Merge branch 'apache:master' into doc_10893

.requirements

@@ -17,4 +17,4 @@
 
 APISIX_PACKAGE_NAME=apisix
 
-APISIX_RUNTIME=1.1.1
+APISIX_RUNTIME=1.2.0

Makefile

@@ -312,6 +312,9 @@ install: runtime
 	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/limit-conn
 	$(ENV_INSTALL) apisix/plugins/limit-conn/*.lua $(ENV_INST_LUADIR)/apisix/plugins/limit-conn/
 
+	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/limit-req
+	$(ENV_INSTALL) apisix/plugins/limit-req/*.lua $(ENV_INST_LUADIR)/apisix/plugins/limit-req/
+
 	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/limit-count
 	$(ENV_INSTALL) apisix/plugins/limit-count/*.lua $(ENV_INST_LUADIR)/apisix/plugins/limit-count/
 

apisix-master-0.rockspec

@@ -79,7 +79,7 @@ dependencies = {
     "nanoid = 0.1-1",
     "lua-resty-mediador = 0.1.2-1",
     "lua-resty-ldap = 0.1.0-0",
-    "lua-resty-t1k = 1.1.0",
+    "lua-resty-t1k = 1.1.1",
     "brotli-ffi = 0.3-1",
     "lua-ffi-zlib = 0.6-0"
 }

apisix/cli/ngx_tpl.lua

@@ -628,12 +628,15 @@ http {
     {% end %}
 
     server {
+        {% if enable_http2 then %}
+        http2 on;
+        {% end %}
         {% for _, item in ipairs(node_listen) do %}
-        listen {* item.ip *}:{* item.port *} default_server {% if item.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
+        listen {* item.ip *}:{* item.port *} default_server {% if enable_reuseport then %} reuseport {% end %};
         {% end %}
         {% if ssl.enable then %}
         {% for _, item in ipairs(ssl.listen) do %}
-        listen {* item.ip *}:{* item.port *} ssl default_server {% if item.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
+        listen {* item.ip *}:{* item.port *} ssl default_server {% if enable_reuseport then %} reuseport {% end %};
         {% end %}
         {% end %}
         {% if proxy_protocol and proxy_protocol.listen_http_port then %}

apisix/cli/ops.lua

@@ -413,6 +413,7 @@ Please modify "admin_key" in conf/config.yaml .
         end
     end
 
+    local enable_http2_global = false
     local node_listen = {}
     -- listen in http, support multiple ports and specific IP, compatible with the original style
     if type(yaml_conf.apisix.node_listen) == "number" then
@@ -443,6 +444,9 @@ Please modify "admin_key" in conf/config.yaml .
                 if enable_http2 == nil then
                     enable_http2 = false
                 end
+                if enable_http2 == true then
+                    enable_http2_global = true
+                end
 
                 listen_table_insert(node_listen, "http", ip, port,
                         enable_http2, enable_ipv6)
@@ -473,12 +477,16 @@ Please modify "admin_key" in conf/config.yaml .
         if enable_http2 == nil then
             enable_http2 = false
         end
+        if enable_http2 == true then
+            enable_http2_global = true
+        end
 
         listen_table_insert(ssl_listen, "https", ip, port,
                 enable_http2, enable_ipv6)
     end
 
     yaml_conf.apisix.ssl.listen = ssl_listen
+    yaml_conf.apisix.enable_http2 = enable_http2_global
 
     if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
         local cert_path = yaml_conf.apisix.ssl.ssl_trusted_certificate

apisix/core/config_etcd.lua

@@ -227,7 +227,7 @@ local function do_run_watch(premature)
             log.warn("watch canceled by etcd, res: ", inspect(res))
             if res.result.compact_revision then
                 watch_ctx.rev = tonumber(res.result.compact_revision)
-                log.warn("etcd compacted, compact_revision=", watch_ctx.rev)
+                log.error("etcd compacted, compact_revision=", watch_ctx.rev)
                 produce_res(nil, "compacted")
             end
             cancel_watch(http_cli)
@@ -629,7 +629,7 @@ local function sync_data(self)
     if not dir_res then
         if err == "compacted" then
             self.need_reload = true
-            log.warn("waitdir [", self.key, "] err: ", err,
+            log.error("waitdir [", self.key, "] err: ", err,
                      ", will read the configuration again via readdir")
             return false
         end

apisix/core/request.lua

@@ -282,6 +282,15 @@ function _M.get_body(max_size, ctx)
         end
     end
 
+    -- check content-length header for http2/http3
+    do
+        local var = ctx and ctx.var or ngx.var
+        local content_length = tonumber(var.http_content_length)
+        if (var.server_protocol == "HTTP/2.0" or var.server_protocol == "HTTP/3.0")
+            and not content_length then
+            return nil, "HTTP2/HTTP3 request without a Content-Length header"
+        end
+    end
     req_read_body()
 
     local req_body = req_get_body_data()

apisix/discovery/consul/init.lua

@@ -45,6 +45,7 @@ local next               = next
 local all_services = core.table.new(0, 5)
 local default_service
 local default_weight
+local sort_type
 local skip_service_map = core.table.new(0, 1)
 local dump_params
 
@@ -339,6 +340,25 @@ local function watch_result_is_valid(watch_type, index, catalog_index, health_in
 end
 
 
+local function combine_sort_nodes_cmp(left, right)
+    if left.host ~= right.host then
+        return left.host < right.host
+    end
+
+    return left.port < right.port
+end
+
+
+local function port_sort_nodes_cmp(left, right)
+    return left.port < right.port
+end
+
+
+local function host_sort_nodes_cmp(left, right)
+    return left.host < right.host
+end
+
+
 function _M.connect(premature, consul_server, retry_delay)
     if premature then
         return
@@ -489,6 +509,7 @@ function _M.connect(premature, consul_server, retry_delay)
             if is_not_empty(result.body) then
                 -- add services to table
                 local nodes = up_services[service_name]
+                local nodes_uniq = {}
                 for _, node in ipairs(result.body) do
                     if not node.Service then
                         goto CONTINUE
@@ -500,12 +521,29 @@ function _M.connect(premature, consul_server, retry_delay)
                         nodes = core.table.new(1, 0)
                         up_services[service_name] = nodes
                     end
-                    -- add node to nodes table
-                    core.table.insert(nodes, {
-                        host = svc_address,
-                        port = tonumber(svc_port),
-                        weight = default_weight,
-                    })
+                    -- not store duplicate service IDs.
+                    local service_id = svc_address .. ":" .. svc_port
+                    if not nodes_uniq[service_id] then
+                        -- add node to nodes table
+                        core.table.insert(nodes, {
+                            host = svc_address,
+                            port = tonumber(svc_port),
+                            weight = default_weight,
+                        })
+                        nodes_uniq[service_id] = true
+                    end
+                end
+                if nodes then
+                    if sort_type == "port_sort" then
+                        core.table.sort(nodes, port_sort_nodes_cmp)
+
+                    elseif sort_type == "host_sort" then
+                        core.table.sort(nodes, host_sort_nodes_cmp)
+
+                    elseif sort_type == "combine_sort" then
+                        core.table.sort(nodes, combine_sort_nodes_cmp)
+
+                    end
                 end
                 up_services[service_name] = nodes
             end
@@ -592,6 +630,7 @@ function _M.init_worker()
 
     log.notice("consul_conf: ", json_delay_encode(consul_conf, true))
     default_weight = consul_conf.weight
+    sort_type = consul_conf.sort_type
     -- set default service, used when the server node cannot be found
     if consul_conf.default_service then
         default_service = consul_conf.default_service

apisix/discovery/consul/schema.lua

@@ -44,6 +44,11 @@ return {
                 wait = 60,
             }
         },
+        sort_type = {
+            type = "string",
+            enum = {"origin", "host_sort", "port_sort", "combine_sort"},
+            default = "origin",
+        },
         skip_services = {
             type = "array",
             minItems = 1,

apisix/plugins/cors.lua

@@ -341,15 +341,32 @@ function _M.header_filter(conf, ctx)
     local req_origin =  ctx.original_request_origin
     -- If allow_origins_by_regex is not nil, should be matched to it only
     local allow_origins
-    if conf.allow_origins_by_regex == nil then
-        allow_origins = process_with_allow_origins(
-            TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
+    local allow_origins_local = false
+    if conf.allow_origins_by_metadata then
+        allow_origins = process_with_allow_origins_by_metadata(
+            TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_metadata, ctx, req_origin
         )
+        if not match_origins(req_origin, allow_origins) then
+            if conf.allow_origins and conf.allow_origins ~= "*" then
+                allow_origins_local = true
+            end
+        end
     else
-        allow_origins = process_with_allow_origins_by_regex(
-            TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
-            conf, ctx, req_origin
-        )
+        allow_origins_local = true
+    end
+    if conf.allow_origins_by_regex == nil then
+        if allow_origins_local then
+            allow_origins = process_with_allow_origins(
+                TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
+            )
+        end
+    else
+        if allow_origins_local then
+            allow_origins = process_with_allow_origins_by_regex(
+                TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
+                conf, ctx, req_origin
+            )
+        end
     end
     if not match_origins(req_origin, allow_origins) then
         allow_origins = process_with_allow_origins_by_metadata(

apisix/plugins/ext-plugin/init.lua

@@ -935,13 +935,14 @@ end
 
 local runner
 local function setup_runner(cmd)
-    runner = spawn_proc(cmd)
 
     ngx_timer_at(0, function(premature)
         if premature then
             return
         end
 
+        runner = spawn_proc(cmd)
+
         while not exiting() do
             while true do
                 -- drain output
@@ -968,7 +969,6 @@ local function setup_runner(cmd)
             end
 
             runner = nil
-
             local ok, err = events:post(events_list._source, events_list.runner_exit)
             if not ok then
                 core.log.error("post event failure with ", events_list._source, ", error: ", err)

apisix/plugins/openid-connect.lua

@@ -72,6 +72,15 @@ local schema = {
                     description = "the key used for the encrypt and HMAC calculation",
                     minLength = 16,
                 },
+                cookie = {
+                    type = "object",
+                    properties = {
+                        lifetime = {
+                            type = "integer",
+                            description = "it holds the cookie lifetime in seconds in the future",
+                        }
+                    }
+                }
             },
             required = {"secret"},
             additionalProperties = false,

ci/centos7-ci.sh

@@ -44,10 +44,7 @@ install_dependencies() {
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
     yum install -y openresty-pcre-devel openresty-zlib-devel
 
-    export runtime_version=${APISIX_RUNTIME}
-    wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime.sh"
-    chmod +x build-apisix-runtime.sh
-    ./build-apisix-runtime.sh latest
+    install_apisix_runtime
     curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
         https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
 

ci/common.sh

@@ -75,6 +75,13 @@ install_curl () {
     curl -V
 }
 
+install_apisix_runtime() {
+    export runtime_version=${APISIX_RUNTIME}
+    wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime.sh"
+    chmod +x build-apisix-runtime.sh
+    ./build-apisix-runtime.sh latest
+}
+
 install_grpcurl () {
     # For more versions, visit https://github.com/fullstorydev/grpcurl/releases
     GRPCURL_VERSION="1.8.5"

ci/linux-install-openresty.sh

@@ -51,10 +51,7 @@ if [ "$OPENRESTY_VERSION" == "source" ]; then
     fi
 fi
 
-export runtime_version=${APISIX_RUNTIME}
-wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime.sh"
-chmod +x build-apisix-runtime.sh
-./build-apisix-runtime.sh latest
+install_apisix_runtime
 
 if [ ! "$ENABLE_FIPS" == "true" ]; then
 curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \

ci/pod/docker-compose.first.yml

@@ -55,6 +55,48 @@ services:
     networks:
       consul_net:
 
+  ## Consul cluster
+  consul_node_1:
+    image: consul:1.7
+    restart: unless-stopped
+    ports:
+      - "9500:8500"
+      - "8300:8300"
+      - "8301:8301"
+      - "8302:8302"
+      - "9600:8600"
+    command: [ "consul", "agent", "-server", "-bootstrap-expect=1", "-bind", "0.0.0.0", "-client", "0.0.0.0", "-node", "node-1", "-log-level", "info", "-data-dir=/consul/data", "-enable-script-checks" ]
+    networks:
+      consul_cluster_net:
+        aliases:
+          - consul.cluster
+
+  consul_node_2:
+    image: consul:1.7
+    restart: unless-stopped
+    environment:
+      - CONSUL_BIND_INTERFACE=eth0
+    ports:
+      - "9501:8500"
+    command: [ "consul", "agent", "-server", "-bind", "0.0.0.0", "-client", "0.0.0.0", "-retry-join", "consul.cluster", "-node", "node-2", "-log-level", "info", "-data-dir=/consul/data", "-enable-script-checks" ]
+    networks:
+      consul_cluster_net:
+        aliases:
+          - consul.cluster
+
+  consul_node_3:
+    image: consul:1.7
+    restart: unless-stopped
+    environment:
+      - CONSUL_BIND_INTERFACE=eth0
+    ports:
+      - "9502:8500"
+    command: [ "consul", "agent", "-server", "-bind", "0.0.0.0", "-client", "0.0.0.0", "-retry-join", "consul.cluster", "-node", "node-3", "-log-level", "info", "-data-dir=/consul/data", "-enable-script-checks" ]
+    networks:
+      consul_cluster_net:
+        aliases:
+          - consul.cluster
+
   ## Nacos cluster
   nacos_auth:
     hostname: nacos1
@@ -246,5 +288,6 @@ services:
 
 
 networks:
+  consul_cluster_net:
   consul_net:
   nacos_net:

ci/redhat-ci.sh

@@ -38,10 +38,7 @@ install_dependencies() {
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
     yum install -y openresty-pcre-devel openresty-zlib-devel
 
-    export runtime_version=${APISIX_RUNTIME}
-    wget "https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/build-apisix-runtime.sh"
-    chmod +x build-apisix-runtime.sh
-    ./build-apisix-runtime.sh latest
+    install_apisix_runtime
     curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
         https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf