help request: When I was testing with forward-auth.lua, I found that enabling keepalive would cause the authentication server to fail when parsing the HTTP protocol
#11231 · Open · 546454170 opened this issue May 7, 2024 · 0 comments
When I disabled keepalive, no issues were encountered. But after enabling keepalive, there were instances where HTTP 400 Bad Request errors were returned after several requests, with some requests in between remaining unaffected.
My authentication server is using Spring Boot, with the version being 2.6.13. tomcat-embed-core:9.0.68;
During internal parsing, Tomcat will throw an exception with the message: 'invalid character found in method name [xxxx]. HTTP method names must be tokens'. (The source code: org.apache.coyote.http11.Http11InputBuffer#419)
I am using the Docker Compose method for deployment, with the following configuration:
apisix_conf/config.yaml

```yaml
apisix:
  node_listen: 9080 # APISIX listening port
  enable_ipv6: false
  enable_control: true
  control:
    ip: "0.0.0.0"
    port: 9092
deployment:
  admin:
    allow_admin: # https://nginx.org/en/docs/http/ngx_http_access_module.html#allow
      - 0.0.0.0/0 # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
    admin_key:
      - name: "admin"
        key: xxxxxx
        role: admin # admin: manage all configuration data
      - name: "viewer"
        key: xxxxxx
        role: viewer
  etcd:
    host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
      - "http://etcd:2379" # multiple etcd address
    prefix: "/apisix" # apisix configurations prefix
    timeout: 30 # 30 seconds
nginx_config:
  error_log_level: "info"
plugin_attr:
  prometheus:
    export_addr:
      ip: "0.0.0.0"
      port: 9091
```
apisix_conf/debug.yaml

```yaml
basic:
  enable: true
http_filter:
  enable: false # enable or disable this feature
  enable_header_name: X-APISIX-Dynamic-Debug # the header name of dynamic enable
hook_conf:
  enable: false # enable or disable this feature
  name: hook_phase # the name of module and function list
  log_level: warn # log level
  is_print_input_args: true # print the input arguments
  is_print_return_value: true # print the return value
hook_phase: # module and function list, name: hook_phase
  apisix: # required module name
    - http_access_phase # function name
    - http_header_filter_phase
    - http_body_filter_phase
    - http_log_phase
```
dashboard_conf/conf.yaml

```yaml
conf:
  listen:
    host: 0.0.0.0 # `manager api` listening ip or host name
    port: 9000 # `manager api` listening port
  allow_list: # If we don't set any IP list, then any IP access is allowed by default.
    - 0.0.0.0/0
  etcd:
    endpoints: # supports defining multiple etcd host addresses for an etcd cluster
      - "http://etcd:2379"
    # yamllint disable rule:comments-indentation
    # etcd basic auth info
    # username: "root" # ignore etcd username if not enable etcd auth
    # password: "123456" # ignore etcd password if not enable etcd auth
    mtls:
      key_file: "" # Path of your self-signed client side key
      cert_file: "" # Path of your self-signed client side cert
      ca_file: "" # Path of your self-signed ca cert, the CA is used to sign callers' certificates
    # prefix: /apisix # apisix config's prefix in etcd, /apisix by default
  log:
    error_log:
      level: warn # supports levels, lower to higher: debug, info, warn, error, panic, fatal
      file_path:
        logs/error.log # supports relative path, absolute path, standard output
        # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
    access_log:
      file_path:
        logs/access.log # supports relative path, absolute path, standard output
        # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr
        # log example: 2020-12-09T16:38:09.039+0800 INFO filter/logging.go:46 /apisix/admin/routes/r1 {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
  security:
    # access_control_allow_origin: "http://httpbin.org"
    # access_control_allow_credentials: true # support using custom cors configuration
    # access_control_allow_headers: "Authorization"
    # access_control-allow_methods: "*"
    # x_frame_options: "deny"
    content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *" # You can set frame-src to provide content for your grafana panel.
authentication:
  secret:
    secret # secret for jwt token generation.
    # NOTE: Highly recommended to modify this value to protect `manager api`.
    # if it's default value, when `manager api` start, it will generate a random string to replace it.
  expire_time: 3600 # jwt token expire time, in second
  users: # yamllint enable rule:comments-indentation
    - username: admin # username and password for login `manager api`
      password: admin
    - username: user
      password: user
plugins: # plugin list (sorted in alphabetical order)
  - api-breaker
  - authz-keycloak
  - basic-auth
  - forward-auth
  - batch-requests
  - consumer-restriction
  - cors
  # - dubbo-proxy
  - echo
  # - error-log-logger
  # - example-plugin
  - fault-injection
  - grpc-transcode
  - hmac-auth
  - http-logger
  - ip-restriction
  - jwt-auth
  - kafka-logger
  - key-auth
  - limit-conn
  - limit-count
  - limit-req
  # - log-rotate
  # - node-status
  - openid-connect
  - prometheus
  - proxy-cache
  - proxy-mirror
  - proxy-rewrite
  - redirect
  - referer-restriction
  - request-id
  - request-validation
  - response-rewrite
  - serverless-post-function
  - serverless-pre-function
  # - skywalking
  - sls-logger
  - syslog
  - tcp-logger
  - udp-logger
  - uri-blocker
  - wolf-rbac
  - zipkin
  - server-info
  - traffic-split
```
Environment
APISIX version (run apisix version): 3.9.0
Operating system (run uname -a): Linux 2006dce01339 5.15.49-linuxkit-pr #1 SMP Thu May 25 07:17:40 UTC 2023 x86_64 GNU/Linux
OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.25.3.1
etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
APISIX Dashboard version, if relevant: 3.5.11
Plugin runner version, for issues related to plugin runners:
LuaRocks version, for installation issues (run luarocks --version):
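
For readers diagnosing the Tomcat message quoted in this issue, here is an added example (not code from the issue, APISIX or Tomcat) of how a server reading a reused keep-alive connection can reach "HTTP method names must be tokens". It assumes one possible explanation the issue does not confirm: body bytes left unread from an earlier request are parsed as the next request line. The host `auth.example`, the path `/auth` and the JSON body are constructed sample values.

```python
import re

# RFC 7230 "token" characters. A request line whose method contains anything
# else is what Tomcat rejects with "HTTP method names must be tokens".
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_connection(stream: bytes):
    """Split the bytes read from ONE keep-alive connection into requests.

    Returns ("ok", method, body_len) entries and stops at the first
    ("bad-method", offending_bytes) or ("incomplete", method), the point
    where a server would answer 400 and close the connection.
    """
    results, pos = [], 0
    while pos < len(stream):
        line_end = stream.find(b"\r\n", pos)
        line = stream[pos:line_end if line_end != -1 else len(stream)]
        method = line.split(b" ", 1)[0]
        if not TOKEN.fullmatch(method):
            results.append(("bad-method", method))
            break
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            results.append(("incomplete", method))
            break
        length = 0
        for header in stream[line_end + 2:head_end].split(b"\r\n"):
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        results.append(("ok", method, length))
        pos = head_end + 4 + length  # next request starts after the declared body
    return results

def request(method, path, body=b"", declared=None):
    """Build a constructed request; `declared` overrides Content-Length."""
    declared = len(body) if declared is None else declared
    head = (f"{method} {path} HTTP/1.1\r\nHost: auth.example\r\n"
            f"Content-Length: {declared}\r\n\r\n")
    return head.encode() + body

BODY = b'{"user":"alice"}'  # constructed 16-byte sample body
# Both requests framed correctly: the connection can be reused safely.
GOOD = request("POST", "/auth", BODY) + request("GET", "/auth")
# Body sent but declared as 0 bytes: the body becomes the "next request".
BAD = request("POST", "/auth", BODY, declared=0) + request("GET", "/auth")

if __name__ == "__main__":
    print(parse_connection(GOOD))
    print(parse_connection(BAD))
```

The bytes reported for the bad case correspond to the bracketed part of the Tomcat message, so the real `[xxxx]` value in the auth server's log shows what arrived on the connection where a method name was expected.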