[ISSUE #10302] Support SNI multi-domain certificate for Proxy TLS#10303
Open
qianye1001 wants to merge 5 commits into
Conversation
Introduce Server Name Indication (SNI) support to allow RocketMQ Proxy to serve multiple TLS domains with independent certificates on the same port.

Key changes:
- New TlsDomainConfig POJO for per-domain cert/key configuration
- New TlsSniManager for wildcard-aware SslContext management
- Extended TlsCertificateManager for multi-domain file watching
- ProxyAndTlsProtocolNegotiator uses SniHandler for SNI-aware TLS
- NettyRemotingServer TlsModeHandler uses TlsContextProvider bridge
- TlsContextProvider in remoting module for SNI context lookup
- Backward compatible: single cert behavior unchanged when no tlsDomainConfigs is configured

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
81f77ea to ccd1704
…ificate support
- Fix SniHandler usage in NettyRemotingServer using AsyncMapping adapter
- Fix GlobalEventExecutor import path in remoting module
- Use standard Netty SslContext in TlsSniManager for remoting compatibility, while maintaining gRPC-shaded SslContext for gRPC server
- Update TlsCertificateManager imports and test class references
- Update ProxyAndTlsProtocolNegotiator to use correct SniHandler constructor
- Fix test imports and exception type expectations

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… module compatibility
- Fix SniHandler to use single-arg AsyncMapping constructor (compatible with both Maven and Bazel builds)
- Fix IntegrationTestBase.java to pass TlsSniManager to TlsCertificateManager constructor
- Add TlsSniManager initialization in integration test setup

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…lContext
- Set TlsContextProvider.getInstance().setSingleContext() after building SslContext so that TlsModeHandler can find the context
- This fixes TlsTest failure "Trying to establish an SSL connection but SslContext is null"

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Codecov Report
❌ Patch coverage is

@@ Coverage Diff @@
##            develop   #10303     +/-   ##
=============================================
- Coverage      48.98%   48.87%   -0.11%
- Complexity     13470    13494      +24
=============================================
  Files           1375     1378       +3
  Lines         100450   100730     +280
  Branches       12973    13016      +43
=============================================
+ Hits           49202    49234      +32
- Misses         45256    45459     +203
- Partials        5992     6037      +45
…e review
Address 7 issues from code review:
- Fix gRPC SNI protocol negotiation by adding GrpcSniHandshakeCompleteHandler to fire ProtocolNegotiationEvent after TLS handshake completes
- Consolidate to single global TlsSniManager singleton instance
- Use sorted wildcard patterns (longest-first) for deterministic matching
- Remove bare domain matching fallback per RFC 6125
- Refactor SslContext builders to eliminate code duplication

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Which Issue(s) This PR Fixes
Brief Description
Introduce SNI (Server Name Indication) support to allow RocketMQ Proxy to serve multiple TLS domains with independent certificates on the same port.
Key changes:
- proxy/.../config/TlsDomainConfig.java
- proxy/.../config/ProxyConfig.java: tlsDomainConfigs map field + getters/setters
- proxy/.../service/cert/TlsSniManager.java
- proxy/.../service/cert/TlsCertificateManager.java
- proxy/.../grpc/ProxyAndTlsProtocolNegotiator.java: SniHandler + TlsSniManager for gRPC SNI
- proxy/.../grpc/GrpcServer.java
- proxy/.../remoting/MultiProtocolRemotingServer.java: TlsContextProvider with SNI lookup
- proxy/.../ProxyStartup.java: TlsSniManager before TlsCertificateManager
- remoting/.../netty/TlsContextProvider.java
- remoting/.../netty/NettyRemotingServer.java: TlsModeHandler uses SniHandler via TlsContextProvider

Backward compatibility: When tlsDomainConfigs is not configured, behavior is identical to the existing single-cert model.

How Did You Test This Change?
- TlsSniManagerTest for wildcard matching, exact match, null/empty fallback, multi-level subdomain rejection, and domain context reload
- TlsCertificateManagerTest for the new multi-domain constructor

CI will run mvn -B package to verify compilation and all existing tests pass.
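The matching rules named in the review commit and the test list above (exact match first, wildcard patterns sorted longest-first, a wildcard covering exactly one label, no bare-domain fallback per RFC 6125, and the default context for a null or empty SNI) as an added plain-Java illustration; this is not the PR's TlsSniManager, the class and method names are assumed, and the string context ids stand in for SslContext instances.

```java
import java.util.*;
/** Hypothetical SNI resolver showing the matching rules; not the PR's TlsSniManager. */
public final class SniCertificateResolver {
    private final Map<String, String> exact = new HashMap<>();   // host -> context id
    private final List<String[]> wildcards = new ArrayList<>();  // {".suffix", context id}
    private final String defaultContext;                         // single-cert fallback

    public SniCertificateResolver(String defaultContext) { this.defaultContext = defaultContext; }

    /** Register "api.example.com" (exact) or "*.example.com" (wildcard for exactly one label). */
    public void register(String pattern, String contextId) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) { exact.put(p, contextId); return; }
        wildcards.add(new String[] {p.substring(1), contextId});      // keep ".example.com"
        // longest suffix first, so "*.a.example.com" is tried before "*.example.com"
        wildcards.sort((x, y) -> Integer.compare(y[0].length(), x[0].length()));
    }

    /** Pick the context for an SNI host name; null/empty SNI falls back to the default. */
    public String resolve(String sni) {
        if (sni == null || sni.isEmpty()) return defaultContext;
        String host = sni.toLowerCase(Locale.ROOT);
        String hit = exact.get(host);
        if (hit != null) return hit;                                   // exact match wins
        for (String[] w : wildcards) {
            String suffix = w[0];
            if (!host.endsWith(suffix)) continue;                     // bare "example.com" never matches
            String label = host.substring(0, host.length() - suffix.length());
            if (!label.isEmpty() && label.indexOf('.') < 0) return w[1]; // exactly one label
        }
        return defaultContext;                                         // unknown host: default cert
    }
    private static void check(String actual, String expected) {
        if (!expected.equals(actual)) throw new IllegalStateException(actual + " != " + expected);
    }

    public static void main(String[] args) {
        SniCertificateResolver r = new SniCertificateResolver("default");
        r.register("*.example.com", "wild");
        r.register("*.a.example.com", "deep");
        r.register("api.example.com", "api");
        check(r.resolve("api.example.com"), "api");      // exact beats wildcard
        check(r.resolve("www.example.com"), "wild");
        check(r.resolve("x.a.example.com"), "deep");     // longest suffix first
        check(r.resolve("x.y.example.com"), "default");  // multi-level subdomain rejected
        check(r.resolve("example.com"), "default");      // no bare-domain fallback (RFC 6125)
        check(r.resolve(null), "default");
        System.out.println("all SNI matching rules hold");
    }
}
```

Wiring this into Netty would mean returning the chosen SslContext from an AsyncMapping handed to SniHandler, as the PR's commit messages describe; the resolver above isolates only the selection policy so it can be unit-tested without a TLS stack.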