diff --git a/CHANGELOG/unreleased/kong/11538.yaml b/CHANGELOG/unreleased/kong/11538.yaml
new file mode 100644
index 000000000000..c7bbd050e54c
--- /dev/null
+++ b/CHANGELOG/unreleased/kong/11538.yaml
@@ -0,0 +1,7 @@
+message: Fix an issue that protocol `tls_passthrough` can not work with expressions flavor
+type: bugfix
+scope: Core
+prs:
+ - 11538
+jiras:
+ - "KAG-2561"
diff --git a/kong/router/expressions.lua b/kong/router/expressions.lua
index ff54792be1fe..6790939699f1 100644
--- a/kong/router/expressions.lua
+++ b/kong/router/expressions.lua
@@ -32,7 +32,9 @@ local function get_exp_and_priority(route)
 -- give the chance for http redirection (301/302/307/308/426)
 -- and allow tcp works with tls
 if protocols and #protocols == 1 and
- (protocols[1] == "https" or protocols[1] == "tls")
+ (protocols[1] == "https" or
+ protocols[1] == "tls" or
+ protocols[1] == "tls_passthrough")
 then
 return exp, route.priority
 end
diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua
index 8cda0b46e7c6..b8b39777f697 100644
--- a/spec/01-unit/08-router_spec.lua
+++ b/spec/01-unit/08-router_spec.lua
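Review bot: The comment directly above the changed condition, `-- and allow tcp works with tls`, no longer describes the list it guards now that `tls_passthrough` is in it; I would reword it to `-- and let tls / tls_passthrough routes match without a net.protocol predicate`, hedging the reason since the rest of get_exp_and_priority is outside the hunk. The three string comparisons could be folded into a file-scope set so the next protocol is a one-line change, e.g. `local PROTOCOLS_WITHOUT_NET_PROTOCOL = { https = true, tls = true, tls_passthrough = true }` and `if protocols and #protocols == 1 and PROTOCOLS_WITHOUT_NET_PROTOCOL[protocols[1]] then`. Note the exemption still requires exactly one protocol, so a route declaring `{ "tls", "tls_passthrough" }` falls through to whatever the function appends below the hunk, which this commit neither tests nor documents. Because the early return hands back the expression with no protocol constraint at all, a short comment stating where (if anywhere) the declared protocol is enforced for these stream routes would help anyone auditing the matching behaviour.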
@@ -4860,7 +4860,74 @@ end
 do
 local flavor = "expressions"
 
- describe("Router (flavor = " .. flavor .. ")", function()
+ describe("Router (flavor = " .. flavor .. ") [stream]", function()
+ reload_router(flavor, "stream")
+
+ local use_case, router
+
+ local service = {
+ name = "service-invalid",
+ protocol = "tcp",
+ }
+
+ lazy_setup(function()
+ use_case = {
+ {
+ service = service,
+ route = {
+ id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
+ protocols = { "tls" },
+ expression = [[tls.sni == "www.example.com"]],
+ priority = 100,
+ },
+ },
+ {
+ service = service,
+ route = {
+ id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
+ protocols = { "tls_passthrough" },
+ expression = [[tls.sni == "www.example.org"]],
+ priority = 100,
+ },
+ },
+ }
+
+ router = assert(new_router(use_case))
+ end)
+
+ it("exec() should match tls with tls.sni", function()
+ local _ngx = {
+ var = {
+ remote_port = 1000,
+ server_port = 1000,
+ ssl_preread_server_name = "www.example.com",
+ },
+ }
+ router._set_ngx(_ngx)
+ local match_t = router:exec()
+ assert.truthy(match_t)
+
+ assert.same(use_case[1].route, match_t.route)
+ end)
+
+ it("exec() should match tls_passthrough with tls.sni", function()
+ local _ngx = {
+ var = {
+ remote_port = 1000,
+ server_port = 1000,
+ ssl_preread_server_name = "www.example.org",
+ },
+ }
+ router._set_ngx(_ngx)
+ local match_t = router:exec()
+ assert.truthy(match_t)
+
+ assert.same(use_case[2].route, match_t.route)
+ end)
+
+ end)
+
+ describe("Router (flavor = " .. flavor .. ") [http]", function()
 reload_router(flavor)
 
 local use_case, router
diff --git a/spec/02-integration/05-proxy/02-router_spec.lua b/spec/02-integration/05-proxy/02-router_spec.lua
index e6a3c30e0395..d8c1ad223291 100644
--- a/spec/02-integration/05-proxy/02-router_spec.lua
+++ b/spec/02-integration/05-proxy/02-router_spec.lua
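Review bot: The new `[stream]` describe only asserts the two positive matches; because the fix drops the `net.protocol` predicate for `tls_passthrough` routes, a third case with an SNI that matches neither route, e.g. `ssl_preread_server_name = "www.example.net"` followed by `assert.is_nil(router:exec())` (assuming exec() returns nil on no match, as I cannot see the http cases from here), would pin that the exemption does not turn the route into a catch-all for stream connections. The two `_ngx` fixtures differ only in the SNI, so a one-line local helper such as `local function stream_ngx(sni) return { var = { remote_port = 1000, server_port = 1000, ssl_preread_server_name = sni } } end` would keep each `it` down to the assertion that matters. The shared service is named `"service-invalid"` although both routes are expected to match, which reads as a copy-paste leftover. The enclosing `do` block and the renamed `[http]` describe continue past the end of the hunk.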
@@ -1410,7 +1410,7 @@ for _, strategy in helpers.each_strategy() do
 end
 end)
 
- it_trad_only("matches a Route based on its 'snis' attribute", function()
+ it("matches a Route based on its 'snis' attribute", function()
 -- config propagates to stream subsystems not instantly
 -- try up to 10 seconds with step of 2 seconds
 -- in vagrant it takes around 6 seconds