Kong is adding URL encoding before sending upstream #2512
Comments
|
Hi, Thanks for the report. That might indeed very well be the case, we'll investigate. @bungle Did you see this? |
thibaultcha
added
the
task/needs-investigation
|
The relevant tests: The possible bug: I guess that you may need to url decode the uri before supplying it to Docs say: So either it is a bug in OpenResty, or it is expected behavior and requires you to decode before setting it. I suspect it is the latter. |
|
@tecnobrat If you have time, mind you changing the line: that has code: ngx.req.set_uri(new_uri)with ngx.req.set_uri(ngx.unescape_uri(new_uri))And report back if it had any effect. |
|
@bungle I'll try giving it a shot, I'll need to do some docker-fu and report back :) |
|
Hey @bungle yep, that worked. |
bungle
added
task/bug
and removed
task/needs-investigation
|
@bungle Your fix also worked for me, thanks. |
|
I have created a regression test at #2519, but this test exposes that the currently proposed fix is incomplete. I believe that with this fix, Kong is making the upstream request with unescaped URIs ( |
|
@thibaultcha isn't the point here that the upstream request should be unescaped? @tecnobrat isn't that what you're looking for? |
|
No, the point is that Kong needs to be as transparent as possible, and an escaped request from downstream should be forwarded upstream as an escaped request as well. This is the expectation we set when we qualify Kong as a "transparent proxy". |
|
@thibaultcha is correct. The request was pre-escaped. It should be escaped when it hits the resulting upstream. Currently its escaping it TWICE. But it most certainly should not be unescaped completely. However the request was made to kong, it should be made to the upstream. |
|
Thanks for confirming that @tecnobrat.
That is indeed the expectation one might have, and certainly the one we'd like to promise, but we are limited by the current APIs that Nginx/OpenResty are offering us. We are investigating fixes, but so far we don't have a definitive one. |
|
is there any news on this? it's preventing us from upgrading from 0.9.x. |
* The router now returns a 4th value: the URI to use for the upstream call. * The `proxy_pass` directive now inlines a new `$upstream_uri` variable which contains a raw string with both the Nginx `$request_uri` and `$args` variables. * Update the router value return test * New test to ensure we proxy the request's querystring * New regression test to ensure we do not double percent-encode request URIs. Fix #2512
|
I just updated #2519 with a fix that ensures we transparently proxy request URIs (without further escaping/un-escaping). Could you give it a try on your side and let us know? Thanks! |
* The router now returns a 4th value: the URI to use for the upstream call. * The `proxy_pass` directive now inlines a new `$upstream_uri` variable which contains a raw string with both the Nginx `$request_uri` and `$args` variables. * Update the router value return test * New test to ensure we proxy the request's querystring * New regression test to ensure we do not double percent-encode request URIs. Fix #2512
* The router now returns a 4th value: the URI to use for the upstream call. * The `proxy_pass` directive now inlines a new `$upstream_uri` variable which contains a raw string with both the Nginx `$request_uri` and `$args` variables. * Update the router value return test * New test to ensure we proxy the request's querystring * New regression test to ensure we do not double percent-encode request URIs. Fix #2512
Summary
In Kong 0.10.2 it is adding additional URL encoding before sending a request upstream.
Steps To Reproduce
/auth%7C123(/auth|123, url-encoded)./auth%257C123Additional Details & Logs
This was not the case in Kong 0.9.9, it didn't further encode these URLs.
The text was updated successfully, but these errors were encountered: