Proxy support and SNI routing of pulsar
2022-07-01 02:23:00 【swadian2008】
Contents
(1) Set up ATS proxy for layer-4 SNI routing
(2) Configure Pulsar-client with SNI routing
(3) Pulsar geo-replication with SNI routing
A proxy server is an intermediary server that forwards requests from multiple clients to different servers across the Internet. The proxy server acts as a "traffic cop" in both forward and reverse proxy scenarios, and brings your system benefits such as load balancing, performance, security, and auto-scaling.
The proxy in Pulsar acts as a reverse proxy and creates a gateway in front of the brokers. Pulsar does not support proxies such as Apache Traffic Server (ATS), HAProxy, Nginx, and Envoy, but these proxy servers all support SNI routing. SNI routing is used to route traffic to a destination without terminating the SSL connection. Layer-4 routing provides greater transparency because the outbound connection is determined by examining the destination address in the client TCP packets.
Pulsar clients (Java, C++, Python) support the SNI routing protocol, so you can connect to brokers through the proxy. This document walks you through how to set up the ATS proxy, enable SNI routing, and connect a Pulsar client to the broker through the ATS proxy.
ATS-SNI Routing in Pulsar
To support layer-4 SNI routing with ATS, the inbound connection must be a TLS connection. Pulsar clients support the SNI routing protocol over TLS connections, so when Pulsar clients connect to a broker through the ATS proxy, Pulsar uses ATS as a reverse proxy.
Pulsar supports SNI routing for geo-replication, so brokers can connect to brokers in other clusters through the ATS proxy.
This section explains how to set up and use ATS as a reverse proxy so that Pulsar clients can connect to brokers through the ATS proxy using the SNI routing protocol over TLS connections.
(1) Set up ATS proxy for layer-4 SNI routing
To support layer-4 SNI routing, you need to configure the records.config and ssl_server_name.config files.

The records.config file is located in the /usr/local/etc/trafficserver/ directory by default. The file lists the configurable variables used by ATS.
To configure the records.config file, complete the following steps.
- Update the TLS port (http.server_ports) on which the proxy listens, and update the proxy certs (ssl.client.cert.path and ssl.client.cert.filename) to ensure TLS tunneling works.
- Configure the server ports used for tunneling to the broker. If Pulsar brokers are listening on ports 4443 and 6651, add the brokers' service ports to the http.connect_ports configuration.
Here's an example .
# PROXY TLS PORT
CONFIG proxy.config.http.server_ports STRING 4443:ssl 4080
# PROXY CERTS FILE PATH
CONFIG proxy.config.ssl.client.cert.path STRING /proxy-cert.pem
# PROXY KEY FILE PATH
CONFIG proxy.config.ssl.client.cert.filename STRING /proxy-key.pem
# The range of origin server ports that can be used for tunneling via CONNECT.
# Traffic Server allows tunnels only to the specified ports.
# Supports both wildcards (*) and ranges (e.g. 0-1023).
CONFIG proxy.config.http.connect_ports STRING 4443 6651
The ssl_server_name file is used to configure TLS connection handling for inbound and outbound connections. The configuration is determined by the SNI values provided by the inbound connection. The file consists of a set of configuration items, each identified by an SNI value (fqdn). When an inbound TLS connection is made, the SNI value from the TLS negotiation is matched against the items specified in this file. If the values match, the values specified in that item override the default values.
The following example shows the mapping from the inbound SNI host name sent by the client to the actual broker service URL to which the request should be redirected. For example, if the client sends the SNI header pulsar-broker1, the proxy creates a TLS tunnel by redirecting the request to the pulsar-broker1:6651 service URL.
server_config = {
  {
    fqdn = 'pulsar-broker-vip',
    # Forward to Pulsar broker which is listening on 6651
    tunnel_route = 'pulsar-broker-vip:6651'
  },
  {
    fqdn = 'pulsar-broker1',
    # Forward to Pulsar broker-1 which is listening on 6651
    tunnel_route = 'pulsar-broker1:6651'
  },
  {
    fqdn = 'pulsar-broker2',
    # Forward to Pulsar broker-2 which is listening on 6651
    tunnel_route = 'pulsar-broker2:6651'
  },
}
After you configure the ssl_server_name.config and records.config files, the ATS proxy server handles SNI routing and creates a TCP tunnel between the client and the broker.
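Since Traffic Server only tunnels to ports listed in http.connect_ports, the two files have to agree. The following added example (not part of ATS or Pulsar) cross-checks them: it flags a wildcard, tunnel_route ports that are not allowed, and allowed ports that no route uses. The sample texts are constructed from the page's examples and the function names are assumptions.

```python
import re

# Constructed samples based on the page's records.config and ssl_server_name.config
RECORDS = """\
CONFIG proxy.config.http.server_ports STRING 4443:ssl 4080
CONFIG proxy.config.http.connect_ports STRING 4443 6651
"""
SNI_CONFIG = """\
server_config = {
  { fqdn = 'pulsar-broker1', tunnel_route = 'pulsar-broker1:6651' },
  { fqdn = 'pulsar-broker2', tunnel_route = 'pulsar-broker2:6651' },
}
"""

def connect_ports(records_text):
    """Return (wildcard_present, [(low, high), ...]) parsed from connect_ports."""
    m = re.search(r"^CONFIG\s+proxy\.config\.http\.connect_ports\s+STRING\s+(.+)$",
                  records_text, re.M)
    tokens = m.group(1).split() if m else []
    ranges = []
    for tok in tokens:
        if tok != "*":
            low, _, high = tok.partition("-")
            ranges.append((int(low), int(high or low)))
    return "*" in tokens, ranges

def audit(records_text, sni_text):
    """List mismatches between tunnel_route targets and the allowed tunnel ports."""
    wildcard, ranges = connect_ports(records_text)
    ports = [int(p) for p in re.findall(r"tunnel_route\s*=\s*'[^':]+:(\d+)'", sni_text)]
    findings = []
    if wildcard:
        findings.append("connect_ports contains '*': tunnels are allowed to any port")
    for port in sorted(set(ports)):
        if not wildcard and not any(lo <= port <= hi for lo, hi in ranges):
            findings.append(f"port {port} is routed to but missing from connect_ports")
    for lo, hi in ranges:
        if not any(lo <= port <= hi for port in ports):
            findings.append(f"connect_ports allows {lo}-{hi} but no tunnel_route uses it")
    return findings
```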
(2) Configure Pulsar-client with SNI routing
ATS SNI routing works only with TLS. You first need to enable TLS for the ATS proxy and the brokers, configure the SNI routing protocol, and then connect Pulsar clients to brokers through the ATS proxy. Pulsar clients support SNI routing by connecting to the proxy and sending the target broker URL in the SNI header. This process is handled internally. When you create a Pulsar client that uses the SNI routing protocol, you only need to set the following configuration.
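import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.pulsar.client.api.ClientBuilder;
import org.apache.pulsar.client.api.ProxyProtocol;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.impl.auth.AuthenticationTls;

// Target broker URL; the client sends it to the proxy in the SNI header
String brokerServiceUrl = "pulsar+ssl://pulsar-broker-vip:6651/";
// ATS proxy that the client actually connects to
String proxyUrl = "pulsar+ssl://ats-proxy:443";
ClientBuilder clientBuilder = PulsarClient.builder()
    .serviceUrl(brokerServiceUrl)
    .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
    .enableTls(true) // Turn on TLS
    .allowTlsInsecureConnection(false) // Keep certificate validation on
    .proxyServiceUrl(proxyUrl, ProxyProtocol.SNI) // Proxy configuration
    .operationTimeout(1000, TimeUnit.MILLISECONDS);
// TLS client certificate and key used to authenticate to the broker
Map<String, String> authParams = new HashMap<>();
authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
clientBuilder.authentication(AuthenticationTls.class.getName(), authParams);
PulsarClient pulsarClient = clientBuilder.build();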
(3) Pulsar geo-replication with SNI routing
You can use the ATS proxy for geo-replication. Pulsar brokers can connect to brokers in geo-replication by using SNI routing. To enable SNI routing for broker connections across clusters, you need to configure the SNI proxy URL in the cluster metadata. If the SNI proxy URL is configured in the cluster metadata, brokers can connect to brokers in other clusters through the proxy over SNI routing.

In this example, a Pulsar cluster is deployed into two separate regions, us-west and us-east. Both regions are configured with an ATS proxy, and the brokers in each region run behind the ATS proxy. We configure the cluster metadata for both clusters, so brokers in one cluster can use SNI routing and connect to brokers in the other cluster through the ATS proxy.
(a) Configure the cluster metadata for us-east with the us-east broker service URL and the us-east ATS proxy URL with SNI proxy-protocol.
# Configure cluster metadata
./pulsar-admin clusters update \
--broker-url-secure pulsar+ssl://east-broker-vip:6651 \
--url http://east-broker-vip:8080 \
--proxy-protocol SNI \
--proxy-url pulsar+ssl://east-ats-proxy:443
(b) Configure the cluster metadata for us-west with the us-west broker service URL and the us-west ATS proxy URL with SNI proxy-protocol.
./pulsar-admin clusters update \
--broker-url-secure pulsar+ssl://west-broker-vip:6651 \
--url http://west-broker-vip:8080 \
--proxy-protocol SNI \
--proxy-url pulsar+ssl://west-ats-proxy:443