hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gary Gregory <garydgreg...@gmail.com>
Subject Re: Best way to use one SSLContext for different origin servers in a proxy
Date Wed, 10 May 2017 05:46:00 GMT
Thank you the pointer. I am experimenting based on your idea.

Gary

On Tue, May 9, 2017 at 2:04 AM, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Tue, 2017-05-09 at 01:39 -0700, Gary Gregory wrote:
> > On May 9, 2017 1:00 AM, "Oleg Kalnichevski" <olegk@apache.org> wrote:
> >
> > On Tue, 2017-05-09 at 00:21 -0700, Gary Gregory wrote:
> > > Hi All,
> > >
> > > We have a nice example in HttpCore for an HTTP reverse proxy here:
> > >
> > > https://hc.apache.org/httpcomponents-core-4.4.x/httpcore-nio/exampl
> > > es
> > > /org/apache/http/examples/nio/NHttpReverseProxy.java
> > >
> > > I've taken this example and morphed into a different beast. I am
> > > wondering
> > > how I can let each origin server client have its own SSLContext in
> > > order
> > > for me to given them different TrustStrategy implementations.
> > >
> > > In our example, we set things up like this:
> > >
> > >         final IOEventDispatch *connectingEventDispatch *= new
> > > DefaultHttpClientIODispatch(
> > >                 clientHandler, ConnectionConfig.DEFAULT);
> > >
> > >         final IOEventDispatch listeningEventDispatch = new
> > > DefaultHttpServerIODispatch(
> > >                 serviceHandler, ConnectionConfig.DEFAULT);
> > >
> > >         Thread t = new Thread(new Runnable() {
> > >
> > >             public void run() {
> > >                 try {
> > >                     connectingIOReactor.execute(*connectingEventDis
> > > pa
> > > tch*);
> > >                 } catch (InterruptedIOException ex) {
> > >                     System.err.println("Interrupted");
> > >                 } catch (IOException ex) {
> > >                     ex.printStackTrace();
> > >                 } finally {
> > >                     try {
> > >                         listeningIOReactor.shutdown();
> > >                     } catch (IOException ex2) {
> > >                         ex2.printStackTrace();
> > >                     }
> > >                 }
> > >             }
> > >
> > >         });
> > >         t.start();
> > >
> > >
> > > In my case I build the connectingEventDispatch with our lower-level
> > > APIs in
> > > order to pass in the SSLContext like this:
> > >
> > > ConnectionConfig clientConnectionConfig = ConnectionConfig.DEFAULT;
> > > IOEventDispatch *connectingEventDispatch *=
> > >     clientSslContext == null ?
> > >     new DefaultHttpClientIODispatch(clientHandler,
> > > clientConnectionConfig)
> > > :
> > >     new DefaultHttpClientIODispatch(clientHandler,
> > > *clientSslContext*,
> > > clientConnectionConfig);
> > >
> > > But this SSLContext is used for ALL origin servers (a.k.a. target
> > > hosts)
> > >
> > > Do I need to build a connectingEventDispatch for each SSLContext I
> > > need and
> > > then execute each like the above:
> > >
> > > connectingIOReactor.execute(connectingEventDispatch);
> > >
> > > Each execute in its own thread?
> > >
> > > Or is there a cleaner, more HttpCore way to do this?
> > >
> >
> > I suppose the IOEventDispatch#onConnect would be the right place to
> > implement TLS upgrade. One can employ various strategies here, for
> > instance, passing some sort of config object as an attachment to the
> > session request and building SSL context for the session based on
> > that
> > config.
> >
> >
> > Hi Oleg,
> >
> > I am not talking about upgrading connections, even though that would
> > be
> > nice but a separate topic. I
> >
> > I know at startup whether I need SSL or not for each origin server
> > and
> > which TrustStrategy for origin server. I am wondering how to install
> > a TS
> > for each given origin server.
>
>
> I am not sure I understand the problem you are having. One would set up
> trust material when upgrading to SSL/TLS, wound not one?
>
> ---
>
> class MyIODispatch extends AbstractIODispatch<DefaultNHttpClientConnection>
> {
>
>     @Override
>     protected DefaultNHttpClientConnection createConnection(final
> IOSession session) {
>
>         InetSocketAddress remoteAddress = (InetSocketAddress)
> session.getRemoteAddress();
>         if ("secure-origin".equalsIgnoreCase(remoteAddress.getHostName()))
> {
>
>             SSLContext sslContext = SSLContextBuilder.create()
>                     .loadTrustMaterial(new TrustStrategy() {
>                         @Override
>                         public boolean isTrusted(X509Certificate[] chain,
> String authType) throws CertificateException {
>                             return true;
>                         }
>                     })
>                     .build();
>             SSLIOSession sslioSession = new SSLIOSession(session,
> SSLMode.CLIENT, sslContext, null);
>             session.setAttribute(SSLIOSession.SESSION_KEY, sslioSession);
>         }
>         return new DefaultNHttpClientConnection(session, 8 * 1024);
>     }
> }
> ---
>
> Oleg
>
> >
> > It is still a little too early for me to port my app to 5.0 as I am
> > still
> > flushing out features. I certainly plan on doing that and helping
> > with 5.0
> > as much as I can.
> >
> > Gary
> >
> >
> > Oleg
> >
> > PS: I hope that TLS upgrade APIs in 5.0 are much nicer.
> >
> >
> > > Thank you!
> > > Gary
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> > For additional commands, e-mail: dev-help@hc.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
>
>


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<https://www.amazon.com/gp/product/1617290459/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1617290459&linkCode=as2&tag=garygregory-20&linkId=cadb800f39946ec62ea2b1af9fe6a2b8>

<http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1617290459>
JUnit in Action, Second Edition
<https://www.amazon.com/gp/product/1935182021/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182021&linkCode=as2&tag=garygregory-20&linkId=31ecd1f6b6d1eaf8886ac902a24de418%22>

<http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1935182021>
Spring Batch in Action
<https://www.amazon.com/gp/product/1935182951/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182951&linkCode=%7B%7BlinkCode%7D%7D&tag=garygregory-20&linkId=%7B%7Blink_id%7D%7D%22%3ESpring+Batch+in+Action>
<http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1935182951>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message