github-actions[bot] commented on code in PR #65212:
URL: https://github.com/apache/doris/pull/65212#discussion_r3527133981
##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/RestBaseController.java:
##########
@@ -292,7 +294,10 @@ public Object forwardToMaster(HttpServletRequest request,
@Nullable Object body)
HttpEntity<Object> entity = new HttpEntity<>(body, headers);
- RestTemplate restTemplate = new RestTemplate();
+ RestTemplate restTemplate =
InternalHttpClientProviderFactory.getProvider()
+ .getRestTemplate(InternalHttpClientProvider.Target.FE);
+ redirectUrl = InternalHttpClientProviderFactory.getProvider()
Review Comment:
`forwardToMaster` can still forward HTTPS requests to the master's plain
HTTP port. The URL above is built from `request.getScheme()` plus
`env.getMasterHttpPort()`, and the master heartbeat records that port from
`Config.http_port`. When a follower receives an HTTPS request, `redirectUrl` is
already `https://<master>:<http_port>/...`, so the OSS normalizer returns it
unchanged via the `isHttps(url)` branch instead of rewriting to
`Config.https_port`. The new `RestTemplate` call then tries TLS on the HTTP
listener, breaking follower-forwarded APIs under HTTPS. Please build an
internal `http://<master>:http_port` URL before normalization, or otherwise
make FE-target normalization correct this scheme/port pair.
##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/client/OssInternalHttpClientProvider.java:
##########
@@ -0,0 +1,93 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.httpv2.client;
+
+import org.apache.doris.common.Config;
+import org.apache.doris.tls.server.TlsProtocolSet;
+
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+public class OssInternalHttpClientProvider implements
InternalHttpClientProvider {
+ private static final int MAX_CONN_TOTAL = 256;
+ private static final int MAX_CONN_PER_ROUTE = 64;
+
+ private final CloseableHttpClient httpClient;
+ private final RestTemplate restTemplate;
+
+ public OssInternalHttpClientProvider() {
+ PoolingHttpClientConnectionManager connectionManager = new
PoolingHttpClientConnectionManager();
+ connectionManager.setMaxTotal(MAX_CONN_TOTAL);
+ connectionManager.setDefaultMaxPerRoute(MAX_CONN_PER_ROUTE);
+ httpClient = HttpClients.custom()
+ .setConnectionManager(connectionManager)
+ .evictExpiredConnections()
+ .evictIdleConnections(30,
java.util.concurrent.TimeUnit.SECONDS)
+ .build();
+ restTemplate = new RestTemplate();
+ }
+
+ @Override
+ public String normalizeInternalUrl(String url, Target target) {
+ if (TlsProtocolSet.isHttpTlsActive()) {
+ throw new UnsupportedOperationException("FE HTTP TLS requires TLS
module");
+ }
+ if (!Config.enable_https || target != Target.FE || isHttps(url)) {
+ return url;
+ }
+ return rewriteSchemeAndPort(url, "https", Config.https_port);
+ }
+
+ @Override
+ public HttpURLConnection openConnection(String url, Target target) throws
IOException {
+ return (HttpURLConnection) new URL(normalizeInternalUrl(url,
target)).openConnection();
+ }
+
+ @Override
+ public CloseableHttpClient getHttpClient(Target target) {
+ return httpClient;
+ }
+
+ @Override
+ public RestTemplate getRestTemplate(Target target) {
+ return restTemplate;
+ }
+
+ private static boolean isHttps(String url) {
+ return url != null && url.regionMatches(true, 0, "https://", 0,
"https://".length());
+ }
+
+ private static String rewriteSchemeAndPort(String url, String scheme, int
port) {
+ try {
+ URI uri = new URI(url);
+ URI rewritten = new URI(scheme, uri.getUserInfo(), uri.getHost(),
port,
+ uri.getPath(), uri.getQuery(), uri.getFragment());
Review Comment:
This rewrite decodes already-escaped URL components while only trying to
switch the FE scheme/port. `URI.getPath()`, `getQuery()`, and `getFragment()`
return decoded components, so a caller that already encoded a query can be
changed during HTTPS normalization. For example `QueryProfileAction.queryInfo`
encodes a literal plus in `search` as `a%2Bb`, but this constructor rewrites it
as `search=a+b`; the target servlet decodes `+` as a space, so the remote FE
searches for `a b` instead of `a+b`. Please preserve the raw
path/query/fragment when rebuilding the URI, and add a unit test with an
encoded FE query parameter.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]