Dynamic proxy #564
I've built this on Go 1.6 beta 1 and made some changes to be more compatible. Namely, I removed the use of the /x/net/http2 package and let net/http enable h2 by default; updated the way h2 is disabled (if the user requires it); moved TLS_FALLBACK_SCSV to the front of the cipher suites list (all values not accepted by http2 must go after those allowed by it); removed the NextProto default of http/1.1; set the http.Server.TLSConfig value to the TLS config used by the listener (we left it nil before, but this prevents automatic enabling of h2). It is very likely there is more to do, but at least already Caddy uses HTTP/2 when built with Go 1.6.
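The cipher-suite ordering rule in the commit message above, as an added Go example that is not Caddy's code and not part of this PR: the HTTP/2-approved suite list, the mandatory-suite requirement and the helper names `checkH2CipherSuites`, `newTLSConfig` and `newServer` are this example's own, modelled on the checks Go's net/http HTTP/2 support performs when it configures a server.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// h2Approved is this example's list of suites an HTTP/2 peer will accept: RFC 7540
// Appendix A blacklists everything that is not ECDHE with an AEAD. The Go http2 package
// keeps its own list derived from that appendix. TLS_FALLBACK_SCSV is a signalling
// value, not a cipher, so it passes the check wherever it sits; the commit puts it first.
var h2Approved = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	tls.TLS_FALLBACK_SCSV:                       true,
}

// checkH2CipherSuites applies the two rules the Go HTTP/2 server enforces at startup:
// the mandatory AES-128-GCM ECDHE suite (RFC 7540 section 9.2.2) must be present, and
// no approved suite may follow an unapproved one, because with server-side preference
// a client offering both could be handed the unapproved suite and have its h2
// connection refused as INADEQUATE_SECURITY.
func checkH2CipherSuites(suites []uint16) error {
	sawUnapproved, haveMandatory := false, false
	for i, cs := range suites {
		if cs == tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 || cs == tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {
			haveMandatory = true
		}
		if !h2Approved[cs] {
			sawUnapproved = true
			continue
		}
		if sawUnapproved {
			return fmt.Errorf("cipher suite %#04x at index %d is HTTP/2-approved but comes after an unapproved suite", cs, i)
		}
	}
	if !haveMandatory {
		return errors.New("cipher suites are missing the HTTP/2-required AES_128_GCM_SHA256 ECDHE suite")
	}
	return nil
}

// newTLSConfig builds the listener config the commit describes: SCSV first, the h2-approved
// suites next, legacy suites last, and no NextProtos so net/http can add "h2" itself.
func newTLSConfig(certs []tls.Certificate) (*tls.Config, error) {
	cfg := &tls.Config{
		Certificates: certs,
		MinVersion:   tls.VersionTLS12, // HTTP/2 requires TLS 1.2 or newer
		CipherSuites: []uint16{
			tls.TLS_FALLBACK_SCSV,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // legacy suites: HTTP/1.1 clients only
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
	if err := checkH2CipherSuites(cfg.CipherSuites); err != nil {
		return nil, err
	}
	return cfg, nil
}

// newServer gives http.Server the same config the listener uses. Leaving TLSConfig nil
// is what kept net/http from enabling HTTP/2 on its own.
func newServer(addr string, cfg *tls.Config, h http.Handler) *http.Server {
	return &http.Server{Addr: addr, Handler: h, TLSConfig: cfg}
}
```

The check fails fast at startup rather than at the first h2 client, which is where an ordering mistake would otherwise surface as sporadic handshake failures.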
Implements "on-demand TLS" as I call it, which means obtaining TLS certificates on-the-fly during TLS handshakes if a certificate for the requested hostname is not already available. Only the first request for a new hostname will experience higher latency; subsequent requests will get the new certificates right out of memory. Code still needs lots of cleanup but the feature is basically working.
Conflicts: middleware/proxy/upstream.go
So after watching your video, this definitely does seem to be shaping up! I'm really glad you've taken the plunge into getting support for dynamic backends at least started! Based on some experience and seeing what others provide, I have some input that may not exactly apply to this specific PR but can at least spawn discussion and thinking for future additions to this end goal.
So this says look in the globally defined etcd K/V for Finally, I haven't used Caddy extensively yet but it seems it doesn't yet support Name Based Proxying? This feature is a must for Caddy to compete long-term as a docker load-balancer and reverse proxy.
I'm subscribed to this thread so post replies and let's work together to figure out the best way to do this!
....and now I am subscribed as well. Is there an IRC or messaging client that the three of us have in common?
@faddat Join us on gitter for dev chat: https://gitter.im/mholt/caddy
fastcgi: New function DialWithDialer to create FCGIClient with custom Dialer.
proxy: Support unix sockets
Biggest change is no longer using standard library's tls.Config.getCertificate function to get a certificate during TLS handshake. Implemented our own cache which can be changed dynamically at runtime, even during TLS handshakes. As such, restarts are no longer required after certificate renewals or OCSP updates. We also allow loading multiple certificates and keys per host, even by specifying a directory (tls got a new 'load' command for that). Renamed the letsencrypt package to https in a gradual effort to become more generic; and https is more fitting for what the package does now. There are still some known bugs, e.g. reloading where a new certificate is required but port 80 isn't currently listening, will cause the challenge to fail. There's still plenty of cleanup to do and tests to write. It is especially confusing right now how we enable "on-demand" TLS during setup and keep track of that. But this change should basically work so far.
After 10 certificates are issued, no new certificate requests are allowed for 10 minutes after a successful issuance.
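The on-demand certificate cache described in the commits above, together with the issuance limit just mentioned, as one added Go example that is not Caddy's code: the `certCache` type, its `sync.Map` store, the sliding-window reading of "10 certificates, then 10 minutes", the SNI validation and the `selfSigned` stand-in for the ACME client are all assumptions made here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"regexp"
	"strings"
	"sync"
	"time"
)

var errThrottled = errors.New("on-demand TLS: issuance limit reached, refusing new hostnames for now")
var hostChars = regexp.MustCompile(`^[a-z0-9.-]+$`)

// certCache is consulted on every handshake through tls.Config.GetCertificate, so a renewed
// certificate stored here takes effect immediately, with no listener restart.
type certCache struct {
	certs    sync.Map                                    // hostname -> *tls.Certificate, read-mostly
	issueMu  sync.Mutex                                  // serialises the slow path only
	obtain   func(host string) (*tls.Certificate, error) // ACME client in Caddy; self-signed in this example
	issued   []time.Time                                 // recent issuance times, guarded by issueMu
	maxBurst int                                         // after this many issuances inside window...
	window   time.Duration                               // ...refuse new hostnames until one ages out
}

func newCertCache(obtain func(string) (*tls.Certificate, error)) *certCache {
	return &certCache{obtain: obtain, maxBurst: 10, window: 10 * time.Minute}
}

// GetCertificate is the tls.Config hook. Fast path: one map lookup. Slow path, taken once per
// new hostname: validate the name, apply the throttle, obtain the certificate, store it.
func (c *certCache) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if host == "" || net.ParseIP(host) != nil || !hostChars.MatchString(host) {
		return nil, errors.New("on-demand TLS: empty, IP or malformed SNI name") // never issue for junk SNI
	}
	if v, ok := c.certs.Load(host); ok {
		return v.(*tls.Certificate), nil
	}
	c.issueMu.Lock() // cached hosts keep handshaking while this one waits for issuance
	defer c.issueMu.Unlock()
	if v, ok := c.certs.Load(host); ok { // a concurrent handshake already obtained it
		return v.(*tls.Certificate), nil
	}
	if !c.allowIssuance() {
		return nil, errThrottled
	}
	cert, err := c.obtain(host)
	if err != nil {
		return nil, err
	}
	c.issued = append(c.issued, time.Now())
	c.Store(host, cert)
	return cert, nil
}

// Store inserts or replaces a certificate at runtime (renewal, OCSP refresh): the next
// handshake for host picks it up, which is what removes the need to restart.
func (c *certCache) Store(host string, cert *tls.Certificate) { c.certs.Store(host, cert) }

// allowIssuance is this example's reading of the throttle described in the thread,
// implemented as a sliding window. Must be called with issueMu held.
func (c *certCache) allowIssuance() bool {
	cutoff := time.Now().Add(-c.window)
	recent := c.issued[:0]
	for _, t := range c.issued {
		if t.After(cutoff) {
			recent = append(recent, t)
		}
	}
	c.issued = recent
	return len(recent) < c.maxBurst
}

// selfSigned stands in for the ACME client: a throwaway P-256 certificate for host.
func selfSigned(host string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	cache := newCertCache(selfSigned)
	_ = &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: cache.GetCertificate} // pass to http.Server.TLSConfig
}
```

Two points matter for anyone wiring this up for real: the SNI name is validated before the cache or the throttle is consulted, because an unauthenticated client controls that string and must not be able to trigger certificate requests for arbitrary names, and the throttle sits on the slow path only, so once the limit is hit existing hostnames keep serving from memory while new ones are refused.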
After Caddy 0.9 is released (not next week, but the release after -- not sure when that is yet), Caddy will be in a much better position to have this merged. Not quite sure of the details yet but I'll work closely with @abiosoft at that point.
@mholt What will be the performance impact of this PR? Benchmark?
@thalesfsp No clue, honestly - @abiosoft might know better. I would imagine it would only have minimal, if any, impact, since as I understand it, the updating of proxies is done in the background.
You can always perform your own, too.
I expect it to have little to no impact
It's amazing this PR can still be merged 😄 That will not be the case for long though. The 0.9 changes are in a branch and will soon be in master. I don't yet have the proxy middleware brought over to that branch but I will soon, and then these changes can possibly go on top.
I use caddy as reverse proxy with docker-gen for my docker host and it works great. But etcd support sounds like a better solution. Can't wait to see this feature and the howto to use it ;) |
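How a proxy can pick up backend changes from a key-value watcher in the background without touching the request path, which is the basis of the "little to no impact" answer above, as an added Go example that is not the PR's code: the `upstreamPool` type, the `/caddy/upstreams/...` key layout and the channel standing in for a libkv `WatchTree` are this example's assumptions.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sort"
	"strings"
	"sync/atomic"
)

var errNoUpstream = errors.New("dynamic proxy: no upstreams registered")

// upstreamPool separates the hot path from the update path. A request takes one atomic
// load of the backend slice; the watcher goroutine replaces the whole slice at once, so
// no lock is held while proxying and no request ever sees a half-updated set.
type upstreamPool struct {
	counter uint64       // round-robin position; first field keeps it 64-bit aligned
	current atomic.Value // always holds a []*url.URL
}

func newPool(backends []*url.URL) *upstreamPool {
	p := &upstreamPool{}
	p.Update(backends)
	return p
}

// Update swaps in a new backend set. Called from the watcher, never from request handling.
func (p *upstreamPool) Update(backends []*url.URL) {
	p.current.Store(append([]*url.URL(nil), backends...)) // private copy; caller may reuse its slice
}

// Next picks the next backend round-robin over whatever set is current right now.
func (p *upstreamPool) Next() (*url.URL, error) {
	backends, _ := p.current.Load().([]*url.URL)
	if len(backends) == 0 {
		return nil, errNoUpstream
	}
	n := atomic.AddUint64(&p.counter, 1) - 1
	return backends[n%uint64(len(backends))], nil
}

// ServeHTTP proxies to the chosen backend and answers 503 when the set is empty
// instead of letting ReverseProxy try to dial nothing.
func (p *upstreamPool) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	target, err := p.Next()
	if err != nil {
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}
	httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
}

// backendsFromKV turns a KV snapshot (key -> "host:port" or full URL) into an ordered
// backend list. Keys are sorted so every reload yields the same order, and a bad value is
// skipped rather than taking the whole pool down. The key layout is this example's, not the PR's.
func backendsFromKV(kv map[string]string) []*url.URL {
	keys := make([]string, 0, len(kv))
	for k := range kv {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []*url.URL
	for _, k := range keys {
		raw := strings.TrimSpace(kv[k])
		if !strings.Contains(raw, "://") {
			raw = "http://" + raw
		}
		if u, err := url.Parse(raw); err == nil && u.Host != "" {
			out = append(out, u)
		}
	}
	return out
}

// watch applies each KV snapshot as it arrives. With libkv this loop would consume
// store.WatchTree; a plain channel stands in so the example runs offline.
func watch(ctx context.Context, snapshots <-chan map[string]string, pool *upstreamPool) {
	for {
		select {
		case <-ctx.Done():
			return
		case kv, ok := <-snapshots:
			if !ok {
				return
			}
			pool.Update(backendsFromKV(kv))
		}
	}
}

func main() {
	pool := newPool(nil)
	snapshots := make(chan map[string]string, 1)
	go watch(context.Background(), snapshots, pool)
	snapshots <- map[string]string{ // constructed sample; a real watcher would feed this channel
		"/caddy/upstreams/app/1": "10.0.0.11:8080",
		"/caddy/upstreams/app/2": "10.0.0.12:8080",
	}
	if err := http.ListenAndServe(":2015", pool); err != nil {
		panic(err)
	}
}
```

The cost of a backend change is one allocation and one atomic store on the watcher's goroutine; requests in flight finish against the slice they loaded, and the next request sees the new set, which is the behaviour to benchmark if the question in the thread comes up again.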
@mholt What's the plan for when to merge this PR?
I think it depends on @abiosoft's schedule.
Would this lay the groundwork for caddy being able to supply an ingress service to kubernetes? As far as I see it... an ingress service is basically a dynamic proxy using the k8s apiserver instead of general key-value stores.
No ETAs, sorry. I plan to resume work on this after 0.9 :) There is a very good chance it will make it in before 1.0 and could even be earlier depending on Caddy's priorities.
A+ Would really help with Rancher / Kubernetes environments.
Yes, would use it with rancher...
Okay, good news :) Work is about to resume on this. However, I wanna make this a pluggable feature so proxy will only be making use of it, rather than having it built into proxy. This will make it easy to bring the feature to any other directive or plugin that needs it. Still, no ETA 😄 but I will keep this thread updated.
@abiosoft great idea! much better and extensible way to implement. Have you had any more thoughts on implementation details? I'm wondering if it's not worth getting this working the original intended way (when you created this PR), and then move on to other ways later (since this PR is quite large both in conversation and commits). Additionally, I've had some other ideas about how this could work based on other projects that have come along (i.e. Fabio, Traefik, etc..) and attempted to provide LE functionality with dynamic backends. I would love to talk through some of this directly with you guys @abiosoft @faddat @stp-ip and others..
@InAnimaTe I'm rarely on irc :( What about Gopher's slack?
@abiosoft That works! I just joined. Go ahead and make a channel and invite me plz ;)
Is this PR still going? Also, will this support native docker swarm?
If this supported swarm mode, wow. Also, I think that it isn't too tough to implement. Right now I haven't time, but it's possible that myself or someone on my team will do it. ... Because Caddy is awesome.
On Dec 7, 2016 9:25 PM, "HazCod" wrote:
Is this PR still going? Also, will this support native docker swarm?
Maybe it is time to write it once again? :)
I've put some thought in this and isn't it cleaner to do this via
I think I'm going to close this PR -- it's almost a year old, but I hope it will soon make it to Caddy -- if not into core, then maybe it would do well as a plugin? Thanks for all the work you've put into it, @abiosoft, I hope we can use it someday. :)
Dynamic Proxy.
Supports Etcd, Consul and ZooKeeper using github.com/docker/libkv.
Demonstration Video: https://youtu.be/I0Kax0F1XWM
Examples
Etcd
Consul