APISIX gateway.ingress.enabled=true results in 400 bad request #560

Closed
symplyf opened this issue Jun 13, 2023 · 2 comments

symplyf commented Jun 13, 2023

Hi,

I started using APISIX, and everything works fairly smoothly out of the box. I managed to get cert-manager to work as well.
However, after enabling gateway.ingress I started running into 400 Bad Request - Request Header Or Cookie Too Large errors.

values.yaml:

```yaml
gateway:
  ingress:
    enabled: true
    className: "apisix"
    annotations: {
      cert-manager.io/cluster-issuer: letsencrypt
    }
    hosts:
      - host: api.domain.ltd
        paths: [/*]
    tls:
      - secretName: api-domain-ltd-tls
        hosts:
          - api.domain.ltd
```

After some debugging I realized that what's going on is that the upstream of the `/*` route created by apisix-ingress-controller is using `pass_host: pass`, which results in a loop, and the 400 Bad Request occurs after n tries.

At least, that's the theory, since changing it to `pass_host: node` solves the problem, and this is replicable through the apisix pod. Solving the problem in the sense that it will return `{"error_msg":"404 Route Not Found"}`.

As a side note, this doesn't occur when you define an additional path, i.e. `/path`, to a different upstream. That will resolve fine.

Anyway, what is the recommended way to deal with this situation? Am I supposed to use a different path, patch the upstream, just let it 400 if there's no specific path specified? Or am I missing something entirely?

I would generally ignore it and let it 400, but it seems relatively prone to (D)DoS attacks due to the fact that you can use it to amplify traffic (request * nretries).
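An added example (not part of the original issue and not APISIX project code): an offline check for the condition reported above, a route whose upstream proxies back into the gateway while `pass_host` is `pass`. It assumes the loop arises because the upstream node is the gateway itself; `find_self_loops`, `node_hosts`, the addresses and the route/upstream objects are constructed for illustration.

```python
# Added example: audit APISIX route/upstream objects for self-proxying loops.
# Field names (uri, hosts, upstream_id, nodes, pass_host, retries) follow the
# APISIX Admin API; every value below is constructed sample data.

def node_hosts(nodes):
    """Yield hosts from either node form: {"host:port": weight} or a list of dicts."""
    if isinstance(nodes, dict):
        for addr in nodes:
            yield addr.rsplit(":", 1)[0]
    else:
        for node in nodes or []:
            yield node["host"]


def find_self_loops(routes, upstreams, gateway_addrs):
    """Return findings for routes whose upstream points back at the gateway while
    pass_host keeps the client's Host header, so the same route matches again."""
    findings = []
    for route in routes:
        ups = route.get("upstream") or upstreams.get(route.get("upstream_id"), {})
        # "pass" is the APISIX default when pass_host is omitted.
        if ups.get("pass_host", "pass") != "pass":
            continue
        looping = sorted(h for h in node_hosts(ups.get("nodes")) if h in gateway_addrs)
        if looping:
            findings.append({"route": route["id"], "uri": route.get("uri"),
                             "nodes": looping, "retries": ups.get("retries")})
    return findings


# Constructed sample: 10.0.0.5 stands in for the gateway Service address (assumption).
GATEWAY_ADDRS = {"10.0.0.5"}
UPSTREAMS = {
    "u1": {"nodes": {"10.0.0.5:9080": 100}, "pass_host": "pass", "retries": 3},
    "u2": {"nodes": [{"host": "10.0.1.7", "port": 8080, "weight": 100}]},
    "u3": {"nodes": {"10.0.0.5:9080": 100}, "pass_host": "node"},
}
ROUTES = [
    {"id": "r1", "uri": "/*", "hosts": ["api.domain.ltd"], "upstream_id": "u1"},
    {"id": "r2", "uri": "/path", "hosts": ["api.domain.ltd"], "upstream_id": "u2"},
    {"id": "r3", "uri": "/*", "hosts": ["api.domain.ltd"], "upstream_id": "u3"},
]

if __name__ == "__main__":
    for f in find_self_loops(ROUTES, UPSTREAMS, GATEWAY_ADDRS):
        print(f"route {f['route']} ({f['uri']}) proxies to gateway {f['nodes']}, "
              f"retries={f['retries']}")
```

Only `r1` is reported: `r2` targets a different backend and `r3` uses `pass_host: node`, matching the two cases the report says resolve without looping.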

@tao12345666333 (Member)

Thank you for your feedback. We need to reproduce it.

@tao12345666333 (Member)

We have a PR to fix this: apache/apisix-ingress-controller#1889

After fixing the CI issue, it will be merged.

I will close this issue. Let's use apache/apisix-ingress-controller#1889 for tracking, thanks!

@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in Apache APISIX backlog Jul 12, 2023