change: refactor logic for enabling L4/L7 proxy (#9607)

apisix/admin/init.lua

@@ -174,7 +174,8 @@ local function run()
 
     if seg_res == "stream_routes" then
         local local_conf = core.config.local_conf()
-        if not local_conf.apisix.stream_proxy then
+        if local_conf.apisix.proxy_mode ~= "stream" and
+           local_conf.apisix.proxy_mode ~= "http&stream" then
             core.log.warn("stream mode is disabled, can not add any stream ",
                           "routes")
             core.response.exit(400, {error_msg = "stream mode is disabled, " ..

apisix/cli/ngx_tpl.lua

@@ -124,7 +124,7 @@ http {
 
 {% end %}
 
-{% if stream_proxy then %}
+{% if enable_stream then %}
 stream {
     lua_package_path  "{*extra_lua_path*}$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;]=]
                       .. [=[{*apisix_lua_home*}/?.lua;{*apisix_lua_home*}/?/init.lua;;{*lua_path*};";

apisix/cli/ops.lua

@@ -269,11 +269,24 @@ Please modify "admin_key" in conf/config.yaml .
                  "your openresty, please check it out.\n")
     end
 
+    --- http is enabled by default
     local enable_http = true
-    if not yaml_conf.apisix.enable_admin and yaml_conf.apisix.stream_proxy and
-        yaml_conf.apisix.stream_proxy.only ~= false
-    then
-        enable_http = false
+    --- stream is disabled by default
+    local enable_stream = false
+    if yaml_conf.apisix.proxy_mode then
+        --- check for "http"
+        if yaml_conf.apisix.proxy_mode == "http" then
+            enable_http = true
+            enable_stream = false
+        --- check for "stream"
+        elseif yaml_conf.apisix.proxy_mode == "stream" then
+            enable_stream = true
+            enable_http = false
+        --- check for "http&stream"
+        elseif yaml_conf.apisix.proxy_mode == "http&stream" then
+            enable_stream = true
+            enable_http = true
+        end
     end
 
     local enabled_discoveries = {}
@@ -488,7 +501,7 @@ Please modify "admin_key" in conf/config.yaml .
 
     local tcp_enable_ssl
     -- compatible with the original style which only has the addr
-    if yaml_conf.apisix.stream_proxy and yaml_conf.apisix.stream_proxy.tcp then
+    if enable_stream and yaml_conf.apisix.stream_proxy and yaml_conf.apisix.stream_proxy.tcp then
         local tcp = yaml_conf.apisix.stream_proxy.tcp
         for i, item in ipairs(tcp) do
             if type(item) ~= "table" then
@@ -545,6 +558,7 @@ Please modify "admin_key" in conf/config.yaml .
         use_apisix_base = env.use_apisix_base,
         error_log = {level = "warn"},
         enable_http = enable_http,
+        enable_stream = enable_stream,
         enabled_discoveries = enabled_discoveries,
         enabled_plugins = enabled_plugins,
         enabled_stream_plugins = enabled_stream_plugins,

apisix/cli/schema.lua

@@ -136,6 +136,10 @@ local config_schema = {
                         }
                     }
                 },
+                proxy_mode = {
+                    type = "string",
+                    enum = {"http", "stream", "http&stream"},
+                },
                 stream_proxy = {
                     type = "object",
                     properties = {

conf/config-default.yaml

@@ -73,6 +73,8 @@ apisix:
                                 # radixtree_uri_with_parameter: similar to radixtree_uri but match URI with parameters. See https://github.com/api7/lua-resty-radixtree/#parameters-in-path for more details.
     ssl: radixtree_sni          # radixtree_sni: match route by SNI
 
+  # http is the default proxy mode. proxy_mode can be one of `http`, `stream`, or `http&stream`
+  proxy_mode: http
   # stream_proxy:                 # TCP/UDP L4 proxy
   #   only: true                  # Enable L4 proxy only without L7 proxy.
   #   tcp:

docs/en/latest/plugins/mqtt-proxy.md

@@ -50,7 +50,6 @@ To enable the Plugin, you need to first enable the `stream_proxy` configuration
         http: 'radixtree_uri'
         ssl: 'radixtree_sni'
     stream_proxy:                 # TCP/UDP proxy
-      only: false                 # needed if HTTP and Stream Proxy should be enabled
       tcp:                        # TCP proxy port list
         - 9100
     dns_resolver:

docs/en/latest/stream-proxy.md

@@ -29,7 +29,12 @@ APISIX can serve as a stream proxy, in addition to being an application layer pr
 
 By default, stream proxy is disabled.
 
-To enable the option, add the `apisix.stream_proxy` option in `conf/config.yaml` and specify a list of addresses which APISIX should act as a stream proxy and listen for incoming requests.
+To enable this option, set `apisix.proxy_mode` to `stream` or `http&stream`, depending on whether you want stream proxy only or both http and stream. Then add the `apisix.stream_proxy` option in `conf/config.yaml` and specify the list of addresses where APISIX should act as a stream proxy and listen for incoming requests.
+:::note
+
+This "apisix.stream_proxy" option has only been added in versions after 3.2.1.
+
+:::
 
 ```yaml
 apisix:
@@ -42,19 +47,6 @@ apisix:
       - "127.0.0.1:9211"
 ```
 
-If `apisix.enable_admin` is true, both HTTP and stream proxy are enabled with the configuration above.
-
-If you have set the `enable_admin` to false, and need to enable both HTTP and stream proxy, set the `only` to false:
-
-```yaml
-apisix:
-  enable_admin: false
-  stream_proxy:
-    only: false
-    tcp:
-      - 9100
-```
-
 If `apisix.stream_proxy` is undefined in `conf/config.yaml`, you will encounter an error similar to the following and not be able to add a stream route:
 
 ```

docs/zh/latest/plugins/mqtt-proxy.md

@@ -50,7 +50,6 @@ description: 本文档介绍了 Apache APISIX mqtt-proxy 插件的信息，通
         http: 'radixtree_uri'
         ssl: 'radixtree_sni'
     stream_proxy:                 # TCP/UDP proxy
-      only: false                 # 如需 HTTP 与 Stream 代理同时生效，需要增加该键值
       tcp:                        # TCP proxy port list
         - 9100
     dns_resolver:

docs/zh/latest/stream-proxy.md

@@ -27,7 +27,7 @@ APISIX 可以对 TCP/UDP 协议进行代理并实现动态负载均衡。在 ngi
 
 ## 如何开启 Stream 代理
 
-在 `conf/config.yaml` 配置文件设置 `stream_proxy` 选项，指定一组需要进行动态代理的 IP 地址。默认情况不开启 stream 代理。
+要启用该选项，请将 `apisix.proxy_mode` 设置为 `stream` 或 `http&stream`，具体取决于您是只需要流代理还是需要 http 和流。然后在 conf/config.yaml 中添加 apisix.stream_proxy 选项并指定 APISIX 应充当流代理并侦听传入请求的地址列表。
 
 ```yaml
 apisix:
@@ -40,19 +40,6 @@ apisix:
       - "127.0.0.1:9211"
 ```
 
-如果 `apisix.enable_admin` 为 true，上面的配置会同时启用 HTTP 和 stream 代理。
-
-如果你设置 `enable_admin` 为 false，且需要同时启用 HTTP 和 stream 代理，设置 `only` 为 false：
-
-```yaml
-apisix:
-  enable_admin: false
-  stream_proxy: # TCP/UDP proxy
-    only: false
-    tcp: # TCP proxy address list
-      - 9100
-```
-
 ## 如何设置 route
 
 简例如下：

t/APISIX.pm

@@ -102,6 +102,7 @@ my $etcd_key = read_file("t/certs/etcd.key");
 $user_yaml_config = <<_EOC_;
 apisix:
   node_listen: 1984
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - 9100

t/cli/test_access_log.sh

@@ -230,6 +230,7 @@ echo "passed: should find upstream scheme"
 # check stream logs
 echo '
 apisix:
+    proxy_mode: stream
     stream_proxy:                  # UDP proxy
      udp:
        - "127.0.0.1:9200"

t/cli/test_core_config.sh

@@ -45,6 +45,7 @@ echo "passed: set lua_max_running_timers successfully"
 
 echo "
 apisix:
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - addr: 9100

t/cli/test_deployment_traditional.sh

@@ -45,6 +45,7 @@ fi
 # Both HTTP and Stream
 echo '
 apisix:
+    proxy_mode: http&stream
     enable_admin: true
     stream_proxy:
         tcp:
@@ -74,6 +75,7 @@ fi
 echo '
 apisix:
     enable_admin: false
+    proxy_mode: stream
     stream_proxy:
         tcp:
             - addr: 9100

t/cli/test_dns.sh

@@ -41,6 +41,7 @@ fi
 
 echo '
 apisix:
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - 9100
@@ -62,6 +63,7 @@ echo "pass: dns_resolver_valid takes effect"
 
 echo '
 apisix:
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - 9100
@@ -130,6 +132,7 @@ rm logs/error.log || true
 echo "
 apisix:
     enable_admin: true
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - addr: 9100

t/cli/test_etcd_grpc_mtls.sh

@@ -105,6 +105,7 @@ echo "passed: certificate verify with CA success expectedly"
 # etcd mTLS in stream subsystem
 echo '
 apisix:
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - addr: 9100

t/cli/test_etcd_mtls.sh

@@ -102,6 +102,7 @@ echo "passed: certificate verify with CA success expectedly"
 # etcd mTLS in stream subsystem
 echo '
 apisix:
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - addr: 9100

t/cli/test_main.sh

@@ -670,10 +670,10 @@ echo "passed: bad lua_module_hook should be rejected"
 
 echo '
 apisix:
+    proxy_mode: http&stream
     extra_lua_path: "\$prefix/example/?.lua"
     lua_module_hook: "my_hook"
     stream_proxy:
-        only: false
         tcp:
             - addr: 9100
 ' > conf/config.yaml
@@ -810,6 +810,7 @@ git checkout conf/config.yaml
 
 echo '
 apisix:
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - addr: 9100

t/cli/test_prometheus_run_in_privileged.sh

@@ -55,6 +55,7 @@ rm logs/error.log || true
 
 echo "
 apisix:
+    proxy_mode: http&stream
     extra_lua_path: "\$prefix/t/lib/?.lua"
     enable_admin: true
     stream_proxy:
@@ -87,6 +88,7 @@ rm logs/error.log || true
 
 echo "
 apisix:
+    proxy_mode: http&stream
     extra_lua_path: "\$prefix/t/lib/?.lua"
     enable_admin: false
     stream_proxy:

t/cli/test_prometheus_stream.sh

@@ -23,6 +23,7 @@ exit_if_not_customed_nginx
 
 echo "
 apisix:
+    proxy_mode: http&stream
     enable_admin: true
     stream_proxy:
         tcp:
@@ -65,6 +66,7 @@ echo "passed: prometheus works when both http & stream are enabled"
 
 echo "
 apisix:
+    proxy_mode: stream
     enable_admin: false
     stream_proxy:
         tcp:

t/cli/test_snippet.sh

@@ -25,8 +25,8 @@ echo '
 apisix:
     node_listen: 9080
     enable_admin: true
+    proxy_mode: http&stream
     stream_proxy:
-        only: false
         tcp:
             - 9100
 nginx_config:

t/cli/test_stream_config.sh

@@ -22,6 +22,7 @@
 echo "
 apisix:
     enable_admin: false
+    proxy_mode: stream
     stream_proxy:
         tcp:
             - addr: 9100
@@ -40,8 +41,8 @@ echo "passed: enable stream proxy only by default"
 echo "
 apisix:
     enable_admin: false
+    proxy_mode: http&stream
     stream_proxy:
-        only: false
         tcp:
             - addr: 9100
 " > conf/config.yaml
@@ -57,6 +58,7 @@ fi
 echo "
 apisix:
     enable_admin: true
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - addr: 9100
@@ -76,6 +78,7 @@ echo "
 apisix:
     ssl:
         ssl_trusted_certificate: t/certs/mtls_ca.crt
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - addr: 9100
@@ -92,6 +95,7 @@ echo "passed: set trust certificate"
 
 echo "
 apisix:
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - addr: 9100
@@ -108,6 +112,7 @@ fi
 
 echo "
 apisix:
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - addr: 9100

t/cli/test_tls_over_tcp.sh

@@ -22,8 +22,8 @@
 # check tls over tcp proxy
 echo "
 apisix:
+    proxy_mode: http&stream
     stream_proxy:
-        only: false
         tcp:
             - addr: 9100
               tls: true

t/cli/test_validate_config.sh

@@ -82,6 +82,7 @@ deployment:
 apisix:
     node_listen: 9080
     enable_admin: true
+    proxy_mode: http&stream
     stream_proxy:
         tcp:
             - "localhost:9100"

t/stream-node/sni.t

@@ -276,6 +276,7 @@ proxy request to 127.0.0.2:1995
 --- yaml_config
 apisix:
   node_listen: 1984
+  proxy_mode: http&stream
   stream_proxy:
     tcp:
       - 9100