SSL support #108

Open
kien-truong opened this issue May 8, 2020 · 9 comments

Comments

@kien-truong

It's not obvious whether presto-gateway currently supports SSL-enabled Presto or not. Because Presto-Gateway needs to parse the query, it needs to terminate the client's SSL connection itself before forwarding the request to a Presto coordinator.

I suppose one cannot simply add an SSL backend and expect it to work.

@puneetjaiswal (Contributor)

It should not be a problem if you are using signed certs on the backend coordinator - https://github.com/lyft/presto-gateway/blob/master/proxyserver/src/main/java/com/lyft/data/proxyserver/ProxyServletImpl.java#L30
We are setting TrustAll in SSLFactory so it should work for self-signed certs too.
Did you face any issue with this?

@kien-truong (Author)

Thanks. We're just not sure how to set up presto-gateway with our certificate so that it accepts SSL connections from clients as well.

@puneetjaiswal (Contributor)

  1. If you have a load-balancer in front of the gateway, you could bind the certs on the LB and let TLS terminate right there.
     https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html

  2. If you want the GW to start with HTTPS, you will have to add the certs here -
     https://github.com/lyft/presto-gateway/blob/master/gateway-ha/src/main/java/com/lyft/data/gateway/ha/config/RequestRouterConfiguration.java#L14

We recommend going with option 1 here.

@PennyAndWang

> 1. If you have a load-balancer in front of the gateway, you could bind the certs on the LB and let TLS terminate right there.
>    https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
> 2. If you want the GW to start with HTTPS, you will have to add the certs here -
>    https://github.com/lyft/presto-gateway/blob/master/gateway-ha/src/main/java/com/lyft/data/gateway/ha/config/RequestRouterConfiguration.java#L14
>
> We recommend going with option 1 here.

@puneetjaiswal, I want to try option 2, but I am confused about the difference between the requestRouter config and the applicationConnectors config.

@johnwhumphreys

@PennyAndWang - Did you manage to get option 2 working? We are looking to do the same as we have end-to-end TLS requirements.

@labelhero

@PennyAndWang or @johnwhumphreys, were you able to implement option 2 successfully? I am trying to implement option 2, but I am getting the error below:

io.dropwizard.configuration.ConfigurationValidationException: ../gateway-ha-config.yml has the following errors:
  * keyStorePassword should not be null or empty
  * keyStorePath should not be null

	at io.dropwizard.configuration.BaseConfigurationFactory.validate(BaseConfigurationFactory.java:238)
	at io.dropwizard.configuration.BaseConfigurationFactory.build(BaseConfigurationFactory.java:128)
	at io.dropwizard.configuration.BaseConfigurationFactory.build(BaseConfigurationFactory.java:89)
	at io.dropwizard.cli.ConfiguredCommand.parseConfiguration(ConfiguredCommand.java:126)
	at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:74)
	at io.dropwizard.cli.Cli.run(Cli.java:78)
	at io.dropwizard.Application.run(Application.java:93)
	at com.lyft.data.gateway.ha.HaGatewayLauncher.main(HaGatewayLauncher.java:25)

@puneetjaiswal This is how I provided the keystore details. By the way, I am using a self-signed cert. Am I missing anything here? Please help.

requestRouter:
  port: 8080
  name: prestoRouter
  historySize: 1000
  ssl: True
  keystorePath: <PATH/TO/keystore.jks>
  keystorePass: xxxxxxxx
  
  server:
  applicationConnectors:
    - type: https
      port: 8090
  adminConnectors:
    - type: http
      port: 8091
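The validation error quoted above names the two keys the gateway's Dropwizard configuration expects, keyStorePath and keyStorePassword. Below is a small checker, added here as an example and not part of presto-gateway, that takes a config as a dict (what yaml.safe_load returns) and reports TLS keys that are missing or spelled with different casing, plus keys that don't belong in the requestRouter section. The list of known requestRouter keys is an assumption assembled from the config paste and error message in this thread, not from the project's source; the sample config in the block is a constructed copy of the one posted.

```python
"""Check the requestRouter section of a presto-gateway YAML config for TLS key names.

Added example, not presto-gateway code. keyStorePath and keyStorePassword are the
names from the Dropwizard validation error in this thread; KNOWN_ROUTER_KEYS is an
assumption assembled from the same thread, not from the project's source.
"""
from typing import Any, Dict, List, Optional

REQUIRED_TLS_KEYS = ("keyStorePath", "keyStorePassword")
# Assumption: keys seen in the thread for requestRouter, plus the two TLS keys.
KNOWN_ROUTER_KEYS = {"port", "name", "historySize", "ssl", *REQUIRED_TLS_KEYS}

# Constructed copy of the config pasted in this thread, as yaml.safe_load would
# return it: lowercase 's' in the key names and a 'server' block nested under
# requestRouter instead of at the top level.
POSTED_CONFIG: Dict[str, Any] = {
    "requestRouter": {
        "port": 8080,
        "name": "prestoRouter",
        "historySize": 1000,
        "ssl": True,
        "keystorePath": "<PATH/TO/keystore.jks>",
        "keystorePass": "xxxxxxxx",
        "server": {
            "applicationConnectors": [{"type": "https", "port": 8090}],
            "adminConnectors": [{"type": "http", "port": 8091}],
        },
    }
}

# The same config with the key names corrected and 'server' moved to the top level.
FIXED_CONFIG: Dict[str, Any] = {
    "requestRouter": {
        "port": 8080,
        "name": "prestoRouter",
        "historySize": 1000,
        "ssl": True,
        "keyStorePath": "<PATH/TO/keystore.jks>",
        "keyStorePassword": "xxxxxxxx",
    },
    "server": {
        "applicationConnectors": [{"type": "https", "port": 8090}],
        "adminConnectors": [{"type": "http", "port": 8091}],
    },
}


def similar_key(wanted: str, present: List[str]) -> Optional[str]:
    """Find a present key that is a case variant or abbreviation of `wanted`
    (e.g. 'keystorePass' for 'keyStorePassword')."""
    target = wanted.lower()
    for key in present:
        low = key.lower()
        if low == target or target.startswith(low) or low.startswith(target):
            return key
    return None


def find_key_issues(config: Dict[str, Any]) -> List[str]:
    """Return human-readable problems with the requestRouter TLS settings."""
    router = config.get("requestRouter")
    if not isinstance(router, dict):
        return ["requestRouter section is missing"]
    issues: List[str] = []
    explained: set = set()  # keys already reported as mis-cased variants
    if router.get("ssl"):
        for wanted in REQUIRED_TLS_KEYS:
            if wanted in router:
                if not router[wanted]:
                    issues.append(f"{wanted} should not be null or empty")
                continue
            hint = similar_key(wanted, list(router))
            if hint:
                explained.add(hint)
                issues.append(f"missing {wanted}: rename '{hint}' (names are case-sensitive)")
            else:
                issues.append(f"missing {wanted}")
    for key in router:
        if key in KNOWN_ROUTER_KEYS or key in explained:
            continue
        if key == "server":
            issues.append("'server' is nested under requestRouter; Dropwizard's "
                          "server/applicationConnectors block belongs at the top level")
        else:
            issues.append(f"unexpected key under requestRouter: '{key}'")
    return issues


def load_and_check(path: str) -> List[str]:
    """Load a YAML file with PyYAML (assumed installed) and check it."""
    import yaml  # imported here so the offline checks above need no extra package
    with open(path, "r", encoding="utf-8") as fh:
        return find_key_issues(yaml.safe_load(fh) or {})


if __name__ == "__main__":
    for line in find_key_issues(POSTED_CONFIG):
        print("-", line)
```

Run against the posted config it reports the two mis-cased keys and the misplaced server block; against the corrected dict it reports nothing. Whether the corrected names alone make the gateway serve HTTPS is not something this check can tell you; it only gets you past the validation step quoted above.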

@johnwhumphreys

My team got it working with SSL, but I wasn't paying attention to the details to be honest. I'll see if I can get someone to drop some notes.

But first... the error says "keyStorePath" and you have "keystorePath" - any chance this is just a casing issue? Same for the other word.

@labelhero

@johnwhumphreys That's great!! Could you please drop some details whenever you have a chance. Thanks.

@lanrecA commented Mar 14, 2023

Hi all, it's 2023 and I know I'm late to the party :). I'm currently implementing this for my team. I'm using a self-signed cert locally with my Mac hostname (example: 232929-123f.companyname.com) as the CN in the key & certificate.

I'm getting a 400 Invalid SNI error. I tried following the recommendation here -
https://stackoverflow.com/questions/69945173/org-eclipse-jetty-http-badmessageexception-400-invalid-sni but that doesn't seem to be helping. I can provide additional details if needed. I'd appreciate your suggestions/recommendations. Thanks

<title>Error 400 Host does not match SNI</title>

HTTP ERROR 400 Host does not match SNI

URI:/v1/statement
STATUS:400
MESSAGE:Host does not match SNI
SERVLET:-
CAUSED BY:org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI

Caused by:

org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
	at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
	at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:396)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:829)

PS: it works great connecting to HTTP Trino clusters. Just trying to get it to work with an HTTPS Trino endpoint has been a struggle. Thanks
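The trace above ends in Jetty's SecureRequestCustomizer, which is the server-side SNI host check: Jetty rejects a request with 400 "Host does not match SNI" when the host name in the request's Host header is not covered by the certificate it served on that TLS connection. A self-signed certificate whose only name is the machine's hostname therefore rejects requests addressed to localhost or to an IP address, and IP literals never carry SNI at all. The script below is an added example, not presto-gateway or Jetty code: diagnose() reproduces that comparison offline against a list of certificate names, and cert_names_from_endpoint() reads those names off a live endpoint when given the self-signed certificate (exported from the keystore) as the trust anchor. Host names and ports in it are constructed; only 232929-123f.companyname.com comes from the comment above.

```python
"""Reproduce Jetty's SNI host check offline and read a server's certificate names.

Added example, not Jetty or presto-gateway code. The comparison in diagnose()
follows what Jetty's SecureRequestCustomizer enforces: the Host header name must
be covered by the certificate served on the TLS connection. Names and ports below
are constructed, except the hostname quoted from the thread.
"""
import ipaddress
import socket
import ssl
from typing import List, Optional

# Constructed stand-in for the certificate described in the thread: a single
# CN/SAN that is the developer machine's hostname.
CERT_NAMES = ["232929-123f.companyname.com"]


def host_from_header(host_header: str) -> str:
    """Strip the optional :port (and IPv6 brackets) from a Host header value."""
    value = host_header.strip().lower()
    if value.startswith("["):                 # e.g. [::1]:8443
        return value[1:value.index("]")]
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() else value


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost '*' label that matches
    exactly one label (*.example.com covers gw.example.com, but not
    a.b.example.com and not example.com)."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    if c_labels[0] != "*" or len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def diagnose(host_header: str, cert_names: List[str]) -> str:
    """Explain whether a request with this Host header passes the SNI host check
    against a certificate valid for `cert_names`."""
    host = host_from_header(host_header)
    if is_ip_literal(host):
        return (f"400 Host does not match SNI: '{host}' is an IP literal; clients send "
                "no SNI for IPs and the certificate is not valid for it. Use a DNS "
                "name listed in the certificate's SANs.")
    for name in cert_names:
        if name_matches(name, host):
            return f"OK: Host '{host}' is covered by certificate name '{name}'"
    return (f"400 Host does not match SNI: '{host}' is not among the certificate "
            f"names {cert_names}. Connect with one of those names, or reissue the "
            "certificate with a SAN for the name clients actually use.")


def cert_names_from_endpoint(host: str, port: int, cafile: str,
                             server_name: Optional[str] = None) -> List[str]:
    """Connect to host:port and return the DNS SANs plus CN of the served certificate.
    `cafile` is the PEM of the self-signed cert (exported from the gateway keystore)
    so verification succeeds; hostname checking is disabled on purpose so a
    mismatched certificate can still be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [value for rdn in cert.get("subject", ()) for key, value in rdn
              if key == "commonName"]
    return names


if __name__ == "__main__":
    for header in ("localhost:8443", "127.0.0.1:8443", "232929-123f.companyname.com:8443"):
        print(header, "->", diagnose(header, CERT_NAMES))
```

The practical reading for the error above: the URL the Trino client is given must use a host name that appears in the gateway's certificate, and if clients reach the gateway through another name (localhost, a service alias, a load-balancer DNS name) that name needs to be a SAN in the certificate rather than something the host check is told to ignore.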
