This is an automated email from the ASF dual-hosted git repository.

rdhabalia pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git


The following commit(s) were added to refs/heads/master by this push:
     new 25335e9  ats example
25335e9 is described below

commit 25335e9948eb67346c3e6f1bb66770d8a6f36325
Author: Rajan Dhabalia <rdhaba...@apache.org>
AuthorDate: Tue Mar 31 19:56:50 2020 -0700

    ats example
---
 PIP-60:-Support-Proxy-server-with-SNI-routing.md | 75 +++++++++++++++++++++++-
 1 file changed, 74 insertions(+), 1 deletion(-)

diff --git a/PIP-60:-Support-Proxy-server-with-SNI-routing.md 
b/PIP-60:-Support-Proxy-server-with-SNI-routing.md
index d266f10..d1f7f94 100644
--- a/PIP-60:-Support-Proxy-server-with-SNI-routing.md
+++ b/PIP-60:-Support-Proxy-server-with-SNI-routing.md
@@ -59,4 +59,77 @@ We can also use proxy-server in geo-replication to create a 
proxy between two br
 --broker-url-secure pulsar+ssl://my-dmz-broker.com:6651 \
 --proxy-url pulsar+ssl://my-dmz-proxy.com:4443 \
 --proxy-protocol SNI
-```
\ No newline at end of file
+```
+
+## Example
+This section shows SNI-routing using ATS-proxy server. This section shows how 
to configure ATS proxy-server and pulsar-client to create TCP tunnel between 
client and broker.
+
+![image](https://user-images.githubusercontent.com/2898254/78093926-21eabd80-7388-11ea-8982-4a4d644a2b39.png)
+                                                        [Figure 3: Pulsar SNI 
Routing with ATS proxy server]
+
+In this example, Pulsar broker cluster is behind the ATS proxy. Pulsar brokers 
can’t be accessed by any host except ATS proxy. So, if client wants to connect 
to pulsar-cluster then client can use ATS-proxy server to create a TCP tunnel 
with brokers. Pulsar client can use SNI-routing proxy protocol to connect to 
ATS-proxy and asks ATS-proxy to create TCP tunnel with a target broker.
+
+This example shows, how can we configure ATS-proxy so, when client passes 
target broker name into SNI header then ATS-proxy server can find out 
appropriate broker-url based on configured sni-mapping and forward request to 
appropriate target broker by creating tcp tunnel with that broker.
+
+### ATS Configuration
+In order to enable SNI routing into ATS proxy, we need to manage 2 
configuration files:
+1. 
[ssl_server_name.config](https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/ssl_server_name.yaml.en.html)
+
+This file is used to configure aspects of TLS connection handling for both 
inbound and outbound connections. The configuration is driven by the SNI values 
provided by the inbound connection. So, this file manages mapping between 
hostname which comes into SNI header and actual broker-url where request needs 
to be forwarded for that host.   
+ssl_server_name.config
+
+```
+server_config = {
+  {
+     fqdn = 'pulsar-broker-vip',
+     # Forward to Pulsar broker which is listening on 6651
+     tunnel_route = 'pulsar-broker-vip:6651'
+  },
+  {
+     fqdn = 'pulsar-broker1',
+     # Forward to Pulsar broker-1 which is listening on 6651
+     tunnel_route = 'pulsar-broker1:6651'
+  },
+  {
+     fqdn = 'pulsar-broker2',
+     # Forward to Pulsar broker-2 which is listening on 6651
+     tunnel_route = 'pulsar-broker2:6651'
+  },
+}
+```
+
+2.[records.config](https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html)
+
+The records.config file, located in /usr/local/etc/trafficserver/) is a list 
of configurable variables used by the Traffic Server software. One of the 
requirements of SNI routing in ATS is that it only works over TLS. Therefore, 
Pulsar brokers and ATS proxy-server should have tls enabled. We will define tls 
configuration for ATS-proxy server into records.config file.
+
+```
+CONFIG proxy.config.http.connect_ports STRING 4443 6651
+# ats-proxy cert file
+CONFIG proxy.config.ssl.client.cert.path STRING /ats-cert.pem
+# ats-proxy key file
+CONFIG proxy.config.ssl.client.cert.filename STRING /ats-key.pem
+# ssl-port on which ats will listen
+CONFIG proxy.config.http.server_ports STRING 4443:ssl 4080
+```
+Once, `ssl_server_name.config` and `records.config` are configured, ATS-proxy 
server is ready to handle SNI routing and can create TCP tunnel beween client 
and broker.
+
+### Pulsar-client Configuration
+Now, ATS proxy server is configured and ready to handle SNI routing and create 
TCP tunnel between client and broker. With this PIP, pulsar-client supports SNI 
routing by connecting to proxy and sending target broker url into SNI header. 
Pulsar-client handles SNI routing internally and entire connection handling is 
abstracted from user. User have to only configure following proxy configuration 
intially when user creates a pulsar-client to use SNI routing protocol.
+```
+String brokerServiceUrl = “pulsar+ssl://pulsar-broker-vip:6651/”;
+String proxyUrl = “pulsar+ssl://ats-proxy:443”;
+ClientBuilder clientBuilder = PulsarClient.builder()
+               .serviceUrl(brokerServiceUrl)
+        .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+        .enableTls(true)
+        .allowTlsInsecureConnection(false)
+        .proxyServiceUrl(proxyUrl, ProxyProtocol.SNI)
+        .operationTimeout(1000, TimeUnit.MILLISECONDS);
+
+Map<String, String> authParams = new HashMap<>();
+authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
+authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+clientBuilder.authentication(AuthenticationTls.class.getName(), authParams);
+
+PulsarClient pulsarClient = clientBuilder.build();
+```
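Review bot: the records.config fragment sets the wrong keys for the certificate the proxy presents on its `4443:ssl` listener. `proxy.config.ssl.client.cert.path` / `proxy.config.ssl.client.cert.filename` are ATS's outbound (origin-side) client-certificate settings, `cert.path` is expected to be a directory rather than `/ats-cert.pem`, and `cert.filename` is pointed at the key file (`/ats-key.pem`) instead of a certificate; the inbound server certificate and key belong in `ssl_multicert.config`, so either move them there or, if an outbound client cert is really intended, use `proxy.config.ssl.client.private_key.filename` for the key and say so in the comment. Two smaller inconsistencies in the client snippet: it connects to `pulsar+ssl://ats-proxy:443` while the proxy listens on `4443:ssl`, and `“pulsar+ssl://pulsar-broker-vip:6651/”` uses curly quotes that will not compile in Java. Also worth checking that the `#` comment lines inside the Lua-style `server_config` table parse on the ATS version targeted, or dropping them. Since `tunnel_route` forwards the TLS stream without terminating it, the broker still sees the client's certificate, so `AuthenticationTls` is enforced end-to-end; a sentence stating that in the example text would make the trust model clear to readers.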