ClickHouse
diff --git a/‎clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseClientOption.java
Lines changed: 9 additions & 1 deletion b/‎clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseClientOption.java
Lines changed: 9 additions & 1 deletion
diff --git a/‎clickhouse-http-client/src/main/java/com/clickhouse/client/http/ApacheHttpConnectionImpl.java
Lines changed: 35 additions & 2 deletions b/‎clickhouse-http-client/src/main/java/com/clickhouse/client/http/ApacheHttpConnectionImpl.java
Lines changed: 35 additions & 2 deletions
diff --git a/‎clickhouse-http-client/src/test/java/com/clickhouse/client/http/NetworkTests.java
Lines changed: 269 additions & 0 deletions b/‎clickhouse-http-client/src/test/java/com/clickhouse/client/http/NetworkTests.java
Lines changed: 269 additions & 0 deletions
diff --git a/‎clickhouse-http-client/src/test/resources/certs/node1.crt
Lines changed: 19 additions & 0 deletions b/‎clickhouse-http-client/src/test/resources/certs/node1.crt
Lines changed: 19 additions & 0 deletions
@@ -451,7 +451,15 @@ public enum ClickHouseClientOption implements ClickHouseOption {
      */
     CONNECTION_TTL("connection_ttl", 0L,
             "Connection time to live in milliseconds. 0 or negative number means no limit."),
-    MEASURE_REQUEST_TIME("debug_measure_request_time", false, "Whether to measure request time. If true, the time will be logged in debug mode.");
+    MEASURE_REQUEST_TIME("debug_measure_request_time", false, "Whether to measure request time. If true, the time will be logged in debug mode."),
+
+    /**
+     * Comma separated key-value pairs of IP address/host to SNI mapping.
+     * Special mapping {@code _default_} - for default SNI when no match found. Without default mapping only matched targets will have SNI parameter.
+     */
+    SSL_SNI_MAPPING("ssl_sni_map", "", "Comma separated key-value pairs of IP address/host to SNI mapping. Special mapping _default_ - for default SNI when no match found. Without default mapping only matched targets will have SNI parameter.")
+
+    ;
 
     private final String key;
     private final Serializable defaultValue;
 
@@ -11,6 +11,7 @@
 import com.clickhouse.client.config.ClickHouseProxyType;
 import com.clickhouse.client.config.ClickHouseSslMode;
 import com.clickhouse.client.http.config.ClickHouseHttpOption;
+import com.clickhouse.config.ClickHouseOption;
 import com.clickhouse.data.ClickHouseChecker;
 import com.clickhouse.data.ClickHouseExternalTable;
 import com.clickhouse.data.ClickHouseFormat;
@@ -54,8 +55,11 @@
 import org.apache.hc.core5.util.Timeout;
 import org.apache.hc.core5.util.VersionInfo;
 
+import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -66,10 +70,9 @@
 import java.io.UncheckedIOException;
 import java.net.ConnectException;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Socket;
-import java.net.SocketOption;
-import java.net.SocketOptions;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.List;
@@ -394,6 +397,8 @@ public static SocketFactory create(ClickHouseConfig config) {
 
     static class SSLSocketFactory extends SSLConnectionSocketFactory {
         private final ClickHouseConfig config;
+        private final Map<String, String> sniMapping;
+        private final String defaultSNI;
 
         private SSLSocketFactory(ClickHouseConfig config) throws SSLException {
             super(ClickHouseSslContextProvider.getProvider().getSslContext(SSLContext.class, config)
@@ -402,13 +407,41 @@ private SSLSocketFactory(ClickHouseConfig config) throws SSLException {
                             ? new DefaultHostnameVerifier()
                             : (hostname, session) -> true); // NOSONAR
             this.config = config;
+            String sniMappingStr = config.getStrOption(ClickHouseClientOption.SSL_SNI_MAPPING);
+            sniMapping = ClickHouseOption.toKeyValuePairs(sniMappingStr);
+            defaultSNI = sniMapping.get("_default_");
         }
 
         @Override
         public Socket createSocket(HttpContext context) throws IOException {
             return AbstractSocketClient.setSocketOptions(config, new Socket());
         }
 
+        @Override
+        protected void prepareSocket(SSLSocket socket, HttpContext context) throws IOException {
+            super.prepareSocket(socket, context);
+
+            if (!sniMapping.isEmpty()) {
+                InetAddress remote = socket.getInetAddress();
+                if (remote != null) { //  actually should be not null here
+                    String sni = sniMapping.get(remote.getHostAddress());
+                    if (sni == null) {
+                        sni = sniMapping.get(remote.getHostName());
+                        if (sni == null) {
+                            sni = defaultSNI;
+                        }
+                    }
+                    if (sni != null && !sni.isEmpty()) {
+                        SSLParameters sslParams = socket.getSSLParameters();
+                        sslParams.setServerNames(Collections.singletonList(new SNIHostName(sni)));
+                        socket.setSSLParameters(sslParams);
+                    }
+                } else {
+                    log.warn("Failed to apply SNI - remote address is null");
+                }
+            }
+        }
+
         public static SSLSocketFactory create(ClickHouseConfig config) throws SSLException {
             return new SSLSocketFactory(config);
         }
 
@@ -0,0 +1,269 @@
+package com.clickhouse.client.http;
+
+import com.clickhouse.client.AbstractSocketClient;
+import com.clickhouse.client.ClickHouseClient;
+import com.clickhouse.client.ClickHouseConfig;
+import com.clickhouse.client.ClickHouseNode;
+import com.clickhouse.client.ClickHouseNodeSelector;
+import com.clickhouse.client.ClickHouseProtocol;
+import com.clickhouse.client.ClickHouseResponse;
+import com.clickhouse.client.ClickHouseSocketFactory;
+import com.clickhouse.client.ClickHouseSslContextProvider;
+import com.clickhouse.client.config.ClickHouseClientOption;
+import com.clickhouse.client.config.ClickHouseDefaults;
+import com.clickhouse.client.config.ClickHouseSslMode;
+import com.clickhouse.config.ClickHouseOption;
+import com.clickhouse.data.ClickHouseFormat;
+import com.clickhouse.data.ClickHouseRecord;
+import com.clickhouse.data.ClickHouseUtils;
+import org.apache.hc.client5.http.socket.PlainConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.ssl.SSLContexts;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.utility.MountableFile;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import wiremock.Run;
+
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.io.IOException;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * This tests is only for development and manual testing
+ */
+@Test(groups = {"integration"})
+public class NetworkTests {
+    private static final String NGINX_IMAGE = "nginx:alpine";
+    private static final int NGINX_SSL_PORT = 8443;
+    private static final String NODE1_HOST = "node1.test";
+    private static final String NODE2_HOST = "node2.test";
+
+    private GenericContainer<?> nginxContainer;
+
+    static {
+        System.setProperty("org.slf4j.simpleLogger.defaultLogLevel", "DEBUG");
+    }
+
+    @BeforeClass
+    public void setUp() throws Exception {
+
+        // Create Nginx container with custom configuration
+        nginxContainer = new GenericContainer<>(NGINX_IMAGE)
+                .withCopyFileToContainer(
+                        MountableFile.forClasspathResource("nginx.conf"),
+                        "/etc/nginx/nginx.conf"
+                )
+                .withCopyFileToContainer(
+                        MountableFile.forClasspathResource("certs"),
+                        "/etc/nginx/certs/"
+                )
+                .withExposedPorts(NGINX_SSL_PORT)
+                .waitingFor(Wait.forListeningPort());
+
+        nginxContainer.start();
+    }
+
+    @AfterClass
+    public void tearDown() {
+        if (nginxContainer != null) {
+            nginxContainer.stop();
+        }
+    }
+
+    private String getNginxHost() {
+        return nginxContainer.getHost();
+    }
+
+    private int getNginxPort() {
+        return nginxContainer.getMappedPort(NGINX_SSL_PORT);
+    }
+
+    @Test
+    public void testSNI() {
+        // Test will be implemented here
+        String host = getNginxHost();
+        int port = getNginxPort();
+        System.out.println("Nginx container running at: " + host + ":" + port);
+    }
+
+    @Test(dataProvider = "testSNINodesDP")
+    void testSNINodes(String host) throws Exception {
+        int port = nginxContainer.getMappedPort(NGINX_SSL_PORT);
+        SSLSocket socket = createSniSocket(host, "localhost", port);
+        socket.startHandshake();
+
+        SSLSession session = socket.getSession();
+        X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
+        Assert.assertTrue(cert.getSubjectX500Principal().getName().contains("CN=" + host));
+    }
+
+    @DataProvider
+    static Object[][] testSNINodesDP() {
+        return new Object[][]{
+                {NODE1_HOST},
+                {NODE2_HOST}
+        };
+    }
+
+    private SSLSocket createSniSocket(String sniHost, String serverHost, int port) throws Exception {
+        SSLContext context = SSLContext.getInstance("TLS");
+        context.init(null, new TrustManager[]{new X509TrustManager() {
+            public void checkClientTrusted(X509Certificate[] chain, String authType) {
+            }
+
+            public void checkServerTrusted(X509Certificate[] chain, String authType) {
+            }
+
+            public X509Certificate[] getAcceptedIssuers() {
+                return new X509Certificate[0];
+            }
+        }}, null);
+
+        SSLSocketFactory factory = context.getSocketFactory();
+        SSLSocket socket = (SSLSocket) factory.createSocket(serverHost, port);
+
+        SSLParameters sslParams = socket.getSSLParameters();
+        sslParams.setServerNames(Collections.singletonList(new SNIHostName(sniHost)));
+        socket.setSSLParameters(sslParams);
+
+        return socket;
+    }
+
+    @Test(groups = {"integration"})
+    void testClientConfiguration() throws Exception {
+        ClickHouseNode gateway = ClickHouseNode.of("https://" + getNginxHost() + ":" + getNginxPort() + "/?sslmode=none");
+        try (ClickHouseClient client = ClickHouseClient.builder()
+                .option(ClickHouseDefaults.USER, "default")
+                .option(ClickHouseDefaults.PASSWORD, "")
+                .option(ClickHouseClientOption.SSL_MODE, ClickHouseSslMode.NONE)
+                .option(ClickHouseClientOption.COMPRESS, false) ///  we emulate servers so need plain text
+                .option(ClickHouseClientOption.SSL_SNI_MAPPING, "127.0.1.1=nodeX.test,localhost=node2.test")
+                .nodeSelector(ClickHouseNodeSelector.of(ClickHouseProtocol.HTTP))
+                .build()) {
+
+
+
+            try (ClickHouseResponse response = client.read(gateway)
+                    .format(ClickHouseFormat.TabSeparated)
+                    .query("SELECT hostname()").executeAndWait()) {
+//                ClickHouseRecord record = response.firstRecord();
+                String serverHostname = response.firstRecord().getValue(0).asString();
+                Assert.assertEquals(serverHostname, "node2.test");
+            };
+        }
+    }
+
+
+    @Test(groups = {"integration"})
+    void testCustomSSLConnectionFactory() throws Exception {
+        ClickHouseNode gateway = ClickHouseNode.of("https://" + getNginxHost() + ":" + getNginxPort() + "/?sslmode=none");
+        try (ClickHouseClient client = ClickHouseClient.builder()
+                .option(ClickHouseDefaults.USER, "default")
+                .option(ClickHouseDefaults.PASSWORD, "")
+                .option(ClickHouseClientOption.CUSTOM_SOCKET_FACTORY_OPTIONS, "default_sni=node1.sni")
+                .option(ClickHouseClientOption.CUSTOM_SOCKET_FACTORY, SNIAwareSSLSocketFactory.class.getName())
+                .option(ClickHouseClientOption.SSL_MODE, ClickHouseSslMode.NONE)
+                .option(ClickHouseClientOption.COMPRESS, false) ///  we emulate servers so need plain text
+
+                .nodeSelector(ClickHouseNodeSelector.of(ClickHouseProtocol.HTTP))
+                .build()) {
+
+
+
+            try (ClickHouseResponse response = client.read(gateway)
+                    .format(ClickHouseFormat.TabSeparated)
+                    .query("SELECT hostname()").executeAndWait()) {
+//                ClickHouseRecord record = response.firstRecord();
+                String serverHostname = response.firstRecord().getValue(0).asString();
+                Assert.assertEquals(serverHostname, "node2.test");
+            };
+        }
+    }
+
+    public static class SNIAwareSSLSocketFactory implements ClickHouseSocketFactory {
+
+        @Override
+        public <T> T create(ClickHouseConfig config, Class<T> clazz) throws IOException, UnsupportedOperationException {
+            if (config == null || clazz == null) {
+                throw new IllegalArgumentException("Non-null configuration and class are required");
+            } else if (SSLConnectionSocketFactory.class.equals(clazz)) {
+                return clazz.cast(new CustomSSLSocketFactory(config));
+            } else if (PlainConnectionSocketFactory.class.equals(clazz)) {
+                return clazz.cast(new CustomPlainSocketFactory(config));
+            }
+
+            throw new UnsupportedOperationException(ClickHouseUtils.format("Class %s is not supported", clazz));
+        }
+
+        @Override
+        public boolean supports(Class<?> clazz) {
+            return PlainConnectionSocketFactory.class.equals(clazz) || SSLConnectionSocketFactory.class.equals(clazz);
+        }
+    }
+
+    static class CustomPlainSocketFactory extends PlainConnectionSocketFactory {
+        private final ClickHouseConfig config;
+
+        public CustomPlainSocketFactory(ClickHouseConfig config) {
+            this.config = config;
+        }
+
+        @Override
+        public Socket createSocket(final HttpContext context) throws IOException {
+            // Use AbstractSockerClient.setSockerOptions to propagate socket configuration
+            return AbstractSocketClient.setSocketOptions(config, new Socket());
+        }
+    }
+
+    static class CustomSSLSocketFactory extends SSLConnectionSocketFactory {
+        private static final Logger LOG = LoggerFactory.getLogger(CustomSSLSocketFactory.class);
+        private final ClickHouseConfig config;
+
+        private final SNIHostName defaultSNIHostName;
+
+        public CustomSSLSocketFactory(ClickHouseConfig config) throws SSLException {
+            super(ClickHouseSslContextProvider.getProvider().getSslContext(SSLContext.class, config)
+                            .orElse(SSLContexts.createDefault()),
+                    config.getSslMode() == ClickHouseSslMode.STRICT
+                            ? new DefaultHostnameVerifier()
+                            : (hostname, session) -> true); // NOSONAR
+            this.config = config;
+            String configStr = config.getStrOption(ClickHouseClientOption.CUSTOM_SOCKET_FACTORY_OPTIONS);
+            if (configStr != null) {
+                Map<String, String> configMap = ClickHouseOption.toKeyValuePairs(configStr);
+                defaultSNIHostName = new SNIHostName(configMap.get("default_sni"));
+            } else {
+                throw new RuntimeException("Missing configuration for the factory");
+            }
+        }
+
+        @Override
+        protected void prepareSocket(SSLSocket socket, HttpContext context) throws IOException {
+            LOG.debug("Preparing socket: {}", socket);
+            LOG.debug("Remote address: {}", socket.getInetAddress());
+            SSLParameters sslParams = socket.getSSLParameters();
+            sslParams.setServerNames(Collections.singletonList(defaultSNIHostName));
+            socket.setSSLParameters(sslParams);
+        }
+    }
+}
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgIUPgsC1txpblBP8ybZlyOE/iwm3GAwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKbm9kZTEudGVzdDAeFw0yNTA2MDYyMTI4NDJaFw0yNjA2
+MDYyMTI4NDJaMBUxEzARBgNVBAMMCm5vZGUxLnRlc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC16EcQY0+5s2sF4WDFcQgExmuIDn3v8gxqklv4BTXV
+1B4MqOFhwKytLiAXHL8wyILZJXfCzSQb+75gnm7nDd/5yCEbuhOGjHZcKWLx0ff7
+MBunje4b3t4LzKMtYmrPGSS540LLpsh+1VhJaHyDQRbK3Uu896K3wm5YC8FArj83
+XAV7UmEOjS4JeTWmFgfXcH04e6tSfZ9TrhyxMWaviFVHk9Lvvj8ajrJQ6nyFNOYL
+hTxSU3hrEixJ/Y8h7PPEfUFjVBixCjh93XbrGFu6bstL0V6MeAFV7u+oE6uaJpzw
+23qgKq8q93niq4MLhv+sfUX5j5mHF4OookY4uxNztVhtAgMBAAGjajBoMB0GA1Ud
+DgQWBBSFVEPrB2BgUiQ2VuyBbpcASR+HujAfBgNVHSMEGDAWgBSFVEPrB2BgUiQ2
+VuyBbpcASR+HujAPBgNVHRMBAf8EBTADAQH/MBUGA1UdEQQOMAyCCm5vZGUxLnRl
+c3QwDQYJKoZIhvcNAQELBQADggEBACDcZV0fYLyWHcY2lRRp+XfCC9pku2QCLKtb
+UYF2sAzMm/ND5U6MFu5BB9EcveFVDDe00DgdkSTC/7LgljhZvTLFxaqmcHO6bz9N
+woh1sljzlxDWymPCFg812lTt+KF6dvRswVYVY8ZkF9mrf0oVTYFNeX29G65/GlWQ
+ykN8VvjtnMZpphJYTaMNzOsAvEWLxSppVYYIhNqjwIifJjiWGptqtmeycQrInJp0
+5KgecVqEffxm1NcZyTlcoDvcm2ayQblpq17rcQ6H5Y1LF9vVffA1UwAgLPQmSNO2
+5hbfGo2ySmRzBv5goYdhR4/KVj+IXL0ASgzp6lHh+UhSLFeTFWY=
+-----END CERTIFICATE-----