Merge remote-tracking branch 'upstream/master' into chore-hardcoded-d…

…efault-config

README.md

@@ -42,6 +42,7 @@ The technical architecture of Apache APISIX:
 
 ## Community
 
+- [Kindly Write a Review](https://www.g2.com/products/apache-apisix/reviews) for APISIX in G2.
 - Mailing List: Mail to dev-subscribe@apisix.apache.org, follow the reply to subscribe to the mailing list.
 - Slack Workspace - [invitation link](https://apisix.apache.org/slack) (Please open an [issue](https://apisix.apache.org/docs/general/submit-issue) if this link is expired), and then join the #apisix channel (Channels -> Browse channels -> search for "apisix").
 - ![Twitter Follow](https://img.shields.io/twitter/follow/ApacheAPISIX?style=social) - follow and interact with us using hashtag `#ApacheAPISIX`
@@ -70,7 +71,8 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against
   - Proxy Websocket
   - Proxy Protocol
   - HTTP(S) Forward Proxy
-  - [SSL](docs/en/latest/certificate.md): Dynamically load an SSL certificate.
+  - [SSL](docs/en/latest/certificate.md): Dynamically load an SSL certificate
+  - [HTTP/3 with QUIC](docs/en/latest/http3.md)
 
 - **Full Dynamic**
 
@@ -133,7 +135,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against
   - [Global Rule](docs/en/latest/terminology/global-rule.md): Allows to run any plugin for all request, eg: limit rate, IP filter etc.
   - High performance: The single-core QPS reaches 18k with an average delay of fewer than 0.2 milliseconds.
   - [Fault Injection](docs/en/latest/plugins/fault-injection.md)
-  - [REST Admin API](docs/en/latest/admin-api.md): Using the REST Admin API to control Apache APISIX, which only allows 127.0.0.1 access by default, you can modify the `allow_admin` field in `conf/config.yaml` to specify a list of IPs that are allowed to call the Admin API. Also, note that the Admin API uses key auth to verify the identity of the caller. **The `admin_key` field in `conf/config.yaml` needs to be modified before deployment to ensure security**.
+  - [REST Admin API](docs/en/latest/admin-api.md): Using the REST Admin API to control Apache APISIX, which only allows 127.0.0.1 access by default, you can modify the `allow_admin` field in `conf/config.yaml` to specify a list of IPs that are allowed to call the Admin API. Also, note that the Admin API uses key auth to verify the identity of the caller.
   - External Loggers: Export access logs to external log management tools. ([HTTP Logger](docs/en/latest/plugins/http-logger.md), [TCP Logger](docs/en/latest/plugins/tcp-logger.md), [Kafka Logger](docs/en/latest/plugins/kafka-logger.md), [UDP Logger](docs/en/latest/plugins/udp-logger.md), [RocketMQ Logger](docs/en/latest/plugins/rocketmq-logger.md), [SkyWalking Logger](docs/en/latest/plugins/skywalking-logger.md), [Alibaba Cloud Logging(SLS)](docs/en/latest/plugins/sls-logger.md), [Google Cloud Logging](docs/en/latest/plugins/google-cloud-logging.md), [Splunk HEC Logging](docs/en/latest/plugins/splunk-hec-logging.md), [File Logger](docs/en/latest/plugins/file-logger.md), [SolarWinds Loggly Logging](docs/en/latest/plugins/loggly.md), [TencentCloud CLS](docs/en/latest/plugins/tencent-cloud-cls.md)).
   - [ClickHouse](docs/en/latest/plugins/clickhouse-logger.md): push logs to ClickHouse.
   - [Elasticsearch](docs/en/latest/plugins/elasticsearch-logger.md): push logs to Elasticsearch.
@@ -191,12 +193,6 @@ Using AWS's eight-core server, APISIX's QPS reaches 140,000 with a latency of on
 
 [APISIX also works perfectly in AWS graviton3 C7g.](https://apisix.apache.org/blog/2022/06/07/installation-performance-test-of-apigateway-apisix-on-aws-graviton3)
 
-## Contributor Over Time
-
-> [visit here](https://www.apiseven.com/contributor-graph) to generate Contributor Over Time.
-
-[![Contributor over time](https://contributor-graph-api.apiseven.com/contributors-svg?repo=apache/apisix)](https://www.apiseven.com/en/contributor-graph?repo=apache/apisix)
-
 ## User Stories
 
 - [European eFactory Platform: API Security Gateway – Using APISIX in the eFactory Platform](https://www.efactory-project.eu/post/api-security-gateway-using-apisix-in-the-efactory-platform)
@@ -231,15 +227,6 @@ A wide variety of companies and organizations use APISIX API Gateway for researc
 - XPENG
 - Zoom
 
-## Landscape
-
-<p align="left">
-<img src="./logos/cncf-landscape-white-bg.jpg" width="175">&nbsp;&nbsp;<img src="./logos/cncf-white-bg.jpg" width="200" />
-<br /><br />
-APISIX enriches the <a href="https://landscape.cncf.io/card-mode?category=api-gateway&grouping=category">
-CNCF API Gateway Landscape.</a>
-</p>
-
 ## Logos
 
 - [Apache APISIX logo(PNG)](https://github.com/apache/apisix/tree/master/logos/apache-apisix.png)

apisix-master-0.rockspec

@@ -51,7 +51,6 @@ dependencies = {
     "lua-protobuf = 0.5.0-1",
     "lua-resty-openidc = 1.7.6-3",
     "luafilesystem = 1.7.0-2",
-    "api7-lua-tinyyaml = 0.4.4",
     "nginx-lua-prometheus-api7 = 0.20240201-1",
     "jsonschema = 0.9.8",
     "lua-resty-ipmatcher = 0.6.1",

apisix/cli/file.lua

@@ -15,7 +15,7 @@
 -- limitations under the License.
 --
 
-local yaml = require("tinyyaml")
+local yaml = require("lyaml")
 local profile = require("apisix.core.profile")
 local util = require("apisix.cli.util")
 local cli_config = require("apisix.cli.config")
@@ -24,7 +24,6 @@ local dkjson = require("dkjson")
 local pairs = pairs
 local type = type
 local tonumber = tonumber
-local getmetatable = getmetatable
 local getenv = os.getenv
 local str_gmatch = string.gmatch
 local str_find = string.find
@@ -158,14 +157,6 @@ local function replace_by_reserved_env_vars(conf)
 end
 
 
-local function tinyyaml_type(t)
-    local mt = getmetatable(t)
-    if mt then
-        return mt.__type
-    end
-end
-
-
 local function path_is_multi_type(path, type_val)
     if str_sub(path, 1, 14) == "nginx_config->" and
             (type_val == "number" or type_val == "string") then
@@ -189,7 +180,7 @@ local function merge_conf(base, new_tab, ppath)
 
     for key, val in pairs(new_tab) do
         if type(val) == "table" then
-            if tinyyaml_type(val) == "null" then
+            if val == yaml.null then
                 base[key] = nil
 
             elseif tab_is_array(val) then
@@ -257,7 +248,7 @@ function _M.read_yaml_conf(apisix_home)
     end
 
     if not is_empty_file then
-        local user_conf = yaml.parse(user_conf_yaml)
+        local user_conf = yaml.load(user_conf_yaml)
         if not user_conf then
             return nil, "invalid config.yaml file"
         end
@@ -297,7 +288,7 @@ function _M.read_yaml_conf(apisix_home)
         local apisix_conf_path = profile:yaml_path("apisix")
         local apisix_conf_yaml, _ = util.read_file(apisix_conf_path)
         if apisix_conf_yaml then
-            local apisix_conf = yaml.parse(apisix_conf_yaml)
+            local apisix_conf = yaml.load(apisix_conf_yaml)
             if apisix_conf then
                 local ok, err = resolve_conf_var(apisix_conf)
                 if not ok then

apisix/core/config_yaml.lua

@@ -21,7 +21,7 @@
 
 local config_local = require("apisix.core.config_local")
 local config_util  = require("apisix.core.config_util")
-local yaml         = require("tinyyaml")
+local yaml         = require("lyaml")
 local log          = require("apisix.core.log")
 local json         = require("apisix.core.json")
 local new_tab      = require("table.new")
@@ -100,7 +100,7 @@ local function read_apisix_yaml(premature, pre_mtime)
     local yaml_config = f:read("*a")
     f:close()
 
-    local apisix_yaml_new = yaml.parse(yaml_config)
+    local apisix_yaml_new = yaml.load(yaml_config)
     if not apisix_yaml_new then
         log.error("failed to parse the content of file " .. apisix_yaml_path)
         return

apisix/core/request.lua

@@ -144,6 +144,11 @@ local function modify_header(ctx, header_name, header_value, override)
         req_add_header(header_name, header_value)
     end
 
+    if ctx and ctx.var then
+        -- when the header is updated, clear cache of ctx.var
+        ctx.var["http_" .. str_lower(header_name)] = nil
+    end
+
     if is_apisix_or and not changed then
         -- if the headers are not changed before,
         -- we can only update part of the cache instead of invalidating the whole

apisix/debug.lua

@@ -15,7 +15,7 @@
 -- limitations under the License.
 --
 local require      = require
-local yaml         = require("tinyyaml")
+local yaml         = require("lyaml")
 local log          = require("apisix.core.log")
 local profile      = require("apisix.core.profile")
 local lfs          = require("lfs")
@@ -130,7 +130,7 @@ local function read_debug_yaml()
     local yaml_config = f:read("*a")
     f:close()
 
-    local debug_yaml_new = yaml.parse(yaml_config)
+    local debug_yaml_new = yaml.load(yaml_config)
     if not debug_yaml_new then
         log.error("failed to parse the content of file " .. debug_yaml_path)
         return

apisix/ssl.lua

@@ -18,7 +18,9 @@ local core           = require("apisix.core")
 local secret         = require("apisix.secret")
 local ngx_ssl        = require("ngx.ssl")
 local ngx_ssl_client = require("ngx.ssl.clienthello")
+local ffi            = require("ffi")
 
+local C = ffi.C
 local ngx_encode_base64 = ngx.encode_base64
 local ngx_decode_base64 = ngx.decode_base64
 local aes = require("resty.aes")
@@ -28,6 +30,10 @@ local assert = assert
 local type = type
 local ipairs = ipairs
 
+ffi.cdef[[
+unsigned long ERR_peek_error(void);
+void ERR_clear_error(void);
+]]
 
 local cert_cache = core.lrucache.new {
     ttl = 3600, count = 1024,
@@ -155,6 +161,12 @@ local function aes_decrypt_pkey(origin, field)
         if decrypted then
             return decrypted
         end
+
+        if C.ERR_peek_error() then
+            -- clean up the error queue of OpenSSL to prevent
+            -- normal requests from being interfered with.
+            C.ERR_clear_error()
+        end
     end
 
     return nil, "decrypt ssl key failed"

conf/config-default.yaml

@@ -53,7 +53,7 @@ apisix:
         memory_size: 50m        # Size of the memory to store the cache index.
         disk_size: 1G           # Size of the disk to store the cache data.
         disk_path: /tmp/disk_cache_one  # Path to the cache file for disk cache.
-        cache_levels: 1:2               # Cache hierarchy levels of disk cache.
+        cache_levels: "1:2"               # Cache hierarchy levels of disk cache.
       # - name: disk_cache_two
       #  memory_size: 50m
       #  disk_size: 1G
@@ -73,7 +73,7 @@ apisix:
     ssl: radixtree_sni          # radixtree_sni: match route by SNI
 
   # http is the default proxy mode. proxy_mode can be one of `http`, `stream`, or `http&stream`
-  proxy_mode: http
+  proxy_mode: "http"
   # stream_proxy:                 # TCP/UDP L4 proxy
   #   tcp:
   #     - addr: 9100              # Set the TCP proxy listening ports.

docs/en/latest/config.json

@@ -380,6 +380,10 @@
         {
           "type": "doc",
           "id": "ssl-protocol"
+        },
+        {
+          "type": "doc",
+          "id": "http3"
         }
       ]
     },

docs/en/latest/deployment-modes.md

@@ -267,6 +267,26 @@ plugins:
 #END
 ```
 
+### How to configure Plugin Configs
+
+```yml
+plugin_configs:
+    -
+        id: 1
+        plugins:
+            response-rewrite:
+                body: "hello\n"
+routes:
+    - id: 1
+      uri: /hello
+      plugin_config_id: 1
+      upstream:
+        nodes:
+          "127.0.0.1:1980": 1
+        type: roundrobin
+#END
+```
+
 ### How to enable SSL
 
 ```yml