trinodb / trino-gateway

https://trinodb.github.io/trino-gateway/
Apache License 2.0

Support more insecure configuration for Trino #538

Open Mrzyxing opened 3 weeks ago

Mrzyxing commented 3 weeks ago

We have some self-signed HTTPS servers and are using them in an insecure mode, but we cannot proxy them for two reasons:

In our environment, there are many insecure usages. Is there any way to simply skip SSL verification, or is there a plan to add this configuration?

oneonestar commented 3 weeks ago

Does this work for you? https://trinodb.github.io/trino-gateway/security/?h=insecure#extra-self-signed-certificate-in-trino

Mrzyxing commented 3 weeks ago

> Does this work for you? https://trinodb.github.io/trino-gateway/security/?h=insecure#extra-self-signed-certificate-in-trino

Not actually. Execute `~/trino-cli-418-executable.jar --server https://proxy-address:443 --catalog hive --user admin --password --insecure` with `select * from system.runtime.nodes`, and it will return an error of ProxyResponseHandler, because ProxyRequestHandler posts this SQL to an HTTPS server via /v1/statement/ but uses the default JettyClient, which does not support insecure mode (or just does not recognize it?). Currently, I am just force-enabling insecure support in JettyClient with the following workaround:

    // io.trino.gateway.baseapp.BaseApp.java

    private static void registerProxyResources(Binder binder)
    {
        jaxrsBinder(binder).bind(RouteToBackendResource.class);
        jaxrsBinder(binder).bind(RouterPreMatchContainerRequestFilter.class);
        jaxrsBinder(binder).bind(ProxyRequestHandler.class);
        // trust all: this client accepts any server certificate (TLS verification disabled)
        binder.bind(SslContextFactory.Client.class).toInstance(new SslContextFactory.Client(true));
        httpClientBinder(binder).bindHttpClient("proxy", ForProxy.class);
        httpClientBinder(binder).bindHttpClient("monitor", ForMonitor.class);
    }

It worked, but it looks ugly.
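For comparison with the trust-all binding in the workaround above, this is an added example (not part of the thread and not trino-gateway code) of a Jetty `SslContextFactory.Client` that trusts only the backend's own self-signed certificate and keeps host name verification on. The class name `PinnedBackendTrust`, the alias prefix and the PEM file path argument are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical helper: an illustration, not code from the trino-gateway project.
public final class PinnedBackendTrust
{
    private PinnedBackendTrust() {}

    // Builds a client-side SSL factory that trusts only the certificate(s) in pemFile.
    public static SslContextFactory.Client forCertificate(Path pemFile)
            throws Exception
    {
        // Start from an empty in-memory trust store so no public CA is trusted implicitly.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            int index = 0;
            for (Certificate cert : x509.generateCertificates(in)) {
                trustStore.setCertificateEntry("trino-backend-" + index++, cert);
            }
        }
        if (trustStore.size() == 0) {
            // Fail closed: an empty store must not silently become "trust nothing or everything".
            throw new IllegalArgumentException("No certificate found in " + pemFile);
        }

        SslContextFactory.Client factory = new SslContextFactory.Client(false); // trustAll = false
        factory.setTrustStore(trustStore);
        // Keep host name checks: the certificate's name must match the backend host.
        factory.setEndpointIdentificationAlgorithm("HTTPS");
        return factory;
    }

    public static void main(String[] args)
            throws Exception
    {
        // args[0]: path to the backend's self-signed certificate in PEM format (assumed input).
        SslContextFactory.Client factory = forCertificate(Path.of(args[0]));
        factory.start(); // builds the SSLContext; throws if the trust material is unusable
        System.out.println("SSLContext ready: " + factory.getSslContext().getProtocol());
        factory.stop();
    }
}
```

With this factory a backend presenting any other certificate, or one whose name does not match its host, is rejected, whereas `new SslContextFactory.Client(true)` accepts every certificate.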