Composable protocols configuration of the server.

[alexey-milovidov]

The idea is to make the configuration of the protocols (TCP, HTTP, HTTPS, MySQL, etc) and the ports to listen more flexible.

1. It should be possible to specify a custom list of listen_host and listen_port for every protocol.
2. A protocol can be listed multiple times in the config (with different settings).
3. Default user and database can be overridden in every protocol entry.
4. It should be possible to configure different TLS certificates for different protocols.
5. It should be possible to configure TLS and PROXYv1 as wrappers on top of other protocols, e.g. enable PROXYv1 on top of TLS on top of HTTP.
6. Allow configuring IP filtering for every protocol.

Use case

Examples:

• allow TCP protocol without TLS on localhost with the default user named "root" and allow TCP with TLS for internet with the default user named "default";
• bind server to multiple network interfaces, but also on different ports;
• wrap HTTP protocol under PROXYv1 protocol;
• use different ports for user queries and internal communication for distributed queries.

Describe the solution you'd like

A hierarchical configuration where one protocol can be built on top of the parameters of another protocol.
Example:

<protocols>
    <http>
        <type>http</type>
        <listen>
            <host>::</host>
            <port>8081</port>
        </listen>
    </http>
    <http_proxy>
        <type>proxy_v1</type>
        <impl>
            <type>http</type>
        </impl>
        <listen>
            <host>::</host>
            <port>8081</port>
        </listen>
        <default_database>test</default_database>
    </http_proxy>
...

Details

Old-style configuration should remain to be available.
The global listen_host and listen_port configuration should be used as a default for the new configuration.
The types https, tcp_secure and similar should be available as shortcuts of more explicit configuration (tls on top of http).
The protocols for embedded Keeper can be specified inside its configuration but with the same style.

Notes

MySQL and PostgreSQL protocols are using a different approach for TLS. Instead of transparent wrapping of the protocol in TLS after connection, they are doing TLS handshake after negotiating the protocol. It means, they cannot be presented as TLS over an unencrypted protocol.

[filimonov]

PR (not finished, but code should work) #27442

[yakov-olkhovskiy]

I think there is no point to complicate things with <impl> section - we don't need multiple encapsulations since we already have TLS versions for native TCP (tcp_port_secure) and HTTP (https_port) - so the only one encapsulation makes sense - PROXY. So I would propose next structure:

<protocols>
    <endpoint_name> # just a name
        <type>http|https|tcp|tcp_secure</type> # protocol type
        <proxy>v1</proxy> # proxy encapsulation, optional, in future can be extended with v2
        <listen> # IP address to listen, can be extended with interface (currently I don't see we support it)
            <host>::</host>
            <port>8081</port>
        </listen>
        <certificate>certificate.crt</certificate> # dedicated certificate for https/tcp_secure, optional
        <private_key>private_key.key</private_key> # private key
        <default_user>root</default_user> # optional
        <default_database>test</default_database> # optional
    </endpoint_name>
    ...
</protocols>

[alexey-milovidov]

I imagine that the proxy encapsulation can be before or after TLS encapsulation for TCP.
I want to make encapsulations "first class" to allow these options, rather than treating "proxy" as some special kind of encapsulations.
It will be not surprising if we will need more types of encapsulations.

[yakov-olkhovskiy]

But what the purpose of PROXY inside of TLS? PROXY meant to relay not only client address to the server but also provide proxy with destination address -how else proxy will know destination address? and TLS is point-to-point encryption - i.e. intermediate proxy server should have access to PROXY record in order to resend package to the destination - if PROXY record is inside TLS then proxy server just can't access it... am I missing something here?

[yakov-olkhovskiy]

...unless we want to establish a secure connection between client and proxy... but why?

[alexey-milovidov]

Proxy just adding this field to let the upstream server know the real address of the client.
I also don't know a use case of TLS on top of Proxy on top of TCP. But if we will make it really composable, it will be better.

[alexey-milovidov]

I only have some vague vision of what other protocol encapsulations we may need.
Here is one more or less practical example: #29378 (comment)

[yakov-olkhovskiy]

but it's not only to let the upstream server know client's address - consider next:

client ---> proxy ---> server

1. client is sending packet to proxy - which means destination address in IP header is proxy's - and in order to relay information to proxy to which destination this packet should be delivered, DATA section of this packet contains PROXY record with destination address
2. proxy receives packet from client, extracts destination address from PROXY record and resend this packet to the server - this time destination address in IP header is server's
3. server receives packet from proxy - which means source address in IP header is proxy's - in order to restore client's address server extract it from PROXY record

it's how I understand it works - am I mistaken somehow?

[yakov-olkhovskiy]

Report on issue investigation.
First of all let me state results of our discussion. It was clarified that there can be cases of any kind of PROXY-TLS encapsulations - it can be TLS wrapper over PROXY as well as PROXY over TLS. So it makes sense to have configuration flexible enough to implement this.

Now about possible implementation.
Currently we are using Poco library for network communication with underlying BoringSSL for security layer. Poco implements TLS layer through subclassing StreamSocket to SecureStreamSocket - such architecture does not allow encapsulation of data streams - i.e. it's impossible to make TLS over TLS - i.e. TLS either enabled on the stream or disabled. So, with current architecture initially proposed configuration structure (which implies free encapsulation of protocols - including TLS over TLS) is impossible to achieve. However there is another avenue I think we can pursue if we decide to invest efforts for implementation - Poco provides SocketStream class which is an extension of standard IO stream on top of StreamSocket - which means that TLS can be implemented as an IO filter and therefore chained with any other filters including itself. Currently I'm not sure how hard it is to implement - it will involve dealing with OpenSSL API (which BoringSSL is fork of) - which is quite cumbersome to use...

@alexey-milovidov what do you think? should we restrict encapsulation? or let's try to implement streaming on top of socket?

[alexey-milovidov]

No need to try making TLS over TLS work (no practical sense), but it still makes sense to make our configuration look like it is just a wrapper.