[PIP-60] Add TLS SNI support for cpp and python clients #8957
@BewareMyPower Can you review this pull request?
For the format issues, you should format your code with clang-format 5.0. Besides, the Pulsar C++ client uses camel case, not snake case, though there's no related check like there is for format.
Also, I think a unit test is required for verification, like #6566 did. By the way, the PR description should not just copy from the PIP 60
Netty is for Java client.
/pulsarbot run-failure-checks
@jiazhai @BewareMyPower Can you review this PR?
@deonvdv thanks for your great work. Would you like to add docs accordingly? Then I can help review, thanks
@BewareMyPower @merlimat @sijie
* Add TLS SNI support for cpp and python clients (cherry picked from commit f018892)
I am confused here. How does this change support SNI routing on the client side?
I am really confused about what exactly we are trying to do here and how it is related to the SNI proxy. I also checked the CPP + SNI doc PR, which is also kind of misleading about the usage: https://github.com/apache/pulsar/pull/9937/files Can someone please help me understand how it actually performs SNI routing?
I see multiple approvals. Can someone please explain what exactly this PR is doing? This PR has just added an error log and moved lines?
No. The core change of this PR is that
While I agree the implementation of this PR is different from the original PIP-60, the actual broker service URL is retrieved from the lookup response. The 2nd argument passed to
@BewareMyPower
Motivation
Implementation of PIP-60
A proxy server is a go-between or intermediary server that forwards requests from multiple clients to different servers across the Internet. The proxy server can act as a "traffic cop" in both forward and reverse proxy scenarios, and adds various benefits to your system such as load balancing, performance, security, auto-scaling, etc. There are already many proxy servers available in the market which are fast, scalable and, more importantly, cover various essential security aspects that are needed by large organizations to securely share their confidential data over the network. Pulsar already provides a proxy implementation, PIP-1, which acts as a reverse proxy and creates a gateway in front of brokers. However, Pulsar doesn't provide support for using other proxies such as Apache Traffic Server (ATS), HAProxy, Nginx and Envoy, which are more scalable and secure. Most of these proxy servers support SNI routing, which can route traffic to a destination without having to terminate the SSL connection. Routing at layer 4 gives greater transparency because the outbound connection is determined by examining the destination address in the client TCP packets.
Netty supports sending SNI header on TLS handshake and this PR uses that Netty feature to send SNI header while connecting to proxy.
Modification
https://github.com/apache/pulsar/wiki/PIP-60:-Support-Proxy-server-with-SNI-routing:-Support-Proxy-server-with-SNI-routing#changes