-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enhancement(tls settings): support of SNI when connecting to remote server #21365
Conversation
8dd1a5a
to
06b56a0
Compare
06b56a0
to
0a73680
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this enhancement @anil-db ! I left one comment inline. Could you also:
- Add a changelog entry per https://github.com/vectordotdev/vector/blob/master/changelog.d/README.md
- Run
make generate-component-docs
to regerenate the docs to add this new option?
Added. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you! Just a few more minor comments.
src/http.rs
Outdated
.unwrap() | ||
.downcast_ref::<openssl::error::ErrorStack>() | ||
.unwrap(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than unwrap
could we use expect
? It's not immediately clear to me why these unwraps are safe and I think expect
would make that clearer since you can provide a reason.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed it to expect and provided reason why it is expected.
src/http.rs
Outdated
Err(error) => { | ||
error | ||
.source() | ||
.expect("was expecting to have a source in tlsError variant returned from apply_connect_configuration(). See SetSniSnafu.") | ||
.downcast_ref::<openssl::error::ErrorStack>() | ||
.expect("was expecting the source error to be of type openssl::error::ErrorStack from apply_connect_configuration(). See SetSniSnafu."); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding the expect
s. I'm not a huge fan of asserting that a specific enum variant from a Snafu error was returned. I tried to refactor this but wasn't able to push to this branch. Could you apply this patch?
9a5fabeb0e - (HEAD -> anil-db/support-sni) Refactor to get rid of `expect`s (23 seconds ago) <Jesse Szwedko>
diff --git a/lib/vector-core/src/tls/mod.rs b/lib/vector-core/src/tls/mod.rs
index 96b9253f4f..9e065cb212 100644
--- a/lib/vector-core/src/tls/mod.rs
+++ b/lib/vector-core/src/tls/mod.rs
@@ -191,7 +191,9 @@ fn tls_connector(settings: &MaybeTlsSettings) -> Result<ConnectConfiguration> {
.context(TlsBuildConnectorSnafu)?;
let tls_setting = settings.tls().cloned();
if let Some(tls_setting) = &tls_setting {
- tls_setting.apply_connect_configuration(&mut configure)?;
+ tls_setting
+ .apply_connect_configuration(&mut configure)
+ .context(SetSniSnafu)?;
}
Ok(configure)
}
diff --git a/lib/vector-core/src/tls/settings.rs b/lib/vector-core/src/tls/settings.rs
index 1e68563011..1dcdc932b8 100644
--- a/lib/vector-core/src/tls/settings.rs
+++ b/lib/vector-core/src/tls/settings.rs
@@ -20,8 +20,8 @@ use super::{
AddCertToStoreSnafu, AddExtraChainCertSnafu, CaStackPushSnafu, DerExportSnafu,
EncodeAlpnProtocolsSnafu, FileOpenFailedSnafu, FileReadFailedSnafu, MaybeTls, NewCaStackSnafu,
NewStoreBuilderSnafu, ParsePkcs12Snafu, Pkcs12Snafu, PrivateKeyParseSnafu, Result,
- SetAlpnProtocolsSnafu, SetCertificateSnafu, SetPrivateKeySnafu, SetSniSnafu,
- SetVerifyCertSnafu, TlsError, TlsIdentitySnafu, X509ParseSnafu,
+ SetAlpnProtocolsSnafu, SetCertificateSnafu, SetPrivateKeySnafu, SetVerifyCertSnafu, TlsError,
+ TlsIdentitySnafu, X509ParseSnafu,
};
pub const PEM_START_MARKER: &str = "-----BEGIN ";
@@ -343,12 +343,15 @@ impl TlsSettings {
Ok(())
}
- pub fn apply_connect_configuration(&self, connection: &mut ConnectConfiguration) -> Result<()> {
+ pub fn apply_connect_configuration(
+ &self,
+ connection: &mut ConnectConfiguration,
+ ) -> std::result::Result<(), openssl::error::ErrorStack> {
connection.set_verify_hostname(self.verify_hostname);
if let Some(server_name) = &self.server_name {
// Prevent native TLS lib from inferring default SNI using domain name from url.
connection.set_use_server_name_indication(false);
- connection.set_hostname(server_name).context(SetSniSnafu)?;
+ connection.set_hostname(server_name)?;
}
Ok(())
}
diff --git a/src/http.rs b/src/http.rs
index 9c30bdea49..43bd10eb88 100644
--- a/src/http.rs
+++ b/src/http.rs
@@ -14,7 +14,6 @@ use hyper_openssl::HttpsConnector;
use hyper_proxy::ProxyConnector;
use rand::Rng;
use serde_with::serde_as;
-use snafu::Error;
use snafu::{ResultExt, Snafu};
use std::{
fmt,
@@ -205,19 +204,10 @@ pub fn build_tls_connector(
let settings = tls_settings.tls().cloned();
https.set_callback(move |c, _uri| {
if let Some(settings) = &settings {
- match settings.apply_connect_configuration(c) {
- Ok(()) => (),
- Err(error) => {
- error
- .source()
- .expect("was expecting to have a source in tlsError variant returned from apply_connect_configuration(). See SetSniSnafu.")
- .downcast_ref::<openssl::error::ErrorStack>()
- .expect("was expecting the source error to be of type openssl::error::ErrorStack from apply_connect_configuration(). See SetSniSnafu.");
- }
- }
+ settings.apply_connect_configuration(c)
+ } else {
+ Ok(())
}
-
- Ok(())
});
Ok(https)
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This makes more sense. applied.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @anil-db !
Head branch was pushed to by a user without write access
Regression Detector ResultsRun ID: e53da310-03fb-46fa-9bb0-1e1baf64ade0 Metrics dashboard Baseline: 077dca8 Performance changes are noted in the perf column of each table:
No significant changes in experiment optimization goalsConfidence level: 90.00% There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
|
perf | experiment | goal | Δ mean % | Δ mean % CI | links |
---|---|---|---|---|---|
✅ | file_to_blackhole | egress throughput | +7.42 | [+0.27, +14.57] |
Fine details of change detection per experiment
perf | experiment | goal | Δ mean % | Δ mean % CI | links |
---|---|---|---|---|---|
✅ | file_to_blackhole | egress throughput | +7.42 | [+0.27, +14.57] | |
➖ | splunk_hec_route_s3 | ingress throughput | +3.04 | [+2.72, +3.36] | |
➖ | syslog_regex_logs2metric_ddmetrics | ingress throughput | +0.99 | [+0.84, +1.15] | |
➖ | http_elasticsearch | ingress throughput | +0.38 | [+0.22, +0.53] | |
➖ | http_to_http_noack | ingress throughput | +0.13 | [+0.06, +0.21] | |
➖ | http_to_http_json | ingress throughput | +0.04 | [-0.00, +0.09] | |
➖ | splunk_hec_indexer_ack_blackhole | ingress throughput | +0.01 | [-0.07, +0.09] | |
➖ | splunk_hec_to_splunk_hec_logs_noack | ingress throughput | -0.00 | [-0.09, +0.09] | |
➖ | splunk_hec_to_splunk_hec_logs_acks | ingress throughput | -0.01 | [-0.12, +0.10] | |
➖ | datadog_agent_remap_blackhole | ingress throughput | -0.20 | [-0.30, -0.11] | |
➖ | syslog_loki | ingress throughput | -0.23 | [-0.32, -0.15] | |
➖ | syslog_log2metric_humio_metrics | ingress throughput | -0.28 | [-0.40, -0.16] | |
➖ | http_to_s3 | ingress throughput | -0.45 | [-0.72, -0.18] | |
➖ | syslog_splunk_hec_logs | ingress throughput | -0.50 | [-0.61, -0.40] | |
➖ | fluent_elasticsearch | ingress throughput | -0.54 | [-1.03, -0.04] | |
➖ | http_to_http_acks | ingress throughput | -0.55 | [-1.77, +0.66] | |
➖ | otlp_http_to_blackhole | ingress throughput | -0.81 | [-0.92, -0.69] | |
➖ | syslog_humio_logs | ingress throughput | -0.82 | [-0.93, -0.72] | |
➖ | datadog_agent_remap_datadog_logs_acks | ingress throughput | -1.01 | [-1.19, -0.82] | |
➖ | syslog_log2metric_splunk_hec_metrics | ingress throughput | -1.14 | [-1.28, -1.01] | |
➖ | http_text_to_http_json | ingress throughput | -1.37 | [-1.49, -1.25] | |
➖ | otlp_grpc_to_blackhole | ingress throughput | -1.77 | [-1.88, -1.66] | |
➖ | datadog_agent_remap_datadog_logs | ingress throughput | -1.86 | [-2.09, -1.63] | |
➖ | syslog_log2metric_tag_cardinality_limit_blackhole | ingress throughput | -2.07 | [-2.16, -1.99] | |
➖ | socket_to_socket_blackhole | ingress throughput | -2.68 | [-2.77, -2.60] | |
➖ | datadog_agent_remap_blackhole_acks | ingress throughput | -3.71 | [-3.82, -3.61] |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
Regression Detector ResultsRun ID: 4d6d09ff-85a2-44a9-a747-f96bd869c0ab Metrics dashboard Baseline: 04d21fb Performance changes are noted in the perf column of each table:
No significant changes in experiment optimization goalsConfidence level: 90.00% There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
|
perf | experiment | goal | Δ mean % | Δ mean % CI | links |
---|---|---|---|---|---|
➖ | file_to_blackhole | egress throughput | -3.84 | [-10.50, +2.82] |
Fine details of change detection per experiment
perf | experiment | goal | Δ mean % | Δ mean % CI | links |
---|---|---|---|---|---|
➖ | syslog_humio_logs | ingress throughput | +4.34 | [+4.22, +4.45] | |
➖ | syslog_log2metric_splunk_hec_metrics | ingress throughput | +1.00 | [+0.91, +1.10] | |
➖ | syslog_regex_logs2metric_ddmetrics | ingress throughput | +0.61 | [+0.48, +0.74] | |
➖ | otlp_http_to_blackhole | ingress throughput | +0.29 | [+0.17, +0.41] | |
➖ | http_to_s3 | ingress throughput | +0.14 | [-0.13, +0.41] | |
➖ | http_to_http_noack | ingress throughput | +0.13 | [+0.06, +0.21] | |
➖ | http_to_http_json | ingress throughput | +0.03 | [-0.01, +0.07] | |
➖ | splunk_hec_indexer_ack_blackhole | ingress throughput | +0.03 | [-0.05, +0.11] | |
➖ | splunk_hec_to_splunk_hec_logs_noack | ingress throughput | +0.01 | [-0.08, +0.11] | |
➖ | splunk_hec_to_splunk_hec_logs_acks | ingress throughput | +0.00 | [-0.12, +0.12] | |
➖ | http_to_http_acks | ingress throughput | -0.05 | [-1.26, +1.17] | |
➖ | http_elasticsearch | ingress throughput | -0.24 | [-0.39, -0.08] | |
➖ | datadog_agent_remap_datadog_logs | ingress throughput | -0.31 | [-0.50, -0.13] | |
➖ | syslog_loki | ingress throughput | -0.36 | [-0.44, -0.27] | |
➖ | syslog_log2metric_tag_cardinality_limit_blackhole | ingress throughput | -0.43 | [-0.52, -0.35] | |
➖ | fluent_elasticsearch | ingress throughput | -0.71 | [-1.20, -0.22] | |
➖ | otlp_grpc_to_blackhole | ingress throughput | -0.78 | [-0.89, -0.66] | |
➖ | syslog_log2metric_humio_metrics | ingress throughput | -1.26 | [-1.38, -1.14] | |
➖ | datadog_agent_remap_blackhole | ingress throughput | -1.31 | [-1.42, -1.21] | |
➖ | http_text_to_http_json | ingress throughput | -1.38 | [-1.48, -1.27] | |
➖ | splunk_hec_route_s3 | ingress throughput | -1.59 | [-1.88, -1.30] | |
➖ | datadog_agent_remap_blackhole_acks | ingress throughput | -1.81 | [-1.92, -1.70] | |
➖ | syslog_splunk_hec_logs | ingress throughput | -1.87 | [-1.97, -1.78] | |
➖ | datadog_agent_remap_datadog_logs_acks | ingress throughput | -1.92 | [-2.10, -1.74] | |
➖ | socket_to_socket_blackhole | ingress throughput | -2.65 | [-2.70, -2.60] | |
➖ | file_to_blackhole | egress throughput | -3.84 | [-10.50, +2.82] |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
we have a usecase where server is behind a reverse proxy and it selects the right backend based on SNI provided.
This PR adds options to set SNI which sending to other IP/domain.
test configuration:
sent log data to http source using
curl -k "https://localhost:6000" -d "hi"
and captured client hello frame from wrieshark on triggered by http sink and other triggered by vector sink