namdiag opened a new issue, #9688:
URL: https://github.com/apache/apisix/issues/9688

### Current Behavior

A route has a proxy_cache config. If the cache data doesn't exist yet, a call to the route URL with the PURGE method causes APISIX to return a 404 error on this route.

There are 2 severe problems with this issue, including a security one:
- The PURGE method has been added to http-block-method and is not included in http-allow-methods; the user calls and the API gateway returns HTTP status code 405, but the cache delete is still happening. A severe security issue with this problem
- Running the PURGE method against a route that hasn't been cached yet but has a proxy_cache config makes every call after that with a different HTTP method like GET, POST return 404

### Expected Behavior

- The PURGE method can be blocked, and when called from the outside world it should not cause a cache delete
- The PURGE method, when called against a route that has a cache config but whose cache data doesn't exist yet, should be OK and not cause errors on normal method calls
   
### Error Logs

```
apisix 42.112.56.241 - - [19/Jun/2023:02:35:49 +0000] staging.diag.vn "PURGE / HTTP/2.0" 405 0 0.000 "-" "curl/8.0.1" - - - "http://staging.mydomain.com"
apisix 42.112.56.241 - - [19/Jun/2023:02:35:51 +0000] staging.diag.vn "PURGE / HTTP/2.0" 405 225 0.000 "-" "curl/8.0.1" - - - "http://staging.mydomain.com"

apisix 2023/06/19 01:52:26 [warn] 50#50: *497235 [lua] plugin.lua:1102: run_plugin(): proxy-cache exits with http status code 404, client: 42.112.56.241, server: _, request: "GET /"
```

   
### Steps to Reproduce

1. Create an API Route and Upstream through APISIX Ingress with host `staging.mydomain.com`; this Ingress contains these annotations:

> k8s.apisix.apache.org/http-allow-methods: GET,POST,PUT,PATCH,DELETE,OPTIONS,HEAD
> k8s.apisix.apache.org/http-block-method: PURGE
> k8s.apisix.apache.org/plugin-config-name: proxy-cache-config

2. Run -v
Here is the response:
```
* Using Stream ID: 1 (easy handle 0x55a567d39e10)
> PURGE / HTTP/2
> Host: staging.mydomain.com
> user-agent: curl/8.0.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 405
< date: Mon, 19 Jun 2023 02:35:51 GMT
< content-type: text/html; charset=utf-8
< content-length: 225
< server: APISIX/3.3.0
<
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>openresty</center>
<p><em>Powered by <a href="https://apisix.apache.org/">APISIX</a>.</em></p></body>
</html>
* Connection #0 to host staging.mydomain.com left intact
```
   
### Environment

- APISIX version (run `apisix version`): 3.3.0
- Operating system (run `uname -a`): Linux apisix-8b95d7d5c-lv5bf 5.15.89+ #1 SMP Sat Mar 18 09:27:02 UTC 2023 x86_64 GNU/Linux
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.21.4.1
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): 3.5.2
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):

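The practical consequence of the report above is that a 405 in the access log does not prove a PURGE had no effect on the cache, so a detection rule that only looks at failed requests would miss exactly the cases described. The following is an added example (not part of the issue or of the APISIX project): a small parser for the access-log layout quoted in the report that flags every PURGE request from outside a set of trusted networks, regardless of the status code returned. The trusted network range, the regex for fields after the user agent, and the extra sample lines are assumptions constructed for the example; the two PURGE lines are the ones from the report, rejoined onto single lines.

```python
"""Flag PURGE requests in APISIX access logs regardless of the returned status."""
import ipaddress
import re
from collections import Counter

# Layout of the APISIX access-log lines quoted in the issue (assumption: the
# default APISIX access-log format; fields after the user-agent are ignored):
#   apisix <client> - - [<time>] <host> "<method> <uri> <proto>" <status> <bytes> <rt> "<referer>" "<ua>" ...
LOG_RE = re.compile(
    r'^apisix\s+(?P<client>\S+)\s+-\s+-\s+\[(?P<time>[^\]]+)\]\s+(?P<host>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+(?P<proto>[^"]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<rt>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Constructed sample: the two PURGE lines from the report, plus a follow-up GET that
# hit the 404 described in the issue, one PURGE from an internal address, and an
# ordinary external GET.
SAMPLE_LOG = """\
apisix 42.112.56.241 - - [19/Jun/2023:02:35:49 +0000] staging.diag.vn "PURGE / HTTP/2.0" 405 0 0.000 "-" "curl/8.0.1" - - - "http://staging.mydomain.com"
apisix 42.112.56.241 - - [19/Jun/2023:02:35:51 +0000] staging.diag.vn "PURGE / HTTP/2.0" 405 225 0.000 "-" "curl/8.0.1" - - - "http://staging.mydomain.com"
apisix 42.112.56.241 - - [19/Jun/2023:02:36:10 +0000] staging.diag.vn "GET / HTTP/2.0" 404 225 0.001 "-" "curl/8.0.1" - - - "http://staging.mydomain.com"
apisix 10.0.3.7 - - [19/Jun/2023:02:40:00 +0000] staging.diag.vn "PURGE /assets/app.js HTTP/1.1" 200 0 0.000 "-" "cache-janitor/1.0" - - - "http://staging.mydomain.com"
apisix 203.0.113.9 - - [19/Jun/2023:02:41:12 +0000] staging.diag.vn "GET / HTTP/2.0" 200 1024 0.002 "-" "Mozilla/5.0" - - - "http://staging.mydomain.com"
"""

# Constructed assumption: networks from which cache purges are legitimately issued.
TRUSTED_PURGE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_trusted(client):
    """True if the client address lies inside one of the trusted purge networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PURGE_NETS)


def untrusted_purges(log_text):
    """All PURGE requests from outside the trusted networks.

    Deliberately does not filter on status: with the behaviour described in
    the issue, a 405 to the client does not prove the cache entry survived,
    so every external PURGE is worth an alert.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "PURGE" and not is_trusted(rec["client"]):
            hits.append(rec)
    return hits


def purge_sources(log_text):
    """Count untrusted PURGE attempts per (client, host, status)."""
    return Counter((r["client"], r["host"], r["status"]) for r in untrusted_purges(log_text))


if __name__ == "__main__":
    for (client, host, status), n in purge_sources(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} PURGE request(s) answered {status}")
```

On the sample above the rule reports two PURGE attempts from 42.112.56.241 answered with 405 and ignores the internal purge; the follow-up GET that returned 404 is the symptom to correlate with those attempts when triaging.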


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
