TLS support wanted #149

Closed
firebat opened this issue Apr 16, 2019 · 4 comments

firebat commented Apr 16, 2019

Is your feature request related to a problem? Please describe.
Our system is deployed across data centers. The initial plan was to go through nginx / HTTPS with REST interfaces, but that requires developers to do a lot of extra work (protocol conversion, HA, and so on), whereas routing, load balancing and similar policies are already handled well by the many existing RPC frameworks; all that is missing is TLS support. In environments where nothing more can be provided externally, or in more complex setups, this achieves secure communication at minimal cost.

Describe the solution you'd like
Bolt is built on Netty, so adding SSL support is cheap. Add to RpcServer:

bolt.ssl.switch=false|true
bolt.ssl.keystore=<keystore-file>
bolt.ssl.keystore.password=<keystore-file-password>
bolt.ssl.keystore.type=pkcs12

Add useSSL=true to the Url used by RpcClient, which turns on Netty's SslHandler.

Describe alternatives you've considered

Additional context
RpcServer is easy to modify; the change is small.

ChannelPipeline pipeline = channel.pipeline();
if (sslSwitch) {
    pipeline.addLast("sslHandler", new SslHandler(createSslContext().newEngine(channel.alloc())));
}
pipeline.addLast("decoder", codec.newDecoder());
pipeline.addLast("encoder", codec.newEncoder());

The client needs a bit more adjustment: the ChannelInitializer in AbstractConnectionFactory has to change so that createConnection builds the handler list according to the Url's configuration.

protected Channel doCreateConnection(String targetIP, int targetPort, int connectTimeout)
                                                                                         throws Exception {
    //
    ......
    bootstrap.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, connectTimeout)
                     .handler(new ChannelInitializer<SocketChannel>() {

        @Override
        protected void initChannel(SocketChannel channel) {
            ChannelPipeline pipeline = channel.pipeline();
            if (url.useSSL()) {
                // SslHandler must be the first handler so the codec sees plaintext
                pipeline.addLast("sslHandler", new SslHandler(createSslContext().newEngine(channel.alloc())));
            }
            // same codec handlers as the server side
            pipeline.addLast("decoder", codec.newDecoder());
            pipeline.addLast("encoder", codec.newEncoder());
        }
    });
    ......
}
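The proposal above wires a bare SslHandler into both pipelines, which encrypts the link but says nothing about which certificates each side trusts: with newEngine(channel.alloc()) and no trust configuration the client either fails the handshake or, if someone reaches for InsecureTrustManagerFactory, accepts any certificate. The following is an added example, not sofa-bolt code and not the issue author's proposal, showing how the bolt.ssl.* keys could be turned into Netty SslContext objects with verification on both ends. The bolt.ssl.truststore* keys, the class name, and the file paths are assumptions for illustration.

```java
// Added example, not part of sofa-bolt: building server and client SslContext
// objects from the proposed bolt.ssl.* properties, with certificate
// verification in both directions. "bolt.ssl.truststore*" keys are assumed.
import io.netty.channel.Channel;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;

public final class BoltTlsExample {

    /** Loads a PKCS12 (or JKS) keystore from disk. */
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static KeyManagerFactory keyManagers(Properties cfg, String prefix) throws Exception {
        char[] pass = cfg.getProperty(prefix + ".password").toCharArray();
        KeyStore ks = loadKeyStore(cfg.getProperty(prefix),
                                   cfg.getProperty(prefix + ".type", "PKCS12"), pass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        return kmf;
    }

    static TrustManagerFactory trustManagers(Properties cfg, String prefix) throws Exception {
        KeyStore ts = loadKeyStore(cfg.getProperty(prefix),
                                   cfg.getProperty(prefix + ".type", "PKCS12"),
                                   cfg.getProperty(prefix + ".password").toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);   // only the CA(s) in this truststore are trusted, nothing else
        return tmf;
    }

    /** Server side: key + chain from bolt.ssl.keystore, client certificates required and verified. */
    static SslContext serverContext(Properties cfg) throws Exception {
        return SslContextBuilder.forServer(keyManagers(cfg, "bolt.ssl.keystore"))
                .trustManager(trustManagers(cfg, "bolt.ssl.truststore"))
                .clientAuth(ClientAuth.REQUIRE)   // mutual TLS: reject peers without a trusted cert
                .protocols("TLSv1.2", "TLSv1.3")  // no TLS 1.0 / 1.1
                .build();
    }

    /** Client side: trust only the configured CA, and present a client certificate. */
    static SslContext clientContext(Properties cfg) throws Exception {
        return SslContextBuilder.forClient()
                .trustManager(trustManagers(cfg, "bolt.ssl.truststore"))
                .keyManager(keyManagers(cfg, "bolt.ssl.keystore"))
                .protocols("TLSv1.2", "TLSv1.3")
                .build();
    }

    /**
     * Client pipeline hook. Passing host and port makes the engine send SNI, and
     * the endpoint identification algorithm makes the JDK check that the server
     * certificate actually matches the target (hostname or IP SAN); a plain
     * ctx.newEngine(alloc) performs no such check.
     */
    static SslHandler clientSslHandler(SslContext ctx, Channel ch, String targetHost, int targetPort) {
        SslHandler handler = ctx.newHandler(ch.alloc(), targetHost, targetPort);
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }
}
```

In the client initializer from the proposal, `new SslHandler(createSslContext().newEngine(channel.alloc()))` would become `clientSslHandler(ctx, channel, targetIP, targetPort)`, still added as the first handler before the codec. If the RPC endpoints are addressed by IP rather than hostname, the server certificates need an IP subject alternative name for the "HTTPS" identification check to pass.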
@dbl-x dbl-x added the req:todo will be fix or implement later label Jun 27, 2019
dbl-x commented Jun 27, 2019

@firebat You are welcome to submit a PR to address this; the currently planned versions do not include this feature.

@zongtanghu

This feature request is much more important! We need it! @dbl-x

@killme2008
I am working on this feature, and the PR will be created today.

killme2008 pushed a commit to killme2008/sofa-bolt that referenced this issue Nov 27, 2019
@dbl-x dbl-x added this to the 1.6.1 release milestone Nov 28, 2019
@dbl-x dbl-x added release and removed req:todo will be fix or implement later labels Nov 28, 2019
cytnju commented Nov 28, 2019

fixed #197

@cytnju cytnju closed this as completed Nov 28, 2019
dbl-x pushed a commit that referenced this issue Dec 16, 2019
* (feat) add flush consolidation handler (#161)

* (feat) add flush consolidation option

* 1. upgrade version to 1.5.6 (#169)

2. fix NPE in channelInactive
3. handling reconnection situation with no connection binding with channel
4. do not scan connection pool associated with task that has not been done
5. add CONNECT_FAILED event type and print user event log

* Change org from alipay to sofastack. (#172)

* Update .travis.yml (#177)

* modify ReconnectManager to be compatible with version 1.5.x

* upgrade netty version to fix CNNVD-201909-1264 vulnerability (#189)

* One should be serialization and the other deserialization (#191)

fix unit test bug in class NormalStringCustomSerializer.

* (feat) Supports SSL for rpc server/client, #149 (#197)

* support server random port constructor. fix #196 (#199)

* fix AbstractLifeCycle concurrency problem Fixes gh-163 (#188)

* fix  AsynMultiInterestUserProcessor dispatch to sync handleRequest  method problem. gh-157

* Revert "fix  AsynMultiInterestUserProcessor dispatch to sync handleRequest  method problem. gh-157"

This reverts commit 2784f9e.

* support server random port constructor

* add rejection-processable InvokeCallback to provide flexible options when user executor rejected task. see #178(#178) (#202)

* complete tcp related config. see #171(#171) (#205)

* optimize DefaultConnectionManager constructor (#201)

* support availability check with life cycle. #195 (#204)

* support availability check with life cycle. #123(#123)

* complete unit test of life cycle available check

* fix CI error

* Fix/multi processor bug (#207)

* fix spell mistake and some test codes (#194)

* fix multi-processor bug

* fix PMD

* support user processor with life cycle interface fix #123 (#200)

* support user processor with life cycle interface

* make sure user processor startup if client/server has startup

* add state check before operate user processor in order to prevent from some unnecessary exception

* fix some codes (#208)

* change version
cytnju added a commit that referenced this issue Jul 6, 2020
* release 1.6.1 (#209)
* update travis ci config

Co-authored-by: cytnju <muyun.cyt@antfin.com>