
bug: intermittent HTTP 500 errors occur when accessing domain via HTTPS. #9801

Closed
hansedong opened this issue Jul 7, 2023 · 29 comments
Assignees
Labels
bug Something isn't working

Comments

@hansedong
Contributor

Current Behavior

When I access the service through HTTPS, I intermittently encounter HTTP 500 errors. The browser is Chrome. It's very strange that the issue resolves itself when I force quit the browser.

Through the APISIX error log, you can clearly see the following errors:

2023/07/07 17:29:43 [error] 885282#885282: *11754987 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
?172.18.96.54
        access_by_lua(nginx.conf:356):2: in main chunk, client: 172.18.96.54, server: _, request: "GET / HTTP/2.0", host: "duizhang-admin.xxx.ab"

Here are some additional information about my environment:

  1. When the problem occurs, I can access it normally through Safari browser.
  2. The page for APISIX 500 is as follows:
    image
  3. My certificate is a private certificate, and my local MacOS trusts the certificate. I don't think the problem has much to do with the certificate.
  4. I have encountered this issue not only on the same Mac device, but my colleagues have also experienced it multiple times.
  5. From the browser's packet capture, it can be seen that Chrome accesses HTTPS websites using the HTTP/2 protocol.

Expected Behavior

No response

Error Logs

2023/07/07 17:39:22 [error] 885279#885279: *11795254 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/apisix/apisix/init.lua: in function 'verify_https_client'
        /usr/local/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:356):2: in main chunk, client: 172.18.96.30, server: _, request: "GET /api/notice/websocket/?token=3ec58d194331d93f12915e3f0cc8d4c6_1858_1688611035_&EIO=3&transport=websocket HTTP/1.1", host: "xxx.ab"
?172.18.96.54
        /usr/local/apisix/apisix/init.lua: in function 'verify_https_client'
        /usr/local/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:356):2: in main chunk, client: 172.18.96.54, server: _, request: "GET / HTTP/2.0", host: "duizhang-admin.xxx.ab"
2023/07/07 17:29:32 [error] 885279#885279: *11692337 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/apisix/apisix/init.lua: in function 'verify_https_client'
        /usr/local/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:356):2: in main chunk, client: 172.18.96.54, server: _, request: "GET /favicon.ico HTTP/2.0", host: "duizhang-admin.xxx.ab", referrer: "https://duizhang-admin.xxx.ab/"
2023/07/07 17:29:33 [error] 885279#885279: *11754296 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/apisix/apisix/init.lua: in function 'verify_https_client'
        /usr/local/apisix/apisix/init.lua:560: in function 'http_access_phase'
        access_by_lua(nginx.conf:356):2: in main chunk, client: 172.18.96.30, server: _, request: "GET /api/notice/websocket/?token=3ec58d194331d93f12915e3f0cc8d4c6_1858_1688611035_&EIO=3&transport=websocket HTTP/1.1", host: "xxx.ab"
2023/07/07 17:29:43 [error] 885282#885282: *11754987 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
?172.18.96.54
        access_by_lua(nginx.conf:356):2: in main chunk, client: 172.18.96.54, server: _, request: "GET / HTTP/2.0", host: "duizhang-admin.xxx.ab"

Steps to Reproduce

The occurrence of this issue is sporadic, and it is unclear how to reproduce it.

Environment

  • APISIX version (run apisix version): 3.4.0
  • Operating system (run uname -a): Linux knode10-72-73-177 5.15.29-200.el7.x86_64 #1 SMP Thu Mar 31 14:09:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V):
nginx version: openresty/1.21.4.1
built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
built with OpenSSL 1.1.1s  1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.21.4.1.8 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.21 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.11 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0/src/stream --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0/src/meta --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../wasm-nginx-module-0.6.4 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../lua-var-nginx-module-v0.5.3 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../grpc-client-nginx-module-v0.4.2 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): 3.5.9
  • APISIX Dashboard version, if relevant: 3.0.1
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
/usr/local/bin/luarocks 3.8.0
LuaRocks main command-line interface
@hansedong hansedong changed the title bug: intermittent HTTP 500 errors occur when accessing the APISIX domain via HTTPS. bug: intermittent HTTP 500 errors occur when accessing domain via HTTPS. Jul 7, 2023
@shreemaan-abhishek
Contributor

Is this an error related to mTLS between apisix and upstream?

@hansedong
Contributor Author

Is this an error related to mTLS between apisix and upstream?

No, the upstream service of APISIX uses the HTTP protocol, not HTTPS.

@shreemaan-abhishek
Contributor

So this error occurs when you try to access apisix via a browser? Or when you try to access the website frontend? Have you setup mTLS between client and APISIX?

@alptugay
Contributor

alptugay commented Jul 11, 2023

Same here. Upgraded from 3.2.1 to 3.4.0 and now we get the same error messages. Connections are HTTPS. I looked at the relevant PR: #9322
It seems like a race condition because some requests fail and some don't, for the same route.

@wadefelix

same issue

@simon-flury
Contributor

same issue for me too

@wadefelix

wadefelix commented Jul 13, 2023

Same here. Upgraded from 3.2.1 to 3.4.0 and now we get the same error messages. Connections are HTTPS. I looked at the relevant PR: #9322 It seems like a race condition because some requests fail and some don't, for the same route.

Yeah, I downgraded apisix to 3.2.1, and it works fine.

@alptugay
Contributor

Deleting lines 331-346 in the init.lua file solves the issue for us. https://github.com/apache/apisix/blob/3.4.0/apisix/init.lua

@hansedong
Contributor Author

Deleting lines 331-346 in the init.lua file solves the issue for us. https://github.com/apache/apisix/blob/3.4.0/apisix/init.lua

I have reviewed the key code in your proposal, and I think it is a good idea. I am planning to try it out.

@hansedong
Contributor Author

Deleting lines 331-346 in the init.lua file solves the issue for us. https://github.com/apache/apisix/blob/3.4.0/apisix/init.lua

@alptugay It's working now, thank you. @kingluo It seems that this PR #9322 may have some issues.

@kingluo
Contributor

kingluo commented Jul 14, 2023

@hansedong could you confirm again the openresty version is really 1.21.4.1?
And please share your route & ssl config (please mask the cert and key content) via admin API.

@hansedong
Contributor Author

@hansedong could you confirm again the openresty version is really 1.21.4.1? And please share your route & ssl config (please mask the cert and key content) via admin API.

APISIX and OpenResty version information is as follows (including the retrieval commands) @kingluo

[root@knode10-72-73-177 logs]# apisix version
/usr/local/openresty//luajit/bin/luajit /usr/local/apisix/apisix/cli/apisix.lua version
3.4.0

[root@knode10-72-73-177 logs]# openresty -V
nginx version: openresty/1.21.4.1
built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
built with OpenSSL 1.1.1s  1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.21.4.1.8 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.21 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.11 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0/src/stream --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0/src/meta --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../wasm-nginx-module-0.6.4 --add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../lua-var-nginx-module-v0.5.3 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../grpc-client-nginx-module-v0.4.2 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module

the route info

curl "http://10.72.8.63:9180/apisix/admin/routes/468131118424524075" -H "X-API-KEY: xxxxxxx"
{
    "value": {
        "uri": "/*",
        "labels": {
            "env-type": "dev",
            "ops": "ops"
        },
        "name": "ops-dev-aos-ab",
        "host": "aos.ab",
        "create_time": 1688557490,
        "id": "468131118424524075",
        "plugins": {
            "proxy-rewrite": {
                "host": "aosab.inner.do"
            },
            "redirect": {
                "http_to_https": true
            }
        },
        "upstream": {
            "type": "roundrobin",
            "nodes": [
                {
                    "host": "10.72.79.4",
                    "weight": 1,
                    "port": 80
                }
            ],
            "timeout": {
                "send": 6,
                "connect": 6,
                "read": 6
            },
            "pass_host": "pass",
            "scheme": "http",
            "keepalive_pool": {
                "requests": 1000,
                "size": 320,
                "idle_timeout": 60
            }
        },
        "enable_websocket": true,
        "status": 1,
        "update_time": 1688622920
    },
    "key": "/apisix/routes/468131118424524075",
    "createdIndex": 10069,
    "modifiedIndex": 21124
}

the ssl info

curl "http://10.72.8.63:9180/apisix/admin/ssls/415462858613065003" -H "X-API-KEY: xxxxxxx"
{
    "value": {
        "validity_end": 1720581780,
        "validity_start": 1689045780,
        "create_time": 1657164761,
        "id": "415462858613065003",
        "cert": "-----BEGIN CERTIFICATE-----\nXXXXXXX\n-----END CERTIFICATE-----",
        "snis": [
            "www.aos.ab",
            "m.aos.ab",
            "youji.m.aos.ab",
            "*.youyudf.aos.ab",
            "*.aos.ab",
            "aos.ab"
        ],
        "status": 1,
        "update_time": 1689046536
    },
    "key": "/apisix/ssls/415462858613065003",
    "createdIndex": 5631,
    "modifiedIndex": 104568
}

I need to provide a few additional pieces of information:

  1. My certificate is a private TLS certificate issued internally by the company, and my operating system (MacOS) has already trusted this certificate.
  2. When encountering a 500 error while accessing in Chrome browser, the lock icon in the browser's address bar is normal (meaning that there are no certificate errors reported by the browser).
  3. One important point is that when I encounter a 500 error in Chrome, it works fine through Safari and Firefox. However, regardless of the browser, accessing via WSS (websocket over tls) always results in a 500 error.
  4. Now, after removing the Lua code for mTLS, the 500 error no longer occurs and WSS has also returned to normal.

@kingluo
Contributor

kingluo commented Jul 14, 2023

@hansedong I'll try to reproduce it, currently not yet.
Could you try to use curl and reproduce it? (use -v option to show the procedure)

@hansedong
Contributor Author

@hansedong I'll try to reproduce it, currently not yet. Could you try to use curl and reproduce it? (use -v option to show the procedure)

The execution of the curl command is fine (ignoring the certificate); I have already tried it.

From my own perspective, this issue only occurs in Chrome browser. Safari, Firefox, and the curl command line all work without any problem.

It seems that Chrome might not be carrying the correct certificate information to APISIX? What about you @alptugay @wadefelix

@alptugay
Contributor

@hansedong I'll try to reproduce it, currently not yet. Could you try to use curl and reproduce it? (use -v option to show the procedure)

The execution of the curl command is fine (ignoring the certificate); I have already tried it.

From my own perspective, this issue only occurs in Chrome browser. Safari, Firefox, and the curl command line all work without any problem.

It seems that Chrome might not be carrying the correct certificate information to APISIX? What about you @alptugay @wadefelix

@hansedong I can neither deny nor confirm :) We haven't collected the data about user agents. But I can at least say that GitLab runners (User-agent: GitLab/15.0.5-ee) have encountered this issue.

@wadefelix

wadefelix commented Jul 17, 2023

@hansedong I'll try to reproduce it, currently not yet. Could you try to use curl and reproduce it? (use -v option to show the procedure)

The execution of the curl command is fine (ignoring the certificate); I have already tried it.

From my own perspective, this issue only occurs in Chrome browser. Safari, Firefox, and the curl command line all work without any problem.

It seems that Chrome might not be carrying the correct certificate information to APISIX? What about you @alptugay @wadefelix

My browser is Edge: Version 114.0.1823.82 (Official build) (64-bit)

Chromium is the major player on PC. If all the Chromium browsers go wrong with APISIX, 3.4.0 should be recalled.

After I restart apisix, Edge's first request always works fine, but the following requests go wrong with a 500 error.

@kingluo
Contributor

kingluo commented Jul 18, 2023

I cannot reproduce the issue with apisix 3.4.0. I tried Chrome, but it's ok (refreshed several times).

@hansedong
Contributor Author

I cannot reproduce the issue with apisix 3.4.0. I tried Chrome, but it's ok (refreshed several times).

Really appreciate your effort in reproducing this issue, thank you.
Also, I'm not sure about the situation for others, but in my own environment the error is not guaranteed to occur. In fact, sometimes there are problems and other times there aren't (the error does not occur consistently).

Please keep the current testing environment intact and do not destroy it. Please observe for a while longer.

@mrmm

mrmm commented Jul 20, 2023

I have the same issue; the error appears randomly. I am using Brave as a browser, and as soon as I hard refresh (cache clean, etc.) the error occurs.

But using private navigation it works fine each time.

Here is my Route config:

{
  "uris": [
    "/*"
  ],
  "name": "ing_aaa_ingress-v1-test_867d835",
  "desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
  "priority": 100,
  "host": "test.domain.com",
  "vars": [
    [
      "uri",
      "~~",
      "/.*/.*"
    ]
  ],
  "plugins": {
    "proxy-rewrite": {
      "regex_uri": [
        "/(.+)/(.+)",
        "/v1/xxxx/$2/video/$1"
      ],
      "use_real_request_uri_unsafe": false
    }
  },
  "upstream_id": "ec66dd7d",
  "labels": {
    "managed-by": "apisix-ingress-controller"
  },
  "status": 1
}

Edit: I have no mTLS configuration for any of my routes/upstreams

@WrightKD

This issue occurs for me every time I call a gateway endpoint from Postman without a CA:

Steps to reproduce:

  1. Set up an SSL for mTLS, example:
{
  "sni": "example.com",
  "cert": "server_cert_example",
  "key": "server_key_example",
  "client": {
    "ca": "ca_cert_example"
  }
}

Note: Admin API - GET /apisix/admin/ssls returns only one SSL (the newly added SSL above)

  2. Set up a route, example which I used:
{
    "name": "sap-post",
    "desc": "Number converter for SAP Post",
    "uri": "/converter/*",
    "plugins": {
        "file-logger": {
            "path": "logs/file_converter_route.log",
            "log_format": {
                "host": "$host",
                "@timestamp": "$time_iso8601",
                "client_ip": "$remote_addr",
                "route_name": "$route_name",
                "reponse": "$resp_body",
                "request": "$request_body"
            },
            "include_resp_body": true
        },
        "proxy-rewrite": {
            "regex_uri": [
                "/converter/number",
                "/webservicesserver/NumberConversion.wso"
            ],
            "headers": {
                "set": {
                    "Accept-Encoding": "identity",
                    "Content-Type": "text/xml"
                },
                "add":{
                "X-Ssl-Client-Fingerprint": "$ssl_client_fingerprint",
                "X-Ssl-Client-Serial": "$ssl_client_serial",
                "X-Ssl-Client-S-DN": "$ssl_client_s_dn"
                }
            }
        },
        "response-rewrite": {
            "headers": {
                "set": {
                    "Content-Type": "application/json"
                }
            }
        },
        "body-transformer": {
            "request": {
                "template": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPHNvYXA6RW52ZWxvcGUgeG1sbnM6c29hcD0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvc29hcC9lbnZlbG9wZS8iPgogIDxzb2FwOkJvZHk+CiAgICA8TnVtYmVyVG9Xb3JkcyB4bWxucz0iaHR0cDovL3d3dy5kYXRhYWNjZXNzLmNvbS93ZWJzZXJ2aWNlc3NlcnZlci8iPgogICAgICA8dWJpTnVtPnt7X2VzY2FwZV94bWwobnVtYmVyKX19PC91YmlOdW0+CiAgICA8L051bWJlclRvV29yZHM+CiAgPC9zb2FwOkJvZHk+Cjwvc29hcDpFbnZlbG9wZT4=",
                "input_format" : "json"
            },
            "response": {
                "template": "ewogICAgIk51bWJlclRvV29yZHMiOiB7Kl9lc2NhcGVfanNvbihFbnZlbG9wZS5Cb2R5Lk51bWJlclRvV29yZHNSZXNwb25zZS5OdW1iZXJUb1dvcmRzUmVzdWx0KSp9Cn0=",
                "input_format" : "xml"
            }
        }
    },
    "methods": [
        "POST"
    ],
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "www.dataaccess.com": 1
        },
        "scheme": "https",
        "pass_host": "node"
    }
}

If I call the gateway on the path /converter/number without a client certificate and key, Postman returns the error: Error: socket hang up.
And the error logged in APISIX: SSL_do_handshake() failed (SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate) while SSL handshaking
image

With a client cert and key (as per the image), I get the 500 error:

<html>

<head>
	<title>500 Internal Server Error</title>
</head>

<body>
	<center>
		<h1>500 Internal Server Error</h1>
	</center>
	<hr>
	<center>openresty</center>
	<p><em>Powered by <a href="https://apisix.apache.org/">APISIX</a>.</em></p>
</body>

</html>

APISIX error in the logs:

lua entry thread aborted: runtime error: /usr/local/apisix/apisix/init.lua:332: attempt to index local 'matched_ssl' (a nil value)
stack traceback:
coroutine 0:
	/usr/local/apisix/apisix/init.lua: in function 'verify_https_client'
	/usr/local/apisix/apisix/init.lua:560: in function 'http_access_phase'

And I will continue to get the error until I add a CA in Postman:
image

After adding the CA, all the requests to the endpoint work again.

@adam-huganir
Contributor

We are also experiencing this issue with known good certs; we are rolling back to 3.3.0 as per the note above and it seems to be ok again. I will come back and update if a related issue returns, but we are definitely looking forward to a fix so we can keep running the apisix updates as they come out.

@alptugay It's working now, thank you. @kingluo It seems that this PR #9322 may have some issues.

@kingluo
Contributor

kingluo commented Jul 21, 2023

@hansedong @mrmm @wadefelix @adam-huganir
Yes, it seems like a bug.

https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block

This Lua handler does not run at all, however, when Nginx/OpenSSL successfully resumes the SSL session via SSL session IDs or TLS session tickets for the current SSL connection. In other words, this Lua handler only runs when Nginx has to initiate a full SSL handshake.

I'll try to fix it later.

@kingluo kingluo added the bug Something isn't working label Jul 21, 2023
@kingluo kingluo self-assigned this Jul 21, 2023
@moonming
Member

@Sn0rt please take a look and try to fix it

@Sn0rt
Contributor

Sn0rt commented Jul 24, 2023

@Sn0rt please take a look and try to fix it

Got it. I will take a look.

@mrmm

mrmm commented Aug 18, 2023

Hello, is there any update on this issue please?

@Revolyssup
Contributor

This issue is tracked here: #9610

@juicycleff

Same issue, just upgraded; it happens in Firefox, Chrome and Safari intermittently. Though my services were unbroken until I did a thorough test.

@Sn0rt Sn0rt removed their assignment Aug 21, 2023
@Revolyssup Revolyssup self-assigned this Aug 21, 2023
@Revolyssup
Contributor

Fix created for this, and the reasons are explained here: #10066

@kingluo
Contributor

kingluo commented Sep 12, 2023

We can not reproduce the issue on the master branch anymore, because commit #9903 (after 3.4.1) adds ssl_client_hello_by_lua_block. This phase, as used by apisix, always constructs ngx.ctx.matched_ssl:

apisix/apisix/init.lua, lines 205 to 207 in f47c2d7:

local ok, err = router.router_ssl.match_and_set(api_ctx, true, sni)
ngx_ctx.matched_ssl = api_ctx.matched_ssl
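To make the root cause and the two mitigations discussed in this thread concrete, here is an added illustrative OpenResty Lua sketch. It is not APISIX's own code: the `ssl_by_sni` table, `lookup_ssl_by_sni`, and the two phase functions are constructed stand-ins for APISIX's SSL router (`router.router_ssl.match_and_set`) and its `verify_https_client`, and the SNI values and CA placeholder are made up. It shows why populating `ngx.ctx.matched_ssl` from `ssl_client_hello_by_lua_block` (which runs for every ClientHello, resumed sessions included) closes the gap that `ssl_certificate_by_lua_block` leaves, and why the access-phase check should never index `matched_ssl` without a nil guard.

```lua
-- Added illustrative OpenResty sketch; not APISIX's init.lua.
-- Assumptions (not from the issue): ssl_by_sni, lookup_ssl_by_sni and the two
-- phase functions below are constructed stand-ins for APISIX's SSL router
-- (router.router_ssl.match_and_set) and its verify_https_client.
local ssl_clienthello = require("ngx.ssl.clienthello")

-- Constructed SSL objects keyed by SNI; client_ca == nil means no mTLS.
local ssl_by_sni = {
    ["aos.ab"]            = { id = "ssl-plain", client_ca = nil },
    ["mtls.example.test"] = { id = "ssl-mtls",  client_ca = "<CA PEM placeholder>" },
}

local function lookup_ssl_by_sni(sni)
    if not sni then
        return nil
    end
    return ssl_by_sni[sni]
end

-- Wire this into ssl_client_hello_by_lua_block. Unlike ssl_certificate_by_lua,
-- this phase runs for every ClientHello, including one that resumes a session
-- via session ID or ticket, so ngx.ctx.matched_ssl is set on every connection.
local function ssl_client_hello_phase()
    local sni, err = ssl_clienthello.get_client_hello_server_name()
    if err then
        ngx.log(ngx.ERR, "failed to read SNI from ClientHello: ", err)
    end
    ngx.ctx.matched_ssl = lookup_ssl_by_sni(sni)
end

-- Wire this into access_by_lua_block. The 3.4.0 code discussed in this thread
-- indexed matched_ssl unconditionally, which raised the Lua error (and the 500)
-- whenever the certificate phase had been skipped. Guard the nil case instead.
local function verify_https_client()
    local matched_ssl = ngx.ctx.matched_ssl
    if not matched_ssl then
        -- Earlier phase did not populate the context (e.g. a resumed session on a
        -- build without the client-hello phase): re-match from the negotiated SNI.
        matched_ssl = lookup_ssl_by_sni(ngx.var.ssl_server_name)
    end
    if not matched_ssl then
        -- Fail closed with a clear reason rather than crash or silently skip mTLS.
        return false, "no SSL object matched SNI " .. tostring(ngx.var.ssl_server_name)
    end
    if not matched_ssl.client_ca then
        return true -- this SNI does not require a client certificate
    end
    -- mTLS is configured for this SNI: require a verified client certificate.
    local verify = ngx.var.ssl_client_verify
    if verify ~= "SUCCESS" then
        return false, "client certificate verification failed: " .. tostring(verify)
    end
    return true
end

return {
    ssl_client_hello_phase = ssl_client_hello_phase,
    verify_https_client = verify_https_client,
}
```

In nginx.conf the first function would be called from `ssl_client_hello_by_lua_block` and the second from `access_by_lua_block`, where a `false` return should map to a deliberate 4xx via `ngx.exit` instead of the unhandled runtime error seen in the logs above. Failing closed when no SSL object can be matched is the defensive choice: the unsafe outcome of a nil `matched_ssl` would be quietly skipping the client-certificate check on an SNI that requires it.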

@kingluo kingluo closed this as completed Sep 12, 2023