git a/apisix/plugins/referer-restriction.lua b/apisix/plugins/referer-restriction.lua new file mode 100644 index 000..e67b455 --- /dev/null +++ b/apisix/plugins/referer-restriction.lua 
@@ -0,0 +1,124 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local ipairs= ipairs +local core = require("apisix.core") +local http = require "resty.http" +local lrucache = core.lrucache.new({ +ttl = 300, count = 512 +}) + + +local schema = { +type = "object", +properties = { +bypass_missing = { +type = "boolean", +default = false, +}, +whitelist = { +type = "array", +items = core.schema.host_def, +minItems = 1 +}, +}, +required = {"whitelist"}, +additionalProperties = false, +} + + +local plugin_name = "referer-restriction" + + +local _M = { +version = 0.1, +priority = 2990, +name = plugin_name, +schema = schema, +} + + +function _M.check_schema(conf) +return core.schema.check(schema, conf) +end + + +local function match_host(matcher, host) + if matcher.map[host] then +return true +end +for _, h in ipairs(matcher.suffixes) do +if core.string.has_suffix(host, h) then +return true +end +end +return false +end + + +local function create_host_matcher(hosts) +local hosts_suffix = {} +local hosts_map = {} + +for _, h in ipairs(hosts) do +if
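Review bot: The README.md entry added in this commit reads `Referer Whitelist/Blacklist`, but the schema in apisix/plugins/referer-restriction.lua defines only `whitelist` (with `additionalProperties = false`), and the README_CN.md entry describes a whitelist only. Change the English entry to `Referer Whitelist` so it matches what the plugin accepts.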
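Review bot: In `match_host` of apisix/plugins/referer-restriction.lua, `core.string.has_suffix(host, h)` is a plain string-suffix test, so its correctness depends on how `create_host_matcher` stores each entry of `matcher.suffixes`: if an entry meant to match subdomains is stored without its leading dot, an unrelated host that merely ends in the same characters would also pass. Please confirm the stored suffix keeps the dot and add a test for that boundary. Also confirm that `local http = require "resty.http"` is used later in the file; if it is not, drop it.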
[GitHub] [apisix] membphis commented on pull request #2352: feat: add referer-restriction plugin
membphis commented on pull request #2352: URL: https://github.com/apache/apisix/pull/2352#issuecomment-704174836 @spacewander merged, many thx
[GitHub] [apisix] membphis closed issue #2267: feature: The "limit-req" plugin adds the "consumer_name" method to limit the request speed.
membphis closed issue #2267: URL: https://github.com/apache/apisix/issues/2267
[GitHub] [apisix] membphis merged pull request #2270: feature: support `consumer_name` as key of `limit-req` plugin.
membphis merged pull request #2270: URL: https://github.com/apache/apisix/pull/2270
[apisix] branch master updated: feature: support `consumer_name` as key for `limit-req` plugin. (#2270)
This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git The following commit(s) were added to refs/heads/master by this push: new c3de84e feature: support `consumer_name` as key for `limit-req` plugin. (#2270) c3de84e is described below commit c3de84e28519e74f3b07d25d06a6cab0cad4bdc4 Author: Firstsawyou <52862365+firstsaw...@users.noreply.github.com> AuthorDate: Tue Oct 6 18:18:22 2020 +0800 feature: support `consumer_name` as key for `limit-req` plugin. (#2270) fix #2267 --- apisix/plugins/limit-req.lua | 14 +- doc/plugins/limit-req.md | 112 +-- doc/zh-cn/plugins/limit-req.md | 110 +-- t/admin/plugins.t | 2 +- t/plugin/limit-req.t | 313 - 5 files changed, 524 insertions(+), 27 deletions(-) diff --git a/apisix/plugins/limit-req.lua b/apisix/plugins/limit-req.lua index 1caadce..7602e9b 100644 --- a/apisix/plugins/limit-req.lua +++ b/apisix/plugins/limit-req.lua @@ -27,7 +27,7 @@ local schema = { burst = {type = "number", minimum = 0}, key = {type = "string", enum = {"remote_addr", "server_addr", "http_x_real_ip", -"http_x_forwarded_for"}, +"http_x_forwarded_for", "consumer_name"}, }, rejected_code = {type = "integer", minimum = 200, default = 503}, }, @@ -67,7 +67,17 @@ function _M.access(conf, ctx) return 500 end -local key = (ctx.var[conf.key] or "") .. ctx.conf_type .. ctx.conf_version +local key +if conf.key == "consumer_name" then +if not ctx.consumer_id then +core.log.error("consumer not found.") +return 500, { message = "Consumer not found."} +end +key = ctx.consumer_id .. ctx.conf_type .. ctx.conf_version + +else +key = (ctx.var[conf.key] or "") .. ctx.conf_type .. ctx.conf_version +end core.log.info("limit key: ", key) local delay, err = lim:incoming(key, true) diff --git a/doc/plugins/limit-req.md b/doc/plugins/limit-req.md index ca090d9..c3d983e 100644 --- a/doc/plugins/limit-req.md +++ b/doc/plugins/limit-req.md 
@@ -20,14 +20,14 @@ - [中文](../zh-cn/plugins/limit-req.md) # Summary + - [Introduction](#introduction) + - [Attributes](#attributes) + - [Example](#example) +- [How to enable on the `route` or `serivce`](#how-to-enable-on-the-route-or-serivce) +- [How to enable on the `consumer`](#how-to-enable-on-the-consumer) + - [Disable Plugin](#disable-plugin) -- [**Name**](#name) -- [**Attributes**](#attributes) -- [**How To Enable**](#how-to-enable) -- [**Test Plugin**](#test-plugin) -- [**Disable Plugin**](#disable-plugin) - -## Name +## Introduction limit request rate using the "leaky bucket" method. @@ -37,14 +37,16 @@ limit request rate using the "leaky bucket" method. | - | --- | --- | --- | | - | | rate | integer | required| | [0,...] | the specified request rate (number per second) threshold. Requests exceeding this rate (and below `burst`) will get delayed to conform to the rate. | | burst | integer | required| | [0,...] | the number of excessive requests per second allowed to be delayed. Requests exceeding this hard limit will get rejected immediately. | -| key | string | required| | ["remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for"] | the user specified key to limit the rate, now accept those as key: "remote_addr"(client's IP), "server_addr"(server's IP), "X-Forwarded-For/X-Real-IP" in request header. | -| rejected_code | string | optional| 503 | [200,...] | The HTTP status code returned when the request exceeds the threshold is rejected. The default is 503. | +| key | string | required| | ["remote_addr", "server_addr", "http_x_real_ip", "http_x_forwarded_for", "consumer_name"] | the user specified key to limit the rate, now accept those as key: "remote_addr"(client's IP), "server_addr"(server's IP), "X-Forwarded-For/X-Real-IP" in request header, "consumer_name"(consumer's username). | +| rejected_code | integer | optional| 503 | [200,...]
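Review bot: In the `_M.access` hunk of `apisix/plugins/limit-req.lua`, the new branch builds the limit key from `ctx.consumer_id`, while the schema enum and the doc table name the option `consumer_name` ("consumer's username"). If `ctx.consumer_id` does hold the username, say so in a comment next to `key = ctx.consumer_id .. ctx.conf_type .. ctx.conf_version`; otherwise the option name and the value used for bucketing can drift apart. The error path also needs more context: `core.log.error("consumer not found.")` does not say that `limit-req` is keyed on `consumer_name` and that no consumer was set for the request, which is what an operator needs to see. Finally, this branch fails closed with 500 while the `else` branch falls back to `""` through `ctx.var[conf.key] or ""`, so every request missing that variable shares one bucket; a comment explaining the difference would help.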
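Review bot: `serivce` is misspelled in the new TOC entry of `doc/plugins/limit-req.md`, both in the link text "How to enable on the `route` or `serivce`" and in its anchor `#how-to-enable-on-the-route-or-serivce`. Fix the section heading and the anchor together so the link still resolves. The same hunk drops the "Test Plugin" entry from the TOC, so please confirm the section itself was removed or folded into the new "Example" sections rather than left unlinked.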
[GitHub] [apisix] spacewander commented on issue #2280: Route traffic through company proxy / firewall
spacewander commented on issue #2280: URL: https://github.com/apache/apisix/issues/2280#issuecomment-704172006 @MrLightSpeed0 How we can use the forward proxy depends on the type of forward proxy your company is using. What kind of proxy are you using? Plain http or https or socks? Since apisix doesn't support forward proxy currently, it would be simpler if you can set up a global proxy in your development environment.
[GitHub] [apisix] sixinyiyu closed issue #2358: use discovery failed to pick server: discovery is uninitialized while connecting to upstream, client
sixinyiyu closed issue #2358: URL: https://github.com/apache/apisix/issues/2358
[GitHub] [apisix] sixinyiyu commented on issue #2358: use discovery failed to pick server: discovery is uninitialized while connecting to upstream, client
sixinyiyu commented on issue #2358: URL: https://github.com/apache/apisix/issues/2358#issuecomment-704161781 It may be caused by the worker threads not having been killed.
[GitHub] [apisix] spacewander commented on issue #1226: feature: Support follow redirect
spacewander commented on issue #1226: URL: https://github.com/apache/apisix/issues/1226#issuecomment-704156541 IMHO, I don't like this idea because it doesn't obey the HTTP "convention". Clients like curl can follow redirects because they are clients, but letting the proxy follow the redirect looks bad to me. Is there a strong reason to add this feature? Consider a client that requests domain A with A's cookie, and A redirects the client to domain B. When the client requests domain B, it will take B's cookie with it. If we consume the redirect, there is no way for us to know domain B's cookie and create a request with the cookie attached. There will be some trouble with cache and TLS too, maybe something else which hasn't come to my mind yet.
[GitHub] [apisix] sixinyiyu opened a new issue #2359: Do all worker processes execute the ngx_timer_every scheduling in the script?
sixinyiyu opened a new issue #2359: URL: https://github.com/apache/apisix/issues/2359

### Issue description

The nacos.lua in discovery pulls the service list once at startup. I printed some logs here:

![QQ图片20201006174034](https://user-images.githubusercontent.com/3435446/95185355-30b0a200-07fb-11eb-9a4f-f9cbca0e129d.png)

It also shows 4 nginx worker threads. In that case, every time the service list and service instances are updated, will n worker threads execute this task at the same time? How can this be avoided, so that only one of the threads executes it?

### Environment

* apisix version (cmd: `apisix version`): 1.5
* OS: centos
[GitHub] [apisix] sixinyiyu opened a new issue #2358: use discovery failed to pick server: discovery is uninitialized while connecting to upstream, client
sixinyiyu opened a new issue #2358: URL: https://github.com/apache/apisix/issues/2358

### Issue description

After configuring a route with Nacos discovery, requests can find the concrete instance by service name and go through, but at certain intervals there is a 502 and the service cannot be found. The Java service has been present in Nacos the whole time and has not gone offline. I tried changing the interval of the timed pull of Nacos service information (30-->20s), but it had no effect.

### Environment

* apisix version (cmd: `apisix version`): 1.5
* OS: CentOS 7
[GitHub] [apisix] spacewander commented on pull request #2352: feat: add referer-restriction plugin
spacewander commented on pull request #2352: URL: https://github.com/apache/apisix/pull/2352#issuecomment-704057548 @membphis Done