qianye1001 opened a new pull request, #10295:
URL: https://github.com/apache/rocketmq/pull/10295

   ## Summary
   
   - Introduces **SNI (Server Name Indication)** support to RocketMQ Proxy, allowing multiple TLS domains (e.g. `*.alibaba-inc.com`, `*.rocketmq.com`) to be served with independent certificates on the same port
   - New `TlsDomainConfig` POJO for per-domain cert/key path configuration in `ProxyConfig`
   - New `TlsSniManager` manages multiple `SslContext` instances with wildcard matching (`*.domain.com`) and independent hot-reload
   - `ProxyAndTlsProtocolNegotiator` (gRPC) and `NettyRemotingServer` (Remoting) both use `SniHandler` for SNI-aware certificate selection
   - `TlsCertificateManager` extended to watch multiple cert/key pairs independently per domain
   - **Fully backward compatible**: when no `tlsDomainConfigs` is configured, behavior is identical to the existing single-cert model
   
   ## Configuration
   
   ```yaml
   # Existing config retained as default fallback
   tlsCertPath: /path/to/default.crt
   tlsKeyPath: /path/to/default.key
   tlsCertWatchIntervalMs: 3600000
   
   # New: domain-to-certificate mapping
   tlsDomainConfigs:
     "*.alibaba-inc.com":
       certPath: /path/to/alibaba.crt
       keyPath: /path/to/alibaba.key
     "*.rocketmq.com":
       certPath: /path/to/rocketmq.crt
       keyPath: /path/to/rocketmq.key
   ```
   
   ## Files Changed
   
   | File | Change |
   |---|---|
   | `proxy/.../config/TlsDomainConfig.java` | **New** — per-domain TLS config POJO |
   | `proxy/.../config/ProxyConfig.java` | Add `tlsDomainConfigs` map field + getters/setters |
   | `proxy/.../service/cert/TlsSniManager.java` | **New** — multi-domain SslContext manager with wildcard matching |
   | `proxy/.../service/cert/TlsCertificateManager.java` | Extended for multi-domain file watching |
   | `proxy/.../grpc/ProxyAndTlsProtocolNegotiator.java` | Use `SniHandler` + `TlsSniManager` for gRPC SNI |
   | `proxy/.../grpc/GrpcServer.java` | Update reload handler to use renamed method |
   | `proxy/.../remoting/MultiProtocolRemotingServer.java` | Wire up `TlsContextProvider` with SNI lookup |
   | `proxy/.../ProxyStartup.java` | Initialize `TlsSniManager` before `TlsCertificateManager` |
   | `remoting/.../netty/TlsContextProvider.java` | **New** — SslContext holder bridge (remoting ↔ proxy) |
   | `remoting/.../netty/NettyRemotingServer.java` | `TlsModeHandler` uses `SniHandler` via `TlsContextProvider` |
   
   ## Wildcard Matching Rules
   
   - Exact match first
   - Wildcard match: `foo.rocketmq.com` matches `*.rocketmq.com`
   - Bare domain: `rocketmq.com` matches `*.rocketmq.com`
   - Multi-level subdomain (`a.b.rocketmq.com`) does NOT match `*.rocketmq.com` → default
   - No match → fallback to default certificate
   
   ## Test Plan
   
   - [ ] Unit tests for `TlsSniManager` wildcard matching and fallback
   - [ ] Unit tests for `TlsCertificateManager` multi-domain watching
   - [ ] Integration: gRPC/Remoting connect with different SNI hostnames, verify correct cert
   - [ ] Manual: `openssl s_client -servername` verification
   - [ ] Backward compat: no `tlsDomainConfigs` → single cert works as before
   - [ ] Hot reload: replace cert, new connection uses new cert, others unaffected
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
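The wildcard matching rules from the PR description, modelled in Python as an added example (this is not the PR's Java code). The certificate handles are constructed string stand-ins for `SslContext` objects, and the hostname normalisation (lower-casing, trailing-dot removal, treating a missing SNI extension as "no match") is an added assumption the PR text does not spell out.

```python
"""SNI hostname -> certificate selection with the PR's stated precedence:
exact match, then single-label wildcard (bare domain included), else default."""


def _normalize(name):
    # TLS server names are case-insensitive; a trailing dot is an FQDN marker.
    return name.strip().lower().rstrip(".")


class TlsSniSelector:
    def __init__(self, default_ctx, domain_ctxs):
        self.default_ctx = default_ctx
        self.exact = {}      # "api.rocketmq.com" -> ctx
        self.wildcard = {}   # "rocketmq.com" -> ctx, from the "*.rocketmq.com" entry
        for pattern, ctx in domain_ctxs.items():
            key = _normalize(pattern)
            if key.startswith("*."):
                suffix = key[2:]
                # Reject "*." and nested wildcards such as "*.*.com" at load time.
                if not suffix or "*" in suffix:
                    raise ValueError("unsupported wildcard pattern: %r" % pattern)
                self.wildcard[suffix] = ctx
            elif "*" in key:
                raise ValueError("wildcard only allowed as leading '*.': %r" % pattern)
            else:
                self.exact[key] = ctx

    def select(self, sni_hostname):
        """Return the context to serve for the SNI value the client sent."""
        if not sni_hostname:
            return self.default_ctx          # no SNI extension -> default cert
        host = _normalize(sni_hostname)
        if host in self.exact:
            return self.exact[host]          # exact match wins over wildcard
        # Bare domain: "rocketmq.com" matches the "*.rocketmq.com" entry. This is
        # looser than RFC 6125 certificate name matching, so the configured cert
        # must itself list the bare name or the client will reject it.
        if host in self.wildcard:
            return self.wildcard[host]
        # Single label only: "foo.rocketmq.com" -> "rocketmq.com" is looked up,
        # while "a.b.rocketmq.com" -> "b.rocketmq.com" is not configured -> default.
        label, sep, parent = host.partition(".")
        if sep and label and parent in self.wildcard:
            return self.wildcard[parent]
        return self.default_ctx


# Constructed configuration mirroring the YAML above, plus one exact entry.
SELECTOR = TlsSniSelector("default", {
    "*.alibaba-inc.com": "alibaba",
    "*.rocketmq.com": "rocketmq",
    "api.rocketmq.com": "api-exact",
})
```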

