ly123-liu opened a new issue, #9689:
URL: https://github.com/apache/apisix/issues/9689
### Current Behavior
Currently we use nginx to proxy multiple domains to the outside; it seems our environments cannot reach outside directly and must go through a proxy to do that. The nginx stream configuration is:
```nginx
stream {
    # server name whitelist
    map $ssl_preread_server_name $remote_hostname {
        www.baidu.com       www.baidu.com;
        qyapi.weixin.qq.com qyapi.weixin.qq.com;
    }
    # Generic https forward proxy
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 10s;
        proxy_timeout 600s;
        proxy_ssl_server_name on;
        #proxy_pass $remote_hostname:443;
        proxy_pass $ssl_preread_server_name:443;
    }
}
```
When using apisix to do stream proxy with HTTPS, it seems not to work. Can someone help? Thanks.

apisix add stream routes:

1) add stream_routes
```shell
curl -i http://localhost:9180/apisix/admin/stream_routes/stream_baidu \
  --header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  --header 'Content-Type: application/json' -X PUT -d '
{
  "sni": "www.baidu.com",
  "upstream": {
    "scheme": "tls",
    "nodes": {
      "www.baidu.com:443": 1
    },
    "pass_host": "pass",
    "type": "roundrobin"
  }
}'
```

```json
{"key":"/apisix/stream_routes/stream_baidu","value":{"id":"stream_baidu","create_time":1687142913,"upstream":{"pass_host":"pass","scheme":"tls","hash_on":"vars","nodes":{"www.baidu.com:443":1},"type":"roundrobin"},"sni":"www.baidu.com","update_time":1687142948}}
```
2) `curl https://www.baidu.com --connect-to "www.baidu.com:443:localhost:9100" -vv`

```yaml
stream_proxy:                 # TCP/UDP proxy
  only: false                 # use stream proxy only, don't enable HTTP stuff
  tcp:                        # TCP proxy port list
    - addr: 9100
      tls: true
    - addr: "127.0.0.1:9101"
```

[error: do we need to add an SSL config? The nginx TCP stream needs no SSL config, so why?]
```
apisix@fa61f51d76da:/usr/local/apisix$ curl https://www.baidu.com --connect-to "www.baidu.com:443:localhost:9100" -vv
* Connecting to hostname: localhost
* Connecting to port: 9100
* Trying 127.0.0.1:9100...
* Connected to localhost (127.0.0.1) port 9100 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
```
3) Not using TLS in the stream proxy still does not work:
```
apisix@fa61f51d76da:/usr/local/apisix$ curl https://www.baidu.com --connect-to "www.baidu.com:443:localhost:9101" -vv
* Connecting to hostname: localhost
* Connecting to port: 9101
* Trying 127.0.0.1:9101...
* Connected to localhost (127.0.0.1) port 9101 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.baidu.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.baidu.com:443
```
It seems that using the apisix stream proxy with SNI requires generating an SSL config? How can I do that in apisix with one listening stream port but still identify which domain should be passed outside?
### Expected Behavior
How can I do that in apisix with one listening stream port and identify which domain the client needs to reach and pass it outside?
```nginx
stream {
    # server name whitelist
    map $ssl_preread_server_name $remote_hostname {
        www.baidu.com       www.baidu.com;
        qyapi.weixin.qq.com qyapi.weixin.qq.com;
    }
    # Generic https forward proxy
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 10s;
        proxy_timeout 600s;
        proxy_ssl_server_name on;
        #proxy_pass $remote_hostname:443;
        proxy_pass $ssl_preread_server_name:443;
    }
}
```
### Error Logs
```
* Connecting to hostname: localhost
* Connecting to port: 9100
* Trying 127.0.0.1:9100...
* Connected to localhost (127.0.0.1) port 9100 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
```
### Steps to Reproduce
1) add apisix stream_routes
```shell
curl -i http://localhost:9180/apisix/admin/stream_routes/stream_baidu \
  --header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  --header 'Content-Type: application/json' -X PUT -d '
{
  "sni": "www.baidu.com",
  "upstream": {
    "scheme": "tls",
    "nodes": {
      "www.baidu.com:443": 1
    },
    "pass_host": "pass",
    "type": "roundrobin"
  }
}'
```

```json
{"key":"/apisix/stream_routes/stream_baidu","value":{"id":"stream_baidu","create_time":1687142913,"upstream":{"pass_host":"pass","scheme":"tls","hash_on":"vars","nodes":{"www.baidu.com:443":1},"type":"roundrobin"},"sni":"www.baidu.com","update_time":1687142948}}
```
2) `curl https://www.baidu.com --connect-to "www.baidu.com:443:localhost:9100" -vv`

```yaml
stream_proxy:                 # TCP/UDP proxy
  only: false                 # use stream proxy only, don't enable HTTP stuff
  tcp:                        # TCP proxy port list
    - addr: 9100
      tls: true
    - addr: "127.0.0.1:9101"
```

[error: do we need to add an SSL config? The nginx TCP stream needs no SSL config, so why?]
```
apisix@fa61f51d76da:/usr/local/apisix$ curl https://www.baidu.com --connect-to "www.baidu.com:443:localhost:9100" -vv
* Connecting to hostname: localhost
* Connecting to port: 9100
* Trying 127.0.0.1:9100...
* Connected to localhost (127.0.0.1) port 9100 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
```
### Environment
- apisix version: apisix-3.2.1-debian
- etcd: 3.5.0
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]