This is an automated email from the ASF dual-hosted git repository. rdhabalia pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git
The following commit(s) were added to refs/heads/master by this push: new 25335e9 ats example 25335e9 is described below commit 25335e9948eb67346c3e6f1bb66770d8a6f36325 Author: Rajan Dhabalia <rdhaba...@apache.org> AuthorDate: Tue Mar 31 19:56:50 2020 -0700 ats example --- PIP-60:-Support-Proxy-server-with-SNI-routing.md | 75 +++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/PIP-60:-Support-Proxy-server-with-SNI-routing.md b/PIP-60:-Support-Proxy-server-with-SNI-routing.md index d266f10..d1f7f94 100644 --- a/PIP-60:-Support-Proxy-server-with-SNI-routing.md +++ b/PIP-60:-Support-Proxy-server-with-SNI-routing.md 
@@ -59,4 +59,77 @@ We can also use proxy-server in geo-replication to create a proxy between two br --broker-url-secure pulsar+ssl://my-dmz-broker.com:6651 \ --proxy-url pulsar+ssl://my-dmz-proxy.com:4443 \ --proxy-protocol SNI -``` \ No newline at end of file +``` + +## Example +This section shows SNI-routing using ATS-proxy server. This section shows how to configure ATS proxy-server and pulsar-client to create TCP tunnel between client and broker. + +![image](https://user-images.githubusercontent.com/2898254/78093926-21eabd80-7388-11ea-8982-4a4d644a2b39.png) + [Figure 3: Pulsar SNI Routing with ATS proxy server] + +In this example, Pulsar broker cluster is behind the ATS proxy. Pulsar brokers can’t be accessed by any host except ATS proxy. So, if client wants to connect to pulsar-cluster then client can use ATS-proxy server to create a TCP tunnel with brokers. Pulsar client can use SNI-routing proxy protocol to connect to ATS-proxy and asks ATS-proxy to create TCP tunnel with a target broker. + +This example shows, how can we configure ATS-proxy so, when client passes target broker name into SNI header then ATS-proxy server can find out appropriate broker-url based on configured sni-mapping and forward request to appropriate target broker by creating tcp tunnel with that broker. + +### ATS Configuration +In order to enable SNI routing into ATS proxy, we need to manage 2 configuration files: +1. [ssl_server_name.config](https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/ssl_server_name.yaml.en.html) + +This file is used to configure aspects of TLS connection handling for both inbound and outbound connections. The configuration is driven by the SNI values provided by the inbound connection. So, this file manages mapping between hostname which comes into SNI header and actual broker-url where request needs to be forwarded for that host. 
+ssl_server_name.config + +``` +server_config = { + { + fqdn = 'pulsar-broker-vip', + # Forward to Pulsar broker which is listening on 6651 + tunnel_route = 'pulsar-broker-vip:6651' + }, + { + fqdn = 'pulsar-broker1', + # Forward to Pulsar broker-1 which is listening on 6651 + tunnel_route = 'pulsar-broker1:6651' + }, + { + fqdn = 'pulsar-broker2', + # Forward to Pulsar broker-2 which is listening on 6651 + tunnel_route = 'pulsar-broker2:6651' + }, +} +``` + +2.[records.config](https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html) + +The records.config file, located in /usr/local/etc/trafficserver/) is a list of configurable variables used by the Traffic Server software. One of the requirements of SNI routing in ATS is that it only works over TLS. Therefore, Pulsar brokers and ATS proxy-server should have tls enabled. We will define tls configuration for ATS-proxy server into records.config file. + +``` +CONFIG proxy.config.http.connect_ports STRING 4443 6651 +# ats-proxy cert file +CONFIG proxy.config.ssl.client.cert.path STRING /ats-cert.pem +# ats-proxy key file +CONFIG proxy.config.ssl.client.cert.filename STRING /ats-key.pem +# ssl-port on which ats will listen +CONFIG proxy.config.http.server_ports STRING 4443:ssl 4080 +``` +Once, `ssl_server_name.config` and `records.config` are configured, ATS-proxy server is ready to handle SNI routing and can create TCP tunnel beween client and broker. + +### Pulsar-client Configuration +Now, ATS proxy server is configured and ready to handle SNI routing and create TCP tunnel between client and broker. With this PIP, pulsar-client supports SNI routing by connecting to proxy and sending target broker url into SNI header. Pulsar-client handles SNI routing internally and entire connection handling is abstracted from user. User have to only configure following proxy configuration intially when user creates a pulsar-client to use SNI routing protocol. 
+``` +String brokerServiceUrl = “pulsar+ssl://pulsar-broker-vip:6651/”; +String proxyUrl = “pulsar+ssl://ats-proxy:443”; +ClientBuilder clientBuilder = PulsarClient.builder() + .serviceUrl(brokerServiceUrl) + .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH) + .enableTls(true) + .allowTlsInsecureConnection(false) + .proxyServiceUrl(proxyUrl, ProxyProtocol.SNI) + .operationTimeout(1000, TimeUnit.MILLISECONDS); + +Map<String, String> authParams = new HashMap<>(); +authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH); +authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH); +clientBuilder.authentication(AuthenticationTls.class.getName(), authParams); + +PulsarClient pulsarClient = clientBuilder.build(); +```
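Review bot: the records.config fragment configures the wrong side of the TLS connection. `proxy.config.ssl.client.cert.path` and `proxy.config.ssl.client.cert.filename` are ATS's outbound (client-to-origin) certificate settings, and the second one names a certificate file, not a key, so the comments `# ats-proxy cert file` / `# ats-proxy key file` are misleading and the listener on `4443:ssl` will not pick up `/ats-key.pem` from there. The certificate and key the proxy presents on its `server_ports` are declared in `ssl_multicert.config` (with `proxy.config.ssl.server.cert.path` / `proxy.config.ssl.server.private_key.path` for the directories); if an outbound client cert is really intended, the key belongs in `proxy.config.ssl.client.private_key.filename`. Related points in the same hunk: the link text is `ssl_server_name.config` but it points at the `ssl_server_name.yaml` docs, while the example uses the Lua-table `server_config = { ... }` syntax, so please state which ATS release the example targets and use the matching file name and format. The Java snippet uses `pulsar+ssl://ats-proxy:443` although ATS is configured to listen on `4443:ssl` and the CLI example above the hunk uses port 4443; it also uses curly quotes (`“pulsar+ssl://...”`), which will not compile, and a 1000 ms `operationTimeout` is tight for a tunnelled connection. Since `tunnel_route` makes ATS forward the TLS bytes without terminating TLS, it would help readers to say explicitly that the client's `tlsTrustCertsFilePath` must trust the broker's certificate (the ATS cert is never seen on the tunnelled path) and that client authentication therefore happens at the broker, not at the proxy; the prose claim that brokers "can't be accessed by any host except ATS proxy" depends on network-level restrictions that the page should mention. Minor typos: "beween", "intially", "asks ATS-proxy".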