SSL support #108
Comments
It should not be a problem if you are using signed certs on backend coordinator - https://github.com/lyft/presto-gateway/blob/master/proxyserver/src/main/java/com/lyft/data/proxyserver/ProxyServletImpl.java#L30 |
Thanks. We're just not sure how to set up presto-gateway with our certificate so that it accepts SSL connections from clients as well. |
We recommend going with option 1 here. |
@puneetjaiswal, I want to try option 2, but I am confused about the difference between |
@PennyAndWang - Did you manage to get option 2 working? We are looking to do the same as we have end-to-end TLS requirements. |
@PennyAndWang or @johnwhumphreys Were you able to implement option 2 successfully? I am trying to implement option 2; however, I am getting the below error
@puneetjaiswal This is how I provided keystore details. By the way, I am using a self-signed cert. Am I missing anything here? Please help
|
My team got it working with SSL, but I wasn't paying attention to the details to be honest. I'll see if I can get someone to drop some notes. But first... the error says "keyStorePath" and you have "keystorePath" - any chance this is just a casing issue? Same for the other word. |
@johnwhumphreys That's great!! Could you please drop some details whenever you have a chance. Thanks.. |
Hi All, it's 2023 and I know I'm late to the party :) . I'm currently implementing this for my team. I'm using a self-signed cert in local with my Mac hostname (example: 232929-123f.companyname.com) as the CN in the key&certificate. I'm getting a 400 Invalid SNI error. I tried following the recommendation here - HTTP ERROR 400 Host does not match SNI
Caused by: org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:396)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Thread.java:829)
ps |
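The Host-versus-certificate-name comparison behind the `400: Host does not match SNI` error above, as an added example that is not part of the original thread and is not Jetty's code. The matching rules used here (SAN DNS names take precedence over the CN, `*.` covers exactly one label) and every hostname are assumptions constructed for illustration.

```python
# Simplified model (an assumption of this example, not Jetty source) of the
# check behind "400: Host does not match SNI": the name in the request's Host
# header must be covered by the certificate the server selected.

def strip_port(host_header):
    """Return the host part of a Host header, without port or IPv6 brackets."""
    if host_header.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8443
        return host_header[1:host_header.index("]")]
    name, sep, port = host_header.rpartition(":")
    return name if sep and port.isdigit() else host_header

def cert_names(subject_cn, san_dns):
    """Names the certificate covers: SAN DNS entries, else the subject CN."""
    names = [n.lower() for n in san_dns] or [subject_cn.lower()]
    exact = {n for n in names if not n.startswith("*.")}
    wild = {n[2:] for n in names if n.startswith("*.")}
    return exact, wild

def host_matches(host_header, subject_cn, san_dns=()):
    """True if the Host header's name is covered by the certificate names."""
    host = strip_port(host_header).lower().rstrip(".")
    exact, wild = cert_names(subject_cn, san_dns)
    if host in exact:
        return True
    # "*.corp.example.test" covers exactly one extra left-most label.
    _, dot, parent = host.partition(".")
    return bool(dot) and parent in wild

def diagnose(host_headers, subject_cn, san_dns=()):
    """Map each Host header to the outcome this model predicts."""
    return {
        h: "ok" if host_matches(h, subject_cn, san_dns)
        else "400 Host does not match SNI"
        for h in host_headers
    }

if __name__ == "__main__":
    # Constructed sample: self-signed cert whose only name is the machine's CN.
    cn = "laptop-01.corp.example.test"
    clients = ["laptop-01.corp.example.test:8443", "localhost:8443"]
    print("CN only :", diagnose(clients, cn))
    # Same key pair reissued with SAN entries for every name clients use.
    print("with SAN:", diagnose(clients, cn, [cn, "localhost"]))
```

Running it shows the pattern to look for when debugging: a request addressed to a name that is not in the certificate fails, and reissuing the certificate with every client-facing name as a SAN entry makes both requests pass.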
It's not obvious whether presto-gateway currently supports SSL-enabled Presto or not. Because Presto-Gateway needs to parse the query, it needs to terminate the client's SSL connection by itself before forwarding the request to a Presto coordinator. I suppose one cannot simply add an SSL backend and expect it to work.