Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(balancer): refresh uri and tls scheme in ai-proxy-advanced balancer phase #14007

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,205 @@
diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua
index 7d64d63..b0b7543 100644
--- a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua
+++ b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua
@@ -22,6 +22,7 @@ local ngx_lua_ffi_balancer_set_current_peer
local ngx_lua_ffi_balancer_set_more_tries
local ngx_lua_ffi_balancer_get_last_failure
local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http
+local ngx_lua_ffi_balancer_set_upstream_tls


if subsystem == 'http' then
@@ -41,6 +42,8 @@ if subsystem == 'http' then

int ngx_http_lua_ffi_balancer_recreate_request(ngx_http_request_t *r,
char **err);
+ int ngx_http_lua_ffi_balancer_set_upstream_tls(ngx_http_request_t *r,
+ int on, char **err);
]]

ngx_lua_ffi_balancer_set_current_peer =
@@ -55,6 +58,9 @@ if subsystem == 'http' then
ngx_lua_ffi_balancer_set_timeouts =
C.ngx_http_lua_ffi_balancer_set_timeouts

+ ngx_lua_ffi_balancer_set_upstream_tls =
+ C.ngx_http_lua_ffi_balancer_set_upstream_tls
+
elseif subsystem == 'stream' then
ffi.cdef[[
int ngx_stream_lua_ffi_balancer_set_current_peer(
@@ -228,6 +234,29 @@ if subsystem == 'http' then

return nil, "failed to recreate the upstream request"
end
+
+
+ function _M.set_upstream_tls(on)
+ local r = get_request()
+ if not r then
+ return error("no request found")
+ end
+
+ local rc
+
+ if on == 0 or on == false then
+ on = 0
+ else
+ on = 1
+ end
+
+ rc = ngx_lua_ffi_balancer_set_upstream_tls(r, on, errmsg);
+ if rc == FFI_OK then
+ return true
+ end
+
+ return nil, ffi_str(errmsg[0])
+ end
end


diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md
index ef2f124..3ec8cb9 100644
--- a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md
+++ b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md
@@ -13,11 +13,12 @@ Table of Contents
* [stream subsystem](#stream-subsystem)
* [Description](#description)
* [Methods](#methods)
+ * [get_last_failure](#get_last_failure)
+ * [recreate_request](#recreate_request)
* [set_current_peer](#set_current_peer)
* [set_more_tries](#set_more_tries)
- * [get_last_failure](#get_last_failure)
* [set_timeouts](#set_timeouts)
- * [recreate_request](#recreate_request)
+ * [set_upstream_tls](#set_upstream_tls)
* [Community](#community)
* [English Mailing List](#english-mailing-list)
* [Chinese Mailing List](#chinese-mailing-list)
@@ -270,6 +271,21 @@ This function was first added in the `0.1.20` version of this library.

[Back to TOC](#table-of-contents)

+set_upstream_tls
+------------
+**syntax:** `ok, err = balancer.set_upstream_tls(on)`
+
+**context:** *balancer_by_lua**
+
+Turn off the HTTPs or reenable the HTTPs for the upstream connection.
+
+- If `on` is `true`, then the https protocol will be used to connect to the upstream server.
+- If `on` is `false`, then the http protocol will be used to connect to the upstream server.
+
+This function was first added in the `0.1.29` version of this library.
+
+[Back to TOC](#table-of-contents)
+
Community
=========

diff --git a/bundle/lua-resty-core-0.1.28/t/balancer.t b/bundle/lua-resty-core-0.1.28/t/balancer.t
index 3e9fb2f..6201b47 100644
--- a/bundle/lua-resty-core-0.1.28/t/balancer.t
+++ b/bundle/lua-resty-core-0.1.28/t/balancer.t
@@ -882,3 +882,98 @@ connect() failed (111: Connection refused) while connecting to upstream, client:
--- no_error_log
[warn]
[crit]
+
+
+
+=== TEST 20: set_upstream_tls off
+--- skip_nginx: 5: < 1.7.5
+--- http_config
+ lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+ upstream backend {
+ server 0.0.0.1;
+ balancer_by_lua_block {
+ local b = require "ngx.balancer"
+ b.set_current_peer("127.0.0.1", tonumber(ngx.var.server_port))
+ b.set_upstream_tls(false)
+ }
+ keepalive 1;
+ }
+
+ server {
+ listen $TEST_NGINX_RAND_PORT_1 ssl;
+ ssl_certificate ../../cert/test.crt;
+ ssl_certificate_key ../../cert/test.key;
+
+ server_tokens off;
+ location = /back {
+ return 200 "ok";
+ }
+ }
+--- config
+ location /t {
+ proxy_pass https://backend/back;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ }
+
+ location /back {
+ echo "Hello world!";
+ }
+--- request
+ GET /t
+--- no_error_log
+[alert]
+[error]
+--- response_body
+Hello world!
+
+--- no_check_leak
+
+
+
+=== TEST 21: set_upstream_tls on
+--- skip_nginx: 5: < 1.7.5
+--- http_config
+ lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+ upstream backend {
+ server 0.0.0.1;
+ balancer_by_lua_block {
+ local b = require "ngx.balancer"
+ b.set_current_peer("127.0.0.1", $TEST_NGINX_RAND_PORT_1)
+ b.set_upstream_tls(false)
+ b.set_upstream_tls(true)
+ }
+
+ keepalive 1;
+ }
+
+ server {
+ listen $TEST_NGINX_RAND_PORT_1 ssl;
+ ssl_certificate ../../cert/test.crt;
+ ssl_certificate_key ../../cert/test.key;
+
+ server_tokens off;
+ location = /back {
+ return 200 "ok";
+ }
+ }
+--- config
+ location /t {
+ proxy_pass https://backend/back;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ }
+
+ location /back {
+ echo "Hello world!";
+ }
+--- request
+ GET /t
+--- no_error_log
+[alert]
+[error]
+--- response_body chomp
+ok
+--- no_check_leak
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
diff --git a/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c b/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c
index 4eb6931..5a2f959 100644
--- a/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c
+++ b/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c
@@ -1277,6 +1277,13 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)

ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);

+ // make sure we refresh the proxy upstream uri in balancer retry scenarios
+ if (r->upstream_states && r->upstream_states->nelts > 0) {
+ if (ngx_http_proxy_eval(r, ctx, plcf) != NGX_OK) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @ADD-SP this would need some performance test to validate

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure the performance impact here, is there a way to detect if the upstream tls option has been changed, and then decide if we need to do the config parsing again here? e.g. could we use ctx to mark if the options has been changed from lua side, and if not changed, we just skip the refresh of variables here?

Copy link
Member

@Oyami-Srk Oyami-Srk Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this patch is used to alter the TLS option. It looks like "reevaluating URI every time we make requests".
IIUC, before this patch, evaluating URI will perform only once when the config is processed and use evaluated value after that. Thus, altering some variables in URI will not be able to work normally.
I'm not sure if I understand correctly, Please correct me if I'm wrong. @oowl

Copy link
Member

@Oyami-Srk Oyami-Srk Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just confirmed "feat(patch): refresh upstream uri variable when proxy pass balancer recreate" will cause regressions in RPS, latency and DP memory usage in change-route scenario.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Oyami-Srk The option to alter TLS on/off is from another commit in this PR. The change here is to alter upstream_uri,
as kong uses a variable in proxy_pass, this patch make sure in a failover when we update the upstream_uri, the variable is re-evaluated so that nginx will build an updated request on it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just confirmed "feat(patch): refresh upstream uri variable when proxy pass balancer recreate" will cause regressions in RPS, latency and DP memory usage in change-route scenario.

@oowl I guess what we can do next to make sure this ngx_http_proxy_eval is only called the second time (aka in a failover) in a request.

+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+
if (method.len == 4
&& ngx_strncasecmp(method.data, (u_char *) "HEAD", 4) == 0)
{
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c
index af4da73..f119948 100644
--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c
+++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c
@@ -808,5 +808,46 @@ ngx_http_lua_ffi_balancer_recreate_request(ngx_http_request_t *r,
return u->create_request(r);
}

+int
+ngx_http_lua_ffi_balancer_set_upstream_tls(ngx_http_request_t *r, int on,
+ char **err)
+{
+ ngx_http_lua_ctx_t *ctx;
+ ngx_http_upstream_t *u;
+
+ if (r == NULL) {
+ *err = "no request found";
+ return NGX_ERROR;
+ }
+
+ u = r->upstream;
+
+ if (u == NULL) {
+ *err = "no upstream found";
+ return NGX_ERROR;
+ }
+
+ ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module);
+ if (ctx == NULL) {
+ *err = "no ctx found";
+ return NGX_ERROR;
+ }
+
+ if ((ctx->context & NGX_HTTP_LUA_CONTEXT_BALANCER) == 0) {
+ *err = "API disabled in the current context";
+ return NGX_ERROR;
+ }
+
+ if (on == 0) {
+ u->ssl = 0;
+ u->schema.len = sizeof("http://") - 1;
+
+ } else {
+ u->ssl = 1;
+ u->schema.len = sizeof("https://") - 1;
+ }
+
+ return NGX_OK;
+}

/* vi:set ft=c ts=4 sw=4 et fdm=marker: */
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
message: backport balancer.set_upstream_tls feature from openresty upstream [openresty/lua-resty-core#460](https://github.com/openresty/lua-resty-core/pull/460)
type: feature
scope: Core
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
message: dynamic control upstream tls when kong.service.request.set_scheme was called
type: feature
scope: PDK
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
message: refresh upstream uri variable when proxy pass balancer recreate
type: feature
scope: Core
21 changes: 20 additions & 1 deletion kong/pdk/service/request.lua
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ local cjson = require "cjson.safe"
local buffer = require "string.buffer"
local checks = require "kong.pdk.private.checks"
local phase_checker = require "kong.pdk.private.phases"

local balancer = require "ngx.balancer"

local ngx = ngx
local ngx_var = ngx.var
Expand Down Expand Up @@ -112,6 +112,15 @@ local function new(self)
error("invalid scheme: " .. scheme, 2)
end

if ngx.get_phase() == "balancer" then
if scheme == "https" then
kong.service.request.enable_tls()
end
if scheme == "http" then
kong.service.request.disable_tls()
end
end

ngx_var.upstream_scheme = scheme
end

Expand Down Expand Up @@ -711,6 +720,16 @@ local function new(self)

return disable_proxy_ssl()
end
else
request.disable_tls = function()
check_phase(preread_and_balancer)
return balancer.set_upstream_tls(false)
end

request.enable_tls = function()
check_phase(preread_and_balancer)
return balancer.set_upstream_tls(true)
end
end

return request
Expand Down
24 changes: 24 additions & 0 deletions t/01-pdk/06-service-request/00-phase_checks.t
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,30 @@ qq{
body_filter = false,
log = false,
admin_api = "forced false",
},{
method = "disable_tls",
args = { },
init_worker = "forced false",
certificate = "pending",
rewrite = "forced false",
access = "forced false",
response = "forced false",
header_filter = "forced false",
body_filter = "forced false",
log = "forced false",
admin_api = "forced false",
},{
method = "enable_tls",
args = { },
init_worker = "forced false",
certificate = "pending",
rewrite = "forced false",
access = "forced false",
response = "forced false",
header_filter = "forced false",
body_filter = "forced false",
log = "forced false",
admin_api = "forced false",
},
}

Expand Down
Loading