housepower / clickhouse_sinker

Easily load data from kafka to ClickHouse
https://housepower.github.io/clickhouse_sinker
Apache License 2.0

Is it possible to establish a connection to the clickhouse "tcp_port_secure" port? #113

Closed voriol closed 3 years ago

voriol commented 3 years ago

Hi!

Is it possible to establish a connection to the clickhouse "tcp_port_secure" port?

https://clickhouse.tech/docs/en/operations/server-configuration-parameters/settings/#server_configuration_parameters-tcp_port_secure

This requires the client to use a certificate file + key + CA:

<!-- Config set into /etc/clickhouse-client/. It's used if no other configs are found. -->
<config>
    <openSSL>
        <client> <!-- Used for connection to server's secure tcp port -->
            <certificateFile>/etc/clickhouse-client/client.crt</certificateFile>
            <privateKeyFile>/etc/clickhouse-client/client.key</privateKeyFile>
            <caConfig>/etc/clickhouse-client/ca-fullchain.crt</caConfig>
            <loadDefaultCAFile>true</loadDefaultCAFile>
            <cacheSessions>true</cacheSessions>
            <disableProtocols>sslv2,sslv3</disableProtocols>
            <preferServerCiphers>true</preferServerCiphers>
            <!-- Use for self-signed: <verificationMode>none</verificationMode> -->
            <invalidCertificateHandler>
                <!-- Use for self-signed: <name>AcceptCertificateHandler</name> -->
                <name>RejectCertificateHandler</name>
            </invalidCertificateHandler>
        </client>
    </openSSL>
</config>

Thanks!

sundy-li commented 3 years ago

Hello, currently not, but it may be a feature.

tls_config - name of a TLS config with client certificates, registered using clickhouse.RegisterTLSConfig(); implies secure to be true, unless explicitly specified

voriol commented 3 years ago

Sounds good! thank you @sundy-li

yuzhichang commented 3 years ago

@voriol I tried changing the clickhouse-server and clickhouse-client config but got the following error:

Code: 210. DB::NetException: SSL Exception: error:14000086:SSL routines::certificate verify failed (192.168.101.106:9440)

Do you know if there's a tutorial on this?

yuzhichang commented 3 years ago

Found a tutorial: https://altinity.com/blog/2019/3/5/clickhouse-networking-part-2

yuzhichang commented 3 years ago

e5b466ebe2ab07230dbc09bf693d6282316755fc (will be released in v1.8.12) fixed this. It adds the following config:

type ClickHouseConfig struct {
    // ......
    // Whether to enable TLS encryption with clickhouse-server
    Secure bool
    // Whether to skip verification of the clickhouse-server certificate
    InsecureSkipVerify bool
}
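
An added example, not part of the thread and not clickhouse_sinker's own code: it shows what the two flags mean for a Go TLS client by running three handshakes against a local server with a self-signed certificate. The helper names (`clientTLS`, `probe`, `demo`) and the `httptest` server standing in for the secure ClickHouse port are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientTLS is a hypothetical helper (not clickhouse_sinker code): it maps the
// two flags from the comment above, plus an optional CA pool, to a *tls.Config.
func clientTLS(secure, insecureSkipVerify bool, roots *x509.CertPool) *tls.Config {
	if !secure {
		return nil // plaintext connection, no TLS at all
	}
	return &tls.Config{
		RootCAs:            roots,              // nil means the system trust store
		InsecureSkipVerify: insecureSkipVerify, // true disables chain and hostname checks
		MinVersion:         tls.VersionTLS12,
	}
}

// probe performs one TLS handshake against addr and returns the client-side error.
func probe(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// demo runs three client configs against a constructed self-signed local TLS server.
func demo() (untrusted, trusted, skipped error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	untrusted = probe(addr, clientTLS(true, false, x509.NewCertPool())) // verify, CA unknown
	trusted = probe(addr, clientTLS(true, false, pool))                 // verify, CA supplied
	skipped = probe(addr, clientTLS(true, true, nil))                   // no verification
	return
}

func main() {
	u, t, s := demo()
	fmt.Printf("CA unknown: %v\nCA trusted: %v\nInsecureSkipVerify: %v\n", u, t, s)
}
```

The first handshake fails in the same way as the "certificate verify failed" error quoted earlier in the thread, and the second shows that trusting the server's CA resolves it while keeping verification on. The third also succeeds, but the client has authenticated nothing, so any host that answers on that address is accepted.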