HTTPS Sender

jaeger-core/src/main/java/io/jaegertracing/Configuration.java

@@ -152,6 +152,12 @@ public class Configuration {
    */
   public static final String JAEGER_TRACEID_128BIT = JAEGER_PREFIX + "TRACEID_128BIT";
 
+  /**
+   *  TLS certificates (in comma-separated BASE64 SHA256 Hash) for certificates pinning,
+   *  used in case of HTTPS communication to the endpoint.
+   */
+  public static final String JAEGER_TLS_CERTIFICATE_PINNING = JAEGER_PREFIX + "TLS_CERTIFICATE_PINNING";
+
   /**
    * The supported trace context propagation formats.
    */
@@ -614,6 +620,11 @@ public static class SenderConfiguration {
      */
     private String authPassword;
 
+    /**
+     * The comma-separated certificate list for the endpoint which is self-signed, for example
+     */
+    private String[] serverCertificateHashes;
+
     public SenderConfiguration() {
     }
 
@@ -647,6 +658,13 @@ public SenderConfiguration withAuthPassword(String password) {
       return this;
     }
 
+    public SenderConfiguration withCertificatePinning(String certs) {
+      if (certs != null) {
+        this.serverCertificateHashes = certs.split(",");
+      }
+      return this;
+    }
+
     /**
      * Returns a sender if one was given when creating the configuration, or attempts to create a sender based on the
      * configuration's state.
@@ -671,13 +689,15 @@ public static SenderConfiguration fromEnv() {
       String authToken = getProperty(JAEGER_AUTH_TOKEN);
       String authUsername = getProperty(JAEGER_USER);
       String authPassword = getProperty(JAEGER_PASSWORD);
+      String certHashes = getProperty(JAEGER_TLS_CERTIFICATE_PINNING);
 
       return new SenderConfiguration()
               .withAgentHost(agentHost)
               .withAgentPort(agentPort)
               .withEndpoint(collectorEndpoint)
               .withAuthToken(authToken)
               .withAuthUsername(authUsername)
+              .withCertificatePinning(certHashes)
               .withAuthPassword(authPassword);
     }
   }

jaeger-core/src/main/java/io/jaegertracing/internal/reporters/RemoteReporter.java

@@ -175,6 +175,7 @@ public void run() {
           try {
             command.execute();
           } catch (SenderException e) {
+            log.warn("RemoteReporter failed to send:", e);
             metrics.reporterFailure.inc(e.getDroppedSpanCount());
           }
         } catch (Exception e) {

jaeger-core/src/test/java/io/jaegertracing/ConfigurationTest.java

@@ -70,6 +70,7 @@ public void clearProperties() throws NoSuchFieldException, IllegalAccessExceptio
     System.clearProperty(Configuration.JAEGER_TAGS);
     System.clearProperty(Configuration.JAEGER_ENDPOINT);
     System.clearProperty(Configuration.JAEGER_AUTH_TOKEN);
+    System.clearProperty(Configuration.JAEGER_TLS_CERTIFICATE_PINNING);
     System.clearProperty(Configuration.JAEGER_USER);
     System.clearProperty(Configuration.JAEGER_PASSWORD);
     System.clearProperty(Configuration.JAEGER_PROPAGATION);

jaeger-core/src/test/java/io/jaegertracing/internal/reporters/RemoteReporterTest.java

@@ -31,6 +31,7 @@
 import io.jaegertracing.internal.samplers.ConstSampler;
 import io.jaegertracing.internal.senders.InMemorySender;
 import io.jaegertracing.spi.Reporter;
+import io.jaegertracing.spi.Sender;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
@@ -328,4 +329,56 @@ public int append(JaegerSpan span) {
   private JaegerSpan newSpan() {
     return tracer.buildSpan("x").start();
   }
+
+  private static class FailingSender implements Sender {
+    private static boolean invoked = false;
+
+    @Override
+    public int append(JaegerSpan span) throws SenderException {
+      invoked = true;
+      throw new SenderException("FailingSender is to fail", 1);
+    }
+
+    @Override
+    public int flush() throws SenderException {
+      throw new SenderException("FailingSender is to fail", 1);
+    }
+
+    @Override
+    public int close() throws SenderException {
+      throw new SenderException("FailingSender is to fail", 1);
+    }
+
+    public boolean invoked() {
+      return invoked;
+    }
+  }
+
+  @Test
+  public void testReporterWithSenderException() {
+    FailingSender failingSender = new FailingSender();
+    Reporter failingReporter = new RemoteReporter.Builder()
+        .withSender(failingSender)
+        .withFlushInterval(flushInterval)
+        .withMaxQueueSize(maxQueueSize)
+        .withMetrics(metrics)
+        .build();
+    JaegerTracer failingTracer = new JaegerTracer.Builder("test-failing-reporter")
+        .withReporter(failingReporter)
+        .withSampler(new ConstSampler(true))
+        .withMetrics(metrics)
+        .build();
+    JaegerSpan span = failingTracer.buildSpan("raza").start();
+    failingReporter.report(span);
+    // do sleep until automatic flush happens on 'reporter'
+    // added 20ms on top of 'flushInterval' to avoid corner cases
+    await()
+        .with()
+        .pollInterval(1, TimeUnit.MILLISECONDS)
+        .atMost(flushInterval + 20, TimeUnit.MILLISECONDS)
+        .until(() -> failingSender.invoked());
+
+    assertEquals(true, failingSender.invoked());
+    assertEquals(1, metricsFactory.getCounter("jaeger_tracer_reporter_spans", "result=err"));
+  }
 }

jaeger-crossdock/docker-compose.yml

@@ -8,13 +8,14 @@ services:
             - go
             - java-udp
             - java-http
+            - java-https
             - python
             - nodejs
         environment:
-            - WAIT_FOR=test_driver,go,java-udp,java-http,python,nodejs
-            - WAIT_FOR_TIMEOUT=60s
+            - WAIT_FOR=test_driver,go,java-udp,java-http,java-https,python,nodejs,jaeger-collector-https-proxy
+            - WAIT_FOR_TIMEOUT=90s
 
-            - CALL_TIMEOUT=60s
+            - CALL_TIMEOUT=90s
 
             - AXIS_CLIENT=go
             - AXIS_S1NAME=go,java-udp,python,nodejs
@@ -27,7 +28,7 @@ services:
             - BEHAVIOR_TRACE=client,s1name,sampled,s2name,s2transport,s3name,s3transport
 
             - AXIS_TESTDRIVER=test_driver
-            - AXIS_SERVICES=java-udp,java-http
+            - AXIS_SERVICES=java-udp,java-http,java-https
 
             - BEHAVIOR_ENDTOEND=testdriver,services
 
@@ -64,11 +65,31 @@ services:
         environment:
             - SENDER=http
 
+    java-https:
+        build: .
+        ports:
+            - "8080-8082"
+        environment:
+            - SENDER=https
+            - COLLECTOR_HOST_PIN=sha256/n6Ovey/sJws9vKJpESmWyQf9Oocak9J51mmPKGm4S0E=
+        depends_on:
+            - jaeger-collector
+
+    jaeger-collector-https-proxy:
+        build: https-proxy
+        ports:
+            - "8080"
+            - "14443"
+        restart: on-failure
+        depends_on:
+            - jaeger-collector
+
     test_driver:
         image: jaegertracing/test-driver
         depends_on:
             - jaeger-query
             - jaeger-collector
             - jaeger-agent
+            - jaeger-collector-https-proxy
         ports:
             - "8080"

jaeger-crossdock/https-proxy/Dockerfile

@@ -0,0 +1,12 @@
+FROM nginx:alpine
+
+# Overwrite default configuration
+ADD build/proxy.conf /etc/nginx/conf.d/default.conf
+# Install generated certificates; run `gen.sh` first
+ADD build/proxy.crt /etc/nginx/proxy.crt
+ADD build/proxy.key /etc/nginx/proxy.key
+
+EXPOSE 8080 14443
+
+# Poll healthcheck port until it returns 2xx or 3xx.
+CMD ["sh", "-c", "while ! { wget --spider -S http://jaeger-collector:14269; }; do echo waiting for healthcheck; sleep 1; done; nginx -g 'daemon off;'"]

jaeger-crossdock/https-proxy/authority.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIJAJXCC2VdhrxqMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMM
+B1RFU1QgQ0EwHhcNMTkwMzA3MTQzODIwWhcNMjkwMzA3MTQzODIwWjASMRAwDgYD
+VQQDDAdURVNUIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAhYnw9zYU0G3
+VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/0A1Of2zqxbyJpaEIFcqTmTTy
+TXCE7I6B6aNTMFEwHQYDVR0OBBYEFLXSxii6ZFvw427zs7ct/B+eHv2QMB8GA1Ud
+IwQYMBaAFLXSxii6ZFvw427zs7ct/B+eHv2QMA8GA1UdEwEB/wQFMAMBAf8wCgYI
+KoZIzj0EAwIDRwAwRAIgBrX7CX8zNoRLAZ48jGcqI8RuNlpkj0S+UShIQjwez3AC
+IGuqhnGb9JZSiZmIQaYdSE6T/sQaX7iDnwEgKGMI8OB7
+-----END CERTIFICATE-----

jaeger-crossdock/https-proxy/authority.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAA24MB8sxrLG1an0nG1DCH6J32iqrtborxFOjdqWNCmoAoGCCqGSM49
+AwEHoUQDQgAEAhYnw9zYU0G3VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/
+0A1Of2zqxbyJpaEIFcqTmTTyTXCE7I6B6Q==
+-----END EC PRIVATE KEY-----

jaeger-crossdock/https-proxy/gen.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ $# -ne 2 ]]; then
+    echo usage: $0 '<proxy-name> <forward-target>'
+    exit 1
+fi
+
+SERVER=$1
+FORWARD=$2
+
+# Authority.crt & authority.key is pre-generated with hash code of sha256/n6Ovey/sJws9vKJpESmWyQf9Oocak9J51mmPKGm4S0E=
+# About this file:
+#   CN:        TEST CA
+#   Algorithm: ECDSA-SHA256
+#   Validity:
+#     Not Before: Mar 7 14:38:20 2019 GMT
+#     Not After:  Mar 7 14:38:20 2029 GMT
+#
+# To generate key: (not needed for cert renewal)
+# openssl ecparam -genkey -name prime256v1 -out authority.key
+#
+# To regenerate:
+# openssl req -new -sha256 -key authority.key -out authority.csr -subj "/CN=TEST CA/"
+# openssl x509 -trustout -signkey authority.key -days 3652 -req -in authority.csr -out authority.crt
+#
+# To check pin:
+# openssl ec -in authority.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
+AUTHORITY=authority
+TARGET=build/proxy
+
+# generate secrets
+cd $(dirname $0)
+mkdir -p ./build
+openssl ecparam -genkey -name prime256v1 -out ${TARGET}.key
+openssl req -new -sha256 -key ${TARGET}.key -out ${TARGET}.csr -subj \
+    "/CN=${SERVER}/"
+openssl x509 -req -sha256 -days 1 -CA ${AUTHORITY}.crt -CAkey ${AUTHORITY}.key -CAcreateserial -in ${TARGET}.csr -out ${TARGET}.crt
+chmod 644 ${TARGET}.key
+
+cat ${AUTHORITY}.crt >> ${TARGET}.crt
+
+# generate nginx settings
+SERVER=${SERVER} FORWARD=${FORWARD} envsubst < "proxy.template.conf" > ${TARGET}.conf

jaeger-crossdock/https-proxy/proxy.template.conf

@@ -0,0 +1,24 @@
+server {
+    listen 8080;
+    server_name ${SERVER};
+    location / {
+        root /usr/share/nginx/html/;
+        index index.html;
+    }
+}
+
+server {
+    listen 14443 ssl http2;
+    server_name ${SERVER};
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate /etc/nginx/proxy.crt;
+    ssl_certificate_key /etc/nginx/proxy.key;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+
+    location / {
+        proxy_pass http://${FORWARD};
+    }
+}

jaeger-crossdock/rules.mk

@@ -5,14 +5,14 @@ JAEGER_COMPOSE_URL=https://raw.githubusercontent.com/jaegertracing/jaeger/master
 XDOCK_JAEGER_YAML=$(PROJECT)/jaeger-docker-compose.yml
 
 .PHONY: crossdock
-crossdock: gradle-compile crossdock-download-jaeger
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http
+crossdock: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http java-https
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http java-https
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http java-https
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock
 
 .PHONY: crossdock-fresh
-crossdock-fresh: gradle-compile crossdock-download-jaeger
+crossdock-fresh: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) down --rmi all
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock
 
@@ -30,3 +30,7 @@ crossdock-clean:
 .PHONY: crossdock-download-jaeger
 crossdock-download-jaeger:
 	curl -o $(XDOCK_JAEGER_YAML) $(JAEGER_COMPOSE_URL)
+
+.PHONY: crossdock-proxy-secret-gen
+crossdock-proxy-secret-gen:
+	$(PROJECT)/https-proxy/gen.sh jaeger-collector-https-proxy jaeger-collector:14268

jaeger-crossdock/src/main/java/io/jaegertracing/crossdock/JerseyServer.java

@@ -53,6 +53,7 @@ public class JerseyServer {
   private static final String SAMPLING_HOST_PORT = "SAMPLING_HOST_PORT";
   private static final String AGENT_HOST = "AGENT_HOST";
   private static final String COLLECTOR_HOST_PORT = "COLLECTOR_HOST_PORT";
+  private static final String COLLECTOR_HOST_PIN = "COLLECTOR_HOST_PIN";
 
   // TODO should not be static, should be final
   public static Client client;
@@ -125,6 +126,8 @@ public static void main(String[] args) throws Exception {
             new EndToEndBehaviorResource(new EndToEndBehavior(getEvn(SAMPLING_HOST_PORT, "jaeger-agent:5778"),
                 "crossdock-" + serviceName,
                 senderFromEnv(getEvn(COLLECTOR_HOST_PORT, "jaeger-collector:14268"),
+                    getEvn(COLLECTOR_HOST_PORT, "jaeger-collector-https-proxy:14443"),
+                    getEvn(COLLECTOR_HOST_PIN, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="),
                     getEvn(AGENT_HOST, "jaeger-agent")))),
             new HealthResource()));
 
@@ -141,17 +144,23 @@ private static String getEvn(String envName, String defaultValue) {
     return env;
   }
 
-  private static Sender senderFromEnv(String collectorHostPort, String agentHost) {
+  private static Sender senderFromEnv(String collectorHostPort,
+      String collectorHttpsHostPort, String collectorHttpsPin, String agentHost) {
     String senderEnvVar = System.getenv(Constants.ENV_PROP_SENDER_TYPE);
     if ("http".equalsIgnoreCase(senderEnvVar)) {
       return new HttpSender.Builder(String.format("http://%s/api/traces", collectorHostPort))
           .build();
+    } else if ("https".equalsIgnoreCase(senderEnvVar)) {
+      return new HttpSender.Builder(String.format("https://%s/api/traces", collectorHttpsHostPort))
+          .withCertificatePinning(new String[] {collectorHttpsPin})
+          .acceptSelfSigned()
+          .build();
     } else if ("udp".equalsIgnoreCase(senderEnvVar) || senderEnvVar == null || senderEnvVar.isEmpty()) {
       return new UdpSender(agentHost, 0, 0);
     }
 
     throw new IllegalStateException("Env variable " + Constants.ENV_PROP_SENDER_TYPE
-        + ", is not valid, choose 'udp' or 'http'");
+        + ", is not valid, choose 'udp', 'http' or 'https'");
   }
 
   private static String serviceNameFromEnv() {