qianye1001 opened a new pull request, #10301:
URL: https://github.com/apache/rocketmq/pull/10301
## Summary
- Introduces **SNI (Server Name Indication)** support to RocketMQ Proxy, allowing multiple TLS domains to be served with independent certificates on the same port
- New `TlsDomainConfig` POJO for per-domain cert/key path configuration in `ProxyConfig`
- New `TlsSniManager` manages multiple `SslContext` instances with wildcard matching and independent hot-reload
- `ProxyAndTlsProtocolNegotiator` (gRPC) and `NettyRemotingServer` (Remoting) both use `SniHandler` for SNI-aware certificate selection
- `TlsCertificateManager` extended to watch multiple cert/key pairs independently per domain
- **Fully backward compatible**: when no `tlsDomainConfigs` is configured, behavior is identical to the existing single-cert model
## Configuration
```yaml
# Existing config retained as default fallback
tlsCertPath: /path/to/default.crt
tlsKeyPath: /path/to/default.key
tlsCertWatchIntervalMs: 3600000

# New: domain-to-certificate mapping
tlsDomainConfigs:
  "*.example.com":
    certPath: /path/to/example.crt
    keyPath: /path/to/example.key
  "*.sample.org":
    certPath: /path/to/sample.crt
    keyPath: /path/to/sample.key
```
## Files Changed
| File | Change |
|---|---|
| `proxy/.../config/TlsDomainConfig.java` | **New** — per-domain TLS config POJO |
| `proxy/.../config/ProxyConfig.java` | Add `tlsDomainConfigs` map field + getters/setters |
| `proxy/.../service/cert/TlsSniManager.java` | **New** — multi-domain SslContext manager with wildcard matching |
| `proxy/.../service/cert/TlsCertificateManager.java` | Extended for multi-domain file watching |
| `proxy/.../grpc/ProxyAndTlsProtocolNegotiator.java` | Use `SniHandler` + `TlsSniManager` for gRPC SNI |
| `proxy/.../grpc/GrpcServer.java` | Update reload handler to use renamed method |
| `proxy/.../remoting/MultiProtocolRemotingServer.java` | Wire up `TlsContextProvider` with SNI lookup |
| `proxy/.../ProxyStartup.java` | Initialize `TlsSniManager` before `TlsCertificateManager` |
| `remoting/.../netty/TlsContextProvider.java` | **New** — SslContext holder bridge (remoting ↔ proxy) |
| `remoting/.../netty/NettyRemotingServer.java` | `TlsModeHandler` uses `SniHandler` via `TlsContextProvider` |
## Wildcard Matching Rules
- Exact match first
- Wildcard match: `foo.example.com` matches `*.example.com`
- Bare domain: `example.com` matches `*.example.com`
- Multi-level subdomain (`a.b.example.com`) does NOT match `*.example.com` → default
- No match → fallback to default certificate
## Test Plan
- [ ] Unit tests for `TlsSniManager` wildcard matching and fallback
- [ ] Unit tests for `TlsCertificateManager` multi-domain watching
- [ ] Integration: gRPC/Remoting connect with different SNI hostnames, verify correct cert
- [ ] Manual: `openssl s_client -servername` verification
- [ ] Backward compat: no `tlsDomainConfigs` → single cert works as before
- [ ] Hot reload: replace cert, new connection uses new cert, others unaffected
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
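The following is an added worked example, not code from the PR or from RocketMQ, that implements the domain-to-certificate lookup described in the "Configuration" and "Wildcard Matching Rules" sections above so the precedence rules can be checked on concrete host names. It is a standalone Python model: the `DOMAIN_CONFIGS` map is constructed sample data mirroring the YAML in the PR, the string values stand in for the per-domain `SslContext` objects, and the case-folding and trailing-dot normalization are assumptions about how a server-side lookup should treat the SNI value, not something the PR text states.

```python
"""Model of SNI host -> certificate selection with the wildcard rules from
the PR description (exact match first, one-label wildcard, bare domain,
no multi-level match, default fallback). Illustrative only; not RocketMQ's
TlsSniManager."""
from typing import Dict, Optional

# Stands in for the single tlsCertPath/tlsKeyPath fallback context.
DEFAULT_CONTEXT = "default"

# Constructed sample mirroring the tlsDomainConfigs YAML block, plus one
# exact-host entry (assumed, not in the PR) to show exact-over-wildcard precedence.
DOMAIN_CONFIGS: Dict[str, str] = {
    "*.example.com": "example",
    "*.sample.org": "sample",
    "api.example.com": "api-exact",
}


def normalize_host(host: str) -> str:
    """Fold case and strip a trailing dot (assumption: SNI names are matched
    case-insensitively and an absolute FQDN should hit the same entry)."""
    return host.strip().rstrip(".").lower()


def build_table(configs: Dict[str, str]) -> Dict[str, str]:
    """Normalize configured keys once so lookups compare like with like."""
    return {normalize_host(k): v for k, v in configs.items()}


def select_context(sni_host: Optional[str],
                   configs: Dict[str, str] = DOMAIN_CONFIGS,
                   default: str = DEFAULT_CONTEXT) -> str:
    """Return the context for the SNI host sent in the ClientHello.

    Rules, in order:
      1. exact match
      2. wildcard: foo.example.com -> *.example.com (exactly one extra label)
      3. bare domain: example.com -> *.example.com
      4. anything else (a.b.example.com, unknown hosts, no SNI) -> default
    """
    if not sni_host:
        # Client sent no SNI (IP literal, legacy client): behave like the
        # single-cert model and serve the default context.
        return default
    table = build_table(configs)
    host = normalize_host(sni_host)

    # 1. Exact match wins over any wildcard.
    if host in table:
        return table[host]

    labels = host.split(".")
    candidates = []
    # 2. One-label wildcard: drop the leftmost label and prefix "*.".
    #    a.b.example.com yields *.b.example.com, which is NOT *.example.com,
    #    so multi-level subdomains fall through to the default as the PR states.
    if len(labels) >= 2:
        candidates.append("*." + ".".join(labels[1:]))
    # 3. Bare domain: example.com is served by *.example.com.
    candidates.append("*." + host)

    for pattern in candidates:
        if pattern in table:
            return table[pattern]
    # 4. No match: default certificate.
    return default


if __name__ == "__main__":
    for h in ["api.example.com", "foo.example.com", "example.com",
              "a.b.example.com", "FOO.SAMPLE.ORG.", "evil.com", None]:
        print(f"{h!s:>20} -> {select_context(h)}")
```

When checking the real proxy, the equivalent of each row above is `openssl s_client -connect host:port -servername foo.example.com`, then comparing the subject of the returned leaf certificate against what the map should have selected; the `a.b.example.com` and no-SNI cases are the ones worth testing explicitly, since both must return the default certificate rather than a wildcard entry.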