HTTPS Sender

jaeger-core/src/main/java/io/jaegertracing/Configuration.java

@@ -152,6 +152,12 @@ public class Configuration {
    */
   public static final String JAEGER_TRACEID_128BIT = JAEGER_PREFIX + "TRACEID_128BIT";
 
+  /**
+   *  TLS certificates (in comma-separated BASE64 SHA256 Hash) for certificates pinning,
+   *  used in case of HTTPS communication to the endpoint.
+   */
+  public static final String JAEGER_TLS_CERTIFICATE_PINNING = JAEGER_PREFIX + "TLS_CERTIFICATE_PINNING";
+
   /**
    * The supported trace context propagation formats.
    */
@@ -614,6 +620,11 @@ public static class SenderConfiguration {
      */
     private String authPassword;
 
+    /**
+     * The comma-separated certificate list for the endpoint which is self-signed, for example
+     */
+    private String[] serverCertificateHashes;
+
     public SenderConfiguration() {
     }
 
@@ -647,6 +658,13 @@ public SenderConfiguration withAuthPassword(String password) {
       return this;
     }
 
+    public SenderConfiguration withCertificatePinning(String certs) {
+      if (certs != null) {
+        this.serverCertificateHashes = certs.split(",");
+      }
+      return this;
+    }
+
     /**
      * Returns a sender if one was given when creating the configuration, or attempts to create a sender based on the
      * configuration's state.
@@ -671,13 +689,15 @@ public static SenderConfiguration fromEnv() {
       String authToken = getProperty(JAEGER_AUTH_TOKEN);
       String authUsername = getProperty(JAEGER_USER);
       String authPassword = getProperty(JAEGER_PASSWORD);
+      String certHashes = getProperty(JAEGER_TLS_CERTIFICATE_PINNING);
 
       return new SenderConfiguration()
               .withAgentHost(agentHost)
               .withAgentPort(agentPort)
               .withEndpoint(collectorEndpoint)
               .withAuthToken(authToken)
               .withAuthUsername(authUsername)
+              .withCertificatePinning(certHashes)
               .withAuthPassword(authPassword);
     }
   }

jaeger-core/src/test/java/io/jaegertracing/ConfigurationTest.java

@@ -70,6 +70,7 @@ public void clearProperties() throws NoSuchFieldException, IllegalAccessExceptio
     System.clearProperty(Configuration.JAEGER_TAGS);
     System.clearProperty(Configuration.JAEGER_ENDPOINT);
     System.clearProperty(Configuration.JAEGER_AUTH_TOKEN);
+    System.clearProperty(Configuration.JAEGER_TLS_CERTIFICATE_PINNING);
     System.clearProperty(Configuration.JAEGER_USER);
     System.clearProperty(Configuration.JAEGER_PASSWORD);
     System.clearProperty(Configuration.JAEGER_PROPAGATION);

jaeger-crossdock/docker-compose.yml

@@ -8,13 +8,14 @@ services:
             - go
             - java-udp
             - java-http
+            - java-https
             - python
             - nodejs
         environment:
-            - WAIT_FOR=test_driver,go,java-udp,java-http,python,nodejs
-            - WAIT_FOR_TIMEOUT=60s
+            - WAIT_FOR=test_driver,go,java-udp,java-http,java-https,python,nodejs,jaeger-collector-https-proxy
+            - WAIT_FOR_TIMEOUT=90s
 
-            - CALL_TIMEOUT=60s
+            - CALL_TIMEOUT=90s
 
             - AXIS_CLIENT=go
             - AXIS_S1NAME=go,java-udp,python,nodejs
@@ -27,7 +28,7 @@ services:
             - BEHAVIOR_TRACE=client,s1name,sampled,s2name,s2transport,s3name,s3transport
 
             - AXIS_TESTDRIVER=test_driver
-            - AXIS_SERVICES=java-udp,java-http
+            - AXIS_SERVICES=java-udp,java-http,java-https
 
             - BEHAVIOR_ENDTOEND=testdriver,services
 
@@ -64,11 +65,31 @@ services:
         environment:
             - SENDER=http
 
+    java-https:
+        build: .
+        ports:
+            - "8080-8082"
+        environment:
+            - SENDER=https
+            - COLLECTOR_HOST_PIN=sha256/n6Ovey/sJws9vKJpESmWyQf9Oocak9J51mmPKGm4S0E=
+        depends_on:
+            - jaeger-collector
+
+    jaeger-collector-https-proxy:
+        build: https-proxy
+        ports:
+            - "8080"
+            - "14443"
+        restart: on-failure
+        depends_on:
+            - jaeger-collector
+
     test_driver:
         image: jaegertracing/test-driver
         depends_on:
             - jaeger-query
             - jaeger-collector
             - jaeger-agent
+            - jaeger-collector-https-proxy
         ports:
             - "8080"

jaeger-crossdock/https-proxy/Dockerfile

@@ -0,0 +1,12 @@
+FROM nginx:alpine
+
+# Overwrite default configuration
+ADD build/proxy.conf /etc/nginx/conf.d/default.conf
+# Install generated certificates; run `gen.sh` first
+ADD build/proxy.crt /etc/nginx/proxy.crt
+ADD build/proxy.key /etc/nginx/proxy.key
+
+EXPOSE 8080 14443
+
+# Poll healthcheck port until it returns 2xx or 3xx.
+CMD ["sh", "-c", "while ! { wget --spider -S http://jaeger-collector:14269; }; do echo waiting for healthcheck; sleep 1; done; nginx -g 'daemon off;'"]

jaeger-crossdock/https-proxy/authority.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIJAJXCC2VdhrxqMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMM
+B1RFU1QgQ0EwHhcNMTkwMzA3MTQzODIwWhcNMjkwMzA3MTQzODIwWjASMRAwDgYD
+VQQDDAdURVNUIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAhYnw9zYU0G3
+VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/0A1Of2zqxbyJpaEIFcqTmTTy
+TXCE7I6B6aNTMFEwHQYDVR0OBBYEFLXSxii6ZFvw427zs7ct/B+eHv2QMB8GA1Ud
+IwQYMBaAFLXSxii6ZFvw427zs7ct/B+eHv2QMA8GA1UdEwEB/wQFMAMBAf8wCgYI
+KoZIzj0EAwIDRwAwRAIgBrX7CX8zNoRLAZ48jGcqI8RuNlpkj0S+UShIQjwez3AC
+IGuqhnGb9JZSiZmIQaYdSE6T/sQaX7iDnwEgKGMI8OB7
+-----END CERTIFICATE-----

jaeger-crossdock/https-proxy/authority.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAA24MB8sxrLG1an0nG1DCH6J32iqrtborxFOjdqWNCmoAoGCCqGSM49
+AwEHoUQDQgAEAhYnw9zYU0G3VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/
+0A1Of2zqxbyJpaEIFcqTmTTyTXCE7I6B6Q==
+-----END EC PRIVATE KEY-----

jaeger-crossdock/https-proxy/gen.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ $# -ne 2 ]]; then
+    echo usage: $0 '<proxy-name> <forward-target>'
+    exit 1
+fi
+
+SERVER=$1
+FORWARD=$2
+TARGET=build/proxy
+
+# generate secrets
+cd $(dirname $0)
+mkdir -p ./build
+openssl ecparam -genkey -name prime256v1 -out ${TARGET}.key
+openssl req -new -sha256 -key ${TARGET}.key -out ${TARGET}.csr -subj \
+    "/CN=${SERVER}/"
+openssl x509 -req -sha256 -days 1 -CA authority.crt -CAkey authority.key -CAcreateserial -in ${TARGET}.csr -out ${TARGET}.crt
+chmod 644 ${TARGET}.key
+
+cat authority.crt >> ${TARGET}.crt
+
+# generate nginx settings
+SERVER=${SERVER} FORWARD=${FORWARD} envsubst < "proxy.template.conf" > ${TARGET}.conf

jaeger-crossdock/https-proxy/proxy.template.conf

@@ -0,0 +1,20 @@
+server {
+    listen 8080;
+    server_name ${SERVER};
+    location / {
+        root /usr/share/nginx/html/;
+				index index.html;
+    }
+}
+
+server {
+    listen 14443 ssl;
+    server_name ${SERVER};
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_certificate /etc/nginx/proxy.crt;
+    ssl_certificate_key /etc/nginx/proxy.key;
+    location / {
+        proxy_pass http://${FORWARD};
+    }
+}

jaeger-crossdock/rules.mk

@@ -5,14 +5,14 @@ JAEGER_COMPOSE_URL=https://raw.githubusercontent.com/jaegertracing/jaeger/master
 XDOCK_JAEGER_YAML=$(PROJECT)/jaeger-docker-compose.yml
 
 .PHONY: crossdock
-crossdock: gradle-compile crossdock-download-jaeger
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http
-	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http
+crossdock: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http java-https
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http java-https
+	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http java-https
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock
 
 .PHONY: crossdock-fresh
-crossdock-fresh: gradle-compile crossdock-download-jaeger
+crossdock-fresh: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) down --rmi all
 	docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock
 
@@ -30,3 +30,7 @@ crossdock-clean:
 .PHONY: crossdock-download-jaeger
 crossdock-download-jaeger:
 	curl -o $(XDOCK_JAEGER_YAML) $(JAEGER_COMPOSE_URL)
+
+.PHONY: crossdock-proxy-secret-gen
+crossdock-proxy-secret-gen:
+	$(PROJECT)/https-proxy/gen.sh jaeger-collector-https-proxy jaeger-collector:14268

jaeger-crossdock/src/main/java/io/jaegertracing/crossdock/JerseyServer.java

@@ -53,6 +53,7 @@ public class JerseyServer {
   private static final String SAMPLING_HOST_PORT = "SAMPLING_HOST_PORT";
   private static final String AGENT_HOST = "AGENT_HOST";
   private static final String COLLECTOR_HOST_PORT = "COLLECTOR_HOST_PORT";
+  private static final String COLLECTOR_HOST_PIN = "COLLECTOR_HOST_PIN";
 
   // TODO should not be static, should be final
   public static Client client;
@@ -125,6 +126,8 @@ public static void main(String[] args) throws Exception {
             new EndToEndBehaviorResource(new EndToEndBehavior(getEvn(SAMPLING_HOST_PORT, "jaeger-agent:5778"),
                 "crossdock-" + serviceName,
                 senderFromEnv(getEvn(COLLECTOR_HOST_PORT, "jaeger-collector:14268"),
+                    getEvn(COLLECTOR_HOST_PORT, "jaeger-collector-https-proxy:14443"),
+                    getEvn(COLLECTOR_HOST_PIN, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="),
                     getEvn(AGENT_HOST, "jaeger-agent")))),
             new HealthResource()));
 
@@ -141,17 +144,23 @@ private static String getEvn(String envName, String defaultValue) {
     return env;
   }
 
-  private static Sender senderFromEnv(String collectorHostPort, String agentHost) {
+  private static Sender senderFromEnv(String collectorHostPort,
+      String collectorHttpsHostPort, String collectorHttpsPin, String agentHost) {
     String senderEnvVar = System.getenv(Constants.ENV_PROP_SENDER_TYPE);
     if ("http".equalsIgnoreCase(senderEnvVar)) {
       return new HttpSender.Builder(String.format("http://%s/api/traces", collectorHostPort))
           .build();
+    } else if ("https".equalsIgnoreCase(senderEnvVar)) {
+      return new HttpSender.Builder(String.format("https://%s/api/traces", collectorHttpsHostPort))
+          .withCertificatePinning(new String[] {collectorHttpsPin})
+          .acceptSelfSigned()
+          .build();
     } else if ("udp".equalsIgnoreCase(senderEnvVar) || senderEnvVar == null || senderEnvVar.isEmpty()) {
       return new UdpSender(agentHost, 0, 0);
     }
 
     throw new IllegalStateException("Env variable " + Constants.ENV_PROP_SENDER_TYPE
-        + ", is not valid, choose 'udp' or 'http'");
+        + ", is not valid, choose 'udp', 'http' or 'https'");
   }
 
   private static String serviceNameFromEnv() {