-
-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SniHandler support? #3489
Comments
Glad you enjoy it. Look at dynamic routing: https://jooby.io/#router-dynamic-routing You basically can mount an app base on some condition (like header). There is a shortcut too:
|
Thank you for your response. Yes, I have seen this feature. But I mean entirely different domains (in this case, it is technically impossible), if we have test.com and test.org and they have different SSL certificates. I understand that a redirect can be used, but in my case, it serves as a "fallback," so a regular SslContext won't suffice. Perhaps we can rewrite the current SslOptions abstraction and create something like a condition: if the number of SSL certificates is more than one, then use SniHandler for each domain through DomainWildcardMappingBuilder. I am not sure if such mechanisms exist in frameworks other than Netty, unfortunately, and I don't know how difficult it would be to add support for all network engines. But it seems this "out-of-the-box" feature would be extremely useful. |
In 2.x (if I remember correctly) there was a request to support multiple applications on same JVM. That means a single server listening on multiples ports. Probably that could help here too. |
@Luuzzi just out of curiosity why are you not terminating the SSL with a proxy or load balancer? Are you using a TCP load balancer instead of HTTP/s (as I think that is the only way you can load balance terminating SSL by the endpoint)? EDIT the only time I could see wanting to handle this at the endpoint is:
Number 2 is for multitenancy of customers (or whoever) to upload their SSL certificates (or letscrypt). Number 2 I would imagine is nontrivial to support in Jooby. |
@jknack I don't think that would work unless they terminate at the load balancer which makes the SniHandler moot. That is if you are not terminating the load balancer it is essentially a pass through (TCP proxy) and thus they can only direct traffic based on other things (like health checks) and not host name (e.g. direct to different ports on same machine). Maybe there are some newer load balancers that can act as TCP proxy and sniff the SNI extension that I'm unaware of. Otherwise they have to run each domain on its own IP address (assuming they want 443 externally). That is why I'm curious what @Luuzzi is trying to do here. If they are just trying to have SSL for development purposes of two different domains and not a dynamic amount I would recommend they develop with a load balancer. That is you startup Jooby and the load balancer with your certificates and this is less hard these days with Docker. Load up Nginx and have it loaded with the certificates and direct traffic unencrypted to Jooby. |
We do not use load balancers or proxies, they are unnecessary for our tasks. We simply listen on port 443 instead of doing something like 8443 -> 443. And yes, the problem is that we need dynamic SSL configuration. We have many domains with the same routes. Imagine registering FooApp multiple times for different hosts as @jknack described, but they serve different content depending on the host, and the whole process is dynamic, meaning they can expand and be removed. Overall, I have already developed a solution using your framework by overriding classes. But you might consider this change for the future. I understand that this is a non-trivial task because other network frameworks likely do not have such a simple and convenient SniHandler as Netty. Regards! |
Yes that is correct. Similarly to how Jooby has a facade or abstraction with Alternatively BTW I don't blame you for wanting something like this because I too have had the need (dynamic SSL + host registration) and ended up doing it with custom nginx extensions. I just had to ask the questions because most folks are not in the camp we are in. It looks like Jetty and Netty are possible but Undertow not as much. |
Good day, and sorry for the delayed responses — I’m currently on a short vacation. Right now, I have a rather crude solution where I simply extend I could try to organize a PR, but I’ll need some time to make it "organic"... Meaning, not breaking backward compatibility and ensuring the solution looks good within the context of In short — if we're not in a hurry, I can do it. |
no hurry at all. thanks! |
Hello. First of all, thank you for this amazing framework, it looks incredible!
I would like to ask how to integrate SNI SSL support for multiple domains without having to launch several servers and instead operate on a single instance. I am using Netty. Is there a way to safely integrate into the channel pipeline without rewriting the start method? This feature would be very helpful.
The text was updated successfully, but these errors were encountered: