Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

grpc-js: initiate tls connection through http proxy #1369

Merged
merged 9 commits into from
Apr 20, 2020
Merged

grpc-js: initiate tls connection through http proxy #1369

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
af7f4f7
grpc-js: initiate tls connection through http proxy
mrfelton Apr 18, 2020
c650e59
grpc-js: always explicitly establish connection
mrfelton Apr 18, 2020
5af582e
grpc-js: pass secureContext through to proxied tls connection
mrfelton Apr 18, 2020
4e61f21
grpc-js: do not set host when instantiating tls socket
mrfelton Apr 18, 2020
2c5a8b1
grpc-js: ensure tls connection is used when requested
mrfelton Apr 18, 2020
11965fb
grpc-js: dont set createConnection when connecting with TLS and witho…
mrfelton Apr 18, 2020
b9e84f4
grpc-js: commenting working for node issue 32922
mrfelton Apr 19, 2020
48072d5
grpc-js: setting ALPNProtocols option for tls proxy
mrfelton Apr 19, 2020
eef75a5
grpc-js: use tls.ConnectionOptions type for proxy connection options
mrfelton Apr 19, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 23 additions & 5 deletions packages/grpc-js/src/http_proxy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,11 @@
import { URL } from 'url';
import { log } from './logging';
import { LogVerbosity } from './constants';
import { getDefaultAuthority } from './resolver';
import { parseTarget } from './resolver-dns';
import { Socket } from 'net';
import * as http from 'http';
import * as tls from 'tls';
import * as logging from './logging';
import {
SubchannelAddress,
Expand Down Expand Up @@ -157,7 +159,8 @@ export interface ProxyConnectionResult {

export function getProxiedConnection(
address: SubchannelAddress,
channelOptions: ChannelOptions
channelOptions: ChannelOptions,
connectionOptions: tls.ConnectionOptions
): Promise<ProxyConnectionResult> {
if (!('grpc.http_connect_target' in channelOptions)) {
return Promise.resolve<ProxyConnectionResult>({});
Expand Down Expand Up @@ -202,10 +205,25 @@ export function getProxiedConnection(
' through proxy ' +
proxyAddressString
);
resolve({
socket,
realTarget,
});
if ('secureContext' in connectionOptions) {
/* The proxy is connecting to a TLS server, so upgrade this socket
* connection to a TLS connection.
* This is a workaround for https://github.com/nodejs/node/issues/32922
* See https://github.com/grpc/grpc-node/pull/1369 for more info. */
const cts = tls.connect({
...connectionOptions,
host: getDefaultAuthority(realTarget),
socket: socket,
}, () => {
resolve({ socket: cts, realTarget });
}
);
} else {
resolve({
socket,
realTarget,
});
}
} else {
log(
LogVerbosity.ERROR,
Expand Down
38 changes: 36 additions & 2 deletions packages/grpc-js/src/subchannel.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import * as logging from './logging';
import { LogVerbosity } from './constants';
import { getProxiedConnection, ProxyConnectionResult } from './http_proxy';
import * as net from 'net';
import { ConnectionOptions } from 'tls';

const clientVersion = require('../../package.json').version;

Expand Down Expand Up @@ -300,7 +301,9 @@ export class Subchannel {
connectionOptions.servername = sslTargetNameOverride;
}
if (proxyConnectionResult.socket) {
connectionOptions.socket = proxyConnectionResult.socket;
connectionOptions.createConnection = (authority, option) => {
return proxyConnectionResult.socket!;
};
}
} else {
/* In all but the most recent versions of Node, http2.connect does not use
Expand All @@ -317,6 +320,7 @@ export class Subchannel {
}
};
}

connectionOptions = Object.assign(
connectionOptions,
this.subchannelAddress
Expand Down Expand Up @@ -412,7 +416,37 @@ export class Subchannel {
}

private startConnectingInternal() {
getProxiedConnection(this.subchannelAddress, this.options).then(
/* Pass connection options through to the proxy so that it's able to
* upgrade it's connection to support tls if needed.
* This is a workaround for https://github.com/nodejs/node/issues/32922
* See https://github.com/grpc/grpc-node/pull/1369 for more info. */
const connectionOptions: ConnectionOptions =
this.credentials._getConnectionOptions() || {};

if ('secureContext' in connectionOptions) {
mrfelton marked this conversation as resolved.
Show resolved Hide resolved
connectionOptions.ALPNProtocols = ['h2'];
// If provided, the value of grpc.ssl_target_name_override should be used
// to override the target hostname when checking server identity.
// This option is used for testing only.
if (this.options['grpc.ssl_target_name_override']) {
const sslTargetNameOverride = this.options[
'grpc.ssl_target_name_override'
]!;
connectionOptions.checkServerIdentity = (
host: string,
cert: PeerCertificate
): Error | undefined => {
return checkServerIdentity(sslTargetNameOverride, cert);
};
connectionOptions.servername = sslTargetNameOverride;
}
}

getProxiedConnection(
this.subchannelAddress,
this.options,
connectionOptions
).then(
(result) => {
this.createSession(result);
},
Expand Down