More proxy/routing flexibility #IntoTheLua

jeremyjpj0916 · February 21, 2019, 4:33am

As mentioned here:

I would like to see the Kong experts try their hand at giving community/enterprise users more flexibility around how to proxy/route to destinations. Right now when it comes to gateway proxying we are tied to nginx directives(proxy_pass /upstreams) exclusively and can’t get customized with it without writing something from the ground up as either a plugin or an overwrite to core Kong logic.

I propose a Kong homegrown and improved fork of GitHub - ledgetech/lua-resty-http: Lua HTTP client cosocket driver for OpenResty / ngx_lua. as a different lua driven lib for proxying to give us that lower level control and potential perf benefits. I feel certain it would also help in situations like this we face:

github.com/Kong/kong

Keepalive to Kubernetes Edge Routes causing Incorrect Routing

opened 10:08PM - 18 Sep 18 UTC

closed 11:35PM - 16 Jul 20 UTC

rsbrisci

### Summary Our Kong has several separate services that route to a RedHat kuber…netes re-skin called Openshift Origin (OSO). The way OSO works, is that edge routes are defined for the separate services hosted on it - that all resolve to the same IP (OSO Router). The way the router determines which pod to send traffic to, is via the HTTP HOST Header. So: ``` curl https://myapp.oso.company.com - routes to myapp pod curl https://theirapp.oso.company.com - routes to theirapp pod ``` But ``` nslookup myapp.oso.company.com = 10.0.0.1 nslookup theirapp.oso.company.com = 10.0.0.1 ``` so if I wanted to use the IP to make the call, I’d do this: ``` curl https://10.0.0.1/ -H "Host: myapp.oso.company.com" curl https://10.0.0.1/ -H "Host: theirapp.oso.company.com" ``` The problem is this: **When the proxy for myapp.oso has >5tps, Kong will sometimes send traffic for the theirapp proxy to the myapp.oso upstream**. When we disable ngx upstream keepalives, the issue is resolved. My theory, is that because Keepalives are maintained as a IP:PORT pair, and we are sending to the same IP:PORT for both myapp and theirapp - Kong is re-using the socket for myapp which was for theirapp's traffic. There is nothing in the logs, even at the most detailed - when this occurs. ### Steps To Reproduce 1. Create two services on Kubernetes with SSL edge routes and create proxies for them on Kong 2. Send >5tps traffic to one of them 3. Test calls against the other, from the same kong cluster ### Additional Details & Logs - Kong version: 0.14.1 - Kong debug-level startup logs (`$ kong start --vv`) - DEBUG LOGS DO NOT SHOW ANYTHING - Kong error logs (`<KONG_PREFIX>/logs/error.log`) - ERROR LOGS DO NOT SHOW ANYTHING - Kong configuration (the output of a GET request to Kong's Admin ```json { "plugins": { "enabled_in_cluster": [ "acl", "request-size-limiting", "oauth2", "kong-path-based-routing", "cors", "kong-oidc-auth", "rate-limiting", "kong-upstream-jwt", "kong-oidc-multi-idp", "kong-spec-expose", "jwt", "request-termination", "kong-cluster-drain", "statsd", "correlation-id", "kong-splunk-log" ], "available_on_server": { "kong-path-based-routing": true, "kong-spec-expose": true, "kong-cluster-drain": true, "correlation-id": true, "kong-splunk-log": true, "jwt": true, "cors": true, "rate-limiting": true, "kong-oidc-auth": true, "kong-upstream-jwt": true, "request-size-limiting": true, "request-termination": true, "kong-oidc-multi-idp": true, "kong-service-virtualization": true, "request-transformer": true, "acl": true, "statsd": true, "oauth2": true } }, "tagline": "Welcome to kong", "configuration": { "plugins": [ "request-transformer", "kong-service-virtualization", "kong-cluster-drain", "kong-upstream-jwt", "kong-splunk-log", "kong-spec-expose", "kong-oidc-auth", "kong-path-based-routing", "kong-oidc-multi-idp", "correlation-id", "oauth2", "statsd", "jwt", "rate-limiting", "acl", "request-size-limiting", "request-termination", "cors" ], "admin_ssl_enabled": false, "lua_ssl_verify_depth": 3, "trusted_ips": { }, "lua_ssl_trusted_certificate": "\/usr\/local\/kong\/ssl\/kongcert.pem", "loaded_plugins": { "kong-path-based-routing": true, "kong-spec-expose": true, "kong-cluster-drain": true, "correlation-id": true, "kong-splunk-log": true, "jwt": true, "cors": true, "kong-oidc-multi-idp": true, "kong-oidc-auth": true, "kong-upstream-jwt": true, "acl": true, "oauth2": true, "statsd": true, "kong-service-virtualization": true, "request-transformer": true, "request-size-limiting": true, "rate-limiting": true, "request-termination": true }, "cassandra_username": "xxx", "admin_ssl_cert_csr_default": "\/usr\/local\/kong\/ssl\/admin-kong-default.csr", "ssl_cert_key": "\/usr\/local\/kong\/ssl\/kongprivatekey.key", "dns_resolver": { }, "pg_user": "kong", "mem_cache_size": "1024m", "cassandra_data_centers": [ "dc1:2", "dc2:3" ], "nginx_admin_directives": { }, "cassandra_password": "******", "custom_plugins": { }, "pg_host": "127.0.0.1", "nginx_acc_logs": "\/usr\/local\/kong\/logs\/access.log", "proxy_listen": [ "0.0.0.0:8000", "0.0.0.0:8443 ssl http2" ], "client_ssl_cert_default": "\/usr\/local\/kong\/ssl\/kong-default.crt", "ssl_cert_key_default": "\/usr\/local\/kong\/ssl\/kong-default.key", "dns_no_sync": false, "db_update_propagation": 5, "nginx_err_logs": "\/usr\/local\/kong\/logs\/error.log", "cassandra_port": 9042, "dns_order": [ "LAST", "SRV", "A", "CNAME" ], "dns_error_ttl": 1, "headers": [ "latency_tokens" ], "dns_stale_ttl": 4, "nginx_optimizations": true, "database": "cassandra", "pg_database": "kong", "nginx_worker_processes": "auto", "lua_package_cpath": "", "admin_acc_logs": "\/usr\/local\/kong\/logs\/admin_access.log", "lua_package_path": ".\/?.lua;.\/?\/init.lua;", "nginx_pid": "\/usr\/local\/kong\/pids\/nginx.pid", "upstream_keepalive": 120, "cassandra_contact_points": [ "xxx", "xxx", "xxx", "xxx", "xxx", "xxx" ], "admin_access_log": "off", "client_ssl_cert_csr_default": "\/usr\/local\/kong\/ssl\/kong-default.csr", "proxy_listeners": [ { "ssl": false, "ip": "0.0.0.0", "proxy_protocol": false, "port": 8000, "http2": false, "listener": "0.0.0.0:8000" }, { "ssl": true, "ip": "0.0.0.0", "proxy_protocol": false, "port": 8443, "http2": true, "listener": "0.0.0.0:8443 ssl http2" } ], "proxy_ssl_enabled": true, "proxy_access_log": "off", "ssl_cert_csr_default": "\/usr\/local\/kong\/ssl\/kong-default.csr", "enabled_headers": { "latency_tokens": true, "X-Upstream-Status": false, "X-Proxy-Latency": true, "server_tokens": false, "Server": false, "Via": false, "X-Upstream-Latency": true }, "cassandra_ssl": true, "cassandra_local_datacenter": "ELR", "db_resurrect_ttl": 30, "db_update_frequency": 5, "cassandra_consistency": "LOCAL_QUORUM", "client_max_body_size": "1000m", "admin_error_log": "\/dev\/stderr", "pg_ssl_verify": false, "dns_not_found_ttl": 30, "pg_ssl": false, "cassandra_repl_factor": 1, "cassandra_lb_policy": "RequestDCAwareRoundRobin", "cassandra_repl_strategy": "SimpleStrategy", "nginx_kong_conf": "\/usr\/local\/kong\/nginx-kong.conf", "error_default_type": "text\/plain", "nginx_http_directives": { }, "real_ip_header": "X-Real-IP", "kong_env": "\/usr\/local\/kong\/.kong_env", "cassandra_schema_consensus_timeout": 10000, "dns_hostsfile": "\/etc\/hosts", "admin_listeners": [ { "ssl": false, "ip": "0.0.0.0", "proxy_protocol": false, "port": 8001, "http2": false, "listener": "0.0.0.0:8001" } ], "ssl_ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", "ssl_cert": "\/usr\/local\/kong\/ssl\/kongcert.crt", "prefix": "\/usr\/local\/kong", "admin_ssl_cert_key_default": "\/usr\/local\/kong\/ssl\/admin-kong-default.key", "cassandra_ssl_verify": true, "db_cache_ttl": 0, "ssl_cipher_suite": "modern", "real_ip_recursive": "off", "proxy_error_log": "\/dev\/stderr", "client_ssl_cert_key_default": "\/usr\/local\/kong\/ssl\/kong-default.key", "nginx_daemon": "off", "anonymous_reports": false, "cassandra_timeout": 5000, "nginx_proxy_directives": { }, "pg_port": 5432, "log_level": "notice", "client_body_buffer_size": "20m", "client_ssl": false, "lua_socket_pool_size": 30, "admin_ssl_cert_default": "\/usr\/local\/kong\/ssl\/admin-kong-default.crt", "cassandra_keyspace": "kong_stage", "ssl_cert_default": "\/usr\/local\/kong\/ssl\/kong-default.crt", "nginx_conf": "\/usr\/local\/kong\/nginx.conf", "admin_listen": [ "0.0.0.0:8001" ] }, "version": "0.14.1", "node_id": "3a7824e4-2971-4daa-9351-c05293b26f04", "lua_version": "LuaJIT 2.1.0-beta3", "prng_seeds": { "pid: 30": 121842322351, "pid: 37": 205914716415, "pid: 36": 619910823160, "pid: 35": 158818822910, "pid: 33": 106581771972, "pid: 34": 119182521233, "pid: 31": 230127232253, "pid: 32": 194211052318 }, "timers": { "pending": 4, "running": 0 }, "hostname": "kong-186-txzsv" } ``` - Operating system: Alpine Linux kong-186-txzsv 3.10.0-693.el7.x86_64

Where I need access to low level options around active connection pooling
"
the pool option on the underlying TCP socket connect call

"
to create keepalive connections on a per hostname basis(which in our case will solve ephemeral port exhaustion issues and other problems we see because right now we can use no keepalive) or some other customized logic that would be trivial to bake in if Kong already had the framework for leveraging a flavor of the opensource lua http libs out there production ready.

I have not studied it too much but I am also curious if there will be other found perf benefits to doing so as well(better throughput results, lower latency etc).

As discussed such would be a big change if Kong just sprung it on people over some major version release but I would propose we have a new config option that lets us pick experimental proxying that would allow people to test newer patterns but to be able to quickly toggle back to the old faithful patterns if they prove problematic for folks. KONG_PROXY_TYPE = proxy_pass, kong_proxy or something for an in house feel. Then if results are positive and everything goes smoothly in later iterations you default from say proxy_pass to kong_proxy . Ofc the first trick is figuring out how to integrate the other libs and how to configure its settings to behave closely inline with what proxy_pass offers in its current configuration.

But ultimately I see it as a big plus because then nothing stands in the way of tweaking the low level connection behaviors between Kong and APIs. My other concerns would be a few potential issues around how websocket connections would work if that other lib was leveraged(or would we lose that feature of nginx if we used something besides proxy_pass, or can that http lib support a websocket call too, I am not exactly sure). One of those kinda features I would love to help test/benchmark compare to help determine if its worth pursuing but if I were to try to implement I would probably do wrong .

I do plan on writing a crappy plugin just to give it a go and short circuit the transaction before proxy_pass in the access phase and see how that works at just a basic level in a month or two as I get some free time for it.

Topic		Replies	Views
Using ngx.socket to forward request to upstream instead of using default nginx proxy module Questions	4	2438	January 2, 2019
Kong HTTP Proxy Question Questions	1	396	October 8, 2018
Kong HTTP Log Plugin Errors Questions	15	6136	June 4, 2018
Sending request with tcp connection Questions	3	678	May 13, 2019
Communication related to custom TPC plugin development Questions	0	368	February 24, 2022

More proxy/routing flexibility #IntoTheLua

Related Topics