neosis41 opened a new issue, #9610:
URL: https://github.com/apache/apisix/issues/9610

   ### Current Behavior
   
   Hello, I am getting back to you because I'm facing an issue configuring my
APISIX cluster. Actually I already set up 3 nodes with apisix-dashboard-etcd on
each. Everything works fine in HTTP, but when I try in HTTPS I get weird
behaviour. I already set my SSL certificate. The first time I connect over
HTTPS, it works fine: my APISIX server has a TCP connection open with the
client, and as long as the TCP connection is open I can make requests in HTTPS.
But once the TCP connection reaches the connection timeout and passes to
TIME_WAIT, I try the same HTTPS request in the client browser and I receive a
500 internal error from OpenResty. I can see on the server another TCP
connection opened, but I get this 500 error code. In the nginx error.log I get
this message:

   ```
   lua entry thread aborted: runtime error: /opt/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
   stack traceback:
   coroutine 0:
        /opt/apisix/apisix/init.lua: in function 'verify_https_client'
        /opt/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:329):2: in main chunk, client: 10.138.16.8, server: _, request: "GET /test7212212415527117122562121275915345814351514.html HTTP/2.0", host: "slot_featuretestnico2.mrvol.com"
   ```

   If I retry some time later, like 1h, it works again until it fails again.
Same thing if I restart APISIX: it works again until it fails again.
   
   For the APISIX install, I did the git clone, then
`bash utils/install-dependencies.sh`, then installed LuaRocks with
`curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -`
and `. /root/.cargo/env && LUAROCKS_SERVER=https://luarocks.cn/ make deps`,
and then `make install`.
   
   For the dashboard:

   ```
   docker run -d --name dashboard --network apisix-network -p 9000:9000 -v /opt/apisix/dashboard-conf.yaml:/usr/local/apisix-dashboard/conf/conf.yaml apache/apisix-dashboard
   ```
   
   For etcd:

   ```
   docker run -d --network apisix-network -p 2379:2379 -p 2380:2380 -p 4001:4001 --name etcd quay.io/coreos/etcd:v3.4.26 /usr/local/bin/etcd --name etcd{{ cluster_id  }} -advertise-client-urls=http://{{ private_ip }}:2379 -listen-client-urls http://0.0.0.0:2379/,http://0.0.0.0:4001/ -initial-advertise-peer-urls http://{{ private_ip }}:2380 -listen-peer-urls http://0.0.0.0:2380/ -initial-cluster-token etcd-cluster-1 -initial-cluster {{ cluster_range }} -initial-cluster-state new
   ```
   
   Here below is my config.yaml:

   ```yaml
   apisix:
     node_listen:                      # This style support multiple ports
       - 9080
     ssl:
       enable: true
       listen:                       # APISIX listening port in https.
         - port: 443
           enable_http2: true
       ssl_protocols: TLSv1.2 TLSv1.3
       ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
       ssl_session_tickets: false              #  disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
                                               #  ref: https://github.com/mozilla/server-side-tls/issues/135
       ssl_session_cache:    shared:SSL:1m
       key_encrypt_salt:             #  If not set, will save origin ssl key into etcd.
         - edd1c9f0985e76a2
   deployment:
     role: traditional
     role_traditional:
       config_provider: etcd
     admin:
       allow_admin:
         - 0.0.0.0/0  # Please set it to the subnet address you obtained.
       admin_key:
         - name: admin
           key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
           role: admin
     etcd:
       host:
         - "http://127.0.0.1:2379"
       prefix: "/apisix"
       timeout: 30
   ```
   
   
   ### Expected Behavior
   
   I expect all my HTTPS requests to return a code 200, and not 200 the first
time and 500 internal error after.
   
   ### Error Logs
   
   First I try an HTTPS request at 8:19; it works and the backend server gives
me a 404:

   ```
   10.212.135.241 - - [06/Jun/2023:08:19:57 +0200] slot_featuretestnico2.mrvol.com "GET /test2888854.html HTTP/2.0" 404 1251 0.002 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0" 10.10.0.30:80 404 0.002 "http://slot_featuretestnico2.mrvol.com/"
   ```

   Then I retry the HTTPS request at 8:28 and get my 500 error:

   ```
   10.212.135.241 - - [06/Jun/2023:08:28:17 +0200] slot_featuretestnico2.mrvol.com "GET /test28588854.html HTTP/2.0" 500 174 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0" - - - "http://slot_featuretestnico2.mrvol.com/"
   ```
   
   with the message below in error.log:

   ```
   2023/06/06 08:28:17 [error] 3756#3756: *6713294 lua entry thread aborted: runtime error: /opt/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
   stack traceback:
   coroutine 0:
        /opt/apisix/apisix/init.lua: in function 'verify_https_client'
        /opt/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:329):2: in main chunk, client: 10.212.135.241, server: _, request: "GET /test28588854.html HTTP/2.0", host: "slot_featuretestnico2.mrvol.com"
   ```
   
   ### Steps to Reproduce
   
   1. Start the etcd docker container.
   2. Start APISIX, which is directly installed on the host.
   3. Start the dashboard docker container.
   4. Request https://slot_featuretestnico2.mrvol.com/test.html (it's an A
record in our local DNS server) in a browser on my computer.
   5. Wait for the connection timeout setting (if it's configured to 60 sec,
then wait 60 s), do the same HTTPS request, and now it fails.

   I still have the same weird behaviour on Chrome and Mozilla Firefox. I
didn't test another one.
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.3.0
   - Operating system (run `uname -a`): ubuntu 20
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): openresty/1.21.4.1
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): v3.4.26
   - APISIX Dashboard version, if relevant: latest
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`): /usr/local/bin/luarocks 3.8.0
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
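
A triage sketch for the logs quoted in the issue, added here as an example (it is not part of the original report or of APISIX). In the access log the 404 names an upstream (`10.10.0.30:80`) while the 500 shows `- - -`, so the 500 was produced by the gateway itself; the script finds such 500s and pairs each with the aborted Lua thread in error.log. The sample input is constructed from the quoted lines, and the access-log field order and shared wall clock are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the access.log and error.log lines
# quoted in the issue (user agent shortened, link markup removed).
ACCESS_LOG = '''\
10.212.135.241 - - [06/Jun/2023:08:19:57 +0200] slot_featuretestnico2.mrvol.com "GET /test2888854.html HTTP/2.0" 404 1251 0.002 "-" "Mozilla/5.0" 10.10.0.30:80 404 0.002 "http://slot_featuretestnico2.mrvol.com/"
10.212.135.241 - - [06/Jun/2023:08:28:17 +0200] slot_featuretestnico2.mrvol.com "GET /test28588854.html HTTP/2.0" 500 174 0.000 "-" "Mozilla/5.0" - - - "http://slot_featuretestnico2.mrvol.com/"
'''
ERROR_LOG = '''\
2023/06/06 08:28:17 [error] 3756#3756: *6713294 lua entry thread aborted: runtime error: /opt/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
        /opt/apisix/apisix/init.lua: in function 'verify_https_client'
        /opt/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:329):2: in main chunk, client: 10.212.135.241, server: _, request: "GET /test28588854.html HTTP/2.0", host: "slot_featuretestnico2.mrvol.com"
'''

# Field order assumed from the sample lines: client, time, host, request,
# status, bytes, request time, referer, user agent, upstream address, ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] \S+ "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ \S+ "[^"]*" "[^"]*" (?P<upstream>\S+) ')
# One aborted Lua thread: first line carries the error, last line the request.
ABORT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] [^\n]*?lua entry thread '
    r'aborted: runtime error: (?P<where>\S+): (?P<msg>[^\n]*)\n'
    r'[\s\S]*?client: (?P<client>[^,\n]+), [^\n]*?request: "(?P<req>[^"]*)"',
    re.M)

def gateway_500s(access_log, error_log):
    """500s answered without any upstream, paired with the Lua abort (or None)."""
    aborts = {}
    for m in ABORT_RE.finditer(error_log):
        ts = datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S')
        aborts[(ts, m['client'], m['req'])] = (m['where'], m['msg'])
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m['status'] != '500' or m['upstream'] != '-':
            continue  # skip non-500s and 500s that an upstream produced
        # Both logs are assumed to use the same server-local wall clock.
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
        hits.append((m['req'], aborts.get((ts, m['client'], m['req']))))
    return hits

if __name__ == '__main__':
    for req, abort in gateway_500s(ACCESS_LOG, ERROR_LOG):
        print(req, '->', abort or 'no matching Lua abort in error.log')
```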
