THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
To be Reviewed By: DRAFT3/20/2020
Authors: Dan Smith, Ernie Burghardt
Status: Draft Draft | Discussion | Active | Dropped | Superseded
Superseded by: N/A
...
This setting ideally should be at a pool level, because different pools may need to use different proxies.
To make it as easy as possible for users to extend our proxy implementation logic or implement their own, we will introduce a more general pool setting which ; a custom SocketFactory. This will allow the users to override the creation of client-server sockets with a custom SocketFactory. We will provide an implementation of this SocketFactory that will connect their client to an a SNI proxy.
The way to configure the SNI proxy will therefore look something like this:
|
In order for this proxy to work, the SNI hostname field in the TLS handshake must be set to the name of the locator or server we are trying to connect to. With a slightly larger SocketFactory interface, we could potentially only send this SNI hostname when an SNI proxy is configured. However, we propose that the Geode client will always send the SNI hostname field as part of the handshake. We feel adding the SNI hostname will only be helpful to users, who may decide to use to to present different SSL certificates for different hostnames, or other use cases for this hostname.
Below are the details on the new methods and interfaces added to the API to support this
Modified classes:
/** * Set the socket factory used by this pool to create connections to both locators (if * configured using {@link #addLocator(String, int)}) and servers. * * Sockets returned by this factory will have the rest of the configuration options * specified on this pool and on the {@link ClientCache} applied to them. In particular, * sockets returned by this factory will be wrapped with SSLSockets if ssl is enabled * for this client cache. * * This factory can be used for configuring a proxy, or overriding various socket settings. * For modifying SSL settings, see {@link SSLParameterExtension} * * See {@link Proxies} * * @param socketFactory The {@link SocketFactory} to use * @return a reference to <code> this </code> * @since Geode 1.13 */ PoolFactory setSocketFactory(SocketFactory * see {@link SocketFactory} |
New classes
/** /** * Create a (unconnected) tcp socket for establishing a client. */Socket createSocket() throws an unconnected tcp socket for establishing a client.
|
| Code Block |
|---|
package org.apache.geode.cache.client.proxy; |
...
public class SniSocketFactory implements SocketFactory |
...
{ public SniSocketFactory(String hostname, int port) { ... |
...
} public class ProxySocketFactories { public static SocketFactory sni(String hostname, int |
...
port)
} |
XML Support
We will also add support for the new SocketFactory option in XML. The SocketFactory can be added using the standard mechanism for declaring classes in Geode's XML - implementing declarable and passing in a provided set of properties
| Code Block |
|---|
<pool>
<socket-factory>
<class-name>com.company.app.CustomSocketFactory</class-name>
<parameter name="proxyHost">
<string>proxy.company.com</string>
</parameter>
</socket-factory>
</pool> |
Performance Impact
Connecting through a proxy may impact the performance of client/server messaging, but it is up to the user to decide if they want to use this feature or not. SNI proxies do require the use of TLS, which also adds overhead.
...
This is a client side setting , so there should be no backwards compatibility or upgrade concerns with the setting. We are sending a new piece of information as part of the TLS handshake, but this is a TLS extension and it will be ignored by servers and locators.
One concern with this SocketFactory approach is that is including the use of blocking, Java 1.0 sockets in the API. If , in the future we try to upgrade the internals of the client to use SocketChannel or netty or rsocket, we will have a difficult time continuing to support this SocketFactory API and may break users' custom SocketFactory implementations.
...
Geode also added support to set the SNI field hostname in the client hello as part of GEODE-7414. With those changes , a user can provide a SSLParameterExtension callback that can modify any of the SSLParameters , including the SNI server namehostname. If a proxy of type SNI is set and the SSLParameterExtension is also set, the SSLParameterExtension will run after geode has set the SNI namehostname, and can potential modify it.
...
What are minor adjustments that had to be made to the proposal since it was approved?
References
[1] Description of URL syntax from Wikipedia article on URLs https://en.wikipedia.org/wiki/URL#Syntax
...