kingluo commented on code in PR #10066:
URL: https://github.com/apache/apisix/pull/10066#discussion_r1299959083
##########
apisix/init.lua:
##########
@@ -358,33 +358,20 @@ local function verify_https_client(ctx)
return true
end
- local matched_ssl = ngx.ctx.matched_ssl
- if matched_ssl.value.client
- and matched_ssl.value.client.skip_mtls_uri_regex
- and apisix_ssl.support_client_verification()
- and (not uri_matches_skip_mtls_route_patterns(matched_ssl,
ngx.var.uri)) then
- local res = ctx.var.ssl_client_verify
- if res ~= "SUCCESS" then
- if res == "NONE" then
- core.log.error("client certificate was not present")
- else
- core.log.error("client certificate verification is not passed:
", res)
- end
-
- return false
- end
- end
-
local host = ctx.var.host
- local matched = router.router_ssl.match_and_set(ctx, true, host)
- if not matched then
- return true
+ if not ctx.matched_ssl then
+ local matched = router.router_ssl.match_and_set(ctx, true, host)
+ if not matched then
+ return true
+ end
end
local matched_ssl = ctx.matched_ssl
if matched_ssl.value.client and apisix_ssl.support_client_verification()
then
local verified = apisix_base_flags.client_cert_verified_in_handshake
- if not verified then
+ local uri_in_whitelist = matched_ssl.value.client.skip_mtls_uri_regex
Review Comment:
Move skip-mtls logic here, because we need to check all requests within the
same SSL connection.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
