Skip to content

[ISSUE #XXXXX] Add SNI multi-domain certificate support for Proxy TLS#10295

Closed
qianye1001 wants to merge 1 commit intoapache:developfrom
qianye1001:worktree-sni-multi-domain
Closed

[ISSUE #XXXXX] Add SNI multi-domain certificate support for Proxy TLS#10295
qianye1001 wants to merge 1 commit intoapache:developfrom
qianye1001:worktree-sni-multi-domain

Conversation

@qianye1001
Copy link
Copy Markdown
Contributor

@qianye1001 qianye1001 commented May 9, 2026

Summary

  • Introduces SNI (Server Name Indication) support to RocketMQ Proxy, allowing multiple TLS domains (e.g. *.alibaba-inc.com, *.rocketmq.com) to be served with independent certificates on the same port
  • New TlsDomainConfig POJO for per-domain cert/key path configuration in ProxyConfig
  • New TlsSniManager manages multiple SslContext instances with wildcard matching (*.domain.com) and independent hot-reload
  • ProxyAndTlsProtocolNegotiator (gRPC) and NettyRemotingServer (Remoting) both use SniHandler for SNI-aware certificate selection
  • TlsCertificateManager extended to watch multiple cert/key pairs independently per domain
  • Fully backward compatible: when no tlsDomainConfigs is configured, behavior is identical to the existing single-cert model

Configuration

# Existing config retained as default fallback
tlsCertPath: /path/to/default.crt
tlsKeyPath: /path/to/default.key
tlsCertWatchIntervalMs: 3600000

# New: domain-to-certificate mapping
tlsDomainConfigs:
  "*.alibaba-inc.com":
    certPath: /path/to/alibaba.crt
    keyPath: /path/to/alibaba.key
  "*.rocketmq.com":
    certPath: /path/to/rocketmq.crt
    keyPath: /path/to/rocketmq.key

Files Changed

File Change
proxy/.../config/TlsDomainConfig.java New — per-domain TLS config POJO
proxy/.../config/ProxyConfig.java Add tlsDomainConfigs map field + getters/setters
proxy/.../service/cert/TlsSniManager.java New — multi-domain SslContext manager with wildcard matching
proxy/.../service/cert/TlsCertificateManager.java Extended for multi-domain file watching
proxy/.../grpc/ProxyAndTlsProtocolNegotiator.java Use SniHandler + TlsSniManager for gRPC SNI
proxy/.../grpc/GrpcServer.java Update reload handler to use renamed method
proxy/.../remoting/MultiProtocolRemotingServer.java Wire up TlsContextProvider with SNI lookup
proxy/.../ProxyStartup.java Initialize TlsSniManager before TlsCertificateManager
remoting/.../netty/TlsContextProvider.java New — SslContext holder bridge (remoting ↔ proxy)
remoting/.../netty/NettyRemotingServer.java TlsModeHandler uses SniHandler via TlsContextProvider

Wildcard Matching Rules

  • Exact match first
  • Wildcard match: foo.rocketmq.com matches *.rocketmq.com
  • Bare domain: rocketmq.com matches *.rocketmq.com
  • Multi-level subdomain (a.b.rocketmq.com) does NOT match *.rocketmq.com → default
  • No match → fallback to default certificate

Test Plan

  • Unit tests for TlsSniManager wildcard matching and fallback
  • Unit tests for TlsCertificateManager multi-domain watching
  • Integration: gRPC/Remoting connect with different SNI hostnames, verify correct cert
  • Manual: openssl s_client -servername verification
  • Backward compat: no tlsDomainConfigs → single cert works as before
  • Hot reload: replace cert, new connection uses new cert, others unaffected

🤖 Generated with Claude Code

@claude
[ISSUE #XXXXX] Add SNI multi-domain certificate support for Proxy TLS
71fcbbd 
Introduce Server Name Indication (SNI) support to allow RocketMQ Proxy
to serve multiple TLS domains (e.g. *.alibaba-inc.com, *.rocketmq.com)
with independent certificates on the same port.

Key changes:
- New TlsDomainConfig POJO for per-domain cert/key configuration
- New TlsSniManager for wildcard-aware SslContext management
- Extended TlsCertificateManager for multi-domain file watching
- ProxyAndTlsProtocolNegotiator uses SniHandler for SNI-aware TLS
- NettyRemotingServer TlsModeHandler uses TlsContextProvider bridge
- TlsContextProvider in remoting module for SNI context lookup
- Backward compatible: single cert behavior unchanged when no
  tlsDomainConfigs is configured

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@qianye1001 qianye1001 mentioned this pull request May 9, 2026
Open
@qianye1001 qianye1001 closed this May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@qianye1001