This branch changes the proxy's accept logic so that the proxy will no longer attempt to terminate TLS on ports which are configured to skip protocol detection. This means that a Linkerd deployment with `--tls optional` will no longer break server-speaks-first protocols like MySQL (although that traffic will not be encrypted).

Since it's necessary to get the connection's original destination to determine if it's on a port which should skip protocol detection, I've moved the SO_ORIGINAL_DST call down the stack from `Server` to `BoundPort`. However, to avoid making an additional unnecessary syscall, the original destination is propagated to the server, along with the information about whether or not protocol detection is enabled. This is the approach described in https://github.com/linkerd/linkerd2/issues/1270#issuecomment-406124236.

I've also written a new integration test for server-speaks-first protocols with TLS enabled. This test is essentially the same as the existing `transparency::tcp_server_first` test, but with TLS enabled for the test proxy. I've confirmed that this fails against master. Furthermore, I've validated this change by deploying the `booksapp` demo with MySQL with TLS enabled, which [previously didn't work](https://github.com/linkerd/linkerd2/issues/1648#issuecomment-432867702).

Closes linkerd/linkerd2#1270

Signed-off-by: Eliza Weisman <eliza@buoyant.io>