[client-v2] SNI configuration options #2467
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR introduces configurable SSL SNI mapping to the ClickHouse Java client, allowing users to specify host/IP-to-SNI mappings when creating HTTPS connections. It also adds accompanying integration tests, sample Nginx configurations, and new certificate assets to validate the feature.
- Added
ssl_sni_mappingproperty and parsing logic inClientConfigProperties - Extended HTTP client factories (
HttpAPIClientHelperandApacheHttpConnectionImpl) to apply SNI based on mappings - Added integration tests using Testcontainers and sample Nginx configs/certs
Reviewed Changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| client-v2/src/test/resources/nginx.conf | Sample Nginx config defining two SSL servers for SNI tests |
| client-v2/src/test/resources/certs/node2.key | Private key for node2 test server |
| client-v2/src/test/resources/certs/node2.crt | Certificate for node2 test server |
| client-v2/src/test/resources/certs/node1.key | Private key for node1 test server |
| client-v2/src/test/resources/certs/node1.crt | Certificate for node1 test server |
| client-v2/src/test/resources/certs/README.md | Instructions for generating self-signed certs |
| client-v2/src/test/java/com/clickhouse/client/internal/SmallTests.java | New test printing config properties (needs assertions) |
| client-v2/src/test/java/com/clickhouse/client/NetworkTests.java | Integration test scaffolding for SNI (incomplete) |
| client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java | Added CustomSSLConnectionFactory for SNI mapping |
| client-v2/src/main/java/com/clickhouse/client/api/ClientConfigProperties.java | Introduced SSL_SNI_MAPPING enum and toKeyValuePairs parser |
| client-v2/src/main/java/com/clickhouse/client/api/Client.java | Added builder method appCompressedData(boolean) |
| client-v2/pom.xml | Bumped in-test logging by adding slf4j-simple dependency |
| clickhouse-http-client/src/test/resources/nginx.conf | Duplicate sample Nginx config for HTTP client module |
| clickhouse-http-client/src/test/resources/certs/node2.key | Duplicate node2 private key in HTTP client module |
| clickhouse-http-client/src/test/resources/certs/node2.crt | Duplicate node2 certificate in HTTP client module |
| clickhouse-http-client/src/test/resources/certs/node1.key | Duplicate node1 private key in HTTP client module |
| clickhouse-http-client/src/test/resources/certs/node1.crt | Duplicate node1 certificate in HTTP client module |
| clickhouse-http-client/src/test/java/com/clickhouse/client/http/NetworkTests.java | HTTP client integration tests for SNI |
| clickhouse-http-client/src/main/java/com/clickhouse/client/http/ApacheHttpConnectionImpl.java | Extended SSLSocketFactory to apply SNI mapping |
| clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseClientOption.java | Added SSL_SNI_MAPPING enum option |
Comments suppressed due to low confidence (6)
client-v2/src/test/java/com/clickhouse/client/internal/SmallTests.java:52
- This test method prints values but has no assertions. Consider adding assertions to verify the output or remove the test if it is only for manual inspection.
System.out.println("<br/> <br/> Default: `none` <br/> Enum: `none` <br/> Key: `none` " client-v2/src/test/java/com/clickhouse/client/NetworkTests.java:67
- The
testSNImethod currently only prints the container address and lacks assertions. It should include assertions to validate actual SNI behavior or be removed.
public void testSNI() { client-v2/src/main/java/com/clickhouse/client/api/Client.java:600
- The Javadoc for
appCompressedDatahas an empty@returntag. Please provide a description, e.g.,@return this builder instance.
* @return clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseClientOption.java:460
- The key
ssl_sni_maphere is inconsistent withssl_sni_mappinginClientConfigProperties. Consider unifying the property name across modules.
SSL_SNI_MAPPING("ssl_sni_map", "", "Comma separated key-value pairs of IP address/host to SNI mapping. Special mapping _default_ - for default SNI when no match found. Without default mapping only matched targets will have SNI parameter.") client-v2/src/main/java/com/clickhouse/client/api/ClientConfigProperties.java:227
- Add unit tests for
toKeyValuePairsto verify parsing of edge cases (escaped commas, missing values, whitespace handling).
public static Map<String, String> toKeyValuePairs(String str) { clickhouse-http-client/src/test/java/com/clickhouse/client/http/NetworkTests.java:1
- [nitpick] There is duplicated
NetworkTestslogic in bothclient-v2andclickhouse-http-clientmodules. Consider consolidating shared test helpers to avoid repetition.
package com.clickhouse.client.http; client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java Outdated Show resolved Hide resolved
client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java Outdated Show resolved Hide resolved
| <dependency> | ||
| <groupId>org.slf4j</groupId> | ||
| <artifactId>slf4j-simple</artifactId> | ||
| <version>2.0.16</version> |
There was a problem hiding this comment.
The slf4j-simple dependency is added without a <scope>test</scope>. If it's only needed for tests, scope it to test to avoid polluting production classpaths.
Suggested change
| <version>2.0.16</version> | |
| <version>2.0.16</version> | |
| <scope>test</scope> |
clickhouse-http-client/src/main/java/com/clickhouse/client/http/ApacheHttpConnectionImpl.java Outdated Show resolved Hide resolved
![windsurf-bot[bot]](https://avatars.githubusercontent.com/in/1066231?s=60&v=4){kind=small}
There was a problem hiding this comment.
Other comments (3)
- client-v2/src/test/java/com/clickhouse/client/internal/SmallTests.java (50-63) This test method appears to be generating documentation or debug output rather than validating functionality. Consider either:
- Adding assertions to make this a proper test
- Moving this to a separate utility class if it's meant for documentation generation
- Adding a comment explaining the purpose of this test method
- client-v2/src/test/java/com/clickhouse/client/ClientTests.java (209-209) The test assertions have been updated to account for the new SNI configuration property, but there's no test case that actually verifies the SNI mapping functionality. Consider adding a test that demonstrates how to configure the SNI mapping and validates that it works correctly when connecting to a server.
- client-v2/src/test/java/com/clickhouse/client/internal/SmallTests.java (52-62) Consider removing the unnecessary blank lines in the println statements to improve code readability.
System.out.println("<br/> <br/> Default: `none` <br/> Enum: `none` <br/> Key: `none` "); for (ClientConfigProperties p : ClientConfigProperties.values()) { String defaultValue = p.getDefaultValue() == null ? "-" : "`" + p.getDefaultValue() + "`"; System.out.println("<br/> <br/> Default: " +defaultValue + " <br/> Enum: `ClientConfigProperties." + p.name() + "` <br/> Key: `" + p.getKey() +"` "); }
💡 To request another review, post a new comment with "/windsurf-review".
| if (sslContext != null) { | ||
| String socketSNI = (String)configuration.get(ClientConfigProperties.SSL_SOCKET_SNI.getKey()); | ||
| if (socketSNI != null && !socketSNI.trim().isEmpty()) { | ||
| sslConnectionSocketFactory = new CustomSSLConnectionFactory(socketSNI, sslContext, (hostname, session) -> true); |
There was a problem hiding this comment.
The code is using a hostname verifier that always returns true ((hostname, session) -> true), which bypasses hostname verification entirely. This is a security risk as it makes the connection vulnerable to man-in-the-middle attacks. Consider using a proper hostname verifier or making this configurable.
client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java Show resolved Hide resolved
clickhouse-http-client/src/main/java/com/clickhouse/client/http/ApacheHttpConnectionImpl.java Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Summary
This PR add configuration option to create mapping between host/ip and SNI. The last one will be set each time SSL socket is created to connect to it.
Closes #2434
Checklist
Delete items not relevant to your PR: