qianye1001 commented on issue #10302:
URL: https://github.com/apache/rocketmq/issues/10302#issuecomment-4542174573

   ## 🤖 Auto-generated Fix Spec (v1)
   
   A detailed implementation spec has been generated for SNI multi-domain TLS support.
   
   ### Summary
   
   **Root Cause:** `ProxyConfig` and `ProxyAndTlsProtocolNegotiator` only support a single certificate model with static `SslContext`. No SNI handler exists in the pipeline.
   
   **Proposed Solution:**
   - Introduce `TlsDomainConfig` POJO for per-domain cert/key configuration
   - Add `TlsSniManager` to manage multiple `SslContext` instances with wildcard matching
   - Inject Netty `SniHandler` into both gRPC and Remoting pipelines
   - Extend `TlsCertificateManager` to watch multiple cert/key pairs independently
   - Fully backward compatible: empty `tlsDomainConfigs` behaves identically to current single-cert mode
   
   **Architecture:**
   ```
   ProxyConfig.tlsDomainConfigs
     "*.example.com" → cert/key
     "*.sample.org"  → cert/key
     default         → tlsCertPath/tlsKeyPath
            │
            ▼
      TlsSniManager (Map<pattern, SslContext>)
            │
       ┌────┴────┐
       ▼         ▼
     gRPC      Remoting
     pipeline  pipeline
   ```
   
   **Files to modify:** 16 total
   - 4 new files: `TlsDomainConfig`, `TlsSniManager`, `SniHostnameMatcher`, `TlsContextProvider`
   - 8 modified: `ProxyConfig`, `ProxyAndTlsProtocolNegotiator`, `TlsCertificateManager`, `GrpcServer`, `MultiProtocolTlsHelper`, `MultiProtocolRemotingServer`, `NettyRemotingServer`, `ProxyStartup`
   - 4 test files
   
   **SNI Matching Algorithm:**
   1. Exact match (O(1) lookup)
   2. Wildcard match: `foo.example.com` → `*.example.com` (with label-count guard)
   3. Fallback to default certificate
   
   **Configuration:**
   ```json
   {
     "tlsCertPath": "/etc/rocketmq/tls/default.crt",
     "tlsKeyPath": "/etc/rocketmq/tls/default.key",
     "tlsDomainConfigs": {
       "*.example.com": {
         "certPath": "/etc/rocketmq/tls/example.crt",
         "keyPath": "/etc/rocketmq/tls/example.key"
       }
     }
   }
   ```
   
   **Testing Strategy:**
   - Unit tests for `SniHostnameMatcher` and `TlsSniManager`
   - Netty `EmbeddedChannel` integration tests
   - Hot-reload tests
   - Manual verification with `openssl s_client`
   
   **Risks & Mitigations:**
   - gRPC negotiator interplay → resolve context in `SniHandler.newSslHandler`
   - Pipeline ordering → keep PROXY protocol handler before SNI
   - Concurrent reload races → use `volatile` references
   
   ---
   
   @qianye1001 The above is an auto-generated implementation spec based on your issue description.
   
   **Next steps:**
   - Review the detailed spec (322 lines with code snippets, architecture diagrams, and test plans)
   - Reply with one of the following commands:
   
   ```
   /approve          - Approve the spec, auto-generate a PR
   /revise <notes>   - Provide feedback for revision (e.g., "/revise simplify the matching algorithm")
   /reject           - Decline, close the auto-fix flow
   ```
   
   > ⏰ This flow will auto-expire in **72 hours** if no response is received.
   > 
   > The full spec is available at: `/tmp/apache_rocketmq/issue/10302/spec_v1.md`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
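The matching rules and the reload caveat in the spec above (exact lookup, single-label wildcard with a label-count guard, fallback to the default certificate, and a `volatile` snapshot swap for hot reload) can be seen together in the following added example. It is not code from RocketMQ or from the generated spec; the class name `SniMatcherDemo` and its generic `T` (a stand-in for Netty's `SslContext`, so the example runs without Netty on the classpath) are assumptions made here.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

/**
 * Illustrative SNI hostname matcher (assumption: not RocketMQ's SniHostnameMatcher).
 * T stands in for io.netty.handler.ssl.SslContext so the demo runs stand-alone.
 */
public final class SniMatcherDemo<T> {

    // Immutable snapshots published through volatile fields: a reload builds the
    // new map off the I/O thread and swaps the reference in one step, so a
    // handshake never observes a half-updated map (the "concurrent reload" risk).
    private volatile Map<String, T> contexts;
    private volatile T defaultContext;

    public SniMatcherDemo(Map<String, T> contexts, T defaultContext) {
        reload(contexts, defaultContext);
    }

    /** Hot reload: normalize keys, copy into an immutable map, then publish. */
    public void reload(Map<String, T> newContexts, T newDefault) {
        Map<String, T> normalized = new HashMap<>();
        for (Map.Entry<String, T> e : newContexts.entrySet()) {
            String key = normalize(e.getKey());
            if (key != null) {
                normalized.put(key, Objects.requireNonNull(e.getValue()));
            }
        }
        this.contexts = Map.copyOf(normalized);
        this.defaultContext = Objects.requireNonNull(newDefault);
    }

    /** Resolve the context for the SNI name sent in ClientHello (may be null). */
    public T select(String sniHostname) {
        Map<String, T> snapshot = contexts;   // read the volatile once per call
        String host = normalize(sniHostname);
        if (host == null) {
            return defaultContext;            // no SNI or unusable name: default cert
        }
        // 1. exact match, O(1)
        T exact = snapshot.get(host);
        if (exact != null) {
            return exact;
        }
        // 2. wildcard: "*" stands for exactly one leftmost label, so
        //    "a.b.example.com" must not match "*.example.com". Replacing only
        //    the first label keeps the label count equal to the pattern's.
        int firstDot = host.indexOf('.');
        boolean suffixHasTwoLabels = firstDot > 0 && host.indexOf('.', firstDot + 1) > 0;
        if (suffixHasTwoLabels) {             // guard: never let "*.com" style keys match
            T wild = snapshot.get("*" + host.substring(firstDot));
            if (wild != null) {
                return wild;
            }
        }
        // 3. fallback
        return defaultContext;
    }

    /** Lower-case, strip a trailing dot, reject empty or whitespace-bearing names. */
    static String normalize(String name) {
        if (name == null) {
            return null;
        }
        String h = name.trim().toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);
        }
        if (h.isEmpty() || h.chars().anyMatch(Character::isWhitespace)) {
            return null;
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample mapping; strings stand in for SslContext instances.
        Map<String, String> certs = new HashMap<>();
        certs.put("*.example.com", "example-wildcard-cert");
        certs.put("api.sample.org", "sample-api-cert");
        SniMatcherDemo<String> matcher = new SniMatcherDemo<>(certs, "default-cert");

        System.out.println("api.sample.org   -> " + matcher.select("api.sample.org"));
        System.out.println("foo.example.com  -> " + matcher.select("FOO.Example.COM."));
        System.out.println("a.b.example.com  -> " + matcher.select("a.b.example.com"));
        System.out.println("(no SNI)         -> " + matcher.select(null));

        // Hot reload swaps the snapshot; in-flight select() calls keep the old one.
        certs.put("*.sample.org", "sample-wildcard-cert");
        matcher.reload(certs, "default-cert-v2");
        System.out.println("www.sample.org   -> " + matcher.select("www.sample.org"));
    }
}
```

In a Netty pipeline the `select` call would sit inside the `SniHandler` lookup (the spec's `SniHandler.newSslHandler` point), and the PROXY protocol decoder would stay ahead of it so the SNI handler sees the TLS bytes rather than the PROXY header.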