I’m having trouble integrating openid-connect plugin with apisix gateway. When I have it enabled I end up getting no response from the API. Any idea what am I doing wrong or how to troubleshoot it? in slack
- enabled openid-connect plugin
curl [http://127.0.0.1:9080/apisix/admin/routes/5](http://127.0.0.1:9080/apisix/admin/routes/5) -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/get",
"plugins": {
"openid-connect": {
"client_id": "my-client",
"client_secret": "XXXX-XXXX-XXX",
"discovery": "[https://my-auth-server/myapi/.well-known/openid-configuration](https://my-auth-server/myapi/.well-known/openid-configuration)",
"access_token_in_authorization_header": true,
"bearer_only": true
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org:80": 1
}
}
}'
- request to the /get endpoint results in
Empty reply from server
curl -i -X GET [http://127.0.0.1:9080/get](http://127.0.0.1:9080/get) -H "Host: httpbin.org" -H "Authorization: Bearer #####token####"
curl: (52) Empty reply from server
3. error.log has the following:
2022/03/18 21:23:09 [alert] 1#1: worker process 124 exited on signal 11
2022/03/18 21:23:09 [warn] 127#127: *723842 [lua] plugin.lua:172: load(): new plugins: {"uri-blocker":true,"fault-injection":true,"serverless-pre-function":true,"wolf-rbac":true,"datadog":true,"authz-keycloak":true,"skywalking-logger":true,"grpc-transcode":true,"splunk-hec-logging":true,"ext-plugin-pre-req":true,"ua-restriction":true,"ext-plugin-post-req":true,"response-rewrite":true,"key-auth":true,"grpc-web":true,"jwt-auth":true,"limit-count":true,"referer-restriction":true,"forward-auth":true,"udp-logger":true,"serverless-post-function":true,"basic-auth":true,"openwhisk":true,"cors":true,"limit-conn":true,"server-info":true,"azure-functions":true,"traffic-split":true,"request-validation":true,"google-cloud-logging":true,"rocketmq-logger":true,"sls-logger":true,"kafka-logger":true,"proxy-control":true,"proxy-rewrite":true,"syslog":true,"consumer-restriction":true,"echo":true,"http-logger":true,"prometheus":true,"redirect":true,"ip-restriction":true,"aws-lambda":true,"limit-req":true,"opa":true,"real-ip":true,"authz-casbin":true,"tcp-logger":true,"zipkin":true,"openid-connect":true,"gzip":true,"example-plugin":true,"request-id":true,"api-breaker":true,"hmac-auth":true,"ldap-auth":true,"proxy-mirror":true,"client-control":true,"proxy-cache":true}, context: init_worker_by_lua*
2022/03/18 21:23:09 [warn] 127#127: *723842 [lua] plugin.lua:222: load_stream(): new plugins: {"limit-conn":true,"ip-restriction":true,"mqtt-proxy":true}, context: init_worker_by_lua*
首先在我本地的 m1 上已安装的 APISIX 上看是否能重现bug。 流程如下:
- 进入 APISIX,使用 ./bin/apisix start 命令启动 APISIX。
- 直接报错 401,这个属于正常情况,因为没有做权限认证,就应该是这样的报错。
换一种重现方式:使用 docker 镜像(arm 版本) https://hub.docker.com/r/apache/apisix/tags#:~:text=3ab0b2f76959-,linux,-/arm64 首先复制命令
apache/apisix/2.12.1-alpine/images/sha256-3ab0b2f76959f057790b35adf2438fea5ae6cbc8c994aff159bf17d72654d857?context=explore
docker pull apache/apisix:2.12.1-alpine@sha256:3ab0b2f76959f057790b35adf2438fea5ae6cbc8c994aff159bf17d72654d857
docker pull nginx:stable-perl@sha256:3ab0b2f76959f057790b35adf2438fea5ae6cbc8c994aff159bf17d72654d857
docker pull nginx:stable-perl@sha256:3ab0b2f76959f057790b35adf2438fea5ae6cbc8c994aff159bf17d72654d857
docker run -itd --rm --name=dev-apisx -v /srv/[github.com/apache/apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml](http://github.com/apache/apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml) apache/apisix
修改:docker tag c8202912bb3a apache/apisix:dev
这个命令用于运行apisix,记住这边得先把 APISIX镜像的tag改了哈改成 apache/apisix:dev
docker run -itd --rm --name=dev-apisx -p 9080:9080 -v /Users/cheverjohn/home/api7/dev_cj/apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml apache/apisix:dev
上面的这条命令要好好理解,这是最终的状态。
![[dockerdestop.png]]
这边还有一个 etcd 的映射端口更改。
这一块需要思考到的地方有, etcd 由于我是本地使用 brew 命令安装的,所以它会默认由brew 守护开启,也就是无论你开关机它都会启动。这个 需要额外关闭。我是通过这条命令看到的
brew info etcd
看到可以这样关闭 etcd
brew services stop etcd
ETCD_UNSUPPORTED_ARCH="arm64" /opt/homebrew/opt/etcd/bin/etcd
ETCD_UNSUPPORTED_ARCH="arm64" /opt/homebrew/opt/etcd/bin/etcd --listen-client-urls=http://0.0.0.0:2379
ETCD_UNSUPPORTED_ARCH="arm64" /opt/homebrew/opt/etcd/bin/etcd --listen-client-urls http://0.0.0.0:2379 --advertise-client-urls http://0.0.0.0:2379 --listen-peer-urls http://0.0.0.0:2380 --initial-advertise-peer-urls http://0.0.0.0:2380
其中为了确认 etcd 的安装位置,他的端口状态,会一直使用到以下命令:
lsof -i:2379
得出运行 2379 端口的进程。
lsof -p PID
根据 PID 得到进程的具体位置,根据这个操作确认到 进程的具体位置。
这里边超哥贡献了一些命令:
history | grep etcd
curl http://192.168.28.179:2379/version
期望通过这个配置,判断是否正常启动好 etcd。
还有命令:
docker logs aae1b3434ce4
这里边的 后边的数字其实是 container ID
此处码一下,希望了解清楚以下两条命令的区别:
docker ps
docker ps -a
下面的代码也要了解清楚各种参数的意思:
docker run -itd --name=dev-apisx -v /Users/cheverjohn/home/api7/dev_cj/apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml apache/apisix:dev
查看日志命令
tail -f error.log
有时候我也看到会连续执行两条命令:
docker stop 9b17b3bbb061
docker rm 9b17b3bbb061
docker rmi c8202912bb3a
检查:
docker inspect apache/apisix:dev
这边配置好 etcd 和 APISIX 之后,开始 curl 请求
ifconfig | grep 192.168
找到了:curl http://192.168.101.161:2379/version