Token Bearer lost after redirect by APISIX #10475

Closed · mc-round2 opened this issue Nov 10, 2023 · 9 comments

Comments

mc-round2 commented Nov 10, 2023

Description

I configured the following route and upstream:

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: test-route
spec:
  http:
  - name: rule
    match:
      hosts:
      - gateway.test.tt
      paths:
      - "/testapi/*"
    upstreams:
    - name: test-upstream
    plugins:
    - name: proxy-rewrite
      enable: true
      config:
        host: api.test.tt
        uri: "/api/"

apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  name: test-upstream
spec:
  externalNodes:
  - type: Domain
    name: api.test.tt

The API I'm trying to contact is behind an authentication mechanism (not set by APISIX) that requires me to provide a bearer token whenever I do a request.

My current issue is that when I do a GET request I get the following:

* Preparing request to https://gateway.test.tt/testapi/wtv/index.html#/
* Current time is XXXXXXXXXXXXXX
* Enable automatic URL encoding
* Using default HTTP version
* Enable timeout of 30000ms
* Disable SSL validation
* Enable cookie sending with jar of 18 cookies
* Too old connection (1053 seconds), disconnect it
* Connection 1 seems to be dead!
* Closing connection 1
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Too old connection (1054 seconds), disconnect it
* Connection 0 seems to be dead!
* Closing connection 0
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Hostname in DNS cache was stale, zapped
*   Trying XXXXXXXXXX:443...
* Connected to gateway.test.tt(XXXXXX) port 443 (#2)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: DC=tt; DC=test; OU=computers; CN=XXXXXXXXX
*  start date: XXXXXXX
*  expire date: XXXXX
*  issuer: DC=tt; DC=test; CN=XXXXXXXX
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x214402bd5800)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):

> GET /testapi/wtv/index.html HTTP/2
> Host: gateway.test.tt
> cookie: LBLEVEL2=XXXXXX
> user-agent: insomnia/2023.5.8
> authorization: Bearer XXXXXXXXXXXX
> accept: */*

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):

< HTTP/2 302 
< cache-control: no-cache
< content-length: 0
< location: https://api.test.tt/api/
< server: APISIX/3.6.0
< date: XXXXXXXXX

* Connection #2 to host gateway.test.tt left intact
* Issue another request to this URL: 'https://api.test.tt/api/'
*   Trying XXXXXXX:443...
* Connected to api.test.tt(XXXXXXX) port 443 (#3)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: DC=tt; DC=test; OU=computers; CN=XXXXXXXXX
*  start date: XXXXXXXXXX
*  expire date: XXXXXXXXX
*  issuer: DC=tt; DC=test; CN=XXXXXXXXXXX
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):

> GET /api/ HTTP/1.1
> Host: api.test.tt
> Cookie: JSESSIONID=XXXXXXXXX; LBLEVEL1=XXXXXXXXX; LBLEVEL2=XXXXXXXXX
> User-Agent: insomnia/2023.5.8
> Accept: */*

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse

< HTTP/1.1 401 
< www-authenticate: Bearer
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< strict-transport-security: max-age=31536000 ; includeSubDomains
< x-frame-options: DENY
< transfer-encoding: chunked
< date: XXXXXXXX

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Received 5 B chunk
* Connection 3 to host api.test.tt left intact

I configured the SSL through the Dashboard. It seems to me that the Bearer token is not being kept when APISIX passes the request to the API.

Another thing that I find weird is that no matter the route that I use (whether behind authentication or not) I always get first a 302 from APISIX that shows the real location of the API I'm trying to contact. Is this a known feature of APISIX or did I misconfigure something?

Environment

  • APISIX version 2.3.0
shreemaan-abhishek (Contributor) commented:

Could you please check if this exists in the latest version as well? Also, please try to use the admin api for setting up the SSLs.

@shreemaan-abhishek shreemaan-abhishek added the wait for update wait for the author's response in this issue/PR label Nov 13, 2023
shreemaan-abhishek (Contributor) commented:

Please reformat the configurations with proper indentation and add a title to the issue.

@mc-round2 mc-round2 changed the title help request: Token Bearer lost after redirect by APISIX Nov 13, 2023
mc-round2 (Author) commented:

> Could you please check if this exists in the latest version as well? Also, please try to use the admin api for setting up the SSLs.

I just checked the chart version 2.3.1 and still have the same issues.

@github-actions github-actions bot added user responded and removed wait for update wait for the author's response in this issue/PR labels Nov 13, 2023
shreemaan-abhishek (Contributor) commented:

v3.6 is latest and v3.2 is LTS. You can try any of these.

shreemaan-abhishek (Contributor) commented:

Do you see anything in error logs?

mc-round2 (Author) commented Nov 14, 2023

Hello,

The versions I have currently deployed are:
CHART VERSION 2.3.1 / APP VERSION 3.6.0

There is no specific error in the logs, but the issue is the 302 redirect that exposes the internal API and the removal of the Bearer token when the request is getting redirected.

pdsam commented Nov 15, 2023

I am also interested to know if the 302 is the expected behavior.

mc-round2 (Author) commented Nov 15, 2023

So, in the end I found the issue thanks to:
apache/apisix-ingress-controller#1905 (comment)

The only thing missing was the scheme:

apiVersion: apisix.apache.org/v2
kind: ApisixUpstream
metadata:
  name: test-upstream
spec:
  scheme: https
  externalNodes:
  - type: Domain
    name: api.test.tt

mc-round2 (Author) commented:

Maybe it would be a good idea to make this issue more obvious in the documentation. I could only find one mention of this and no examples whatsoever.
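
The following is an added example, not code from this thread or from the APISIX project. It parses a `curl -v` style trace (the `>` request lines and `<` response lines, as in the output pasted above) and flags the two symptoms the reporter describes: the gateway answering with a 3xx whose `Location` names a different host, which exposes the upstream address, and the follow-up request arriving without the `Authorization` header that the first request carried. The embedded trace is constructed, condensed from the shape of the one in the issue; the hostnames `gateway.test.tt` and `api.test.tt` are taken from the thread.

```python
"""Detect the 'redirect drops bearer token' pattern in a curl -v trace.

Added example for this issue thread; not part of APISIX or the reporter's
setup. Lines beginning with '> ' are request lines, '< ' are response
lines, '* ' lines are curl commentary and are ignored.
"""
from urllib.parse import urlsplit

# Constructed trace, condensed from the shape of the one in the issue.
SAMPLE_TRACE = """\
> GET /testapi/wtv/index.html HTTP/2
> Host: gateway.test.tt
> authorization: Bearer XXXXXXXXXXXX
> accept: */*

< HTTP/2 302
< location: https://api.test.tt/api/
< server: APISIX/3.6.0

* Issue another request to this URL: 'https://api.test.tt/api/'
> GET /api/ HTTP/1.1
> Host: api.test.tt
> Accept: */*

< HTTP/1.1 401
< www-authenticate: Bearer
"""

_METHODS = ("GET ", "POST ", "PUT ", "DELETE ", "HEAD ", "PATCH ", "OPTIONS ")


def parse_exchanges(trace):
    """Split a curl -v trace into a list of (request_headers, response_headers).

    Header names are lower-cased because HTTP/2 traces print them that way
    while HTTP/1.1 traces keep the client's capitalisation. The request line
    is stored under ':method' and ':path', the status code under ':status'.
    """
    exchanges = []
    req = None
    resp = None
    for line in trace.splitlines():
        if line.startswith("> "):
            body = line[2:]
            if body.startswith(_METHODS):
                # A new request line starts a new exchange; flush the previous one.
                if req is not None:
                    exchanges.append((req, resp or {}))
                req, resp = {}, None
                req[":method"], req[":path"], _ = body.split(" ", 2)
            elif ":" in body and req is not None:
                name, value = body.split(":", 1)
                req[name.strip().lower()] = value.strip()
        elif line.startswith("< "):
            body = line[2:]
            if body.startswith("HTTP/"):
                resp = {":status": int(body.split()[1])}
            elif ":" in body and resp is not None:
                name, value = body.split(":", 1)
                resp[name.strip().lower()] = value.strip()
    if req is not None:
        exchanges.append((req, resp or {}))
    return exchanges


def find_token_loss(exchanges):
    """Return findings (strings) for each redirect that leaks the upstream
    host or that the client followed without its Authorization header."""
    findings = []
    for i in range(len(exchanges) - 1):
        req, resp = exchanges[i]
        next_req, _ = exchanges[i + 1]
        status = resp.get(":status", 0)
        if not 300 <= status < 400:
            continue
        origin_host = req.get("host", "")
        target_host = urlsplit(resp.get("location", "")).hostname or ""
        if target_host and target_host != origin_host:
            findings.append(
                f"{status} from {origin_host} redirects to another host "
                f"({target_host}): the gateway is exposing the upstream address"
            )
        if "authorization" in req and "authorization" not in next_req:
            findings.append(
                f"Authorization header present on the request to {origin_host} "
                f"but absent on the follow-up request to {next_req.get('host', '?')}"
            )
    return findings


def analyse(trace=SAMPLE_TRACE):
    """Convenience wrapper: parse a trace and return its findings."""
    return find_token_loss(parse_exchanges(trace))


if __name__ == "__main__":
    for finding in analyse():
        print("-", finding)
```

Run against the constructed trace it reports both findings. The resolution in this thread was configuration, not a client bug: with `scheme: https` set on the ApisixUpstream the gateway proxies to the upstream directly and no 302 is issued, so the client never has to follow a cross-host redirect. The missing token on the second request is the client's own doing: libcurl-based clients (curl since 7.58.0, and Insomnia here) deliberately drop a custom `Authorization` header when following a redirect to a different host, precisely so that a bearer token is not leaked to whatever host a redirect points at.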
