Skip to content

Adding origin-side ALPN configuration. #8972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bneradt merged 1 commit into from
Aug 8, 2022
Merged

Adding origin-side ALPN configuration. #8972

bneradt merged 1 commit into from
Aug 8, 2022

Conversation

@bneradt
Copy link
Contributor

@bneradt bneradt commented Jul 21, 2022

Adding the ability for ATS to specify the ALPN string it sends in the
TLS ClientHello handshake.

@bneradt bneradt added the TLS label Jul 21, 2022
@bneradt bneradt added this to the 10-Dev milestone Jul 21, 2022
@bneradt bneradt requested a review from maskit July 21, 2022 01:31
@bneradt bneradt self-assigned this Jul 21, 2022
maskit
maskit requested changes Jul 21, 2022
View reviewed changes
Copy link
Member

@maskit maskit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for making this PR, and adding the autest. I repeated my comments on #8963 so we can discuss here.

I think none of them is a blocker, but I'd like to hear opinions from others about the alpn_protocols setting. The documentation would need to be updated accordingly (it should tell which protocols are available anyway).

doc/admin-guide/files/records.config.en.rst
Enables (``1``) or disables (``0``) TLSv1_3 in the ATS client context. If not specified, enabled by default

.. ts:cv:: CONFIG proxy.config.ssl.client.alpn_protocols STRING ""
Copy link
Member

@maskit maskit Jul 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if users want to set "ALPN string".

The ALPN protocol IDs are inconsistent; The ID for HTTP/1.1 is "http/1.1" but not "h1.1" where ones for HTTP/2 and 3 are "h2" and "h3". I don't think these IDs are user friendly.

Even if we use those raw IDs, the doc should say what IDs are available. Obviously we can't set "spdy/1", although it's a registered valid ID. We shouldn't send "h3" on a regular TLS connection, and similarly we shouldn't send "h2" on a QUIC connection.

Also, the order of IDs is unclear if a user is unfamiliar with ALPN.

I don't have a good idea right now, but I think we need discussion about this setting at minimum. Changing this setting would be an incompatible change and we wouldn't be able to change it until 11.0 once we make 10.0 release with this setting.

Copy link
Contributor Author

@bneradt bneradt Aug 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are all really good points. I think I've addressed each of your thoughts:

  1. I've updated the ALPN parsing logic to enforce that the user only passes expected protocols, currently http/1.1 and http/1.0. With HTTP/2 to origin we'll add h2. If any other protocol strings are passed, a WARNING is emitted and no ALPN extension is sent (the default behavior). This makes the configuration "fool-proof" for the user in that they can't break anything by configuring it, and a WARNING is emitted if something is wrong with their configured ALPN.
  2. I expanded our documentation of this feature, pointing to the ALPN RFC and the official IANA list of registered ALPN protocol strings. I also explicitly documented the ALPN protocols ATS supports. (Again, we'll add h2 with the HTTP/2 to origin PR.)

Thank you for your thoughtful feedback on this, @maskit. It really improved this feature.

Copy link
Member

@maskit maskit Aug 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for updating the documentation. At minimum it works for me, but I can't tell if users want to read the external documents. The example configurations are nice. I guess most users would just see the examples, and copy a setting value from there. In that sense, whether name or ID is not really important, although I think using names (or aliases) requires less knowledge.

I'm not going to judge if the setting format is user friendly, but if I made a Web UI for a CDN service that uses ATS, it'd have a reorderable list for this setting and the items would have protocol names but not IDs. It wouldn't even tell it's a setting for ALPN.

And very strictly speaking, "," is a valid character for an ALPN protocol ID. I hope future protocol IDs (which we want to support) won't use it.

@maskit
Copy link
Member

maskit commented Jul 21, 2022
edited
Loading

I'd like to hear how you (especially who are not too familiar with ALPN) want to configure which protocols to use/offer for origin connection.

Examples:

  • h2,http/1.1 -- ALPN protocol IDs
  • http2,http1 -- Aliases
  • all -- Another alias to use all available protocols, and prioritize newer one

@maskit
Copy link
Member

maskit commented Jul 21, 2022

For server_ports, we no longer need to specify http/2 explicitly though, these protocol names (not IDs) are available.
https://docs.trafficserver.apache.org/admin-guide/configuration/session-protocol.en.html

@bryancall bryancall requested a review from shinrich July 25, 2022 23:16
@shinrich
Copy link
Member

shinrich commented Jul 27, 2022

I'm confused why are we bringing this forward to 10-dev, but not just bringing in the Http2 to origin branch? Does this logic come from there?

@bneradt
Copy link
Contributor Author

bneradt commented Jul 27, 2022

I'm confused why are we bringing this forward to 10-dev, but not just bringing in the Http2 to origin branch? Does this logic come from there?

Correct @shinrich. This comes from the HTTP/2 to origin PR (#8963) from which this PR was requested.

@maskit
Copy link
Member

maskit commented Jul 27, 2022

As for target branch, I'm fine with either 10-dev or master. I requested making this PR to have more eyes.

@bneradt bneradt force-pushed the alpn_configuration branch 4 times, most recently from 398e025 to b41ef83 Compare August 4, 2022 22:51
maskit
maskit reviewed Aug 5, 2022
View reviewed changes
@bneradt bneradt force-pushed the alpn_configuration branch 5 times, most recently from 580ad1a to 0f2481e Compare August 5, 2022 23:31
@bneradt
Adding origin-side ALPN configuration.
2878c53 
Adding the ability for ATS to specify the ALPN string it sends in the
TLS ClientHello handshake.
@bneradt bneradt force-pushed the alpn_configuration branch from 0f2481e to 2878c53 Compare August 6, 2022 02:36
maskit
maskit approved these changes Aug 8, 2022
View reviewed changes
Copy link
Member

@maskit maskit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't tell whether users like the setting format, but it works for me at minimum.

@bneradt bneradt merged commit 791941a into apache:10-Dev Aug 8, 2022
@bneradt bneradt deleted the alpn_configuration branch August 8, 2022 23:45
@bneradt bneradt mentioned this pull request Aug 22, 2022
Closed
@zwoop zwoop modified the milestones: 10-Dev, 10.0.0 Feb 2, 2023
JosiahWI pushed a commit to JosiahWI/trafficserver that referenced this pull request Jul 19, 2023
@bneradt
Pull in ASF ALPN configuration changes. (apache#725)
72038e3 
This pulls in the changes from review comments from ASF for ATS ALPN
configuration:
apache#8972
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maskit maskit maskit approved these changes

@djcarlin djcarlin Awaiting requested review from djcarlin

@mlibbey mlibbey Awaiting requested review from mlibbey

@mtorluemke mtorluemke Awaiting requested review from mtorluemke

@shinrich shinrich Awaiting requested review from shinrich

Assignees

@bneradt bneradt

Labels

TLS

Projects

None yet

Milestone

10.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@bneradt @maskit @shinrich @zwoop