io: tls: support SNI routing for outputs#1313
io: tls: support SNI routing for outputs#1313edsiper merged 1 commit intofluent:masterfrom andreykaipov:feature/sni
Conversation
|
Hi @edsiper - what do you think about this addition? 😄 The use case for us is to route logs to different sources in a locked-down environment with a limited port range. I can add a docs PR soon if that's what missing. |
|
thanks for the contribution. How can I test the changes/feature ? |
|
So to test this feature out, we first need to see SNI routing in action. The setup for this is a bit involved, but I've created an example using Docker, so I hope it's straightforward to reproduce. We'll stand up two TLS-enabled servers behind one load balancer. Create a network for our containers to share: └▶ docker network create sniCreate a script called apk add -U openssl
app="$1"; shift
port="$1"; shift
openssl req -x509 -nodes -newkey rsa:2048 -keyout "$app.pem" -out "$app.crt" -subj "/CN=$app"
openssl s_server -accept "$port" -key "$app.pem" -cert "$app.crt" -quietIn two separate terminals, start up two containers called app1 and app2, both running a TLS server on ports 1515 and 1516 respectively: └▶ docker run --rm --tty --network sni --name app1 -v $PWD:/tmp alpine sh /tmp/tls-server.sh app1 1515
└▶ docker run --rm --tty --network sni --name app2 -v $PWD:/tmp alpine sh /tmp/tls-server.sh app2 1516For the load balancer in front of these guys, I've used HAProxy, but it can be anything that supports SNI routing. Create the following Finally, start up HAProxy on the same network, using the above config: └▶ docker run --rm --network sni -v $PWD:/tmp -p 8443:8443 haproxy:1.9-alpine -- /tmp/haproxy.cfgNow we're ready to test it out! Note how even though └▶ openssl s_client -connect localhost:8443 </dev/null 2>/dev/null | openssl x509 -noout -subject
unable to load certificate
└▶ openssl s_client -connect localhost:8443 -servername app1 </dev/null 2>/dev/null | openssl x509 -noout -subject
subject= /CN=app1
└▶ openssl s_client -connect localhost:8443 -servername app2 </dev/null 2>/dev/null | openssl x509 -noout -subject
subject= /CN=app2To reel it back in, this PR adds the ability for Fluent Bit to specify the server name through the new With our above system still running, a sample Fluent Bit config to ship Running Fluent Bit with this config, we'll find the routing works as expected! 🎉 |
|
While reviewing the code, I noticed a subtle conflict with the recent change made Other than that point, this patch works good. I can confirm sni-routing is working |
|
the variable |
edsiper
added
the
waiting-for-user
Addresses #1312. When sending logs to TLS-enabled outputs, it may be ideal to route based on a virtual hostname of the origin server. This is possible with SNI. This commit adds a new setting `tls.vhost` for the secure forwarding mode. By default, the virtual hostname will be set to the origin hostname during the TLS handshake. Signed-off-by: Andrey Kaipov <andreykaipov@users.noreply.github.com>
|
Hi @edsiper and @fujimotos - thanks for taking another look at this PR and confirming it works. I updated the offending line. Please lemme know if there's anything else I can do to get this merged in. edit: The Windows AppVeyor build failed. :-( Looking at the history, it seems like I'm not the only one. |
|
FWIW I fixed the testing failure occurring on AppVeyor in #1590. I think this patch should be ready to be merged now. |
|
thanks! |
3 participants
Addresses #1312. Please let me know what you guys think! :-)