proxy: backend TLS support #1140
Conversation
|
Debating... looks like I could really cut down on the dedicated code by using a few function pointers, but:
Not sure it's worth it vs trying to slim down the existing functions slightly and just accepting some small code duplication with the benefit of not potentially breaking anything. Should remove the duplication from the edit: new plan, maybe: do some other work and come back to refactoring. since new connection related stuff isn't a hot path I could merge those codepaths with an if/else check for tls specific code. then leave the split stuff or use maybe one function ptr for the hot paths. |
|
might leave the error handling with correct structure but not very communicative. until we do certificates and peer checks there aren't many reasons outside of network for things to fail... that would significantly cut down the time to merge this initial pass. it already has more correct error handling than the main mc code :( |
|
last things I'm considering doing is some missing init code... then just run tests and merge as-is with experimental tags. |
|
Fixing this last bit sucks a little... Either need to add a guess I'll wrap this up tomorrow at this point. |
dormando
force-pushed
the
proxy_tls
branch
2 times, most recently
from
789b254
to
5e8fac8
Compare
|
this is as far as I care to take this right now; will leave it experimental and merge. it may or may not work. |
Has not been extensively tested or validated under benchmarks. Please let us know if you intend to use the feature, but feel free to try it out yourself since it will likely work. To use, within `mcp_config_pools`: mcp.init_tls() -- before making any backends mcp.backend_use_tls(true) or pass 'tls = true' as an argument to `mcp.backend` Does not currently support client certificates or peer verification. Let us know if you need this support and we will prioritize it.
WIP. Connects, handshakes, and routes requests as of this commit. Needs further work before mergeable.
TODO:
parameter for write buffer sizede-scopingproxy_network.cby refactoringproxy_tls.hto blank out functions if TLS not enabled at compile timeadd some specific counters for handshake/tls errorsde-scopingTODO MAYBE:
ETA: maybe a week? It does currently work, so it might not take long to finish.
GOALS:
#ifdefsoup and testing burden by using a shim for accessing OpenSSL and leaving some TLS related code always compiled in. The shim nulls itself out if TLS support is not compiled in.FOR FUTURE PR's:
I'm separating certificate work out of this PR so I can keep the change focused for initial validation. Tired of trying to waterfall every individual feature.
NOTES:
There is a companion PR to this work over in mcshredder: memcached/mcshredder#5 - this is a much more complicated approach that would be necessary to add
io_uringback to the proxy. Since we're not currently using io_uring I used a simpler approach that lets OpenSSL handle the socket fd and run syscalls itself.Since
proxy_network.cwas already structured to abstract out the read and write socket calls into just two small functions, this allowed the PR to be much less invasive than it would be otherwise.However, if you are naive you might think: "why aren't you using a function ptr for read/write and modify even less?" - well, OpenSSL is way more complicated than that and we need to change how we interact with the event loop based on what the library returns vs what any underlying socket thinks. It sucks.