rlaflamme commented on issue #10709: URL: https://github.com/apache/apisix/issues/10709#issuecomment-1872208941
It's not a regex issue, from the documentation It should match. Please take a look at these links. [here](https://apisix.apache.org/docs/apisix/admin-api/#request-body-parameters-4) and [the guide](https://apisix.apache.org/docs/apisix/next/tutorials/client-to-apisix-mtls/#mtls-bypass-based-on-regular-expression-matching-against-uri) I did another test ``` HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Access-Control-Expose-Headers: * Access-Control-Max-Age: 3600 Connection: keep-alive Content-Type: application/json Date: Fri, 29 Dec 2023 16:19:16 GMT Server: APISIX/3.7.0 Transfer-Encoding: chunked X-API-VERSION: v3 { "key": "/apisix/ssls/1", "value": { "cert": "-----BEGIN CERTIFICATE-----\nMIICtTCCAZ0CFGb0J6S1+dt3ASTJWNKjAh3tVyhxMA0GCSqGSIb3DQEBCwUAMBEx\nDzANBgNVBAMMBlJPT1RDQTAgFw0yMzEyMjQxNzQ2NDRaGA8yMTIzMTEzMDE3NDY0\nNFowGzEZMBcGA1UEAwwQdGVzdC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAM6pemGuqL+8ubmAci3+Hl2rfDv/7/rbDVJng6WtBLc1\nfMVPF8tNSF+KMHYRzKJTYnviYybSYUwO6Gp5TF/VpcKUTnlO29i8vfW8ljOO9qiT\n45Luuq7M0J0JNPTP+8Xhsn/6HfEXpxW3Zv0/YIVDAHjPcuw8xcy9AjTsTtG/U9H+\nBm8V3KLPvKOQLsc1QQitiHRN8XaYsZjqZNoVUfYuLsshugGHANhMidsX0XhV0+7l\n8x1HIckIVfbZ9PilpB2iCrT9imigX63tjlBGxF0qOm8i1evZ9tXepfu1FjM5IjlW\nWDpIXqCNSLXsv+t4zYCvtshzvOCxQdAf0Kycx7BfEcMCAwEAATANBgkqhkiG9w0B\nAQsFAAOCAQEAKHN8D6Y/7+qa0a80YbCMod5VSp6P5k+iNw92lEVj2xiMio+JdFj6\nqhs1qjkxIgC4OQ5NOn5RSVjBteABYyyTAJBbA/HPMoGVNihIbBtBhkR9jSoSqo+6\n/Cpa2anQWaDQbbZ8yoEKz/NG+GT07LeE34HmjUBzyWhHOvWycQVyIh9QT5St7nqt\n0SKtEQQiUIUj+iEuP7rkaijH7JG+6QC+wc8Umt9ccQ/8nuxTlP9d2Axwea0oAaKN\nMiOdToPAwDndL50mBaTx+1EMmkfz91UBPhp8Ef6El90NBCU/c1GS+j/RChBSjyqE\n+HNseEPG1q8zV6EscinS9YwYc FNlF7Ljtw==\n-----END CERTIFICATE-----\n", "client": { "ca": "-----BEGIN CERTIFICATE-----\nMIICqzCCAZMCFDJIkMCKvOFoRDILcWQAinZXug7zMA0GCSqGSIb3DQEBCwUAMBEx\nDzANBgNVBAMMBlJPT1RDQTAgFw0yMzEyMjQxMzU3NDBaGA8yMTIzMTEzMDEzNTc0\nMFowETEPMA0GA1UEAwwGUk9PVENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAzrvx/YnsbPrZVhxeH56czIXqKjKIGe0uaEhxAbuHwsUW/+GyToIAG6Zn\nxZ68FNQeY4j8pwC2CJVB059nxLEUeeb4xFK3scm2H2cMRyfz2ihZcNeG4sYs9Fy2\nwxD+22Qs5Udb3HB17eHyzbgGjYVaHWg8lwKaSN+VtX6jYIXLQv0jxM0EZl4iIAjb\n/55OfDVtX2zAmGk8pbi6Leiex4Ejguue8HptwkFhQSbWT3lzCEQrWp3DTjuVHy6j\nvAnLnXe+J8xIbOQMuzUzVjfHwevKtre03xLDDy44wRJ8Aq0vJxzyI1v7GBnkSbbS\nB+ib+GFayTxkWUNN7eL2OfIQmht6BQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA6\nc6FvnDW/Qnx0kcZdw0npGU6B/oDul0lSgq8pdfDY4xukdshgtxnnft8YayzLKgB9\nj7Yj9W315CpyR5um/IV7Mu7IQ9JLOEMF4u7KEj1/ftHZrY9r7T7o4lbQs62BUQxF\nCrKmdi1gPJ6kRIKtQTc9Z5OmCQdXqH8knHyDUmr99YLUc4fCjm/A2CAadv4AgsSW\n0ROEVyq0sKO4PM3oasNuJir85FtB90m21QxNNpPt8RF8Cg1KftsccI9NlKOvdDjN\n1uoPAf0wf4OZ/2AkcFQRwr3IXKeChy05meBfsVErippV8OiH9PTWLA8xhSIGGNd1\nDLQ+aony7tXbB0GdWzo8\n- ----END CERTIFICATE-----\n", "depth": 10, "skip_mtls_uri_regex": [ "/anything", "/anything/.*", "/anything/*", "/anything/all" ] }, "create_time": 1703523337, "id": "1", "key": "YnwwDKc5vNzo0OU4StTRQbwgCnTZ3dmYiBFm8aGnvTwxKvJJ1WgSomNREpjNtjohs1L21CS1IT5LT8yk+6RKOuvEdiIZxjvmvMX9f2KT6kcewauUxr4Ih3znDwN5vYcYeB2Fodt95hkowoOqztoQvVkJOgFnbLqlvlb9FLbIbkeGMM7UOAGsNT151BkS02U9Jk+/CKF6v1SCo1VOjihzcINDKKTevOeWHCIT9AeD9RohcjIULEd+rkjRflgJ7lxLmk24rqV+K3W1bEHp+2WpFkGauvYrDzS9bKQ73xcTWu6rg27rab6vsaBQ1Q9WPV1h1MU0fL8q6SDM6fZWnix6qbORwVIt7WlwRGazXoDJiaWWe2Aiegdo9ooa4L0UZqhhSEYXj2Racw6mI2EJ4zZuo7g9kUTkfH8bLP499r5v6aW2FbRcipDk2jQ9aW3q8MyVSRFVBHg/koSKbtrdcxZfURrj/xEKxGNLAZ5R6lu/4fJ6WwLUqSiYxPPOPfY4YxNxJGX7NsisDlaZMpKhly1NmYWdRIVqbOfTO8drKxyPBQrFdDjslW8E14dd9FntbZ30BON6yOEeuMZmSsCU1oh0Uep12bsDNkuQCa1+Phlh5GjmEdHXW01K+vXjq6CdeoM89NohwO7RL9LNtVAZZ8b36iaskWe/qC6F7GWTEMd9kUzXfeS7pLRpRCcgQykV38uqoe75kZNncfKO/kf0JvSa+1p+/h355zWRY6VltV+Yn+V58rngbs7ZzQPPSvu6xXXMVSO7YzgJqd+iSWTbLtoxeauR3mOTYlnQcIwqyt6TJAYGPQq2T5PW9mPEpnKFCZ42LghvPDcMebaz7E7JqVHqnq3QHuZQd/iIohrmQ6zJGk4is2/CbNH3R0BKoMfaT6i2d39fyfVd5nj3TiMHjxZXM8PxBlsSegFbt+DyOUS0gYNOrNm+fgBI0iY35jZ9wASOdda0nDUhccwPvfcpB26 H3+ekS7+b+l7udecEzktcaKmMYg0jMrOfbmY3CP4pPLM4lZ+h9IQI7p2T+hUd6k+UMFxEkW9IdcGK3yH/odg25AuElzvCBK3Z8HydneVVOhMHcTPYWJHKWXo728kt3k4SZOoptb/ySbu7fZImt/Cczkvkw3A69FCoTBUC9VNyh0xoesE8OPTwBBY+QWaNdfhgeJFl2IxZpR933YFAv3cNSNYds+Fn3qkwVDaatyhad5m8Kbu8OptToMnZkRy+E8mCCxS5pKbKDLYZRi4plzGPKtf34x8taY/phkkTLYnWJnVXm8Nt7kS1wnx8z7g4SD+LugZnDFoOJx0ur7XCNjENf79dAwhNVXAFuVdxp6xIPdeffn//NexrYTfjC5xXtpzFX0teAK43gf0UdVvABrrIaGR73wuIGbYAi9b5vFbLpYBfo+qvgwmhaNhSrf5jWdTat2nbKo83qkCUEiAzJOSVIcuZhF6Ke7Jrgp5ApGzQKIk15SrscDpX/bmQ632njjoYX7o664G0hPz4A9Kow5mgZInX7CkWtFODHQIFCVUaXqQHwyNuRFeWVVd67kz+xGIZiFz/9bWo1+cyLhS4c/CFmn/CKS71YLf4KTCzmkn4K1fgqjgOywe72bWBcLaj2BhnFqzjYpTSwB7B50hb885l/3aFv2mnGBvuC6rzXJ4MFA4/j/eSF+3XFW9eXm8yPAAC51ZBlMbumYWH4m14ZL8r+gNMAWg5w9ASwgdo5zqX5piK9Z6/fTd08wSMKN97nry/z/+QaHlOyzOsa21378/x6o0lZ8sCkCi9OkPm28V+fh4io70A9qixtyIsQpOZjPea1DUJgUijFymt5f7YvuEIV+1Fz9vak5t6CfM+d/O94tGTBCXfVp3ixlPdpfW+c0DHEo0HvCz3YpIKDYQQBbrl6CEQSHWKPCGKYqvh8kh46ynuKIv6IhEZaNw2boKUe0p4kMvPhmhnghjiA0M8TuR4vpk8kxef+RW6GGSr bwyrlSzIpXJsZ00p3zQ3c9f17K9IqZ6QlWriOswRjyADpDUTEdjc/xHf1yGljgQz0IGuho/PA+uEKpsXw2VD/4you6uQlTWAqQozC0fSGhlE2zrFRoiI9+L0hUkSFqKq6NRmvsnQlk/eofHCJcCl9C9pntERXvonxcIBjATEJbCyuNEsUqIBBn9gzeBl6VBZo5qwGxwLyW55Zj6ZJPfljS7SdxdrPIC6N8sauWUgFN3Vmti0HgIuJtMW0JYtjJ0uU+ypRrAJ88nxy8/DIFGRjyFHnbHMqpnKEtAYgKr8dzbA7K4b/5Y=", "snis": [ "test.example.com" ], "status": 1, "type": "server", "update_time": 1703866756 } } ``` Even calling this won't work ``` curl -v https://test.example.com/anything ``` ``` [root@okd4-cli mtls]# curl -v https://test.example.com/anything * processing: https://test.example.com/anything * Trying 10.10.1.50:443... * Connected to test.example.com (10.10.1.50) port 443 * ALPN: offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Request CERT (13): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Certificate (11): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN: server accepted h2 * Server certificate: * subject: CN=test.example.com * start date: Dec 24 17:46:44 2023 GMT * expire date: Nov 30 17:46:44 2123 GMT * issuer: CN=ROOTCA * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. * using HTTP/2 * h2 [:method: GET] * h2 [:scheme: https] * h2 [:authority: test.example.com] * h2 [:path: /anything] * h2 [user-agent: curl/8.2.1] * h2 [accept: */*] * Using Stream ID: 1 > GET /anything HTTP/2 > Host: test.example.com > User-Agent: curl/8.2.1 > Accept: */* > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing < HTTP/2 400 < date: Fri, 29 Dec 2023 16:32:24 GMT < content-type: text/html; charset=utf-8 < content-length: 154 < server: APISIX/3.7.0 < <html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>openresty</center> </body> </html> * Connection #0 to host test.example.com left intact ``` Please, I think I know what I am doing. Unless you show me a clear example that works I can still observe the parameter **skip_mtls_uri_regex** is ignored. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
