tls: add DetectSni middleware
#3199
Conversation
Signed-off-by: Zahari Dichev <[email protected]>
Signed-off-by: Zahari Dichev <[email protected]>
There was a problem hiding this comment.
I'm a little skeptical on modifying the existing behavior--trying to decouple detection and termination, because the termination ends up being highly contingent on the other layer setting it up properly--we end up exposing a bunch of the implementation details outside the module, which is complex.
It seems like we probably need to get something exposed that only reads the SNI. The TLS server module can probably reuse some internals, but it would probably be easier to focus on adding something that does exactly what we need it do and only on that so we don't incur additional type complexity.
linkerd/tls/src/server.rs
Outdated
| @@ -107,27 +84,27 @@ impl<L, P, N> NewDetectTls<L, P, N> { | |||
| } | |||
| } | |||
|
|
|||
| impl<T, L, P, N> NewService<T> for NewDetectTls<L, P, N> | |||
| impl<T, L, P, N> NewService<(T, Option<ServerName>)> for NewDetectTls<L, P, N> | |||
There was a problem hiding this comment.
Using a tuple-target is a bit of an anti-pattern: it's fragile and doesn't really permit any intermediate layers to work. It may be appropriate here if we can bundle it up so that it's opaque to the caller, but it's preferable to use a Param or ExtractParam to get a ServerName from the target.
linkerd/tls/src/server.rs
Outdated
| params: self.params.clone(), | ||
| inner: self.inner.clone(), | ||
| } | ||
| } | ||
| } | ||
|
|
||
| impl<I, T, L, LIo, P, N, NSvc> Service<I> for DetectTls<T, L, P, N> | ||
| impl<I, T, L, LIo, P, N, NSvc> Service<DetectIo<I>> for DetectTls<T, L, P, N> |
There was a problem hiding this comment.
This no longer detects really, right? Should this be renamed to reflect what it does?
It's also pretty awkward to me that we pass an optional SNI and the local identity here and then at process-time we check whether we should actually do TLS termination.
@olix0r Makes sense. I have reverted these commits and pushed a simpler version that just adds a Not sure whether we want to just move all sni and client hellos internals into their own module that is used by both One option is to have the following mods:
WDYT? |
This reverts commit d909be7. Signed-off-by: Zahari Dichev <[email protected]>
This reverts commit 6c07804. Signed-off-by: Zahari Dichev <[email protected]>
Signed-off-by: Zahari Dichev <[email protected]>
zaharidichev
force-pushed
the
zd/split-tls-detection
branch
from
9602437
to
22c3a9c
Compare
| pub struct DetectSni<T, P, N> { | ||
| target: T, | ||
| inner: N, | ||
| timeout: Timeout, |
There was a problem hiding this comment.
I'm curious about the timeout handling here and whether this should be instrumented here. On a known TLS connection, what do we do in the face of a timeout? Error? The timeout case exists on the existing detection logic so that we can forward connections as opaque after a timeout elapses, but there's no such fallback logic here, is there? I'd probably have to go back to the higher level draft PR to get a sense of how this fits together, but my gut instinct is that we do not need a timeout here.
There was a problem hiding this comment.
Good point. So yes, essentially we would error with a SniDetectionTimeoutError if the timeout elapses. Does that make sense here?
|
Please update the commit message subject and description before merging: this no longer 'splits' TLS detection logic, we're adding a new DetectSni middleware to the TLS crate... The commit message body should include brief description of what this middleware does. |
zaharidichev
changed the title
DetectSni middleware
This change adds a new
DetectSnimiddleware to be used in the outbound stackin order to extract the SNI extension from the
ClientHelloof a TLS session and applyrouting decisions based on it.
In contrast to
DetectTlsthis new middleware is concerned with just extracting the SNIas opposed to terminating the TLS session.
Signed-off-by: Zahari Dichev [email protected]