ext-plugin-post-resp plugin caused the request not to reach the upstream service

[EdaZhang]

Description

I develop a plugin to sign for response from upstream services.
This sign plugin has been working properly for a long time. But today i observed that i enable ext-plugin-post-resp plugin the request can't reach the upstream service. The response from APISIX is as follows

<html>

<head>
    <title>502 Bad Gateway</title>
</head>

<body>
    <center>
        <h1>502 Bad Gateway</h1>
    </center>
    <hr>
    <center>openresty</center>
    <p><em>Powered by <a href="https://apisix.apache.org/">APISIX</a>.</em></p>
</body>

</html>

There is no log in my upstream service.
Apisx access log is as follows

2024/11/13 14:22:42 [error] 72#72: *375816 [lua] ext-plugin-post-resp.lua:153: phase_func(): failed to request: 20: unable to get local issuer certificate, client: 172.20.4.118, server: _, request: "POST /merch/v4/group/branch/bind HTTP/1.1", host: "openapi-dev.xxx.com"
2024/11/13 14:22:42 [error] 72#72: *375816 [lua] ext-plugin-post-resp.lua:49: close(): close http object failed: closed, client: 172.20.4.118, server: _, request: "POST /merch/v4/group/branch/bind HTTP/1.1", host: "openapi-dev.xxx.com"
2024/11/13 14:22:42 [warn] 72#72: *375816 [lua] plugin.lua:1159: common_phase(): ext-plugin-post-resp exits with http status code 502, client: 172.20.4.118, server: _, request: "POST /merch/v4/group/branch/bind HTTP/1.1", host: "openapi-dev.xxx.com"

The response is normal when i curl in my APISIX pod. So i think the network is normal. Like that

curl -X POST "https://op-dev.xxx.com/merch/v4/group/branch/bind" \
 -H "Content-Type: application/json" \
     -d'{"a":"a"}'

Many routes are using this plugin, but only a few are experiencing this.
The route is as follow

{
  "uri": "/merch/v4/group/*",
  "name": "merch-group",
  "desc": "merch-system",
  "methods": [
    "POST",
    "GET"
  ],
  "plugins": {
    "ext-plugin-post-resp": {
      "_meta": {
        "disable": false
      },
      "conf": [
        {
          "name": "my-sign",
          "value": "{\"sign_url\":\"http://crypto-svc.base:8080/sign\",\"access_url\":\"http://app-query.merch:8080/query/key\",\"expire\":30000}"
        }
      ]
    }
  },
  "upstream": {
    "nodes": [
      {
        "host": "op-dev.xxx.com",
        "port": 443,
        "weight": 1
      }
    ],
    "timeout": {
      "connect": 6,
      "send": 6,
      "read": 6
    },
    "type": "roundrobin",
    "scheme": "https",
    "pass_host": "node",
    "keepalive_pool": {
      "idle_timeout": 60,
      "requests": 1000,
      "size": 320
    }
  },
  "labels": {
    "API_VERSION": "1.0"
  },
  "status": 1
}

When i disable ext-plugin-post-resp the route return to normal.

  "plugins": {
    "ext-plugin-post-resp": {
      "_meta": {
        "disable": true
      },
      "conf": [
        {
          "name": "jl-sign",
          "value": "{\"sign_url\":\"http://crypto-hsm-svc.utils:8080/api/v1/sign\",\"verify_url\":\"http://crypto-hsm-svc.utils:8080/api/v1/verify\",\"access_url\":\"http://access-app-query-svc.merch:8080/safe/queryCipherInfo\",\"expire\":3000000}"
        }
      ]
    }
  }

Access log:

172.20.4.118 - - [13/Nov/2024:14:22:42 +0800] openapi-dev.xxx.com "POST /merch/v4/group/branch/bind HTTP/1.1" 502 229 0.064 "-" "Apifox/1.0.0 (https://apifox.com)" - - - "https://op-dev.xxx.com"
172.20.4.117 - - [13/Nov/2024:14:25:35 +0800] openapi-dev.xxx.com "POST /base/esign/core/generate/sign/url HTTP/1.1" 200 126 0.074 "-" "Java/17.0.7" 10.68.129.62:8080 200 0.070 "http://openapi-dev.xxx.com/generate/sign/url"
172.20.4.118 - - [13/Nov/2024:14:26:01 +0800] openapi-dev.xxx.com "POST /merch/v4/group/branch/bind HTTP/1.1" 400 71 0.100 "-" "Apifox/1.0.0 (https://apifox.com)" 120.25.241.7:443 400 0.070 "https://op-dev.xxx.com"

Response:

{
    "retCode": "95",
    "retMsg": "registerType:入网类型不能为空;"
}

Generally speaking , ext-plugin-post-resp will be called after response. I wonder why the upstream can't accept request.

Environment

• APISIX: 3.8.0
• apisix-runner-starter: 0.4.0