rlaflamme opened a new issue, #10709:
URL: https://github.com/apache/apisix/issues/10709

   ### Current Behavior
   
   I tried this tutorial
   
https://apisix.apache.org/docs/apisix/next/tutorials/client-to-apisix-mtls/#mtls-bypass-based-on-regular-expression-matching-against-uri
   
   
   Here is my ssl configuration
   
   
   Using curl I successfully connect using my client certificate
   
   [root@okd4-cli mtls]# https apisix-control-plane.apps.lab.okd.local/apisix/admin/routes/3 X-API-KEY:"${API_KEY}" ^C
   [root@okd4-cli mtls]#
   [root@okd4-cli mtls]#
   [root@okd4-cli mtls]# curl -v https://test.example.com/anything/all --cert ./client.cer --key ./client.key
   * processing: https://test.example.com/anything/all
   *   Trying 10.10.1.50:443...
   * Connected to test.example.com (10.10.1.50) port 443
   * ALPN: offers h2,http/1.1
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
   * TLSv1.3 (IN), TLS handshake, Request CERT (13):
   * TLSv1.3 (IN), TLS handshake, Certificate (11):
   * TLSv1.3 (IN), TLS handshake, CERT verify (15):
   * TLSv1.3 (IN), TLS handshake, Finished (20):
   * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
   * TLSv1.3 (OUT), TLS handshake, Certificate (11):
   * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
   * TLSv1.3 (OUT), TLS handshake, Finished (20):
   * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
   * ALPN: server accepted h2
   * Server certificate:
   *  subject: CN=test.example.com
   *  start date: Dec 24 17:46:44 2023 GMT
   *  expire date: Nov 30 17:46:44 2123 GMT
   *  issuer: CN=ROOTCA
   *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
   * using HTTP/2
   * h2 [:method: GET]
   * h2 [:scheme: https]
   * h2 [:authority: test.example.com]
   * h2 [:path: /anything/all]
   * h2 [user-agent: curl/8.2.1]
   * h2 [accept: */*]
   * Using Stream ID: 1
   > GET /anything/all HTTP/2
   > Host: test.example.com
   > User-Agent: curl/8.2.1
   > Accept: */*
   >
   * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
   * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
   * old SSL session ID is stale, removing
   < HTTP/2 200
   < content-type: application/json
   < content-length: 411
   < date: Mon, 25 Dec 2023 20:21:44 GMT
   < access-control-allow-origin: *
   < access-control-allow-credentials: true
   < server: APISIX/3.7.0
   <
   {
     "args": {},
     "data": "",
     "files": {},
     "form": {},
     "headers": {
       "Accept": "*/*",
       "Host": "test.example.com",
       "User-Agent": "curl/8.2.1",
       "X-Amzn-Trace-Id": "Root=1-6589e458-3fa744754a2b25cf17f296c0",
       "X-Forwarded-Host": "test.example.com"
     },
     "json": null,
     "method": "GET",
     "origin": "10.128.2.1, 74.57.230.36",
     "url": "http://test.example.com/anything/all"
   }
   * Connection #0 to host 
   
   Without client certificates:
   [root@okd4-cli mtls]# curl -v https://test.example.com/anything/all
   * processing: https://test.example.com/anything/all
   *   Trying 10.10.1.50:443...
   * Connected to test.example.com (10.10.1.50) port 443
   * ALPN: offers h2,http/1.1
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
   * TLSv1.3 (IN), TLS handshake, Request CERT (13):
   * TLSv1.3 (IN), TLS handshake, Certificate (11):
   * TLSv1.3 (IN), TLS handshake, CERT verify (15):
   * TLSv1.3 (IN), TLS handshake, Finished (20):
   * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
   * TLSv1.3 (OUT), TLS handshake, Certificate (11):
   * TLSv1.3 (OUT), TLS handshake, Finished (20):
   * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
   * ALPN: server accepted h2
   * Server certificate:
   *  subject: CN=test.example.com
   *  start date: Dec 24 17:46:44 2023 GMT
   *  expire date: Nov 30 17:46:44 2123 GMT
   *  issuer: CN=ROOTCA
   *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
   * using HTTP/2
   * h2 [:method: GET]
   * h2 [:scheme: https]
   * h2 [:authority: test.example.com]
   * h2 [:path: /anything/all]
   * h2 [user-agent: curl/8.2.1]
   * h2 [accept: */*]
   * Using Stream ID: 1
   > GET /anything/all HTTP/2
   > Host: test.example.com
   > User-Agent: curl/8.2.1
   > Accept: */*
   >
   * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
   * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
   * old SSL session ID is stale, removing
   < HTTP/2 400
   < date: Mon, 25 Dec 2023 20:22:23 GMT
   < content-type: text/html; charset=utf-8
   < content-length: 154
   < server: APISIX/3.7.0
   <
   <html>
   <head><title>400 Bad Request</title></head>
   <body>
   <center><h1>400 Bad Request</h1></center>
   <hr><center>openresty</center>
   </body>
   </html>
   * Connection #0 to host test.example.com left intact
   [root@okd4-cli mtls]#
   ### Expected Behavior
   
    curl -v https://test.example.com/anything/all
   should have returned 200
   
   from ssl configuration
   ...
               "skip_mtls_uri_regex": [
                   "/anything.*"
               ]
           },
   ...
           "snis": [
               "test.example.com"
           ],
   
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   [root@okd4-cli mtls]# https apisix-control-plane.apps.lab.okd.local/apisix/admin/ssls/1 X-API-KEY:"${API_KEY}"
   HTTP/1.1 200 OK
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Origin: *
   Access-Control-Expose-Headers: *
   Access-Control-Max-Age: 3600
   Connection: keep-alive
   Content-Type: application/json
   Date: Mon, 25 Dec 2023 20:13:32 GMT
   Server: APISIX/3.7.0
   Transfer-Encoding: chunked
   X-API-VERSION: v3
   
   {
       "createdIndex": 318,
       "key": "/apisix/ssls/1",
       "modifiedIndex": 336,
       "value": {
           "cert": "<PEM server certificate omitted>",
           "client": {
               "ca": "<PEM CA certificate omitted>",
               "depth": 10,
               "skip_mtls_uri_regex": [
                   "/anything.*"
               ]
           },
           "create_time": 1703523337,
           "id": "1",
           "snis": [
               "test.example.com"
           ],
           "status": 1,
           "type": "server",
           "update_time": 1703533557
       }
   }
   
   here's the route
   
   [root@okd4-cli mtls]# https apisix-control-plane.apps.lab.okd.local/apisix/admin/routes/3 X-API-KEY:"${API_KEY}"
   HTTP/1.1 200 OK
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Origin: *
   Access-Control-Expose-Headers: *
   Access-Control-Max-Age: 3600
   Connection: keep-alive
   Content-Type: application/json
   Date: Mon, 25 Dec 2023 20:20:40 GMT
   Server: APISIX/3.7.0
   Transfer-Encoding: chunked
   X-API-VERSION: v3
   
   {
       "createdIndex": 339,
       "key": "/apisix/routes/3",
       "modifiedIndex": 339,
       "value": {
           "create_time": 1703533895,
           "id": "3",
           "name": "all",
           "priority": 0,
           "status": 1,
           "update_time": 1703533895,
           "upstream": {
               "hash_on": "vars",
               "nodes": {
                   "httpbin.org:80": 1
               },
               "pass_host": "pass",
               "scheme": "http",
               "type": "roundrobin"
           },
           "uri": "/*"
       }
   }
   ### Environment
   
   - APISIX 3.7.0
   - Operating system OKD (Openshift 4.14)
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   
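As an added example (not from the issue and not APISIX's own code), a small Python model of how a `skip_mtls_uri_regex` list is evaluated against a request path, so the reporter's expectation (`/anything.*` should exempt `/anything/all`) can be checked without a running gateway. It assumes, per the APISIX docs, that each entry is a PCRE pattern applied as an unanchored search against the path (query string excluded) and that a missing-but-required client certificate yields the 400 seen in the issue; it also goes beyond the issue to show that an unanchored entry exempts paths such as `/api/anything`, so such entries should normally start with `^`.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the mTLS-relevant part of the SSL object from the issue
# (PEM blobs left out). This is a model of the documented behaviour, not APISIX code.
SSL_OBJECT = {
    "snis": ["test.example.com"],
    "client": {"depth": 10, "skip_mtls_uri_regex": ["/anything.*"]},
}


def mtls_required(ssl_obj, uri):
    """True when a client certificate must be verified for this request.

    Assumption: each skip_mtls_uri_regex entry is a PCRE pattern applied as an
    unanchored search against the request path (query string excluded), and
    the first match exempts the request from client-certificate checks.
    """
    client = ssl_obj.get("client") or {}
    if not client:  # no client CA configured: plain server-side TLS only
        return False
    path = urlsplit(uri).path
    return not any(re.search(p, path) for p in client.get("skip_mtls_uri_regex", []))


def expected_status(ssl_obj, uri, has_client_cert):
    """Status the mTLS gate should produce: 400 when a required certificate is
    missing (as in the issue), otherwise 200 from the upstream."""
    if mtls_required(ssl_obj, uri) and not has_client_cert:
        return 400
    return 200


def unanchored_bypass_patterns(ssl_obj):
    """Bypass entries that do not start with '^'. An unanchored pattern also
    matches deeper in the path, so it can exempt more URIs than intended."""
    client = ssl_obj.get("client") or {}
    return [p for p in client.get("skip_mtls_uri_regex", []) if not p.startswith("^")]


if __name__ == "__main__":
    for uri, cert in [("/anything/all", True), ("/anything/all", False), ("/get", False)]:
        print(uri, "cert" if cert else "no cert", "->", expected_status(SSL_OBJECT, uri, cert))
    print("unanchored bypass patterns:", unanchored_bypass_patterns(SSL_OBJECT))
```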


-- 
This is an automated message from the Apache Git Service.