feat: disable HTTP/2 ALPN handshake for connections on routes configured with AI-proxy. #13735
Open
oowl wants to merge 12 commits into master from disable-h2-alpn-ai-proxy
+608 −33
12 commits (all by oowl):
f88161b chore(tls): move tls-related function to ce from ee
2340e90 feat(ai-proxy): disable the http2 alpn handshake for the request hitt…
7bc75ab fix code
960de22 fix code
0f25a22 fix code
0f5ca2d fix code
9936bd7 fix code
22aa630 fix code
48e2ce5 fix code
4f301df fix code
31185ee fix code
30414a6 fix code
@@ -0,0 +1,4 @@ | ||
message: | | ||
**ai-proxy**: Disabled HTTP/2 ALPN handshake for connections on routes configured with AI-proxy. | ||
type: feature | ||
scope: Plugin |
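Review bot: the entry states what is disabled but not the user-visible consequence or the reason: ALPN is negotiated once per TLS connection, so a client that would otherwise have negotiated h2 for a matching SNI is forced back to HTTP/1.1 for that whole connection, and the entry should say so and name why the AI-proxy plugin needs HTTP/1.1. `scope: Plugin` also understates the change: per the commit list (`chore(tls): move tls-related function to ce from ee`) the PR moves TLS helper code into core, so either mention the core module here or add a second entry for it.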
@@ -0,0 +1,128 @@ | ||
-- This software is copyright Kong Inc. and its licensors. | ||
-- Use of the software is subject to the agreement between your organization | ||
-- and Kong Inc. If there is no such agreement, use is governed by and | ||
-- subject to the terms of the Kong Master Software License Agreement found | ||
-- at https://konghq.com/enterprisesoftwarelicense/. | ||
-- [ END OF LICENSE 0867164ffc95e54f04670b5169c09574bdbd9bba ] | ||
|
||
--- Copyright 2019 Kong Inc. | ||
local ngx_ssl = require "ngx.ssl" | ||
local ssl_clt = require "ngx.ssl.clienthello" | ||
local sni_filter = require("kong.tls.plugins.sni_filter") | ||
local pl_stringx = require "pl.stringx" | ||
local server_name = ngx_ssl.server_name | ||
local PREFIX_SNIS_PSEUDO_INDEX = sni_filter.PREFIX_SNIS_PSEUDO_INDEX | ||
local POSTFIX_SNIS_PSEUDO_INDEX = sni_filter.POSTFIX_SNIS_PSEUDO_INDEX | ||
local startswith = pl_stringx.startswith | ||
local endswith = pl_stringx.endswith | ||
|
||
local _M = {} | ||
|
||
local kong = kong | ||
local EMPTY_T = {} | ||
|
||
|
||
local function match_sni(snis, server_name) | ||
if server_name then | ||
-- search plain snis | ||
if snis[server_name] then | ||
kong.log.debug("matched the plain sni ", server_name) | ||
return snis[server_name] | ||
end | ||
|
||
-- TODO: use radix tree to accelerate the search once we have an available implementation | ||
-- search snis with the leftmost wildcard | ||
for sni, sni_t in pairs(snis[POSTFIX_SNIS_PSEUDO_INDEX] or EMPTY_T) do | ||
if endswith(server_name, sni_t.value) then | ||
kong.log.debug(server_name, " matched the sni with the leftmost wildcard ", sni) | ||
return sni_t | ||
end | ||
end | ||
|
||
-- search snis with the rightmost wildcard | ||
for sni, sni_t in pairs(snis[PREFIX_SNIS_PSEUDO_INDEX] or EMPTY_T) do | ||
if startswith(server_name, sni_t.value) then | ||
kong.log.debug(server_name, " matched the sni with the rightmost wildcard ", sni) | ||
return sni_t | ||
end | ||
end | ||
end | ||
|
||
if server_name then | ||
kong.log.debug("client sent an unknown sni ", server_name) | ||
|
||
else | ||
kong.log.debug("client didn't send an sni") | ||
end | ||
|
||
if snis["*"] then | ||
kong.log.debug("mTLS is enabled globally") | ||
return snis["*"] | ||
end | ||
end | ||
|
||
function _M.execute(snis_set) | ||
|
||
local server_name = server_name() | ||
|
||
local sni_mapping = match_sni(snis_set, server_name) | ||
|
||
if sni_mapping then | ||
-- TODO: improve detection of ennoblement once we have DAO functions | ||
-- to filter plugin configurations based on plugin name | ||
|
||
kong.log.debug("enabled, will request certificate from client") | ||
|
||
local chain | ||
-- send CA DN list | ||
if sni_mapping.ca_cert_chain then | ||
kong.log.debug("set client ca certificate chain") | ||
chain = sni_mapping.ca_cert_chain.ctx | ||
end | ||
|
||
local res, err = kong.client.tls.request_client_certificate(chain) | ||
if not res then | ||
kong.log.err("unable to request client to present its certificate: ", | ||
err) | ||
end | ||
|
||
-- disable session resumption to prevent inability to access client | ||
-- certificate in later phases | ||
res, err = kong.client.tls.disable_session_reuse() | ||
if not res then | ||
kong.log.err("unable to disable session reuse for client certificate: ", | ||
err) | ||
end | ||
end | ||
end | ||
|
||
function _M.execute_client_hello(snis_set, options) | ||
if not snis_set then | ||
return | ||
end | ||
|
||
|
||
if not options then | ||
return | ||
end | ||
|
||
if not options.disable_http2 then | ||
return | ||
end | ||
|
||
local server_name, err = ssl_clt.get_client_hello_server_name() | ||
if err then | ||
kong.log.debug("unable to get client hello server name: ", err) | ||
return | ||
end | ||
|
||
local sni_mapping = match_sni(snis_set, server_name) | ||
|
||
if sni_mapping then | ||
local res, err = kong.client.tls.disable_http2_alpn() | ||
if not res then | ||
kong.log.err("unable to disable http2 alpn: ", err) | ||
end | ||
end | ||
end | ||
|
||
return _M |
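Review bot: the gate in `execute_client_hello` is the SNI match (plain, wildcard, or the `snis["*"]` catch-all), not the route, so once `options.disable_http2` is set every TLS connection whose SNI matches loses h2, including requests to that hostname that never reach an AI-proxy route; the title and changelog should state that the scope is per SNI, and that a `*` entry makes it global. That global case is now misreported by `kong.log.debug("mTLS is enabled globally")` in `match_sni`, which is shared with the h2 path; rename it to something neutral such as "matched the global sni entry". The file also carries two license headers, the Kong Enterprise block ending in `[ END OF LICENSE ... ]` and `--- Copyright 2019 Kong Inc.`, on a module the first commit moves from EE to CE; drop the enterprise block for the CE tree. Smaller points: `local server_name = server_name()` in `_M.execute` shadows the module-level `server_name` upvalue (it works because the right-hand side is evaluated before the new local is in scope, but it is easy to misread; a different local name avoids it); `execute_client_hello` treats a nil `server_name` with no error as "no SNI" and still falls through to the `*` entry, which looks intended but deserves a comment; and both wildcard branches rely on `sni_t.value` carrying the dot separator (`.example.com` for `*.example.com`), otherwise `endswith` would also accept `evil-example.com`, so confirm that in `sni_filter`, which is not in this diff.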
I wonder if this could cause a similar performance impact, just the same as in the mTLS plugin's case. I suggest we introduce this PR after https://github.com/Kong/kong-ee/pull/10510/files
Let's merge the current PR first; it seems that's different functionality here. When the ee PR is merged, I will cherry-pick it to CE (actually it cannot be directly cherry-picked due to the ee and ce DB-related core code differences).