[PIP-60] [Proxy-Server] Support SNI routing to support various proxy-server in pulsar #6566
Conversation
rdhabalia
requested review from
merlimat,
sijie,
jiazhai,
jai1,
codelipenghui,
saandrews and
massakam
rdhabalia
changed the title
sijie
added
the
doc-required
There was a problem hiding this comment.
@rdhabalia this is a great change! Overall the change looks good to me. I left some suggestions. PTAL.
| authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH); | ||
| clientBuilder.authentication(AuthenticationTls.class.getName(), authParams); | ||
|
|
||
| PulsarClient pulsarClient = clientBuilder.build(); |
There was a problem hiding this comment.
Should we close the client or add @Cleanup annotation?
There was a problem hiding this comment.
yes.. will add it.
|
|
||
| try { | ||
| pulsarClient.newProducer().topic(topicName).create(); | ||
| fail("should have failed due to invalid url"); |
There was a problem hiding this comment.
| fail("should have failed due to invalid url"); | |
| fail("should have failed due to non-tls url"); |
| example = "pulsar+ssl://ats-proxy.example.com:4443 or " | ||
| + "pulsar://ats-proxy.example.com:4080" | ||
| ) | ||
| private String proxyServiceUrl; |
There was a problem hiding this comment.
based on my understanding, this service URL here can only be the binary protocol service URL correct? We can't use the HTTP-protocol service URL. If that's the case, can you document this setting in ClusterData and the related command-line tools? It might be good to add a validation to throw exceptions if it is not a binary protocol service url.
There was a problem hiding this comment.
yes, SNI works on layer-4 so, it requires binary URL for SNI routing. however, we added proxyUrl placeholder extensible by adding proxyType and right now we support SNI and in future we can have other type which can support HTTP as well. So, I think we don't want to restrict with binary url only. But I have a plan to add a separate document with examples of different proxy-solutions(ATS, Envoy) as multiple users are interested in this solution.
|
@sijie addressed the comments. |
|
/pulsarbot run-failure-checks |
|
@rdhabalia Can you rebase this pull request? |
|
@rdhabalia could you please rebase this branch. |
|
yes, I will rebase it soon. |
rdhabalia
force-pushed
the
proxy_sni
branch
2 times, most recently
from
f98139d
to
7f4602a
Compare
|
/pulsarbot run-failure-checks |
rdhabalia
force-pushed
the
proxy_sni
branch
2 times, most recently
from
0bb290d
to
2a6628a
Compare
|
/pulsarbot run-failure-checks |
… pulsar addressed comments fix tls handler
…server in pulsar (apache#6566) ### Motivation Implementation of [PIP-60](https://github.com/apache/pulsar/wiki/PIP-60:-Support-Proxy-server-with-SNI-routing) A proxy server is a go‑between or intermediary server that forwards requests from multiple clients to different servers across the Internet. The proxy server can act as a “traffic cop,” in both forward and reverse proxy scenarios, and adds various benefits in your system such as load balancing, performance, security, auto-scaling, etc.. There are already many proxy servers already available in the market which are fast, scalable and more importantly covers various essential security aspects that are needed by the large organization to securely share their confidential data over the network. Pulsar already provides proxy implementation PIP-1 which acts as a reverse proxy and creates a gateway in front of brokers. However, pulsar doesn’t provide support to use other proxies such as Apache traffic server (ATS), HAProxy, Nginx, Envoy those are more scalable and secured. Most of these proxy-servers support SNI ROUTING which can route traffic to a destination without having to terminate the SSL connection. Routing at layer 4 gives greater transparency because the outbound connection is determined by examining the destination address in the client TCP packets. [Netty supports sending SNI header on TLS handshake](netty/netty#3801 (comment)) and this PR uses that Netty feature to send SNI header while connecting to proxy. ### Modification https://github.com/apache/pulsar/wiki/PIP-60:-Support-Proxy-server-with-SNI-routing#changes **Note:** we have fully tested this changes with ATS proxy for both forward and reverse proxy scenarios. And I have also shared e2e example in PIP to use ATS proxy for client and broker integration.
Anonymitaet
removed
the
doc-required
Motivation
Implementation of PIP-60
A proxy server is a go‑between or intermediary server that forwards requests from multiple clients to different servers across the Internet. The proxy server can act as a “traffic cop,” in both forward and reverse proxy scenarios, and adds various benefits in your system such as load balancing, performance, security, auto-scaling, etc.. There are already many proxy servers already available in the market which are fast, scalable and more importantly covers various essential security aspects that are needed by the large organization to securely share their confidential data over the network. Pulsar already provides proxy implementation PIP-1 which acts as a reverse proxy and creates a gateway in front of brokers. However, pulsar doesn’t provide support to use other proxies such as Apache traffic server (ATS), HAProxy, Nginx, Envoy those are more scalable and secured. Most of these proxy-servers support SNI ROUTING which can route traffic to a destination without having to terminate the SSL connection. Routing at layer 4 gives greater transparency because the outbound connection is determined by examining the destination address in the client TCP packets.
Netty supports sending SNI header on TLS handshake and this PR uses that Netty feature to send SNI header while connecting to proxy.
Modification
https://github.com/apache/pulsar/wiki/PIP-60:-Support-Proxy-server-with-SNI-routing#changes
Note: we have fully tested this changes with ATS proxy for both forward and reverse proxy scenarios. And I have also shared e2e example in PIP to use ATS proxy for client and broker integration.