help request: error accessing route after configuring ip-restriction on consumer
Description
After configuring ip-restriction in the consumer, the route can no longer be accessed normally. The error log is:
2023/07/25 07:12:35 [error] 50#50: *10970426 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:116: bad argument #1 to 'lower' (string expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'lower'
/usr/local/openresty/lualib/resty/core/request.lua:116: in function '__index'
/usr/local/apisix/apisix/core/request.lua:103: in function 'header'
/usr/local/apisix/apisix/plugins/jwt-auth.lua:188: in function 'fetch_jwt_token'
/usr/local/apisix/apisix/plugins/jwt-auth.lua:355: in function 'phase_func'
/usr/local/apisix/apisix/plugin.lua:897: in function 'run_plugin'
/usr/local/apisix/apisix/init.lua:453: in function 'http_access_phase'
access_by_lua(nginx.conf:303):2: in main chunk, client: 192.168.88.66, server: _, request: "GET /apisixtest/login HTTP/1.1", host: "10.4.16.100:9080"
the route cfg:
{
"id": "470105498213941950",
"create_time": 1689734312,
"update_time": 1690269096,
"uri": "/apisixtest/*",
"name": "apisix_test",
"priority": 1,
"methods": [
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"GET",
"POST"
],
"plugins": {
"basic-auth": {
"disable": false
},
"proxy-rewrite": {
"regex_uri": [
"^/apisixtest(/|$)(.*)",
"/$2"
]
}
},
"upstream": {
"nodes": [
{
"host": "192.168.88.66",
"port": 9081,
"weight": 1
}
],
"retries": 2,
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"scheme": "http",
"pass_host": "pass",
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
},
"retry_timeout": 2
},
"status": 1
}
the consumer cfg is:
{
"username": "basic_ip_res",
"plugins": {
"basic-auth": {
"disable": false,
"password": "123",
"username": "xubin"
},
"ip-restriction": {
"blacklist": [
"10.210.21.152"
],
"disable": false,
"message": "blacklist"
}
},
"create_time": 1690269000,
"update_time": 1690269000,
"consumerNameStr": "basic-auth,ip-restriction"
}
Environment
- APISIX version (run apisix version): 2.15
- Operating system (run uname -a):
- OpenResty / Nginx version (run openresty -V or nginx -V):
- etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run luarocks --version):
Can you provide reproduction steps? thx
@bin-53 I see the error is coming from wrongly configured jwt-auth plugin but your configuration doesn't show the jwt-auth config. Can you share all the other routes config as well? Especially for /login where the request was redirected
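Reading the traceback the way the comment above does, as an added example (not part of the original thread and not APISIX code): the Python sketch below pulls the plugin frames out of the error log quoted in the report and compares them with the plugins listed on the route. The function names `triage` and `unexpected_plugins` are assumptions made for this example.

```python
import re

# Sample input: the error-log lines quoted in the report above.
SAMPLE_LOG = """\
2023/07/25 07:12:35 [error] 50#50: *10970426 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:116: bad argument #1 to 'lower' (string expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'lower'
/usr/local/openresty/lualib/resty/core/request.lua:116: in function '__index'
/usr/local/apisix/apisix/core/request.lua:103: in function 'header'
/usr/local/apisix/apisix/plugins/jwt-auth.lua:188: in function 'fetch_jwt_token'
/usr/local/apisix/apisix/plugins/jwt-auth.lua:355: in function 'phase_func'
/usr/local/apisix/apisix/plugin.lua:897: in function 'run_plugin'
/usr/local/apisix/apisix/init.lua:453: in function 'http_access_phase'
access_by_lua(nginx.conf:303):2: in main chunk, client: 192.168.88.66, server: _, request: "GET /apisixtest/login HTTP/1.1", host: "10.4.16.100:9080"
"""

ERROR_RE = re.compile(r"runtime error: (?P<file>\S+):(?P<line>\d+): (?P<msg>.+)$")
FRAME_RE = re.compile(r"^(?P<file>/\S+\.lua):(?P<line>\d+): in function '(?P<func>[^']+)'")
PLUGIN_RE = re.compile(r"/apisix/plugins/(?P<name>[\w-]+)\.lua$")
REQUEST_RE = re.compile(r'request: "(?P<request>[^"]+)"')


def triage(log_text):
    """Return the runtime error, the request line and the plugin frames (innermost first)."""
    result = {"error": None, "request": None, "plugin_frames": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        err = ERROR_RE.search(line)
        if err and result["error"] is None:
            result["error"] = err.group("msg")
        req = REQUEST_RE.search(line)
        if req:
            result["request"] = req.group("request")
        frame = FRAME_RE.match(line)
        if frame:
            plugin = PLUGIN_RE.search(frame.group("file"))
            if plugin:  # keep only frames that live under apisix/plugins/
                result["plugin_frames"].append(
                    (plugin.group("name"), frame.group("func"), int(frame.group("line"))))
    return result


def unexpected_plugins(result, route_plugins):
    """Plugins that appear in the traceback but are not listed on the route."""
    seen = {name for name, _, _ in result["plugin_frames"]}
    return sorted(seen - set(route_plugins))
```

Running `unexpected_plugins(triage(SAMPLE_LOG), ["basic-auth", "proxy-rewrite"])` points at jwt-auth, which the route does not list, so the configuration to inspect next is the consumer's.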
Hello, consumer, you can see this (removing the ip-restriction gives you normal access):
{
"username": "ces",
"desc": "c二十111",
"plugins": {
"basic-auth": {
"disable": false,
"password": "yc",
"username": "yc"
},
"ip-restriction": {
"blacklist": [
"192.168.88.62"
],
"disable": false,
"message": "blacklist"
},
"jwt-auth": {
"algorithm": "HS512",
"base64_secret": true,
"disable": false,
"exp": 100,
"key": "yc",
"secret": "yc"
},
"key-auth": {
"disable": false,
"key": "yc"
},
"limit-req": {
"allow_degradation": true,
"burst": 5,
"disable": false,
"key": "http_x_forwarded_for",
"nodelay": true,
"rate": 5,
"rejected_code": 404,
"rejected_msg": "dianjisudu请求太快了"
}
},
"create_time": 1689745177,
"update_time": 1690272367,
"consumerNameStr": "basic-auth,ip-restriction,jwt-auth,key-auth,limit-req"
}
I only have one route in effect and all the others are closed
Thank you for your reply. You can see:
1. Set the route cfg:
{
"id": "470105498213941950",
"create_time": 1689734312,
"update_time": 1690275844,
"uri": "/apisixtest/*",
"name": "apisix_test",
"priority": 1,
"methods": [
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"GET",
"POST"
],
"plugins": {
"basic-auth": {
"disable": false
},
"proxy-rewrite": {
"regex_uri": [
"^/apisixtest(/|$)(.*)",
"/$2"
]
}
},
"upstream": {
"nodes": [
{
"host": "192.168.88.66",
"port": 9081,
"weight": 1
}
],
"retries": 2,
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"scheme": "http",
"pass_host": "pass",
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
},
"retry_timeout": 2
},
"status": 1
}
2. Set the consumer cfg:
{
"username": "ces",
"desc": "c二十111",
"plugins": {
"basic-auth": {
"disable": false,
"password": "yc",
"username": "yc"
},
"ip-restriction": {
"blacklist": [
"192.168.88.66",
"192.168.88.61"
],
"disable": false,
"message": "黑名单"
},
"jwt-auth": {
"algorithm": "HS512",
"base64_secret": true,
"disable": false,
"exp": 100,
"key": "yc",
"secret": "yc"
},
"key-auth": {
"disable": false,
"key": "yc"
}
},
"create_time": 1689745177,
"update_time": 1690275902,
"consumerNameStr": "basic-auth,ip-restriction,jwt-auth,key-auth"
}
3. Request the URL:
Can you help me?
@bin-53 you have provided multiple configurations at different places. Please provide one final configuration and all the commands that you used to reproduce this issue.
@bin-53 Were you able to fix the issue?
@shreemaan-abhishek @moonming I am facing a similar issue. Please find my configuration below:
Consumers:
curl http://localhost:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"plugins": {
"basic-auth": {
"username": "Developer3",
"password": "User@123"
}
},
"username": "Developer3",
"group_id": "admin_users"
}'
curl http://localhost:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"plugins": {
"jwt-auth": {
"secret": "$ENV://JWT_SECRET",
"key": "Developer2",
"exp": 86400
}
},
"username": "Developer2",
"group_id": "admin_users"
}'
Route :
curl http://localhost:9180/apisix/admin/routes/497215749975180242 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{
"plugins": {
"multi-auth": {
"auth_plugins": [
{
"basic-auth": {}
},{
"jwt-auth": {}
}
]
},
"proxy-rewrite": {
"regex_uri": ["^/api/(.*)", "/$1"]
},
"response-rewrite": {
"_meta": {
"disable": false
},
"filters": [{
"replace": "localhost:30075/api",
"regex": "localhost:9080",
"scope": "global"
}
]
},
"consumer-restriction": {
"whitelist": ["admin_users"],
"type": "consumer_group_id",
"rejected_msg": "Access Dinied",
"rejected_code": 403,
"_meta": {
"disable": false
}
}
},
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE", "PURGE"],
"name": "Test api",
"uri": "/api/*",
"upstream_id": "497215591497597906"
}'
Error in APISIX:
2024/03/13 07:40:09 [error] 56#56: *27373156 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:118: bad argument #1 to 'lower' (string expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'lower'
/usr/local/openresty/lualib/resty/core/request.lua:118: in function '__index'
/usr/local/apisix/apisix/core/request.lua:110: in function 'header'
/usr/local/apisix/apisix/plugins/jwt-auth.lua:182: in function 'fetch_jwt_token'
/usr/local/apisix/apisix/plugins/jwt-auth.lua:337: in function 'rewrite'
/usr/local/apisix/apisix/plugins/multi-auth.lua:71: in function 'phase_func'
/usr/local/apisix/apisix/plugin.lua:1154: in function 'run_plugin'
/usr/local/apisix/apisix/init.lua:688: in function 'http_access_phase'
access_by_lua(nginx.conf:282):2: in main chunk, client: 10.244.64.0, server: _, request: "GET /api/test HTTP/1.1", host: "localhost:80"
curl request:
curl localhost:80/api/test -H 'Authorization: <jwt-token>' -i
I am currently using apisix version 3.8.0
@Bishnup1995 please share the configuration for consumer_group with group_id = admin as well.
@shreemaan-abhishek please find the consumer_group configuration:
curl http://localhost:9180/apisix/admin/consumer_groups/admin_users -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"plugins": {}
}'
@Bishnup1995. Thanks, but it seems there is something wrong with the route configuration.
Also, I'd recommend sharing a minimal example that causes this bug. Right now you have already configured a lot of plugins, they might not be needed to repro this bug. Please revert with a simple/minimal example. Thanks.
Hey @shreemaan-abhishek thank you for your response. Please find a reproducible config below:
- Create a consumer group:
curl http://localhost:9180/apisix/admin/consumer_groups/test_users -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"plugins": {}
}'
- Create 1st consumer
curl http://localhost:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"username": "foo1",
"group_id": "test_users",
"plugins": {
"basic-auth": {
"username": "foo1",
"password": "bar1"
}
}
}'
- Create 2nd consumer
curl http://localhost:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"username": "foo2",
"group_id": "test_users",
"plugins": {
"jwt-auth": {
"secret": "dz-e6*6-fo*c4zh^mjihqcw2)#zea@z&_asdd06#-^2utxxc*b",
"key": "foo2",
"exp": 86400
}
}
}'
- Create Route
curl http://localhost:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"methods": ["GET"],
"uri": "/api/*",
"plugins": {
"multi-auth":{
"auth_plugins":[
{
"basic-auth":{ }
},
{
"jwt-auth": {}
}
]
},
"proxy-rewrite": {
"regex_uri": ["^/api/(.*)", "/$1"]
},
"consumer-restriction": {
"whitelist": ["test_users"],
"type": "consumer_group_id",
"rejected_msg": "Access Dinied",
"rejected_code": 403,
"_meta": {
"disable": false
}
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"localhost:9180": 1
}
}
}'
- Access the route
curl localhost:9080/api/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -H 'Authorization: eyJhbGciOiJIUzI1NiJ9.eyJrZXkiOiJmb28yIiwic3ViIjoidGVzdCIsImp0aSI6IjU1NWM4NGI3LTc1ODEtNDZiYS04NDJmLTJhZTU0MGQzM2MwZCIsImlzcyI6InRlc3QiLCJpYXQiOjE3MTAzMjE1MjUsImV4cCI6MTcxMDM4MTUyNX0.D6c9pGwnjdEo-Js1Nrrmr0bJ-ZL2NWKFQp2aea0zDUg'
Note: When I do the below call it works
curl localhost:9080/api/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -ufoo1:bar1
okay I could successfully repro this bug now.
Hi @shreemaan-abhishek any suggestion on the bug?
I planned to fix this but I don't have much free time right now