mirror of
https://github.com/google/nomulus.git
synced 2025-05-01 12:37:52 +02:00
84eab90000
When not running locally, the logging formatter is set to convert the log record to a single-line JSON string that Stackdriver logging agent running in GKE will pick up and parse correctly. Also removed redundant logging handler in the proxy frontend connection. They have two problems: 1) it is possible to leak PII when all frontend traffic is logged, such as client IPs. Even though this is less of a concern because the GCP TCP proxy load balancer masquerade source IPs. 2) We are only logging the HTTP request/response that the frontend connection is sending to/receiving from the backend connection, but the backend already has its own logging handler to log the same message that it gets from/sends to the GAE app, so the logging in the frontend connection does not really give extra information. Logging of some potential PII information such as the source IP of a proxied connection are also removed. Thirdly, added a k8s autoscaling object that scales the containers based on CPU load. The default target load is 80%. This, in connection with GKE cluster VM autoscaling, means that when traffic is low, we'll only have one VM running one container of the proxy. Fixes a bug where the MetricsComponent generates a separate ProxyConfig that does not call parse method on the command line args passed, resulting default Environment always being used in constructing the metric reporter. Lastly a little bit of cleaning of the MOE config script, no newlines are necessary as the BUILD are formatted after string substitution. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=188029019
80 lines
3 KiB
Java
80 lines
3 KiB
Java
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package google.registry.proxy.handler;
|
|
|
|
import static com.google.common.base.Preconditions.checkNotNull;
|
|
import static google.registry.proxy.Protocol.PROTOCOL_KEY;
|
|
|
|
import google.registry.proxy.Protocol.BackendProtocol;
|
|
import google.registry.util.FormattingLogger;
|
|
import io.netty.channel.Channel;
|
|
import io.netty.channel.ChannelHandler.Sharable;
|
|
import io.netty.channel.ChannelInitializer;
|
|
import io.netty.channel.embedded.EmbeddedChannel;
|
|
import io.netty.handler.ssl.SslContextBuilder;
|
|
import io.netty.handler.ssl.SslHandler;
|
|
import io.netty.handler.ssl.SslProvider;
|
|
import java.security.cert.X509Certificate;
|
|
import javax.annotation.Nullable;
|
|
import javax.inject.Inject;
|
|
import javax.inject.Named;
|
|
import javax.inject.Singleton;
|
|
import javax.net.ssl.SSLEngine;
|
|
import javax.net.ssl.SSLParameters;
|
|
|
|
/**
|
|
* Adds a client side SSL handler to the channel pipeline.
|
|
*
|
|
* <p>This <b>must</b> be the first handler provided for any handler provider list, if it is
|
|
* provided. The type parameter {@code C} is needed so that unit tests can construct this handler
|
|
* that works with {@link EmbeddedChannel};
|
|
*/
|
|
@Singleton
|
|
@Sharable
|
|
public class SslClientInitializer<C extends Channel> extends ChannelInitializer<C> {
|
|
|
|
private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
|
|
private final SslProvider sslProvider;
|
|
private final X509Certificate[] trustedCertificates;
|
|
|
|
@Inject
|
|
SslClientInitializer(
|
|
SslProvider sslProvider,
|
|
@Nullable @Named("relayTrustedCertificates") X509Certificate... trustCertificates) {
|
|
logger.infofmt("Client SSL Provider: %s", sslProvider);
|
|
this.sslProvider = sslProvider;
|
|
this.trustedCertificates = trustCertificates;
|
|
}
|
|
|
|
@Override
|
|
protected void initChannel(C channel) throws Exception {
|
|
BackendProtocol protocol = (BackendProtocol) channel.attr(PROTOCOL_KEY).get();
|
|
checkNotNull(protocol, "Protocol is not set for channel: %s", channel);
|
|
SslHandler sslHandler =
|
|
SslContextBuilder.forClient()
|
|
.sslProvider(sslProvider)
|
|
.trustManager(trustedCertificates)
|
|
.build()
|
|
.newHandler(channel.alloc(), protocol.host(), protocol.port());
|
|
|
|
// Enable hostname verification.
|
|
SSLEngine sslEngine = sslHandler.engine();
|
|
SSLParameters sslParameters = sslEngine.getSSLParameters();
|
|
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
|
|
sslEngine.setSSLParameters(sslParameters);
|
|
|
|
channel.pipeline().addLast(sslHandler);
|
|
}
|
|
}
|