Better support for UNIX Domain sockets #228
Conversation
Motivation: Using a base URL as the socket path only works when the URL object is maintained as long as possible through the stack. Additionally, it doesn't currently provide a way to use TLS over UNIX sockets. Modifications: Added two tests to test out the to-be supported URL schemes, http+unix, and https+unix, which encode the socket path as a %-escaped hostname, as some existing services already do. Result: Some failing tests.
|
Can one of the admins verify this patch? |
3 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
| /// Socket path, resolved from `URL`. | ||
| public let socketPath: String | ||
| /// URI, resolved from `URL`. | ||
| public let uri: String |
There was a problem hiding this comment.
Is it necessary for either of these to be public? In particular, uri is extremely not well distinguished from url, and if we're keeping both in the API we really need to explain how they differ.
There was a problem hiding this comment.
Not at all — continuing on that thought, the host will be empty for socket-based Requests, even though that's where its encoded… Should we merge the implementations to make the socket path available as the host?
| func supports(scheme: String) -> Bool { | ||
| switch self { | ||
| case .host: | ||
| return Kind.hostSchemes.contains(scheme) | ||
| case .unixSocket: | ||
| case .unixSocket(scheme: _): | ||
| return Kind.unixSchemes.contains(scheme) |
There was a problem hiding this comment.
This supports spelling is getting unwieldy here, not least because we're no longer using half of the switch statement. Should this just be a constructor of Kind from String?
There was a problem hiding this comment.
I'm not too sure — we are already constructing Kind from String in https://github.com/swift-server/async-http-client/pull/228/files#diff-67e2f60fc709da32af89dfbfc0c774aaR116-R129, so that method can certainly be fixed up to no longer rely on supports().
My bigger question is that supports() seems like it is being used by some redirect logic here:
It seems like the older version was just making sure that the new scheme matched http/https - while the one currently in the repo will only accept http redirects from http requests, and socket redirects from socket requests. @krzyzanowskim Do you remember more about why you set it up this way?
I propose that if the request is an http request, we keep it as such, but if it is a socket request, we allow it to redirect to any supported scheme, but that is based on my limited understanding of what's going on here 😅
There was a problem hiding this comment.
I propose that if the request is an http request, we keep it as such, but if it is a socket request, we allow it to redirect to any supported scheme, but that is based on my limited understanding of what's going on here 😅
Yeah, that seems a reasonable design choice.
There was a problem hiding this comment.
Would you support refactoring this method to something like this, since it is now only used for redirects?
Call site (which was checking against the old scheme for some reason that escapes me):
This would also simplify the initializer tremendously:
There was a problem hiding this comment.
@krzyzanowskim Do you remember more about why you set it up this way?
Sorry, I don't remember details at the moment. I'm sorry not being helpful here.
There was a problem hiding this comment.
@krzyzanowskim Not a problem! I think the original code may have also had the same issue, so ultimately we just need more tests that capture the underlying problem 😅
|
Very cool! |
|
It's entirely up to you: we'll squash when we merge, so we'll end up with only one commit anyway. |
dimitribouniol
force-pushed
the
http-plus-unix
branch
3 times, most recently
from
014536c to
c6c32eb
Compare
|
I addressed most of the changes - all that's left are the following related but out of scope issues: Should we combine
|
dimitribouniol
force-pushed
the
http-plus-unix
branch
from
c6c32eb to
4263f56
Compare
|
@swift-server-bot test this please |
|
As for the follow-on issues you identified, I'm more than happy for you to address them in follow-up PRs. |
|
It seems there are some minor formatting issues that need to be cleaned up. |
|
@dimitribouniol apologies, there seem to be formatting issues. If you just run |
…for the new schemes Motivation: Before I start adding support for new URL schemes, I consolidated the existing use of unix sockets and https TLS handling. Modifications: Consolidated socket path and uri handling to one place, added an associated type to the unixSocket case, and added a computed requiresTLS property to the Key Scheme. Result: Much cleaner code that is now ready for some new schemes!
Motivation: We can now not only make connections over sockets using the existing unix: baseURL approach, but also by %-escaping the socket path as the URL's hostname, and using the http+unix: or https+unix: schemes for plain HTTP or HTTP over TLS support. Modifications: Added references to the new url schemes where necessary, aand added a missingSocketPath error for when the socket path is not encoded as the hostname. Result: The tests now pass, and connections can be made over non-special URLs, supporting TLS if necessary.
… to socket paths Motivation: Binding HTTPBin to a socket path generates many warnings in the console that are largely inconsequential, but cloud the results. This removes one of them 😅 (I'm not sure how to address the others) Modifications: TCP_NODELAY is now a default option in NIO, so we can leave out the setting completely since it isn't supported when binding to socket paths. Result: One fewer warning in the console 🙃
dimitribouniol
force-pushed
the
http-plus-unix
branch
from
4263f56 to
bada1bb
Compare
|
I've just addressed the formatting issues — I'm creating separate tracking issues for the two points I brought up above for further discussion. |
|
@swift-server-bot test this please |
|
Seems like on linux, the client will throw a @weissi Could you re-trigger the tests please? (unless I'm able to do it using the same command you used?) |
|
@weissi Please hold off on re-testing - I got Docker running locally, and it's still failing 😅 |
…r would result in an SNI error Motivation: Testing on Linux seemed to reveal an `NIOSSLExtraError.invalidSNIHostname` error that was thrown when using `https+unix` URLs, which don't have their hostname filled in. The same NIO failure does not occur on macOS, as it seems that Network.framework does not mind an empty hostname. Modifications: Added an extra check to determine if the host is empty before passing it to a `NIOSSLClientHandler`. Result: testHTTPSPlusUNIX() no longer fails on Linux.
dimitribouniol
force-pushed
the
http-plus-unix
branch
from
84d4064 to
7b7051a
Compare
|
@weissi All tests now pass on my local machine! Please re-test 🙂 |
|
@swift-server-bot test this please |
These changes upgrade the unix domain socket handling to address the following issues:
To maintain backward compatibility, this PR introduces two new URL schemes:
http+unix://, andhttps+unix://. These url schemes, while not universal, are used in a standard way by other services (some - examples), and work by %-encoding the socket path as the url hostname. These are easy to construct using standard swift types:This produces a url that looks something like this:
https+unix://%2Ftmp%2FfilePath.socket/echo-uri, which is fully supported byURL, and can be serialized and deserialized to and from a String easily.When the
https+unix://URL scheme is used, TLS is turned on. It is still up to the user to perform certificate validation under this scheme, but at the very least an encrypted connection over a socket is now possible if the server is configured to only provide such a configuration.I'd also like to think I did a good job keeping things neat and tidy, and inline with the style of the repo, but I'm open to any and all feedback! (This is my first time contributing to any large open source project, so please be kind 😅)
Where to go from here
Some future improvements that can be made:
unix:scheme for the next major version? It's use is a bit unwieldy from a user's point of view (especially as many frameworks like Vapor have client constructors that take in strings as the URLs), and I doubt its currently widely used.