[ISSUE #XXXXX] Add SNI multi-domain certificate support for Proxy TLS #10295

Closed
qianye1001 wants to merge 1 commit into apache:develop from qianye1001:worktree-sni-multi-domain

Conversation

@qianye1001
Contributor

Summary

  • Introduces SNI (Server Name Indication) support to RocketMQ Proxy, allowing multiple TLS domains (e.g. *.alibaba-inc.com, *.rocketmq.com) to be served with independent certificates on the same port
  • New TlsDomainConfig POJO for per-domain cert/key path configuration in ProxyConfig
  • New TlsSniManager manages multiple SslContext instances with wildcard matching (*.domain.com) and independent hot-reload
  • ProxyAndTlsProtocolNegotiator (gRPC) and NettyRemotingServer (Remoting) both use SniHandler for SNI-aware certificate selection
  • TlsCertificateManager extended to watch multiple cert/key pairs independently per domain
  • Fully backward compatible: when no tlsDomainConfigs is configured, behavior is identical to the existing single-cert model

Configuration

# Existing config retained as default fallback
tlsCertPath: /path/to/default.crt
tlsKeyPath: /path/to/default.key
tlsCertWatchIntervalMs: 3600000

# New: domain-to-certificate mapping
tlsDomainConfigs:
  "*.alibaba-inc.com":
    certPath: /path/to/alibaba.crt
    keyPath: /path/to/alibaba.key
  "*.rocketmq.com":
    certPath: /path/to/rocketmq.crt
    keyPath: /path/to/rocketmq.key

Files Changed

| File | Change |
| --- | --- |
| proxy/.../config/TlsDomainConfig.java | New — per-domain TLS config POJO |
| proxy/.../config/ProxyConfig.java | Add tlsDomainConfigs map field + getters/setters |
| proxy/.../service/cert/TlsSniManager.java | New — multi-domain SslContext manager with wildcard matching |
| proxy/.../service/cert/TlsCertificateManager.java | Extended for multi-domain file watching |
| proxy/.../grpc/ProxyAndTlsProtocolNegotiator.java | Use SniHandler + TlsSniManager for gRPC SNI |
| proxy/.../grpc/GrpcServer.java | Update reload handler to use renamed method |
| proxy/.../remoting/MultiProtocolRemotingServer.java | Wire up TlsContextProvider with SNI lookup |
| proxy/.../ProxyStartup.java | Initialize TlsSniManager before TlsCertificateManager |
| remoting/.../netty/TlsContextProvider.java | New — SslContext holder bridge (remoting ↔ proxy) |
| remoting/.../netty/NettyRemotingServer.java | TlsModeHandler uses SniHandler via TlsContextProvider |

Wildcard Matching Rules

  • Exact match first
  • Wildcard match: foo.rocketmq.com matches *.rocketmq.com
  • Bare domain: rocketmq.com matches *.rocketmq.com
  • Multi-level subdomain (a.b.rocketmq.com) does NOT match *.rocketmq.com → default
  • No match → fallback to default certificate

Test Plan

  • Unit tests for TlsSniManager wildcard matching and fallback
  • Unit tests for TlsCertificateManager multi-domain watching
  • Integration: gRPC/Remoting connect with different SNI hostnames, verify correct cert
  • Manual: openssl s_client -servername verification
  • Backward compat: no tlsDomainConfigs → single cert works as before
  • Hot reload: replace cert, new connection uses new cert, others unaffected

🤖 Generated with Claude Code

Introduce Server Name Indication (SNI) support to allow RocketMQ Proxy
to serve multiple TLS domains (e.g. *.alibaba-inc.com, *.rocketmq.com)
with independent certificates on the same port.

Key changes:
- New TlsDomainConfig POJO for per-domain cert/key configuration
- New TlsSniManager for wildcard-aware SslContext management
- Extended TlsCertificateManager for multi-domain file watching
- ProxyAndTlsProtocolNegotiator uses SniHandler for SNI-aware TLS
- NettyRemotingServer TlsModeHandler uses TlsContextProvider bridge
- TlsContextProvider in remoting module for SNI context lookup
- Backward compatible: single cert behavior unchanged when no
  tlsDomainConfigs is configured

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
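The wildcard matching rules and the hot-reload isolation claimed in the test plan are easy to check in isolation. The following is an added Python model of the lookup that the description attributes to TlsSniManager; it is not RocketMQ code, does not use Netty, and stands in a certificate path for the SslContext the real manager holds. The case-folding and trailing-dot stripping in `_normalize`, the `SniContextTable` class and its method names are assumptions of this example, not something the PR states.

```python
"""Added example, not part of the PR: a model of SNI certificate selection
with the rules listed under "Wildcard Matching Rules" plus hot reload."""
from typing import Dict, Optional


def _normalize(hostname: str) -> str:
    # Assumption (not stated in the PR): DNS names are case-insensitive and a
    # client may send a trailing dot, so compare lowercase without it.
    return hostname.strip().rstrip(".").lower()


class SniContextTable:
    """Maps configured domains (exact, or single-label '*.' wildcards) to a cert."""

    def __init__(self, default_cert: str) -> None:
        self.default_cert = default_cert
        self.exact: Dict[str, str] = {}
        self.wildcard: Dict[str, str] = {}  # keyed by the suffix after "*."

    def register(self, domain: str, cert: str) -> None:
        domain = _normalize(domain)
        if domain.startswith("*."):
            self.wildcard[domain[2:]] = cert
        else:
            self.exact[domain] = cert

    def reload(self, domain: str, cert: str) -> None:
        # Hot reload replaces one domain's entry; every other entry is untouched,
        # which is the "others unaffected" property from the test plan.
        self.register(domain, cert)

    def lookup(self, sni: Optional[str]) -> str:
        # A client that sends no SNI extension can only get the default cert.
        if not sni:
            return self.default_cert
        host = _normalize(sni)
        # Rule 1: exact match first.
        if host in self.exact:
            return self.exact[host]
        # Rule 2: bare domain "rocketmq.com" matches "*.rocketmq.com".
        if host in self.wildcard:
            return self.wildcard[host]
        # Rule 3: the wildcard covers exactly one label, so "a.b.rocketmq.com"
        # does not match "*.rocketmq.com" and falls through to the default.
        label, sep, parent = host.partition(".")
        if sep and label and parent in self.wildcard:
            return self.wildcard[parent]
        # Rule 4: no match -> default certificate.
        return self.default_cert


def build_from_config(default_cert_path: str,
                      tls_domain_configs: Dict[str, Dict[str, str]]) -> SniContextTable:
    """Builds the table from a mapping shaped like the PR's tlsDomainConfigs."""
    table = SniContextTable(default_cert_path)
    for domain, cfg in tls_domain_configs.items():
        table.register(domain, cfg["certPath"])
    return table


# Constructed sample mirroring the configuration block in the PR description;
# the paths are placeholders, not real files.
SAMPLE_CONFIG = {
    "*.alibaba-inc.com": {"certPath": "/path/to/alibaba.crt", "keyPath": "/path/to/alibaba.key"},
    "*.rocketmq.com": {"certPath": "/path/to/rocketmq.crt", "keyPath": "/path/to/rocketmq.key"},
}

if __name__ == "__main__":
    table = build_from_config("/path/to/default.crt", SAMPLE_CONFIG)
    for name in ["foo.rocketmq.com", "rocketmq.com", "a.b.rocketmq.com",
                 "FOO.ALIBABA-INC.COM.", "example.org", None]:
        print(f"{name!r:24} -> {table.lookup(name)}")
    table.reload("*.rocketmq.com", "/path/to/rocketmq-new.crt")
    print("after reload:", table.lookup("foo.rocketmq.com"), table.lookup("foo.alibaba-inc.com"))
```

One point worth keeping in mind when reviewing the bare-domain rule: selection only decides which certificate is presented, not whether the client will accept it. Under the usual wildcard semantics (RFC 6125) a name like `*.rocketmq.com` does not cover `rocketmq.com` itself, so a client connecting with SNI `rocketmq.com` will only validate the served certificate if that certificate also lists the bare name in its subjectAltName. The `openssl s_client -servername` check from the test plan is the right place to confirm this for each configured domain.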