mc-round2 opened a new issue, #10475:
URL: https://github.com/apache/apisix/issues/10475
### Description
I configured the following route and upstream:
------------------
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: test-route
spec:
  http:
    - name: rule
      match:
        hosts:
          - gateway.test.tt
        paths:
          - "/testapi/*"
      upstreams:
        - name: test-upstream
      plugins:
        - name: proxy-rewrite
          enable: true
          config:
            host: api.test.tt
            uri: "/api/"
--------------------------------
apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  name: test-upstream
spec:
  externalNodes:
    - type: Domain
      name: api.test.tt
---------------------------------------
The API I'm trying to contact is behind an authentication mechanism (not set
by APISIX) that requires me to provide a bearer token whenever I do a request.
My current issue is that when I do a GET request I get the following:
----------------------------------------------------------------------------------------------------------------------------------------------------
* Preparing request to https://gateway.test.tt/testapi/wtv/index.html#/
* Current time is XXXXXXXXXXXXXX
* Enable automatic URL encoding
* Using default HTTP version
* Enable timeout of 30000ms
* Disable SSL validation
* Enable cookie sending with jar of 18 cookies
* Too old connection (1053 seconds), disconnect it
* Connection 1 seems to be dead!
* Closing connection 1
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Too old connection (1054 seconds), disconnect it
* Connection 0 seems to be dead!
* Closing connection 0
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Hostname in DNS cache was stale, zapped
* Trying XXXXXXXXXX:443...
* Connected to gateway.test.tt(XXXXXX) port 443 (#2)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: DC=tt; DC=test; OU=computers; CN=XXXXXXXXX
* start date: XXXXXXX
* expire date: XXXXX
* issuer: DC=tt; DC=test; CN=XXXXXXXX
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x214402bd5800)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
*
-------------
> GET /testapi/wtv/index.html HTTP/2
> Host: gateway.test.tt
> cookie: LBLEVEL2=XXXXXX
> user-agent: insomnia/2023.5.8
> authorization: Bearer XXXXXXXXXXXX
> accept: */*
-------------
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
*
-----------------
< HTTP/2 302
< cache-control: no-cache
< content-length: 0
< location: https://api.test.tt/api/
< server: APISIX/3.6.0
< date: XXXXXXXXX
----------------
* Connection #2 to host gateway.test.tt left intact
* Issue another request to this URL: 'https://api.test.tt/api/'
* Trying XXXXXXX:443...
* Connected to api.test.tt(XXXXXXX) port 443 (#3)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: DC=tt; DC=test; OU=computers; CN=XXXXXXXXX
* start date: XXXXXXXXXX
* expire date: XXXXXXXXX
* issuer: DC=tt; DC=test; CN=XXXXXXXXXXX
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
*
----------------
> GET /api/ HTTP/1.1
> Host: api.test.tt
> Cookie: JSESSIONID=XXXXXXXXX; LBLEVEL1=XXXXXXXXX; LBLEVEL2=XXXXXXXXX
> User-Agent: insomnia/2023.5.8
> Accept: */*
----------------
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
*
---------------
< HTTP/1.1 401
< www-authenticate: Bearer
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< strict-transport-security: max-age=31536000 ; includeSubDomains
< x-frame-options: DENY
< transfer-encoding: chunked
< date: XXXXXXXX
---------------------
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Received 5 B chunk
* Connection 3 to host api.test.tt left intact
-----------------------------------------------------------------------------------------------------------------------------------
I configured the SSL through the Dashboard. It seems to me that the Bearer
token is not being kept when APISIX passes the request to the API.
Another thing that I find weird is that no matter the route that I use
(whether behind authentication or not) I always first get a 302 from APISIX
that shows the real location of the API I'm trying to contact. Is this a known
feature of APISIX or did I misconfigure something?
### Environment
- APISIX version 2.3.0
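Added example (not part of the original issue and not APISIX code): a small Python check that reads the `>`/`<` header lines of a verbose client trace like the one in the issue and reports redirect hops where the host changed and the `Authorization` header was not re-sent. The function names and the embedded excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: request/response header lines taken from the trace in
# the issue, keeping its redacted placeholders.
TRACE = """\
> GET /testapi/wtv/index.html HTTP/2
> Host: gateway.test.tt
> authorization: Bearer XXXXXXXXXXXX
< HTTP/2 302
< location: https://api.test.tt/api/
< server: APISIX/3.6.0
> GET /api/ HTTP/1.1
> Host: api.test.tt
< HTTP/1.1 401
< www-authenticate: Bearer
"""

REQ_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/[\d.]+$")
STATUS_LINE = re.compile(r"^HTTP/[\d.]+ (\d{3})")

def parse_hops(trace):
    """Return one dict per request: host, has_auth, response status."""
    hops = []
    for raw in trace.splitlines():
        if raw[:2] not in ("> ", "< "):
            continue  # skip '*' informational lines and separators
        direction, text = raw[0], raw[2:].strip()
        if direction == ">" and REQ_LINE.match(text):
            hops.append({"host": None, "has_auth": False, "status": None})
        elif not hops:
            continue
        elif direction == ">":
            name, _, value = text.partition(":")
            if name.lower() == "host":
                hops[-1]["host"] = value.strip().lower()
            elif name.lower() == "authorization":
                hops[-1]["has_auth"] = True
        elif (m := STATUS_LINE.match(text)):
            hops[-1]["status"] = int(m.group(1))
    return hops

def dropped_credentials(hops):
    """Flag redirect hops where the host changed and Authorization is gone."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        redirected = prev["status"] in (301, 302, 303, 307, 308)
        if redirected and prev["has_auth"] and not cur["has_auth"] and prev["host"] != cur["host"]:
            findings.append((prev["host"], cur["host"], cur["status"]))
    return findings
```

On the excerpt, `dropped_credentials(parse_hops(TRACE))` reports the hop from `gateway.test.tt` to `api.test.tt`: in the trace, the second request is issued by the client directly to `api.test.tt` after the 302, and it carries no `Authorization` header.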