tls: moving the server name into SocketAddressProvider#16574
tls: moving the server name into SocketAddressProvider#16574mattklein123 merged 20 commits intoenvoyproxy:mainfrom
Conversation
Before the connection reach to TCPPorxy filter or HCM, the server name won't be populated into stream info. It leads to the access log get empty server name. This patch populate the server name in the path of closing socket. Signed-off-by: He Jie Xu <hejie.xu@intel.com>
soulxu
changed the title
soulxu
changed the title
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
snowp
left a comment
snowp
left a comment
There was a problem hiding this comment.
Thanks for working on a fix here! High level question on the approach
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
soulxu
changed the title
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
/retest |
|
Retrying Azure Pipelines: |
snowp
left a comment
snowp
left a comment
There was a problem hiding this comment.
Thanks this seems like a better direction to me, a few comments.
@ggreenway do you also want to review this?
ggreenway
left a comment
ggreenway
left a comment
There was a problem hiding this comment.
This is looking good; I like this approach better.
source/server/active_tcp_listener.cc
Outdated
| void ActiveTcpListener::newConnection(Network::ConnectionSocketPtr&& socket, | ||
| std::unique_ptr<StreamInfo::StreamInfo> stream_info) { | ||
| // populate the SNI into stream info, the network filters needn't do that again. | ||
| if (!socket->requestedServerName().empty()) { |
There was a problem hiding this comment.
Can this be done unconditionally? I would expect that calling setRequestedServerName() with an empty string would have no effect.
There was a problem hiding this comment.
It has a constructor even for empty string https://github.com/envoyproxy/envoy/blob/main/source/common/stream_info/stream_info_impl.h#L237. Or we can move the check inside the setRequestedServerName(), but that will block the case when want to set the server name back to empty. Although I'm not sure we have any case to set the server name back to empty, but it still feels bad for an interface.
There was a problem hiding this comment.
I think it is functionally the same without this check; setting it to empty is the same as not setting it. Please remove the conditional to simplify the code. Same in unlink().
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
/retest |
|
Retrying Azure Pipelines: |
ggreenway
left a comment
ggreenway
left a comment
There was a problem hiding this comment.
Please add another test case for listener filter timeout that verifies the server name is set.
/wait
source/server/active_tcp_listener.cc
Outdated
| void ActiveTcpListener::newConnection(Network::ConnectionSocketPtr&& socket, | ||
| std::unique_ptr<StreamInfo::StreamInfo> stream_info) { | ||
| // populate the SNI into stream info, the network filters needn't do that again. | ||
| if (!socket->requestedServerName().empty()) { |
There was a problem hiding this comment.
I think it is functionally the same without this check; setting it to empty is the same as not setting it. Please remove the conditional to simplify the code. Same in unlink().
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
thanks for the review, I will update soon! |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
/retest |
|
Retrying Azure Pipelines: |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
I didn't realize until now how similar it is. There's an accessor for the requestedServerName on the Connection, which I didn't realize. Maybe we can just delete that entirely, and say that the way to get it is always from the streamInfo, and make sure it's always populated on the streamInfo. Then it becomes a simpler problem than the addresses. It's only used in about ~10 places off of the Connection. Thoughts @mattklein123 ? |
I think this would be fine, but keep in mind that there are unfortunately multiple stacked stream infos (connection, stream, etc.) so we need to make sure to not actually break copying the data over. Another option would be just adding this to |
Hope I understand correctly. I search the socket address issue #14133, so the goal here is not to carry the info anywhere, avoid the bug we always forget to populate the info somewhere, just share the same info from the connection. So we can put the server_name into the socket address provider(need to rename it). Is it correct? @mattklein123 If it is correct, I found other than the 'server name', we also can put the 'downstream ssl info' envoy/source/common/http/conn_manager_impl.cc Line 651 in 233546f envoy/source/common/http/conn_manager_impl.cc Line 654 in 233546f into the socket address provider. Those are used for l4 stream info and http stream info and also populated from the connection. Also, @ggreenway mentioned, we should clean up the way to get the stream info, it should be always from the stream info. for example: let me know whether this is the direction you guys looking for, I'm happy to work on it :) |
|
Yeah in general ^ makes sense to me. In general if we can consolidate information that should never change into a single structure to avoid bugs in copying it around that would be optimal. |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
@mattklein123 @ggreenway I'm going to separate the whole thing into different PR since I found the PR will become huge and hard to review, this PR is just moving the server_name inside SocketAddressProvider. Then I will have other PRs for moving 'ssl info' and 'connection id'. Then a PR for ensure the server name only get from the address provider, the last PR will rename the SocketAddressProvider to proper name. But let me know if you have other perference. |
soulxu
changed the title
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
fyi, I create an issue to track the whole thing #17168 |
|
Check CI? /wait |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
Thanks this looks like a great improvement. One small comment.
/wait
| */ | ||
| virtual const Address::InstanceConstSharedPtr& directRemoteAddress() const PURE; | ||
|
|
||
| /** |
There was a problem hiding this comment.
Just to leave an intermediate comment trail, can you add a TODO above here on what you plan to rename it to? Otherwise this will get confusing if someone looks at it now.
There was a problem hiding this comment.
yea, good point. let me add a TODO
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
* main: (51 commits) listener: add filter chain match support for direct source address (envoyproxy#17118) Increase common/common coverage (envoyproxy#17193) crash_dump: Added local_end_stream_ to crash dump for H2. (envoyproxy#17199) codeql: improve Ubuntu dependency installation (envoyproxy#16556) ci: Move tooling tests to tooling job (envoyproxy#17071) Fix issue with Windows container image (envoyproxy#17113) fix filter linking urls (envoyproxy#17185) bug fix: fix bug that check_format.py will check files which are ignored (envoyproxy#17195) tls: moving the server name into SocketAddressProvider (envoyproxy#16574) network: Use std::make_unique and std::make_shared in source/common/network instead of bare new() (envoyproxy#17177) Revert "alpha matching: support generic action factory context (envoyproxy#17025)" (envoyproxy#17191) ci: Dont clone filter example where not required (envoyproxy#17182) alpha matching: support generic action factory context (envoyproxy#17025) xds: Clarify comment for RouteMatch.case_sensitive field. (envoyproxy#17176) ci: Only publish the required docker image (envoyproxy#17080) coverage: fixing flake (envoyproxy#17190) api: add cluster_specifier_plugin to RouteAction (envoyproxy#16944) wasm: update V8 to v9.2.230.13. (envoyproxy#17183) wasm: update Proxy-Wasm C++ Host and SDK to latest (2021-06-24). (envoyproxy#17174) owners: add Piotr as senior extension maintainer (envoyproxy#17175) ... Signed-off-by: Garrett Bourg <bourg@squareup.com>
) Before the connection reach to TCPPorxy filter or HCM, the server name won't be populated into stream info. It leads to the access log get empty server name. This patch populate the server name in the path of closing socket. Signed-off-by: He Jie Xu <hejie.xu@intel.com> Signed-off-by: chris.xin <xinchuantao@qq.com>
6 participants
Commit Message: tls: moving the server name into SocketAddressProvider
Additional Description:
Making the SocketAddressProvider is single source of server name.
Risk Level: low
Testing: n/a
Part of #17168
Fixes #14922
Signed-off-by: He Jie Xu hejie.xu@intel.com