Posted to notifications@skywalking.apache.org by GitBox <gi...@apache.org> on 2021/11/30 11:12:55 UTC

[GitHub] [skywalking] JaredTan95 opened a new pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

JaredTan95 opened a new pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215


   
   
   ### Support disabling the verification of server's TLS certificate chain for specific hosts via the `SW_STORAGE_ES_SSL_INSECURE_HOSTS` env.
   **NOTE**: You should never use this in production, only for testing purposes.
   
   - [ ] If this is non-trivial feature, paste the links/URLs to the design doc.
   - [x] Update the documentation to include this new feature.
   - [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/CHANGES.md).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@skywalking.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [skywalking] wu-sheng commented on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
wu-sheng commented on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-982537010


   Notice, #8179 got rejected due to skipping the secure checking.
   This is an insecure way for general use.
   Couldn't you explain more?





[GitHub] [skywalking] JaredTan95 edited a comment on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 edited a comment on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-982545408


   Okay, I missed this https://github.com/apache/skywalking/pull/8179 issue.
   Feedback from some users, in some user cases, they don't bind domain on Elasticsearch multi-node, when they set up SkyWalking in their `dev` or `test` environment, the connection between OAP and ES could not be established.
   So, we could provide this way for ease of debugging and deployment.
   And, we've added notes, don't use it in production, and this feature doesn't skip any validation by default.
   





[GitHub] [skywalking] JaredTan95 commented on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 commented on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-983192410


   > No TLS verification should be fine, but don't need through us, actually. They could put a Nginx/Envoy in the front of ElasticSearch server, then OAP server could access HTTP endpoint without TLS. This is more comfortable for SkyWalking about that, we are not violating TLS which has explicitly activated in configurations. Is this working for you?
   
   The proxy way may be a working way, but it may cause a little change for deployment architecture. No matter, I closed it temporarily. 
   
   And continue to see the community feedback





[GitHub] [skywalking] JaredTan95 commented on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 commented on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-982545408


   Okay, I missed this https://github.com/apache/skywalking/pull/8179 issue.
   Feedback from some customers, in some user cases, they don't bind domain on Elasticsearch multi-node, when they set up SkyWalking in their `dev` or `test` environment, the connection between OAP and ES could not be established.
   So, we could provide this way for ease of debugging and deployment.
   And, we've added instructions, don't use it in production, and this feature doesn't skip any validation by default.
   





[GitHub] [skywalking] JaredTan95 edited a comment on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 edited a comment on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-983192410


   > No TLS verification should be fine, but don't need through us, actually. They could put a Nginx/Envoy in the front of ElasticSearch server, then OAP server could access HTTP endpoint without TLS. This is more comfortable for SkyWalking about that, we are not violating TLS which has explicitly activated in configurations. Is this working for you?
   
   The proxy way may be a working way, but it may cause a little change for deployment architecture. I closed it temporarily. 
   
   And continue to see the community feedback





[GitHub] [skywalking] JaredTan95 commented on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 commented on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-983576582


   Related discussion: https://github.com/apache/skywalking/discussions/8154





[GitHub] [skywalking] JaredTan95 edited a comment on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 edited a comment on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-982545408


   Okay, I missed this https://github.com/apache/skywalking/pull/8179 issue.
   Feedback from some users, in some user cases, they don't bind domain on Elasticsearch multi-node, when they set up SkyWalking in their `dev` or `test` environment, the connection between OAP and ES could not be established.
   So, we could provide this way for ease of debugging and deployment.
   And, we've added instructions, don't use it in production, and this feature doesn't skip any validation by default.
   





[GitHub] [skywalking] wu-sheng commented on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
wu-sheng commented on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-982549308


   No TLS verification should be fine, but don't need through us, actually. They could put a Nginx/Envoy in the front of ElasticSearch server, then OAP server could access HTTP endpoint without TLS.
   This is more comfortable for SkyWalking about that, we are not violating TLS which has explicitly activated in configurations.
   Is this working for you?



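The proxy arrangement suggested in the comment above, sketched as an nginx `http`-context fragment that keeps certificate verification on for the proxy-to-Elasticsearch hop. This is an added example, not part of the thread or of SkyWalking; the node addresses, listener port, CA path and certificate name are constructed placeholders, and it assumes the cluster certificate carries that name and chains to the given CA.

```nginx
# Added example: all addresses, names and paths are constructed placeholders.
upstream es_nodes {
    # Elasticsearch nodes addressed by IP, as in a dev/test cluster
    # where no DNS name is bound to the nodes.
    server 10.0.0.11:9200;
    server 10.0.0.12:9200;
}

server {
    # Plain-HTTP listener for the OAP server. Bound to loopback so the
    # unencrypted hop never leaves the host the proxy runs on.
    listen 127.0.0.1:9201;

    location / {
        proxy_pass https://es_nodes;

        # nginx does not verify upstream certificates unless told to.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # CA that issued the cluster's certificates (assumed path).
        proxy_ssl_trusted_certificate /etc/nginx/certs/es-ca.pem;

        # Check the certificate against the name it was issued for
        # instead of the upstream name or node IP, and send it as SNI.
        proxy_ssl_name                es.test.internal;
        proxy_ssl_server_name         on;

        # Weak variant, same effect as an insecure-hosts list:
        # proxy_ssl_verify off;
    }
}
```

With this in place the OAP server is pointed at `http://127.0.0.1:9201`, and the name mismatch is handled by `proxy_ssl_name` rather than by switching verification off.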


[GitHub] [skywalking] wu-sheng commented on pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
wu-sheng commented on pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215#issuecomment-983195283


   > > No TLS verification should be fine, but don't need through us, actually. They could put a Nginx/Envoy in the front of ElasticSearch server, then OAP server could access HTTP endpoint without TLS. This is more comfortable for SkyWalking about that, we are not violating TLS which has explicitly activated in configurations. Is this working for you?
   > 
   > The proxy way may be a working way, but it may cause a little change for deployment architecture. I closed it temporarily.
   > 
   > And continue to see the community feedback
   
   Let's see. I put more thoughts behind this here: https://twitter.com/wusheng1108/status/1465833723115409410
   If others follow this thread, it should be worth taking a look.





[GitHub] [skywalking] JaredTan95 closed pull request #8215: Support disables the verification of server's TLS certificate chain for specific hosts

Posted by GitBox <gi...@apache.org>.
JaredTan95 closed pull request #8215:
URL: https://github.com/apache/skywalking/pull/8215


   

