[ISSUE #10302] Add SNI multi-domain certificate support for Proxy TLS#10587
Open
RockteMQ-AI wants to merge 1 commit into
Conversation
…xy TLS

Introduce Server Name Indication (SNI) support for RocketMQ Proxy, allowing multiple domains with different TLS certificates to be served on the same port.

Key changes:
- Add TlsDomainConfig POJO for per-domain cert/key configuration
- Add SniHostnameMatcher for wildcard hostname matching
- Add TlsSniManager for managing multiple SslContext instances (gRPC)
- Add TlsContextProvider for remoting-side SNI support
- Extend ProxyConfig with tlsDomainConfigs map
- Extend TlsCertificateManager for multi-pair file watching
- Wire SniHandler into gRPC ProxyAndTlsProtocolNegotiator pipeline
- Wire domain SSL support into remoting MultiProtocolTlsHelper
- Add comprehensive unit tests for matcher and SNI manager

When tlsDomainConfigs is empty, behavior is identical to the current single-certificate model (full backward compatibility).

Fixes apache#10302
Codecov Report
❌ Patch coverage is

@@             Coverage Diff             @@
##             develop   #10587    +/-   ##
=============================================
- Coverage      48.26%   48.10%   -0.17%
- Complexity     13433    13436       +3
=============================================
  Files           1378     1382       +4
  Lines         100817   101085     +268
  Branches       13040    13074      +34
=============================================
- Hits           48660    48623      -37
- Misses         46211    46493     +282
- Partials        5946     5969      +23
Summary
Add SNI (Server Name Indication) multi-domain certificate support for RocketMQ Proxy TLS, enabling multiple domains with different TLS certificates to be served on the same Proxy port for both gRPC and Remoting protocols.
Problem
Currently RocketMQ Proxy supports only a single certificate model — ProxyConfig has only tlsCertPath/tlsKeyPath for one cert/key pair, and both gRPC and Remoting servers build a single SslContext. This makes it impossible to serve multiple top-level domains with different certificates on the same Proxy port.

Fixes #10302

Solution

Introduced SNI support using Netty's SniHandler. The Proxy inspects the TLS ClientHello's SNI hostname and dynamically selects the corresponding certificate.

New files (4):
- TlsDomainConfig.java — per-domain cert/key path POJO
- SniHostnameMatcher.java — wildcard hostname matching (exact > wildcard > bare-domain fallback)
- TlsSniManager.java — manages multiple SslContext instances for gRPC (shaded Netty)
- TlsContextProvider.java — manages multiple SslContext instances for Remoting (non-shaded Netty)

Modified files (7):
- ProxyConfig.java — added tlsDomainConfigs map
- TlsCertificateManager.java — extended for multi-pair file watching with per-domain reload
- ProxyAndTlsProtocolNegotiator.java — uses SniHandler when domain configs present
- GrpcServer.java — registers domain TLS reload handler
- MultiProtocolTlsHelper.java — added buildDomainSslContext() for remoting
- MultiProtocolRemotingServer.java — accepts TlsContextProvider for SNI
- RemotingProtocolServer.java — wires domain SSL contexts into remoting server

Wildcard matching rules:
- foo.example.com)
- foo.example.com matches *.example.com
- example.com matches *.example.com
- a.b.example.com) does NOT match *.example.com

Backward compatibility: When tlsDomainConfigs is not configured, behavior is identical to the current single-certificate model.

Testing
- SniHostnameMatcherTest (12 test cases covering full wildcard matrix)
- TlsSniManagerTest (13 test cases covering context resolution, reload, mapping)
- TlsCertificateManagerTest passes (12 tests, no regression)
- ProxyAndTlsProtocolNegotiatorTest passes (4 tests, no regression)
- mvn compile)

Changes
- proxy/src/main/java/.../config/TlsDomainConfig.java: New POJO for per-domain cert/key configuration
- proxy/src/main/java/.../config/ProxyConfig.java: Added tlsDomainConfigs field with getter/setter
- proxy/src/main/java/.../service/cert/SniHostnameMatcher.java: Wildcard hostname matching logic
- proxy/src/main/java/.../service/cert/TlsSniManager.java: Multi-context manager for gRPC SNI
- proxy/src/main/java/.../service/cert/TlsContextProvider.java: Multi-context manager for Remoting SNI
- proxy/src/main/java/.../service/cert/TlsCertificateManager.java: Extended for multi-pair watching
- proxy/src/main/java/.../grpc/ProxyAndTlsProtocolNegotiator.java: SNI handler in gRPC pipeline
- proxy/src/main/java/.../grpc/GrpcServer.java: Domain reload handler registration
- proxy/src/main/java/.../remoting/MultiProtocolTlsHelper.java: Domain SSL context builder
- proxy/src/main/java/.../remoting/MultiProtocolRemotingServer.java: TlsContextProvider support
- proxy/src/main/java/.../remoting/RemotingProtocolServer.java: Domain SSL wiring
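The wildcard rules and the exact > wildcard > default selection order described in this PR, as an added standalone example. This is not RocketMQ's SniHostnameMatcher or TlsSniManager and not code from the PR: the class and method names (SniSelectionExample, matches, resolve, DomainEntry) are hypothetical, the certificate paths are constructed placeholders, and plain strings stand in for the SslContext instances the real manager would hold. It goes slightly beyond the bullet list by also showing the two checks a reviewer would want to see in any SNI matcher: a lowercase comparison (DNS names are case-insensitive, and a mixed-case ClientHello must not fall through to the wrong certificate) and a label-boundary check so that *.example.com never matches a name such as evil-example.com.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Added example, not RocketMQ code: selects a cert/key pair from the SNI
 * hostname of a ClientHello using the wildcard rules stated in the PR.
 */
public class SniSelectionExample {

    /** Stand-in for the PR's TlsDomainConfig: one cert/key pair per configured name. */
    static final class DomainEntry {
        final String certPath;
        final String keyPath;

        DomainEntry(String certPath, String keyPath) {
            this.certPath = certPath;
            this.keyPath = keyPath;
        }

        @Override
        public String toString() {
            return certPath + " / " + keyPath;
        }
    }

    /**
     * True if hostname is covered by pattern. Exact patterns match only themselves.
     * "*.example.com" matches "foo.example.com" and the bare "example.com"
     * (bare-domain fallback) but not "a.b.example.com" (more than one extra label)
     * and not "evil-example.com" (the suffix must start at a label boundary).
     */
    static boolean matches(String pattern, String hostname) {
        if (pattern == null || hostname == null) {
            return false;
        }
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = hostname.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        String suffix = p.substring(2);               // "example.com"
        if (h.equals(suffix)) {
            return true;                              // bare-domain fallback
        }
        if (!h.endsWith("." + suffix)) {
            return false;                             // label-boundary check
        }
        String label = h.substring(0, h.length() - suffix.length() - 1);
        return !label.isEmpty() && label.indexOf('.') < 0;   // exactly one extra label
    }

    /** Lowercases the configured names once so exact lookups are case-insensitive. */
    static Map<String, DomainEntry> normalize(Map<String, DomainEntry> raw) {
        Map<String, DomainEntry> out = new LinkedHashMap<>();
        for (Map.Entry<String, DomainEntry> e : raw.entrySet()) {
            out.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        }
        return out;
    }

    /**
     * Resolution order from the PR: exact entry, then wildcard entry, then the
     * default pair. A ClientHello without SNI (null) or with an unknown name gets
     * the default, which is the pre-PR single-certificate behaviour.
     */
    static String resolve(Map<String, DomainEntry> domains, DomainEntry defaultEntry, String sniHostname) {
        if (sniHostname == null || sniHostname.isEmpty()) {
            return "default: " + defaultEntry;
        }
        String host = sniHostname.toLowerCase(Locale.ROOT);
        DomainEntry exact = domains.get(host);
        if (exact != null) {
            return "exact: " + exact;
        }
        for (Map.Entry<String, DomainEntry> e : domains.entrySet()) {
            if (e.getKey().startsWith("*.") && matches(e.getKey(), host)) {
                return "wildcard " + e.getKey() + ": " + e.getValue();
            }
        }
        return "default: " + defaultEntry;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the paths are placeholders, not real files.
        Map<String, DomainEntry> raw = new LinkedHashMap<>();
        raw.put("*.example.com", new DomainEntry("/etc/tls/wild-example.crt", "/etc/tls/wild-example.key"));
        raw.put("API.example.com", new DomainEntry("/etc/tls/api-example.crt", "/etc/tls/api-example.key"));
        raw.put("*.example.org", new DomainEntry("/etc/tls/wild-org.crt", "/etc/tls/wild-org.key"));
        Map<String, DomainEntry> domains = normalize(raw);
        DomainEntry dflt = new DomainEntry("/etc/tls/proxy.crt", "/etc/tls/proxy.key");

        String[] names = {
            "api.example.com",     // exact entry wins over the wildcard
            "foo.example.com",     // wildcard
            "example.com",         // bare-domain fallback
            "a.b.example.com",     // two extra labels: no match, default cert
            "FOO.Example.COM",     // case-insensitive wildcard match
            "evil-example.com",    // not a label-boundary match: default cert
            null                   // no SNI in the ClientHello: default cert
        };
        for (String n : names) {
            System.out.println(n + " -> " + resolve(domains, dflt, n));
        }
    }
}
```

Compile and run with `javac SniSelectionExample.java && java SniSelectionExample`. When wiring the same rules into a real server, the useful operational check is the "a.b.example.com" and "evil-example.com" cases: both must land on the default certificate, so a client presenting a name that no configured domain covers gets a certificate it cannot validate rather than a neighbouring tenant's certificate.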