kj415j45 opened a new issue, #10673:
URL: https://github.com/apache/apisix/issues/10673

   ### Description
   
   Recently I've been using [GitHub Codespace](https://docs.github.com/en/codespaces) as the temporary development environment, but when I tried to configure APISIX to serve the test environment for my partner, APISIX does not work properly.
   
   ---
   
   Minimal reproduction steps:
   
   ## Codespace side
   
   1. Create from an empty Codespace.
      - Like my [kj415j45/codespace](https://codespaces.new/kj415j45/codespace)
   2. Run `npm install -g http-server`.
      - This installs the npm package [http-server](https://www.npmjs.com/package/http-server)
   3. Run `http-server`.
      - This runs a default setup web server that statically provides files for the current dir on port `8080`
   4. Codespace automatically configures port forwarding for port `8080` with `HTTP` and `private`.
   5. Update the port forwarding visibility to `public`.
      - This ensures that the forwarded service won't require a GitHub login auth.
   
   ## APISIX side
   
   I'm using my PC to reproduce the issue, but the same issue exists in our online deployment.
   
   1. Made a default APISIX setup with Docker. (I used the [/example/docker-compose.yml](https://github.com/apache/apisix-docker))
   2. Configure 2 upstreams.
      - Codespace
   ```json
   {
     "nodes": [
       {
         "host": "fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev",
         "port": 443,
         "weight": 1
       }
     ],
     "timeout": {
       "connect": 6,
       "send": 6,
       "read": 6
     },
     "type": "roundrobin",
     "scheme": "https",
     "pass_host": "node",
     "name": "Codespace",
     "keepalive_pool": {
       "idle_timeout": 60,
       "requests": 1000,
       "size": 320
     }
   }
   ```
      - Local
   ```json
   {
     "nodes": [
       {
         "host": "10.1.1.233",
         "port": 8080,
         "weight": 1
       }
     ],
     "timeout": {
       "connect": 6,
       "send": 6,
       "read": 6
     },
     "type": "roundrobin",
     "scheme": "https",
     "pass_host": "node",
     "name": "Local Test",
     "keepalive_pool": {
       "idle_timeout": 60,
       "requests": 1000,
       "size": 320
     }
   }
   ```
   3. Configure 2 corresponding routes.
      - Codespace
   ```json
   {
     "uri": "/codespace/*",
     "name": "Codespace README",
     "plugins": {
       "proxy-rewrite": {
         "regex_uri": [
           "/codespace/(.*)",
           "/$1.md"
         ]
       }
     },
     "upstream_id": "492136174815544006",
     "status": 1
   }
   ```
      - Local
   ```json
   {
     "uri": "/local/*",
     "name": "Local README",
     "plugins": {
       "proxy-rewrite": {
         "regex_uri": [
           "/local/(.*)",
           "/$1.md"
         ]
       }
     },
     "upstream_id": "492139627616928454",
     "status": 1
   }
   ```
   
   ### Test side
   
   The test runs on my PC too.
   
   1. `npm install -g http-server`
   2. `echo "Hello" >> README.md`
   3. Create a cert via `openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem`
   4. Serve with HTTPS by `http-server -S -C cert.pem`
   
   Test results:
   
   <details>
   <summary>Request Codespace directly</summary>
   ```sh
   curl -vvv https://fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev/README.md
   ```
   
   ```
   * Uses proxy env variable NO_PROXY == 'localhost,127.0.0.1,::1'
   *   Trying 20.197.80.108:443...
   * Connected to fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev (20.197.80.108) port 443 (#0)
   * ALPN, offering h2
   * ALPN, offering http/1.1
   * successfully set certificate verify locations:
   *  CAfile: /etc/ssl/cert.pem
   *  CApath: none
   * (304) (OUT), TLS handshake, Client hello (1):
   * (304) (IN), TLS handshake, Server hello (2):
   * (304) (IN), TLS handshake, Unknown (8):
   * (304) (IN), TLS handshake, Certificate (11):
   * (304) (IN), TLS handshake, CERT verify (15):
   * (304) (IN), TLS handshake, Finished (20):
   * (304) (OUT), TLS handshake, Finished (20):
   * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
   * ALPN, server accepted to use h2
   * Server certificate:
   *  subject: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; CN=app.github.dev
   *  start date: Sep 22 00:00:00 2023 GMT
   *  expire date: Sep 22 23:59:59 2024 GMT
   *  subjectAltName: host "fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev" matched cert's "*.app.github.dev"
   *  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
   *  SSL certificate verify ok.
   * Using HTTP2, server supports multiplexing
   * Connection state changed (HTTP/2 confirmed)
   * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
   * Using Stream ID: 1 (easy handle 0x7fabe880d400)
   > GET /README.md HTTP/2
   > Host: fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev
   > user-agent: curl/7.79.1
   > accept: */*
   > 
   * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
   < HTTP/2 200 
   < date: Mon, 18 Dec 2023 02:58:06 GMT
   < content-type: text/markdown; charset=UTF-8
   < content-length: 38
   < accept-ranges: bytes
   < cache-control: no-cache,no-store
   < cache-control: max-age=3600
   < etag: W/"1441833-38-2023-12-18T02:05:07.001Z"
   < expires: Thu, 01 Jan 1970 00:00:00 GMT
   < last-modified: Mon, 18 Dec 2023 02:05:07 GMT
   < pragma: no-cache
   < set-cookie: .Tunnels.Relay.WebForwarding.Cookies=[!!!REDACTED!!!];path=/; secure; samesite=none
   < x-content-type-options: nosniff
   < x-content-type-options: nosniff
   < ratelimit-limit: HttpRequestRatePerPort:3000/m
   < ratelimit-limit: HttpRequestRatePerPort:3000/m
   < ratelimit-remaining: HttpRequestRatePerPort:2999
   < ratelimit-remaining: HttpRequestRatePerPort:2999
   < ratelimit-reset: HttpRequestRatePerPort:49s
   < ratelimit-reset: HttpRequestRatePerPort:17s
   < x-report-abuse: https://msrc.microsoft.com/report/abuse
   < x-report-abuse: https://msrc.microsoft.com/report/abuse
   < x-ms-ratelimit-limit: 1500
   < x-ms-ratelimit-remaining: 1498
   < x-ms-ratelimit-used: 2
   < x-ms-ratelimit-reset: 0
   < vssaas-request-id: 70707778-9113-4e99-b535-b5e280996313
   < strict-transport-security: max-age=31536000; includeSubDomains
   < x-served-by: tunnels-prod-rel-asse-v3-cluster
   < x-robots-tag: noindex, nofollow
   < referrer-policy: same-origin
   < 
   # codespace
   Start an empty codespace.
   * Connection #0 to host fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev left intact
   ```
   </details>
   
   <details>
   <summary>Request Codespace via APISIX</summary>
   ```sh
   curl -vvv http://localhost:9080/codespace/README
   ```
   
   ```
   * Uses proxy env variable NO_PROXY == 'localhost,127.0.0.1,::1'
   *   Trying 127.0.0.1:9080...
   * Connected to localhost (127.0.0.1) port 9080 (#0)
   > GET /codespace/README HTTP/1.1
   > Host: localhost:9080
   > User-Agent: curl/7.79.1
   > Accept: */*
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 308 Permanent Redirect
   < Content-Type: text/html; charset=utf-8
   < Content-Length: 164
   < Connection: keep-alive
   < Date: Mon, 18 Dec 2023 02:52:32 GMT
   < Location: https://localhost/README.md
   < Strict-Transport-Security: max-age=31536000; includeSubDomains
   < X-Served-By: tunnels-prod-rel-use-v3-cluster
   < Server: APISIX/3.7.0
   < 
   <html>
   <head><title>308 Permanent Redirect</title></head>
   <body>
   <center><h1>308 Permanent Redirect</h1></center>
   <hr><center>nginx</center>
   </body>
   </html>
   * Connection #0 to host localhost left intact
   ```
   </details>
   
   <details>
   <summary>Request Local directly</summary>
   ```sh
   curl -k -vvv https://localhost:8080/README.md
   ```
   
   ```
   * Uses proxy env variable NO_PROXY == 'localhost,127.0.0.1,::1'
   *   Trying 127.0.0.1:8080...
   * Connected to localhost (127.0.0.1) port 8080 (#0)
   * ALPN, offering h2
   * ALPN, offering http/1.1
   * successfully set certificate verify locations:
   *  CAfile: /etc/ssl/cert.pem
   *  CApath: none
   * (304) (OUT), TLS handshake, Client hello (1):
   * (304) (IN), TLS handshake, Server hello (2):
   * (304) (IN), TLS handshake, Unknown (8):
   * (304) (IN), TLS handshake, Certificate (11):
   * (304) (IN), TLS handshake, CERT verify (15):
   * (304) (IN), TLS handshake, Finished (20):
   * (304) (OUT), TLS handshake, Finished (20):
   * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
   * ALPN, server accepted to use http/1.1
   * Server certificate:
   *  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
   *  start date: Dec 18 02:45:52 2023 GMT
   *  expire date: Dec 15 02:45:52 2033 GMT
   *  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
   *  SSL certificate verify result: self signed certificate (18), continuing anyway.
   > GET /README.md HTTP/1.1
   > Host: localhost:8080
   > User-Agent: curl/7.79.1
   > Accept: */*
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 200 OK
   < accept-ranges: bytes
   < cache-control: max-age=3600
   < last-modified: Mon, 18 Dec 2023 02:45:22 GMT
   < etag: W/"12912798281-6-2023-12-18T02:45:22.945Z"
   < content-length: 6
   < content-type: text/markdown; charset=UTF-8
   < Date: Mon, 18 Dec 2023 03:18:56 GMT
   < Connection: keep-alive
   < Keep-Alive: timeout=5
   < 
   Hello
   * Connection #0 to host localhost left intact
   ```
   </details>
   
   <details>
   <summary>Request Local via APISIX</summary>
   ```sh
   curl -vvv http://localhost:9080/local/README
   ```
   
   ```
   * Uses proxy env variable NO_PROXY == 'localhost,127.0.0.1,::1'
   *   Trying 127.0.0.1:9080...
   * Connected to localhost (127.0.0.1) port 9080 (#0)
   > GET /local/README HTTP/1.1
   > Host: localhost:9080
   > User-Agent: curl/7.79.1
   > Accept: */*
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 200 OK
   < Content-Type: text/markdown; charset=UTF-8
   < Content-Length: 6
   < Connection: keep-alive
   < accept-ranges: bytes
   < cache-control: max-age=3600
   < last-modified: Mon, 18 Dec 2023 02:45:22 GMT
   < etag: W/"12912798281-6-2023-12-18T02:45:22.945Z"
   < Date: Mon, 18 Dec 2023 03:12:55 GMT
   < Server: APISIX/3.7.0
   < 
   Hello
   * Connection #0 to host localhost left intact
   ```
   </details>
   
   Result table
   
   |  | Direct | Via APISIX |
   | :-: | :-: | :-: |
   | Codespace | ✅ | ❌(308) |
   | Local | ✅ | ✅ |
   
   The 308 response is also redirecting the client to an invalid location (`Location: https://localhost/README.md`)
   
   Additionally, I tried to set the upstream's `pass_host` from `node` to `pass`.
   <details>
   <summary>Use `"pass_host": "pass"`</summary>
   ```sh
   curl -vvv http://localhost:9080/codespace/README
   ```
   
   ```
   * Uses proxy env variable NO_PROXY == 'localhost,127.0.0.1,::1'
   *   Trying 127.0.0.1:9080...
   * Connected to localhost (127.0.0.1) port 9080 (#0)
   > GET /codespace/README HTTP/1.1
   > Host: localhost:9080
   > User-Agent: curl/7.79.1
   > Accept: */*
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 404 Not Found
   < Content-Type: text/html; charset=utf-8
   < Content-Length: 146
   < Connection: keep-alive
   < Date: Mon, 18 Dec 2023 03:03:58 GMT
   < X-Served-By: tunnels-prod-rel-asse-v3-cluster
   < Strict-Transport-Security: max-age=31536000; includeSubDomains
   < Server: APISIX/3.7.0
   < 
   <html>
   <head><title>404 Not Found</title></head>
   <body>
   <center><h1>404 Not Found</h1></center>
   <hr><center>nginx</center>
   </body>
   </html>
   * Connection #0 to host localhost left intact
   ```
   </details>
   
   I've contacted GitHub Support and they cannot confirm if this is a Codespace-specific issue.
   Is my configuration wrong? Or is this a GitHub-side issue?
   
   ### Environment
   
   - APISIX version (run `apisix version`): `3.7.0`
   - Operating system (run `uname -a`): `Darwin iMacdeiMac.local 21.6.0 Darwin Kernel Version 21.6.0: Sun Nov  6 23:31:16 PST 2022; root:xnu-8020.240.14~1/RELEASE_X86_64 x86_64`
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   ```
   nginx version: openresty/1.21.4.2
   built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
   built with OpenSSL 1.1.1s  1 Nov 2022
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_RUNTIME_VER=1.0.1 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0/src/stream --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0/src/meta --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../wasm-nginx-module-0.6.5 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../grpc-client-nginx-module-v0.4.4 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   ```
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): `3.4.0`
   - APISIX Dashboard version, if relevant: `3.0.1`
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
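
Added example, not part of the original issue or of APISIX: a small triage helper that parses a `curl -v` capture taken through the gateway and reports whether a redirect's `Location` names the configured upstream node or the client-facing `Host`. It only classifies where the redirect points and does not establish why; the function names and category labels are assumptions, and `SAMPLE` is abridged from the "Request Codespace via APISIX" capture above.

```python
from urllib.parse import urlsplit

# Constructed sample: abridged from the "Request Codespace via APISIX" capture.
SAMPLE = """\
> GET /codespace/README HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.79.1
>
< HTTP/1.1 308 Permanent Redirect
< Location: https://localhost/README.md
< X-Served-By: tunnels-prod-rel-use-v3-cluster
< Server: APISIX/3.7.0
<
"""
# Upstream node host from the "Codespace" upstream definition in the issue.
UPSTREAM_HOST = "fluffy-funicular-7vjw5wj744wfwqvv-8080.app.github.dev"


def parse_curl_verbose(text):
    """Return (request_headers, status, response_headers) from `curl -v` output."""
    req, resp, status = {}, {}, None
    for line in text.splitlines():
        marker, _, rest = line.strip().partition(" ")
        if marker not in (">", "<") or not rest:
            continue  # skip "*" info lines, body lines and bare markers
        if marker == "<" and rest.startswith("HTTP/"):
            status = int(rest.split()[1])
        elif ":" in rest:
            name, _, value = rest.partition(":")
            (req if marker == ">" else resp)[name.strip().lower()] = value.strip()
    return req, status, resp


def classify_redirect(text, upstream_host):
    """Say which party the redirect's Location host names."""
    req, status, resp = parse_curl_verbose(text)
    if status is None or not 300 <= status < 400 or "location" not in resp:
        return "no-redirect"
    target = urlsplit(resp["location"]).hostname
    if target is None:
        return "relative"
    client_host = urlsplit("//" + req.get("host", "")).hostname
    if target == upstream_host.lower():
        return "upstream-host"
    if target == client_host:
        return "client-facing-host"
    return "other-host"
```

For the capture in this issue the result is `client-facing-host`: the `Location` host (`localhost`) matches the hostname the client sent to APISIX, not the upstream node.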
   

