lyft / presto-gateway

A load balancer / proxy / gateway for prestodb
Apache License 2.0

SSL support #108

Open kien-truong opened 4 years ago

kien-truong commented 4 years ago

It's not obvious whether presto-gateway currently supports SSL-enabled Presto or not. Because Presto-Gateway needs to parse the query, it needs to terminate the client's SSL connection itself before forwarding the request to a Presto coordinator.

I suppose one cannot simply add an SSL backend and expect it to work.

puneetjaiswal commented 4 years ago

It should not be a problem if you are using signed certs on the backend coordinator - https://github.com/lyft/presto-gateway/blob/master/proxyserver/src/main/java/com/lyft/data/proxyserver/ProxyServletImpl.java#L30 We are setting TrustAll in SSLFactory, so it should work for self-signed certs too. Did you face any issue with this?

kien-truong commented 4 years ago

Thanks. We're just not sure how to set up presto-gateway with our certificate so that it accepts SSL connections from clients as well.

puneetjaiswal commented 4 years ago
  1. If you are having a load-balancer before gateway, you could bind the certs on LB and let TLS terminate right there. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html

  2. If you want GW to start with HTTPS you will have to add the certs here - https://github.com/lyft/presto-gateway/blob/master/gateway-ha/src/main/java/com/lyft/data/gateway/ha/config/RequestRouterConfiguration.java#L14

We recommend going with option 1 here.

PennyAndWang commented 4 years ago
  1. If you are having a load-balancer before gateway, you could bind the certs on LB and let TLS terminate right there. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
  2. If you want GW to start with HTTPS you will have to add the certs here - https://github.com/lyft/presto-gateway/blob/master/gateway-ha/src/main/java/com/lyft/data/gateway/ha/config/RequestRouterConfiguration.java#L14

We recommend going with option 1 here.

@puneetjaiswal, I want to try option 2, but I am confused about the difference between the requestRouter config and the applicationConnectors config.

johnwhumphreys commented 4 years ago

@PennyAndWang - Did you manage to get option 2 working? We are looking to do the same as we have end-to-end TLS requirements.

labelhero commented 3 years ago

@PennyAndWang or @johnwhumphreys Were you able to implement option 2 successfully? I am trying to implement option 2; however, I am getting the error below.

io.dropwizard.configuration.ConfigurationValidationException: ../gateway-ha-config.yml has the following errors:
  * keyStorePassword should not be null or empty
  * keyStorePath should not be null

    at io.dropwizard.configuration.BaseConfigurationFactory.validate(BaseConfigurationFactory.java:238)
    at io.dropwizard.configuration.BaseConfigurationFactory.build(BaseConfigurationFactory.java:128)
    at io.dropwizard.configuration.BaseConfigurationFactory.build(BaseConfigurationFactory.java:89)
    at io.dropwizard.cli.ConfiguredCommand.parseConfiguration(ConfiguredCommand.java:126)
    at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:74)
    at io.dropwizard.cli.Cli.run(Cli.java:78)
    at io.dropwizard.Application.run(Application.java:93)
    at com.lyft.data.gateway.ha.HaGatewayLauncher.main(HaGatewayLauncher.java:25)

@puneetjaiswal This is how I provided the keystore details. By the way, I am using a self-signed cert. Am I missing anything here? Please help.

requestRouter:
  port: 8080
  name: prestoRouter
  historySize: 1000
  ssl: True
  keystorePath: <PATH/TO/keystore.jks>
  keystorePass: xxxxxxxx

  server:
  applicationConnectors:
    - type: https
      port: 8090
  adminConnectors:
    - type: http
      port: 8091

johnwhumphreys commented 3 years ago

My team got it working with SSL, but I wasn't paying attention to the details to be honest. I'll see if I can get someone to drop some notes.

But first... the error says "keyStorePath" and you have "keystorePath" - any chance this is just a casing issue? Same for the other word.

labelhero commented 3 years ago

@johnwhumphreys That's great!! Could you please drop some details whenever you have a chance. Thanks..

lanrecA commented 1 year ago

Hi all, it's 2023 and I know I'm late to the party :). I'm currently implementing this for my team. I'm using a self-signed cert locally with my Mac hostname (example: 232929-123f.companyname.com) as the CN in the key & certificate.

I'm getting a 400 Invalid SNI error. I tried following the recommendation here - https://stackoverflow.com/questions/69945173/org-eclipse-jetty-http-badmessageexception-400-invalid-sni but that doesn't seem to be helping. I can provide additional details if needed. I'd appreciate your suggestions/recommendations. Thanks

Error 400 Host does not match SNI

HTTP ERROR 400 Host does not match SNI

URI:/v1/statement
STATUS:400
MESSAGE:Host does not match SNI
SERVLET:-
CAUSED BY:org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI

Caused by:

org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:396)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Thread.java:829)

PS: it works great connecting to HTTP Trino clusters. Just trying to get it to work with an HTTPS Trino endpoint has been a struggle. Thanks
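A small pre-flight checker, added here as an example and not part of presto-gateway, for the two failures in this thread: the Dropwizard validation error from labelhero's config (the required key names `keyStorePath` and `keyStorePassword` are taken from the error message above, and the sample config is constructed to mirror the posted one) and lanrecA's "Host does not match SNI" rejection, approximated as a hostname-vs-certificate-name match rather than Jetty's own code.

```python
"""Pre-flight checks for the two failures seen in this thread (example code added
here, not part of presto-gateway). Required key names come from the Dropwizard
validation error above; the host check approximates Jetty's SNI host check."""
from __future__ import annotations

# Field names exactly as the ConfigurationValidationException reported them.
REQUIRED_SSL_KEYS = ("keyStorePath", "keyStorePassword")


def check_request_router(cfg: dict) -> list[str]:
    """Report the problems Dropwizard would raise for requestRouter when ssl is on,
    and point out keys that differ from a required key only in case."""
    router = cfg.get("requestRouter", {})
    if not router.get("ssl"):
        return []  # plain HTTP: the keystore fields are not required
    by_lowercase = {k.lower(): k for k in router}
    problems = []
    for key in REQUIRED_SSL_KEYS:
        if router.get(key):
            continue
        near_miss = by_lowercase.get(key.lower())
        if near_miss and near_miss != key:
            problems.append(f"{key} missing: found '{near_miss}' (keys are case-sensitive)")
        else:
            problems.append(f"{key} should not be null or empty")
    return problems


def cert_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the whole
    leftmost label and must leave at least two more labels (no '*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def host_matches_cert(cert_names: list[str], host_header: str) -> bool:
    """True when the HTTP Host header (port stripped) names the served certificate,
    i.e. when a Jetty-style SNI host check would not answer "400 Host does not match SNI".
    Assumes a hostname or IPv4 literal in Host, not a bracketed IPv6 literal."""
    host = host_header.rsplit(":", 1)[0] if ":" in host_header else host_header
    return any(cert_name_matches(name, host) for name in cert_names)


# Constructed to mirror the config posted above (mis-cased keystore keys).
SAMPLE_CONFIG = {"requestRouter": {"port": 8080, "name": "prestoRouter", "ssl": True,
                                   "keystorePath": "/path/to/keystore.jks",
                                   "keystorePass": "xxxxxxxx"}}
```

Run `check_request_router` on the config before starting the gateway, and `host_matches_cert` with the hostname clients will actually put in the Host header (localhost or an IP will not match a certificate issued for a machine's FQDN).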