pingcap · ti-chi-bot · Dec 22, 2023 · Dec 22, 2023 · Dec 22, 2023
diff --git a/conf/proxy.toml b/conf/proxy.toml
@@ -3,7 +3,6 @@
 [proxy]
 # addr = "0.0.0.0:6000"
 # tcp-keep-alive = true
-# require-backend-tls = true
 
 # possible values:
 #   "" => disable proxy protocol.
@@ -108,6 +107,8 @@ graceful-close-conn-timeout = 15
 	# proxy HTTP port will use this
 	# auto-certs = true
 
+# require-backend-tls = false
+
 [metrics]
 
 # WARNING: know what you are doing, these two are for debugging.

diff --git a/lib/config/proxy.go b/lib/config/proxy.go
@@ -46,7 +46,6 @@ type KeepAlive struct {
 }
 
 type ProxyServerOnline struct {
-	RequireBackendTLS bool      `yaml:"require-backend-tls,omitempty" toml:"require-backend-tls,omitempty" json:"require-backend-tls,omitempty"`
 	MaxConnections    uint64    `yaml:"max-connections,omitempty" toml:"max-connections,omitempty" json:"max-connections,omitempty"`
 	ConnBufferSize    int       `yaml:"conn-buffer-size,omitempty" toml:"conn-buffer-size,omitempty" json:"conn-buffer-size,omitempty"`
 	FrontendKeepalive KeepAlive `yaml:"frontend-keepalive" toml:"frontend-keepalive" json:"frontend-keepalive"`
@@ -113,10 +112,11 @@ func (c TLSConfig) HasCA() bool {
 }
 
 type Security struct {
-	ServerSQLTLS  TLSConfig `yaml:"server-tls,omitempty" toml:"server-tls,omitempty" json:"server-tls,omitempty"`
-	ServerHTTPTLS TLSConfig `yaml:"server-http-tls,omitempty" toml:"server-http-tls,omitempty" json:"server-http-tls,omitempty"`
-	ClusterTLS    TLSConfig `yaml:"cluster-tls,omitempty" toml:"cluster-tls,omitempty" json:"cluster-tls,omitempty"`
-	SQLTLS        TLSConfig `yaml:"sql-tls,omitempty" toml:"sql-tls,omitempty" json:"sql-tls,omitempty"`
+	ServerSQLTLS      TLSConfig `yaml:"server-tls,omitempty" toml:"server-tls,omitempty" json:"server-tls,omitempty"`
+	ServerHTTPTLS     TLSConfig `yaml:"server-http-tls,omitempty" toml:"server-http-tls,omitempty" json:"server-http-tls,omitempty"`
+	ClusterTLS        TLSConfig `yaml:"cluster-tls,omitempty" toml:"cluster-tls,omitempty" json:"cluster-tls,omitempty"`
+	SQLTLS            TLSConfig `yaml:"sql-tls,omitempty" toml:"sql-tls,omitempty" json:"sql-tls,omitempty"`
+	RequireBackendTLS bool      `yaml:"require-backend-tls,omitempty" toml:"require-backend-tls,omitempty" json:"require-backend-tls,omitempty"`
 }
 
 func DefaultKeepAlive() (frontend, backendHealthy, backendUnhealthy KeepAlive) {
@@ -139,7 +139,6 @@ func NewConfig() *Config {
 
 	cfg.Proxy.Addr = "0.0.0.0:6000"
 	cfg.Proxy.FrontendKeepalive, cfg.Proxy.BackendHealthyKeepalive, cfg.Proxy.BackendUnhealthyKeepalive = DefaultKeepAlive()
-	cfg.Proxy.RequireBackendTLS = true
 	cfg.Proxy.PDAddrs = "127.0.0.1:2379"
 	cfg.Proxy.GracefulCloseConnTimeout = 15
 

diff --git a/lib/config/proxy_test.go b/lib/config/proxy_test.go
@@ -21,7 +21,6 @@ var testProxyConfig = Config{
 		Addr:    "0.0.0.0:4000",
 		PDAddrs: "127.0.0.1:4089",
 		ProxyServerOnline: ProxyServerOnline{
-			RequireBackendTLS:          true,
 			MaxConnections:             1,
 			FrontendKeepalive:          KeepAlive{Enabled: true},
 			ProxyProtocol:              "v2",
@@ -75,6 +74,7 @@ var testProxyConfig = Config{
 			Cert:               "b",
 			Key:                "c",
 		},
+		RequireBackendTLS: true,
 	},
 }
 

diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -63,7 +63,7 @@ type SQLServer struct {
 }
 
 // NewSQLServer creates a new SQLServer.
-func NewSQLServer(logger *zap.Logger, cfg config.ProxyServer, certMgr *cert.CertManager, hsHandler backend.HandshakeHandler) (*SQLServer, error) {
+func NewSQLServer(logger *zap.Logger, cfg *config.Config, certMgr *cert.CertManager, hsHandler backend.HandshakeHandler) (*SQLServer, error) {
 	var err error
 	s := &SQLServer{
 		logger:    logger,
@@ -76,9 +76,9 @@ func NewSQLServer(logger *zap.Logger, cfg config.ProxyServer, certMgr *cert.Cert
 		},
 	}
 
-	s.reset(&cfg.ProxyServerOnline)
+	s.reset(cfg)
 
-	s.addrs = strings.Split(cfg.Addr, ",")
+	s.addrs = strings.Split(cfg.Proxy.Addr, ",")
 	s.listeners = make([]net.Listener, len(s.addrs))
 	for i, addr := range s.addrs {
 		s.listeners[i], err = net.Listen("tcp", addr)
@@ -90,17 +90,17 @@ func NewSQLServer(logger *zap.Logger, cfg config.ProxyServer, certMgr *cert.Cert
 	return s, nil
 }
 
-func (s *SQLServer) reset(cfg *config.ProxyServerOnline) {
+func (s *SQLServer) reset(cfg *config.Config) {
 	s.mu.Lock()
-	s.mu.tcpKeepAlive = cfg.FrontendKeepalive.Enabled
-	s.mu.maxConnections = cfg.MaxConnections
-	s.mu.requireBackendTLS = cfg.RequireBackendTLS
-	s.mu.proxyProtocol = cfg.ProxyProtocol != ""
-	s.mu.gracefulWait = cfg.GracefulWaitBeforeShutdown
-	s.mu.gracefulClose = cfg.GracefulCloseConnTimeout
-	s.mu.healthyKeepAlive = cfg.BackendHealthyKeepalive
-	s.mu.unhealthyKeepAlive = cfg.BackendUnhealthyKeepalive
-	s.mu.connBufferSize = cfg.ConnBufferSize
+	s.mu.tcpKeepAlive = cfg.Proxy.FrontendKeepalive.Enabled
+	s.mu.maxConnections = cfg.Proxy.MaxConnections
+	s.mu.requireBackendTLS = cfg.Security.RequireBackendTLS
+	s.mu.proxyProtocol = cfg.Proxy.ProxyProtocol != ""
+	s.mu.gracefulWait = cfg.Proxy.GracefulWaitBeforeShutdown
+	s.mu.gracefulClose = cfg.Proxy.GracefulCloseConnTimeout
+	s.mu.healthyKeepAlive = cfg.Proxy.BackendHealthyKeepalive
+	s.mu.unhealthyKeepAlive = cfg.Proxy.BackendUnhealthyKeepalive
+	s.mu.connBufferSize = cfg.Proxy.ConnBufferSize
 	s.mu.Unlock()
 }
 
@@ -118,7 +118,7 @@ func (s *SQLServer) Run(ctx context.Context, cfgch <-chan *config.Config) {
 					// prevent panic on closing chan
 					return
 				}
-				s.reset(&ach.Proxy.ProxyServerOnline)
+				s.reset(ach)
 			}
 		}
 	})

diff --git a/pkg/proxy/proxy_test.go b/pkg/proxy/proxy_test.go
@@ -28,9 +28,10 @@ import (
 
 func TestCreateConn(t *testing.T) {
 	lg, _ := logger.CreateLoggerForTest(t)
+	cfg := &config.Config{}
 	certManager := cert.NewCertManager()
-	require.NoError(t, certManager.Init(&config.Config{}, lg, nil))
-	server, err := NewSQLServer(lg, config.ProxyServer{}, certManager, &panicHsHandler{})
+	require.NoError(t, certManager.Init(cfg, lg, nil))
+	server, err := NewSQLServer(lg, cfg, certManager, &panicHsHandler{})
 	require.NoError(t, err)
 	server.Run(context.Background(), nil)
 	defer func() {
@@ -70,9 +71,11 @@ func TestGracefulCloseConn(t *testing.T) {
 	// Graceful shutdown finishes immediately if there's no connection.
 	lg, _ := logger.CreateLoggerForTest(t)
 	hsHandler := backend.NewDefaultHandshakeHandler(nil)
-	cfg := config.ProxyServer{
-		ProxyServerOnline: config.ProxyServerOnline{
-			GracefulCloseConnTimeout: 10,
+	cfg := &config.Config{
+		Proxy: config.ProxyServer{
+			ProxyServerOnline: config.ProxyServerOnline{
+				GracefulCloseConnTimeout: 10,
+			},
 		},
 	}
 	server, err := NewSQLServer(lg, cfg, nil, hsHandler)
@@ -129,7 +132,7 @@ func TestGracefulCloseConn(t *testing.T) {
 	}
 
 	// Graceful shutdown will shut down after GracefulCloseConnTimeout.
-	cfg.GracefulCloseConnTimeout = 1
+	cfg.Proxy.GracefulCloseConnTimeout = 1
 	server, err = NewSQLServer(lg, cfg, nil, hsHandler)
 	require.NoError(t, err)
 	createClientConn()
@@ -147,10 +150,12 @@ func TestGracefulCloseConn(t *testing.T) {
 func TestGracefulShutDown(t *testing.T) {
 	lg, _ := logger.CreateLoggerForTest(t)
 	hsHandler := backend.NewDefaultHandshakeHandler(nil)
-	cfg := config.ProxyServer{
-		ProxyServerOnline: config.ProxyServerOnline{
-			GracefulWaitBeforeShutdown: 2,
-			GracefulCloseConnTimeout:   10,
+	cfg := &config.Config{
+		Proxy: config.ProxyServer{
+			ProxyServerOnline: config.ProxyServerOnline{
+				GracefulWaitBeforeShutdown: 2,
+				GracefulCloseConnTimeout:   10,
+			},
 		},
 	}
 	server, err := NewSQLServer(lg, cfg, nil, hsHandler)
@@ -182,8 +187,10 @@ func TestMultiAddr(t *testing.T) {
 	certManager := cert.NewCertManager()
 	err := certManager.Init(&config.Config{}, lg, nil)
 	require.NoError(t, err)
-	server, err := NewSQLServer(lg, config.ProxyServer{
-		Addr: "0.0.0.0:0,0.0.0.0:0",
+	server, err := NewSQLServer(lg, &config.Config{
+		Proxy: config.ProxyServer{
+			Addr: "0.0.0.0:0,0.0.0.0:0",
+		},
 	}, certManager, &panicHsHandler{})
 	require.NoError(t, err)
 	server.Run(context.Background(), nil)
@@ -203,25 +210,27 @@ func TestWatchCfg(t *testing.T) {
 	lg, _ := logger.CreateLoggerForTest(t)
 	hsHandler := backend.NewDefaultHandshakeHandler(nil)
 	cfgch := make(chan *config.Config)
-	server, err := NewSQLServer(lg, config.ProxyServer{}, nil, hsHandler)
+	server, err := NewSQLServer(lg, &config.Config{}, nil, hsHandler)
 	require.NoError(t, err)
 	server.Run(context.Background(), cfgch)
 	cfg := &config.Config{
 		Proxy: config.ProxyServer{
 			ProxyServerOnline: config.ProxyServerOnline{
-				RequireBackendTLS:        true,
 				MaxConnections:           100,
 				ConnBufferSize:           1024 * 1024,
 				ProxyProtocol:            "v2",
 				GracefulCloseConnTimeout: 100,
 			},
 		},
+		Security: config.Security{
+			RequireBackendTLS: true,
+		},
 	}
 	cfgch <- cfg
 	require.Eventually(t, func() bool {
 		server.mu.RLock()
 		defer server.mu.RUnlock()
-		return server.mu.requireBackendTLS == cfg.Proxy.RequireBackendTLS &&
+		return server.mu.requireBackendTLS == cfg.Security.RequireBackendTLS &&
 			server.mu.maxConnections == cfg.Proxy.MaxConnections &&
 			server.mu.connBufferSize == cfg.Proxy.ConnBufferSize &&
 			server.mu.proxyProtocol == (cfg.Proxy.ProxyProtocol != "") &&
@@ -235,7 +244,7 @@ func TestRecoverPanic(t *testing.T) {
 	certManager := cert.NewCertManager()
 	err := certManager.Init(&config.Config{}, lg, nil)
 	require.NoError(t, err)
-	server, err := NewSQLServer(lg, config.ProxyServer{}, certManager, &panicHsHandler{})
+	server, err := NewSQLServer(lg, &config.Config{}, certManager, &panicHsHandler{})
 	require.NoError(t, err)
 	server.Run(context.Background(), nil)
 

diff --git a/pkg/server/api/config_test.go b/pkg/server/api/config_test.go
@@ -23,7 +23,6 @@ func TestConfig(t *testing.T) {
 [proxy]
 addr = '0.0.0.0:6000'
 pd-addrs = '127.0.0.1:2379'
-require-backend-tls = true
 graceful-close-conn-timeout = 15
 
 [proxy.frontend-keepalive]
@@ -76,12 +75,12 @@ max-backups = 3
 	doHTTP(t, http.MethodGet, "/api/admin/config?format=json", nil, func(t *testing.T, r *http.Response) {
 		all, err := io.ReadAll(r.Body)
 		require.NoError(t, err)
-		require.Equal(t, `{"proxy":{"addr":"0.0.0.0:6000","pd-addrs":"127.0.0.1:2379","require-backend-tls":true,"frontend-keepalive":{"enabled":true},"backend-healthy-keepalive":{"enabled":true,"idle":60000000000,"cnt":5,"intvl":3000000000,"timeout":15000000000},"backend-unhealthy-keepalive":{"enabled":true,"idle":10000000000,"cnt":5,"intvl":1000000000,"timeout":5000000000},"graceful-close-conn-timeout":15},"api":{"addr":"0.0.0.0:3080"},"advance":{"ignore-wrong-namespace":true},"security":{"server-tls":{"min-tls-version":"1.1"},"server-http-tls":{"min-tls-version":"1.1"},"cluster-tls":{"min-tls-version":"1.1"},"sql-tls":{"min-tls-version":"1.1"}},"metrics":{"metrics-addr":"","metrics-interval":0},"log":{"encoder":"tidb","level":"info","log-file":{"max-size":300,"max-days":3,"max-backups":3}}}`,
+		require.Equal(t, `{"proxy":{"addr":"0.0.0.0:6000","pd-addrs":"127.0.0.1:2379","frontend-keepalive":{"enabled":true},"backend-healthy-keepalive":{"enabled":true,"idle":60000000000,"cnt":5,"intvl":3000000000,"timeout":15000000000},"backend-unhealthy-keepalive":{"enabled":true,"idle":10000000000,"cnt":5,"intvl":1000000000,"timeout":5000000000},"graceful-close-conn-timeout":15},"api":{"addr":"0.0.0.0:3080"},"advance":{"ignore-wrong-namespace":true},"security":{"server-tls":{"min-tls-version":"1.1"},"server-http-tls":{"min-tls-version":"1.1"},"cluster-tls":{"min-tls-version":"1.1"},"sql-tls":{"min-tls-version":"1.1"}},"metrics":{"metrics-addr":"","metrics-interval":0},"log":{"encoder":"tidb","level":"info","log-file":{"max-size":300,"max-days":3,"max-backups":3}}}`,
 			string(regexp.MustCompile(`"workdir":"[^"]+",`).ReplaceAll(all, nil)))
 		require.Equal(t, http.StatusOK, r.StatusCode)
 	})
 
-	doHTTP(t, http.MethodPut, "/api/admin/config", strings.NewReader("proxy.require-backend-tls = false"), func(t *testing.T, r *http.Response) {
+	doHTTP(t, http.MethodPut, "/api/admin/config", strings.NewReader("security.require-backend-tls = true"), func(t *testing.T, r *http.Response) {
 		require.Equal(t, http.StatusOK, r.StatusCode)
 	})
 	sum := ""
@@ -102,7 +101,7 @@ max-backups = 3
 		require.Equal(t, sum, string(sumreg.Find(all)))
 		require.Equal(t, http.StatusOK, r.StatusCode)
 	})
-	doHTTP(t, http.MethodPut, "/api/admin/config", strings.NewReader("proxy.require-backend-tls = true"), func(t *testing.T, r *http.Response) {
+	doHTTP(t, http.MethodPut, "/api/admin/config", strings.NewReader("security.require-backend-tls = false"), func(t *testing.T, r *http.Response) {
 		require.Equal(t, http.StatusOK, r.StatusCode)
 	})
 	doHTTP(t, http.MethodGet, "/api/debug/health", nil, func(t *testing.T, r *http.Response) {

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -133,7 +133,7 @@ func NewServer(ctx context.Context, sctx *sctx.Context) (srv *Server, err error)
 		} else {
 			hsHandler = backend.NewDefaultHandshakeHandler(srv.NamespaceManager)
 		}
-		srv.Proxy, err = proxy.NewSQLServer(lg.Named("proxy"), cfg.Proxy, srv.CertManager, hsHandler)
+		srv.Proxy, err = proxy.NewSQLServer(lg.Named("proxy"), cfg, srv.CertManager, hsHandler)
 		if err != nil {
 			err = errors.WithStack(err)
 			return