Comment: Reverted from v. 15

...

  • It is an anti-goal to deal with configuring the proxy itself.
  • It is an anti-goal to support all different kinds of proxies. In the future we may consider supporting other types of proxies, but this proposal is to support one specific type - a SNI proxy.
  • We're not recommending any specific SNI proxy.
  • This proposal does not include supporting a proxy for WAN or P2P connectivity. In the future we may add support for that as well.

Solution

We will add a configuration option to the client to set a SNI proxy for the client to connect to the servers through. When this option is set, all connections from the client to the locators or the servers will use this SNI proxy. When configuring a Pool, the names of the locators or servers provided in the pool configuration will be passed in the Server Name Indication (SNI) field when the client connects to the proxy. The proxy must be able to resolve these names and connect to the correct locator or server.

This setting ideally should be at a pool level, because different pools may need to use different proxies.
To make it as easy as possible for users to extend our proxy implementation logic or implement their own, we will introduce a more general pool setting which will allow the users to override the creation of client server sockets with a custom SocketFactory. We will provide an implementation of this SocketFactory that will connect their client to an SNI proxy.
The way to configure the SNI proxy will therefore look something like this:

Code Block
poolFactory.setSocketFactory(Proxies.sni("proxyHostname", 443));
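As an added illustration of the mechanism described above (not Geode's own SniSocketFactory or Proxies code), the following hypothetical factory redirects every TCP connection to one fixed proxy while the TLS layer sends the pool-configured server name as SNI and verifies the peer certificate against that same name:

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical SNI-redirecting factory. createSocket() follows the proposed
 * SocketFactory contract: it returns an unconnected TCP socket. When the pool later
 * connects that socket to a locator/server address, TCP goes to the proxy instead.
 */
public final class SniRedirectSocketFactory {
  private final InetSocketAddress proxy;

  public SniRedirectSocketFactory(String proxyHost, int proxyPort) {
    this.proxy = new InetSocketAddress(proxyHost, proxyPort);
  }

  public Socket createSocket() {
    return new Socket() {
      @Override
      public void connect(SocketAddress endpoint, int timeout) throws IOException {
        // Socket.connect(SocketAddress) delegates to this overload, so both are redirected.
        // 'endpoint' (the configured server) is deliberately ignored at the TCP layer.
        super.connect(proxy, timeout);
      }
    };
  }

  /**
   * TLS layer: 'serverName' is the locator/server name from the pool configuration,
   * not the proxy. It is sent as the SNI field so the proxy can route the connection,
   * and endpoint identification checks the server certificate against that same name.
   */
  public static SSLSocket wrapWithSni(Socket connectedToProxy, String serverName, int serverPort)
      throws IOException {
    SSLSocketFactory tls = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket ssl = (SSLSocket) tls.createSocket(connectedToProxy, serverName, serverPort, true);
    SSLParameters params = ssl.getSSLParameters();
    params.setServerNames(Collections.singletonList(new SNIHostName(serverName)));
    params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname verification vs. serverName
    ssl.setSSLParameters(params);
    return ssl;
  }
}
```

Usage mirrors what the pool would do: `factory.createSocket()`, then `connect(InetSocketAddress.createUnresolved("server1.example", 40404))` (TCP actually reaches the proxy), then `wrapWithSni(plain, "server1.example", 40404).startHandshake()`.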

Below are the details on the new methods and interfaces added to the API to support this.

Modified classes

Code Block (java)
PoolFactory {
  /**
   * Set the socket factory used by this pool to create connections to both locators (if
   * configured using {@link #addLocator(String, int)}) and servers.
   *
   * Sockets returned by this factory will have the rest of the configuration options
   * specified on this pool and on the {@link ClientCache} applied to them. In particular,
   * sockets returned by this factory will be wrapped with SSLSockets if SSL is enabled
   * for this client cache.
   *
   * This factory can be used for configuring a proxy, or overriding various socket settings.
   * For modifying SSL settings, see {@link SSLParameterExtension}.
   *
   * See {@link Proxies}.
   *
   * @param socketFactory The {@link SocketFactory} to use
   * @return a reference to <code>this</code>
   * @since Geode 1.13
   */
  PoolFactory setSocketFactory(SocketFactory socketFactory);
}

ClientCacheFactory {
  /**
   * (see description of PoolFactory above)
   */
  ClientCacheFactory setPoolSocketFactory(SocketFactory socketFactory);
}

...

Code Block (java)
package org.apache.geode.cache.client;

public interface SocketFactory {
  /**
   * Create an (unconnected) TCP socket for establishing a client connection.
   */
  Socket createSocket() throws IOException;
}

package org.apache.geode.cache.client.proxy;

public class SniSocketFactory implements SocketFactory {
  ...
}

public class Proxies {
  public static SocketFactory sni(String hostname, int port);
}

The compared revision of this section read:

Therefore we propose the following pool configuration option:

Code Block (java)
PoolFactory {
  /**
   * Set the proxy to be used when making connections from this pool.
   * @param proxyAddress is host and port formatted like the authority part of a URL
   * but without any userinfo part. See RFC 3986 for details. Examples:
   * "foo.bar.com:1234" is a fully-qualified domain name and port
   * "1.2.3.4:567" is an IPv4 address and port
   * "[1:2::1]:80" is an IPv6 address and port
   */
  PoolFactory setProxy(ProxyType type, String proxyAddress);
}

ClientCacheFactory {
  /**
   * (see description of proxyAddress above)
   */
  ClientCacheFactory setPoolProxy(ProxyType type, String proxyAddress);
}

enum ProxyType {
  /**
   * Use a SNI proxy. With an SNI proxy, the proxyAddress field should be specified as host:port
   */
  SNI;
}


The proxyAddress parameter will be in the familiar URL format[1][2], specifically the authority part of a URL without any userinfo part.
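As an added example (not Geode's code), a hypothetical parser that accepts exactly the authority forms listed above, including the bracketed IPv6 literal, and rejects userinfo, a missing port, or anything beyond the authority:

```java
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical parser for the proposed proxyAddress value (illustration only). */
public final class ProxyAddress {
  private ProxyAddress() {}

  /**
   * Accepts the RFC 3986 authority forms the proposal lists, without userinfo:
   *   "foo.bar.com:1234", "1.2.3.4:567", "[1:2::1]:80"
   * Rejects "user@host:1", "host" (no port), "host:abc", "host:1/path", "1:2::1:80".
   */
  public static InetSocketAddress parse(String proxyAddress) {
    final URI uri;
    try {
      // Prefix a scheme so java.net.URI applies its authority grammar to the whole string.
      uri = new URI("tcp://" + proxyAddress);
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException("proxyAddress is not a valid authority: " + proxyAddress, e);
    }
    if (uri.getRawUserInfo() != null) {
      throw new IllegalArgumentException("proxyAddress must not contain userinfo: " + proxyAddress);
    }
    // A non-server-based authority (e.g. "host:abc") yields host == null and port == -1.
    if (uri.getHost() == null || uri.getPort() == -1) {
      throw new IllegalArgumentException("proxyAddress must be host:port: " + proxyAddress);
    }
    if (!uri.getRawPath().isEmpty() || uri.getRawQuery() != null || uri.getRawFragment() != null) {
      throw new IllegalArgumentException("proxyAddress must be an authority only: " + proxyAddress);
    }
    // URI keeps the brackets around an IPv6 literal; InetAddress.getByName accepts that form.
    return InetSocketAddress.createUnresolved(uri.getHost(), uri.getPort());
  }
}
```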

Performance Impact

Connecting through a proxy may impact the performance of client/server messaging, but it is up to the user to decide if they want to use this feature or not. SNI proxies do require the use of TLS, which also adds overhead.

...

This is a client-side setting, so there should be no backwards compatibility or upgrade concerns.
One concern with this SocketFactory approach is that it bakes blocking, Java 1.0-style sockets into the API. If, in the future, we try to upgrade the internals of the client to use SocketChannel, netty or rsocket, we will have a difficult time continuing to support this SocketFactory API and may break users' custom SocketFactory implementations.

Prior Art

Alternative ways to introduce a proxy would be:

...

Geode also added support to set the SNI field in the client hello as part of GEODE-7414. With those changes, a user can provide an SSLParameterExtension callback that can modify any of the SSLParameters, including the SNI server name. If a proxy of type SNI is set and the SSLParameterExtension is also set, the SSLParameterExtension will run after Geode has set the SNI name, and can potentially modify it.

FAQ

Is this platform specific?

...