proxy support tls (#16706)

Signed-off-by: Nxiyichan <2863768433@qq.com>

configs/cert/ca.key

+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwuH3vwsOYCgW/+S9Z+qH2Ly0AU7Z2Igct4K+oOTC/jXJNTdy
+4mYLxGu5ptfXoo8T3oEB/LtAGYXxDj+NSCQjXnU0mHb3pyKbw7p/jCOdnTZ0ZyJf
+IAXYRHyej8hlnSPjwJLEA/Ue9OE8SA/k5sjyCgP7pbvFJt6ZL5ZN1/Tx86O5BNH7
+3kD2rW6R0XO2KwiH3acyf292GF7R0uBbQQOMF/bFv7IkinIIjc3MT/Iaj3MoBczs
+d6FArdtS2kvRNSYuK9LNTNnlcIRSsYaqXykSOIyxTSAPbyZbnB+4UuUVNqftmvTQ
+TqoGJGq1Sg9MSFrXKB6GoysKmZ5JQZDDPJ4SYQIDAQABAoIBACv96nkbu9EE+7wk
+HIV6sdPBNTkeXZq9jw3126ZiPYo5BgSXUb29n2ZlkvEQxEKT3b5ajOJKOrwIOlQn
+EHN6hOlrt8W7BUibTWIvlV9DIu88PaaSYbrO1vUO1JRMfnOsiFsORmVGTgilV4BE
+5j0am1ibcZEGBAk0MoxFd6kKSBvhMiCw0i4jZ/LAvgfzH3Bv/ZvbPfPHCs2OOwtY
+1X86dTCcDbWcDrjTMnVdEPN8/SvW4JXf5EdVL35xiSrVSZxcZGks8oid+P6JSFdG
+uBnxSTt9q5V3Ya421/I1CG9VYIrJdpNAmog3Jbi+HZTmBaNX6Wf5GOKgKjIt5J6U
+qqaicOECgYEA94xfP/LiuEKuusB9CkGW/9Yep8fV8T3cjYBz7Fc+WGOuqaBnvIv4
+PBO16uz6Nze1x58z25Qatrm4pp9aTov/bRkKVaW6Ua/R0KcUbVjV/aN5cgjjLrIL
+0wYpufFFbGzSK4vzbRWOQbdZhgYSVk97VyXYCPrzr3s6S+JozA3+vqUCgYEAyYlJ
+QgLf4t/aXxDxj14MwBA9ccgFhb43OZnBCWetYk22/Yi2afxvbbV0jo791E7p6ReC
+SnTSYv2ijvHpTOttRfGALM1Js9xYRKKr1oCkWxEP8NLgutlniPLDqWBP0cMe7oSw
+X14Kmj1yz1j3wp+6oP4uzb8KLW3rbx8/EBPrlA0CgYBdWbgJm4RXy/2sOy5sEbPp
+oktJJhjNsnBbhBczButh1aVmHjFAbuAbd6tgfiEVdZK9RpH9ueohAgRaATnC6RRX
+hdvZ1Hdgmpbawkb3vUplLaJ8mFFjqIzA9VAC6LMvYhIXjd0sQ7aznXrLCbschTiT
+8pd3O3ttr2CagTTXzmdEaQKBgCfwqTAH2c7ghipo9TZwcR5vGX4/IbkLpW4o5nSy
+s03UEPvV6DDA8mRPnbXS6ML2kKy9F/khhcBQe7LQhmfUEGfYIIrAdGbMuEGB64Qr
+ImdZzkrvv9HH3Bjr45Lhn2/2t16VtU5xGLDQlLw66X8MoLPfK+9ieOXf7tSq4JiT
+GhDRAoGBAK9xYpqb070deaKk/EBZhbp8baz1/x/RmKd38GRvf4LbOJ1jd1ufFWih
+cMOjz8iO3CAU2BnvUqD72cTALVxjyv9PdIg7i84s56hZ9fjxF+fFK1zv5TO5snsL
+ocwYTD5n0FvzgpwJFnGMnfiPc0h1RnwRJrWrDZS/M6+89ptNWQla
+-----END RSA PRIVATE KEY-----

configs/cert/ca.pem

+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIUXZen56S+MZE8UTb09jyM6szs/ukwDQYJKoZIhvcNAQEL
+BQAwYzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdaMQswCQYDVQQHDAJHWjESMBAG
+A1UECgwJcm9uZXRoaW5nMRIwEAYDVQQLDAlyb25ldGhpbmcxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDAeFw0yMjA1MDEwODU3MzRaFw0zMjA0MjgwODU3MzRaMGMxCzAJBgNV
+BAYTAkNOMQswCQYDVQQIDAJHWjELMAkGA1UEBwwCR1oxEjAQBgNVBAoMCXJvbmV0
+aGluZzESMBAGA1UECwwJcm9uZXRoaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC4fe/Cw5gKBb/5L1n6ofYvLQB
+TtnYiBy3gr6g5ML+Nck1N3LiZgvEa7mm19eijxPegQH8u0AZhfEOP41IJCNedTSY
+dvenIpvDun+MI52dNnRnIl8gBdhEfJ6PyGWdI+PAksQD9R704TxID+TmyPIKA/ul
+u8Um3pkvlk3X9PHzo7kE0fveQPatbpHRc7YrCIfdpzJ/b3YYXtHS4FtBA4wX9sW/
+siSKcgiNzcxP8hqPcygFzOx3oUCt21LaS9E1Ji4r0s1M2eVwhFKxhqpfKRI4jLFN
+IA9vJlucH7hS5RU2p+2a9NBOqgYkarVKD0xIWtcoHoajKwqZnklBkMM8nhJhAgMB
+AAGjUzBRMB0GA1UdDgQWBBT8tV8mSqY4ujxUPTNNue7ty9ad8DAfBgNVHSMEGDAW
+gBT8tV8mSqY4ujxUPTNNue7ty9ad8DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQCbaK5wizgoH3AS0AYgHRHbvVaLXEgihcmdsFGqszmkOS50dpcm
+bqs0wS0g7Ibgpv8bS9tn9gXhdTR04F08PrbbALBF0I1zIbT5F6rp2w7P78gWZDa7
+iPYCTYA1WRZEEVJD4eyFC4cM8uG0wVCbKuOFUJaUPONbdJ1S26xtBSJHy0g8JeNK
+3N70/xYa0AFk4D9EoX39oiCOnj1QWN2M0IjUJHUcu1Bm50dxDcpiaoWR6sCFJU4r
+gMlFpeZ9Sg6zh4sUs2X0YYusEp3ATz+0E0iRChEM0213yvBR3HwaJKSegBocflCZ
+SKrjAyIpRkscR0JKWUPICf+rr0B0mPeEYfgK
+-----END CERTIFICATE-----

configs/cert/ca.srl

+342790CE3BD09229C9C14810E2AB86D28A4700BF

configs/cert/client.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIC7jCCAdYCAQAwSTELMAkGA1UEBhMCQ04xEjAQBgNVBAoMCXJvbmV0aGluZzES
+MBAGA1UECwwJcm9uZXRoaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwQ/qyS53J8XdpM26LcFGdtTMzjfzPoNtw
+nSdfqrMi2iMZeMwDPRkHoeHE9lyHYPssDbFuLNJPLibcBCfd5SeELLlyG3GDP+W0
+inUs3kE0voXbH4LmSOCKLnzw0GfblINWMB7aqgpHPtRTcdWHcPo+KJA66ZbD5cNI
+w77aBxcsDJa40GunzxVOKtGQopypjrj6mkpauVzT9DwhylYvMR+VL12pjozGCvST
+NSgJfP7DX2UwHTMEBbxiTNQ7F8w4X5d2xuS2HepLy0/+uWo1e7jDGAWN27Alr176
+6n2os3WClL06U6mmlT7HE2TvunhiBNjWnWafENaeH9W5rmVNDCmLAgMBAAGgYDBe
+BgkqhkiG9w0BCQ4xUTBPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMDUGA1UdEQQu
+MCyCCWxvY2FsaG9zdIIOKi5yb25ldGhpbmcuY26CDyoucm9uZXRoaW5nLmNvbTAN
+BgkqhkiG9w0BAQsFAAOCAQEAS+OhS9i+Cjy4VM+gXknoaOWHqI73eSq/ODzUe4M4
+7lg314CPbWHTrSP0yw2NZ9s/Nw7l8It3DMaXgAioAXOTlcRnH0JOmWuj53nTHnHY
+DVgnP0JLIcOeAiGfCV9rU4FR/eegE/bpHa4K1zz1l1S+Pk8227SnhqtjXvSm+TZr
+LwvsxpuMRQcj0vKtatPMhI1KhucNAYh3Aps/Lx0sGB18UnL12gMp9s82LQ2urRtF
+WrVFVtMG9o+59fPNB7Lxf1efMCc3LUxR3AaYGUaZWqgFeXrFmKj+VTGCQFPEAQxn
+ZwSHi5NA0ikYfgb9LxHc7nbgehHUPv5ztIq/lMPSad6xtw==
+-----END CERTIFICATE REQUEST-----

configs/cert/client.key

+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwQ/qyS53J8Xdp
+M26LcFGdtTMzjfzPoNtwnSdfqrMi2iMZeMwDPRkHoeHE9lyHYPssDbFuLNJPLibc
+BCfd5SeELLlyG3GDP+W0inUs3kE0voXbH4LmSOCKLnzw0GfblINWMB7aqgpHPtRT
+cdWHcPo+KJA66ZbD5cNIw77aBxcsDJa40GunzxVOKtGQopypjrj6mkpauVzT9Dwh
+ylYvMR+VL12pjozGCvSTNSgJfP7DX2UwHTMEBbxiTNQ7F8w4X5d2xuS2HepLy0/+
+uWo1e7jDGAWN27Alr1766n2os3WClL06U6mmlT7HE2TvunhiBNjWnWafENaeH9W5
+rmVNDCmLAgMBAAECggEBAJLcUOh08EbtlRxl6djsAFRyQPLXfqhP0gYGKmQfCZok
+PdJfPzwDj/M4Aa/lxDpXp26RCiBN3/xw65etLrpGz6Hk0a4tB2rftjeylOaJV7Lm
+ewiTPLE6TztSeG78dUwSdUs+VLbDrkSmKKpN0idDDnzztxgev6sAqLDbxwxJlBjy
+EeERzCG4JCc4aZlFtz1oWgFGXr3lxxxXbfzdhY/M87IkenGNZges0iSRbcFsGq8z
+oVaFV9KkVZ6lxLCMXIIfen9E6g/nq01mnTXM+LHd9Laqj0q6wpULCi5X/v/igS5I
+1fsUT8V+s+LjpWMBu6Bd0uY2tr3Li4Fn46p+HvVe6cECgYEA3eqSfUowlEs3WLBl
+acfb6/Vo9GeRnJpmLeTdXAO3NeOX4qLISQFQEUopG2qOrXSo4t40o8xX0iMe6uIQ
+7BVFJgdE12kdx0cQGqFACIxAiM6VbeqfKt4i8EB1ld/8fXusdH71b/ZkudbQ8gUx
+S3HNsid7Y7qIgXlQ3zZel8+juakCgYEAy1Z8R6bnyF7W0D09SkVfpuMsMoFIi6ZP
+w+rrk/8E85S2Ag8LnbQtJICiMgBYWQSu5IoGMoBw6N0j9OhaSOsbNYZjwmC9UqWH
+8ZbPrAqt3q0B76i9f7+K75gIyXEhVQBtlKUw53wGd9dgUkq5o+YZxK4ABqji+r+2
+d1rj49PLkhMCgYANQpL2QZSdh9EKz59/rp2Jf+SBlh6xSNiKLX68nMw5wBu3QxrM
+ofNy1QeXx8o2ux3MUJK8pt0ohUi3qEJymOLE3vJSHMnWunxP2wrEd/zzL8TmCHry
+SMu1p2RfTD7+EIHBhESOKB7kq91YWM8VPvuXhZxt3RuDAQjADbOhRpr14QKBgGIy
+2D46SsGnm5JhoNHXgwQzvcp+SSy4GtmBAFgu1pNUBDomTfPRaeOxA6OmKwSCkHvq
+dGe7Q8wR0CWceM2yTSeiSVc8JPJe4rI3pP9vAN0DLGYzVaD2PgDLqaKvMeu9Ey6w
+QFfqu6zwpKHZWKHgpB0p8vVEZqm2IEav7FLAnBVlAoGBAI1KJJ0Z18lOQDqpZtH/
+tYYmCMlYLOkHOVJ5/Fi+UjLLwCk2yyXw3Tr5PqxNaI1va4wp5lt/VZqRZibFm9hW
+ecsBuCDVZFPcu5UUHNrwXxb3wwidjsjJso0PVxw7FI7d7rlTqRYm5dntjlxBHhtd
+IPkBc4ceeMp14AaItE9f1HE5
+-----END PRIVATE KEY-----

configs/cert/client.pem

+-----BEGIN CERTIFICATE-----
+MIIDizCCAnOgAwIBAgIUNCeQzjvQkinJwUgQ4quG0opHAL8wDQYJKoZIhvcNAQEL
+BQAwYzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdaMQswCQYDVQQHDAJHWjESMBAG
+A1UECgwJcm9uZXRoaW5nMRIwEAYDVQQLDAlyb25ldGhpbmcxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDAeFw0yMjA1MDEwODU3MzRaFw0zMjA0MjgwODU3MzRaMEkxCzAJBgNV
+BAYTAkNOMRIwEAYDVQQKDAlyb25ldGhpbmcxEjAQBgNVBAsMCXJvbmV0aGluZzES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAsEP6skudyfF3aTNui3BRnbUzM438z6DbcJ0nX6qzItojGXjMAz0ZB6HhxPZc
+h2D7LA2xbizSTy4m3AQn3eUnhCy5chtxgz/ltIp1LN5BNL6F2x+C5kjgii588NBn
+25SDVjAe2qoKRz7UU3HVh3D6PiiQOumWw+XDSMO+2gcXLAyWuNBrp88VTirRkKKc
+qY64+ppKWrlc0/Q8IcpWLzEflS9dqY6Mxgr0kzUoCXz+w19lMB0zBAW8YkzUOxfM
+OF+Xdsbkth3qS8tP/rlqNXu4wxgFjduwJa9e+up9qLN1gpS9OlOpppU+xxNk77p4
+YgTY1p1mnxDWnh/Vua5lTQwpiwIDAQABo1EwTzAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DA1BgNVHREELjAsgglsb2NhbGhvc3SCDioucm9uZXRoaW5nLmNugg8qLnJv
+bmV0aGluZy5jb20wDQYJKoZIhvcNAQELBQADggEBAHBmcrQBtOcY776CHfRnHkWG
+2JX595eY9cTEi+xB3n3q6Uo9GkGpGkg0T9U67dj68aB5ETm9+F8augS/5e2vbyJ/
+GfwtwbmJFkM4SVrSYpHLYQc72j6kG4oLauz8C3IZxirX4nAxGDEnHbpLrS2HIZ+l
+/G5YQeaYStxmleOD4CwrOOIUdRATMTaQgRu6pUJhuhC9Fm1v+ueg6b24RB9V+jvU
+FOFiR29PPRyyAm3UBEv4yyVSoW6RgD+5QpD/HTGbXumT1xASKDeLY7HBVU9FXxN+
+wojcbIyFkXNo3C+5P7zN7S1zJV6Fp4TeOJpIeQn8ARf7XFQYREVesf9QC7yHxPk=
+-----END CERTIFICATE-----

configs/cert/server.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIIC7jCCAdYCAQAwSTELMAkGA1UEBhMCQ04xEjAQBgNVBAoMCXJvbmV0aGluZzES
+MBAGA1UECwwJcm9uZXRoaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyI7d/ni5FxZxdMclJtjMIL2Kjx24XTHGc
+cgSR7uyZg4AWY0OweuL/3jTlQ23Nylqcx9pJyTVx/84zmPMdkPIO8rdaxKjq4e3G
+fDdPx/wXA2h6dFkY9Q/Hv61icY0BJyc+Qw6J1dl/ZgoTCf9VAP3/eeay/4JsD5ho
+ctyq8ZeftqoNvpSPolrwTo7uP0TStviM0LSTvomXz7dGQdlObjl82pfJSZcq1YzL
+U6BjE0jT1jTKjgaBMTwqpO2NP6+6D+dC/dHBY8/3fJz0IcdHlmifXSPQI1n8LJvZ
+mLRIGdrKiNbya0vwyTK9+kMWkmAo8LmbuSCC6FQ3X3eURQ81UuhjAgMBAAGgYDBe
+BgkqhkiG9w0BCQ4xUTBPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMDUGA1UdEQQu
+MCyCCWxvY2FsaG9zdIIOKi5yb25ldGhpbmcuY26CDyoucm9uZXRoaW5nLmNvbTAN
+BgkqhkiG9w0BAQsFAAOCAQEAVKT51H3hzO5PRvHxek2QrvfetuAowCRxbh4Zg0gJ
+fxDVrZshabNmycEQ/GZX+tT6KMgB9es2TfM6lk8JXkhRcaxnE9FT5aIBcQDqFoKo
+nOjdG62wG5vRomK/V2xLBJzjRQYcWkm+KPuOxaEZEFTrhEjRFi1X7MlqXwRyZueq
+YnOvisR2v4dbShbV5qd+jBgtcHVlsSApSQLYoplL/cje85a9DhkaLityYH1PCRhs
+Gx5LToV6Photjk3ujmJBaxIHlV1nVQmTfejka5cwh66Jm8JrW7oytvwFxosKFEmP
+frd+UIbTf9iIRvyUHdJB2bEDHv8g32AmlDsUspEXQ0L9hA==
+-----END CERTIFICATE REQUEST-----

configs/cert/server.key

+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCyI7d/ni5FxZxd
+MclJtjMIL2Kjx24XTHGccgSR7uyZg4AWY0OweuL/3jTlQ23Nylqcx9pJyTVx/84z
+mPMdkPIO8rdaxKjq4e3GfDdPx/wXA2h6dFkY9Q/Hv61icY0BJyc+Qw6J1dl/ZgoT
+Cf9VAP3/eeay/4JsD5hoctyq8ZeftqoNvpSPolrwTo7uP0TStviM0LSTvomXz7dG
+QdlObjl82pfJSZcq1YzLU6BjE0jT1jTKjgaBMTwqpO2NP6+6D+dC/dHBY8/3fJz0
+IcdHlmifXSPQI1n8LJvZmLRIGdrKiNbya0vwyTK9+kMWkmAo8LmbuSCC6FQ3X3eU
+RQ81UuhjAgMBAAECggEAeKD9EnswBGlTgDxFfRfXKNTFq/hRUY+fY3xGIfgz2aSV
+qRNg8/HTI8b59MIbaf58K6yd4ddRzLeXj5MkFkJf18V+agXACQYi+ISHBAx9ZawW
+JM4Cw4a3P+FJbN9Nx5kW1u+bubTJSp7zdX8QmyRH26dVlKK3U6uf3iLh0RQ2Q5zR
+CcZADOfrw7xMN/jydF36m0mVAuOnpRHGmfeSudZkhBRecpjgCQl4zCcsBKJFYpNc
+7oK9ecy68mFuzZ2sSlroI5WZLsAUdC66u92ZMf6jVVHojCNANtKhptTsJzg7npDF
+5WPCftFT4wFCywqzk2Zr0PoJ0tTQwtCT87DLjdOvCQKBgQDn3t1vCUVhdSgnhkEy
+0cBlWwvVnUMxI0lFzoQPllR17Uht7KpeZY/zfNHXpK4ZAZokJF1PEGLRHciXGG18
+Xbj7ATfH3jUjcCumZaoEj353Q8JGcFgYZ2voEQ4SS6NN+ntxZBqMBWbek9lykDfc
+0nw8WXFGciH1YKykwCvXpDEEhwKBgQDErW7MechCRpHgg6JWV19q4fR+cRByTLPs
+h0xId8f/zeN/CiIuI8eq9d5TvhOKF+ENdb4bsyGbaaOTHhbLWUxkfKASXXeUrKGw
+GjsR59QquFCVqPZ0U3oz6RWFWEQ1lqXVD1pU8feLSsneAQj4yJ6Lz36G2Zh2HGQ6
+qmZG5tnQRQKBgHgEMVWB1Pmm7IvYv/KQAyfzQmLlLZxHiWuqg0yWIU2Q7kaHk3+c
+zi/X0b3urXagD6rZb7q23o8i/WrH6BPRZyf072xypcqcCtvsD16g73LIDczr5Y1s
+KrxJ56CsqfB40GBW0i7btO1MVecoouGXyVpraWhvNwiNa48zMP5DLGQNAoGABP/r
+qyMFZjnpB24ROGSsNklcL8KsClvMzxx5YfY5jVUsjVQynj2mm7/4UOSqFn6Y6ACw
+PoAFQLAkyl6fcbfpazyHzS+3FH529cUU71WXXSamVcefzEE7AArS0zr1MO+Nc6ca
+QsKL6mySSSR5l+lxrlgt/TuW1pnOKneedfr0WokCgYAwQv9dKgUXx0kvjYjPKsYg
+Eb0pwfGBO4mN441fvRrSAwai/n52mrzFWrQC8uwX+4rCU2sSFkoxASMMgdjM+7y2
+5P6byf/PZqVqXBMH8xEFGHzllauJSQnXOl1rRRd43GPcMotHwdfm8lkuMpqjqplN
+1F9Xby2SJ9GH6R9ibB51UA==
+-----END PRIVATE KEY-----

configs/cert/server.pem

+-----BEGIN CERTIFICATE-----
+MIIDizCCAnOgAwIBAgIUNCeQzjvQkinJwUgQ4quG0opHAL4wDQYJKoZIhvcNAQEL
+BQAwYzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdaMQswCQYDVQQHDAJHWjESMBAG
+A1UECgwJcm9uZXRoaW5nMRIwEAYDVQQLDAlyb25ldGhpbmcxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDAeFw0yMjA1MDEwODU3MzRaFw0zMjA0MjgwODU3MzRaMEkxCzAJBgNV
+BAYTAkNOMRIwEAYDVQQKDAlyb25ldGhpbmcxEjAQBgNVBAsMCXJvbmV0aGluZzES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAsiO3f54uRcWcXTHJSbYzCC9io8duF0xxnHIEke7smYOAFmNDsHri/9405UNt
+zcpanMfaSck1cf/OM5jzHZDyDvK3WsSo6uHtxnw3T8f8FwNoenRZGPUPx7+tYnGN
+AScnPkMOidXZf2YKEwn/VQD9/3nmsv+CbA+YaHLcqvGXn7aqDb6Uj6Ja8E6O7j9E
+0rb4jNC0k76Jl8+3RkHZTm45fNqXyUmXKtWMy1OgYxNI09Y0yo4GgTE8KqTtjT+v
+ug/nQv3RwWPP93yc9CHHR5Zon10j0CNZ/Cyb2Zi0SBnayojW8mtL8MkyvfpDFpJg
+KPC5m7kgguhUN193lEUPNVLoYwIDAQABo1EwTzAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DA1BgNVHREELjAsgglsb2NhbGhvc3SCDioucm9uZXRoaW5nLmNugg8qLnJv
+bmV0aGluZy5jb20wDQYJKoZIhvcNAQELBQADggEBAG18ss3sNJjLXMv9Wm+dBvMQ
+ekGFunZ3unN641RxGpUWjbUj963woXx8eiL6lJFKiU52aXrFR4+6BZ0tbRsLz4e4
+pmCdOz4mClmNSk6mSSz7W8tnhz+h1jqUzp5whAh1Gj5QdauTzgcLFxBw3PWTt8tp
+4xGIuZwAWyB9MHXMkBtsdiP/oUEoVXYC2SA+o7dWr0d9w0K6BA00TZR+OHscfpGS
+k0aD1Cu8fxiccnY7jcBMz/2vVg3LzoeUqL7TZbpan/jzO5FAMVoi21UFwEQbBYMb
+yUbPei060JQ/u7H6CR9OCCHKsDvtpIfgpeAmjcuFSCF+Q3cHTAstHrlZWaOCNO4=
+-----END CERTIFICATE-----

configs/milvus.yaml

@@ -110,7 +110,7 @@ rootCoord:
 # Related configuration of proxy, used to validate client requests and reduce the returned results.
 proxy:
   port: 19530
-
+  internalPort: 19529
   http:
     enabled: true # Whether to enable the http server
     debug_mode: false # Whether to enable http server debug mode
@@ -234,6 +234,13 @@ grpc:
     keepAliveTime:    10000
     keepAliveTimeout: 3000
 
+# Configure the proxy tls enable.
+tls:
+  serverPemPath: configs/cert/server.pem
+  serverKeyPath: configs/cert/server.key
+  caPemPath: configs/cert/ca.pem
+
+
 common:
   # Channel name generation rule: ${namePrefix}-${ChannelIdx}
   chanNamePrefix:
@@ -277,3 +284,4 @@ common:
 
   security:
     authorizationEnabled: false
+    tlsEnabled: false

internal/distributed/proxy/service.go

@@ -18,14 +18,19 @@ package grpcproxy
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"strconv"
 	"sync"
 	"time"
 
+	"google.golang.org/grpc/credentials"
+
 	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
 
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
@@ -72,11 +77,12 @@ var (
 
 // Server is the Proxy Server
 type Server struct {
-	ctx        context.Context
-	wg         sync.WaitGroup
-	proxy      types.ProxyComponent
-	grpcServer *grpc.Server
-	httpServer *http.Server
+	ctx                context.Context
+	wg                 sync.WaitGroup
+	proxy              types.ProxyComponent
+	grpcInternalServer *grpc.Server
+	grpcExternalServer *grpc.Server
+	httpServer         *http.Server
 	// avoid race
 	httpServerMtx sync.Mutex
 
@@ -139,9 +145,14 @@ func (s *Server) startHTTPServer(port int) {
 	}
 }
 
-func (s *Server) startGrpcLoop(grpcPort int) {
-	defer s.wg.Done()
+func (s *Server) startRPCServer(grpcPort, grpcInternalPort int) {
+	s.wg.Add(2)
+	go s.startInternalGrpc(grpcInternalPort)
+	go s.startExternalGrpc(grpcPort)
+}
 
+func (s *Server) startExternalGrpc(grpcPort int) {
+	defer s.wg.Done()
 	var kaep = keepalive.EnforcementPolicy{
 		MinTime:             5 * time.Second, // If a client pings more than once every 5 seconds, terminate the connection
 		PermitWithoutStream: true,            // Allow pings even when there are no active streams
@@ -163,9 +174,8 @@ func (s *Server) startGrpcLoop(grpcPort int) {
 
 	ctx, cancel := context.WithCancel(s.ctx)
 	defer cancel()
-
 	opts := trace.GetInterceptorOpts()
-	s.grpcServer = grpc.NewServer(
+	grpcOpts := []grpc.ServerOption{
 		grpc.KeepaliveEnforcementPolicy(kaep),
 		grpc.KeepaliveParams(kasp),
 		grpc.MaxRecvMsgSize(Params.ServerMaxRecvSize),
@@ -176,12 +186,39 @@ func (s *Server) startGrpcLoop(grpcPort int) {
 		)),
 		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(
 			ot.StreamServerInterceptor(opts...),
-			grpc_auth.StreamServerInterceptor(proxy.AuthenticationInterceptor),
-		)),
-	)
-	proxypb.RegisterProxyServer(s.grpcServer, s)
-	milvuspb.RegisterMilvusServiceServer(s.grpcServer, s)
-	grpc_health_v1.RegisterHealthServer(s.grpcServer, s)
+			grpc_auth.StreamServerInterceptor(proxy.AuthenticationInterceptor))),
+	}
+
+	if Params.TLSEnabled {
+		cert, err := tls.LoadX509KeyPair(Params.ServerPemPath, Params.ServerKeyPath)
+		if err != nil {
+			log.Warn("proxy cant load x509 key pair", zap.Error(err))
+			panic(err)
+		}
+
+		certPool := x509.NewCertPool()
+		rootBuf, err := ioutil.ReadFile(Params.CaPemPath)
+		if err != nil {
+			log.Warn("failed read ca pem", zap.Error(err))
+			panic(err)
+		}
+		if !certPool.AppendCertsFromPEM(rootBuf) {
+			log.Warn("fail to append ca to cert")
+			panic("fail to append ca to cert")
+		}
+
+		tlsConf := &tls.Config{
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+			Certificates: []tls.Certificate{cert},
+			ClientCAs:    certPool,
+			MinVersion:   tls.VersionTLS13,
+		}
+		grpcOpts = append(grpcOpts, grpc.Creds(credentials.NewTLS(tlsConf)))
+	}
+	s.grpcExternalServer = grpc.NewServer(grpcOpts...)
+	proxypb.RegisterProxyServer(s.grpcExternalServer, s)
+	milvuspb.RegisterMilvusServiceServer(s.grpcExternalServer, s)
+	grpc_health_v1.RegisterHealthServer(s.grpcExternalServer, s)
 	log.Debug("create Proxy grpc server",
 		zap.Any("enforcement policy", kaep),
 		zap.Any("server parameters", kasp))
@@ -190,12 +227,68 @@ func (s *Server) startGrpcLoop(grpcPort int) {
 	go funcutil.CheckGrpcReady(ctx, s.grpcErrChan)
 
 	log.Debug("Proxy grpc server has been ready, serve grpc requests on listen")
-	if err := s.grpcServer.Serve(lis); err != nil {
+	if err := s.grpcExternalServer.Serve(lis); err != nil {
 		log.Warn("failed to serve on Proxy's listener", zap.Error(err))
 		s.grpcErrChan <- err
 	}
 }
 
+func (s *Server) startInternalGrpc(grpcPort int) {
+	defer s.wg.Done()
+	var kaep = keepalive.EnforcementPolicy{
+		MinTime:             5 * time.Second, // If a client pings more than once every 5 seconds, terminate the connection
+		PermitWithoutStream: true,            // Allow pings even when there are no active streams
+	}
+
+	var kasp = keepalive.ServerParameters{
+		Time:    60 * time.Second, // Ping the client if it is idle for 60 seconds to ensure the connection is still active
+		Timeout: 10 * time.Second, // Wait 10 second for the ping ack before assuming the connection is dead
+	}
+
+	log.Debug("Proxy internal server listen on tcp", zap.Int("port", grpcPort))
+	lis, err := net.Listen("tcp", ":"+strconv.Itoa(grpcPort))
+	if err != nil {
+		log.Warn("Proxy internal server failed to listen on", zap.Error(err), zap.Int("port", grpcPort))
+		s.grpcErrChan <- err
+		return
+	}
+	log.Debug("Proxy internal server already listen on tcp", zap.Int("port", grpcPort))
+
+	ctx, cancel := context.WithCancel(s.ctx)
+	defer cancel()
+
+	opts := trace.GetInterceptorOpts()
+	s.grpcInternalServer = grpc.NewServer(
+		grpc.KeepaliveEnforcementPolicy(kaep),
+		grpc.KeepaliveParams(kasp),
+		grpc.MaxRecvMsgSize(Params.ServerMaxRecvSize),
+		grpc.MaxSendMsgSize(Params.ServerMaxSendSize),
+		grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(
+			ot.UnaryServerInterceptor(opts...),
+			grpc_auth.UnaryServerInterceptor(proxy.AuthenticationInterceptor),
+		)),
+		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(
+			ot.StreamServerInterceptor(opts...),
+			grpc_auth.StreamServerInterceptor(proxy.AuthenticationInterceptor),
+		)),
+	)
+	proxypb.RegisterProxyServer(s.grpcInternalServer, s)
+	milvuspb.RegisterMilvusServiceServer(s.grpcInternalServer, s)
+	grpc_health_v1.RegisterHealthServer(s.grpcInternalServer, s)
+	log.Debug("create Proxy internal grpc server",
+		zap.Any("enforcement policy", kaep),
+		zap.Any("server parameters", kasp))
+
+	log.Debug("waiting for Proxy internal grpc server to be ready")
+	go funcutil.CheckGrpcReady(ctx, s.grpcErrChan)
+
+	log.Debug("Proxy internal grpc server has been ready, serve grpc requests on listen")
+	if err := s.grpcInternalServer.Serve(lis); err != nil {
+		log.Warn("failed to internal serve on Proxy's listener", zap.Error(err))
+		s.grpcErrChan <- err
+	}
+}
+
 // Start start the Proxy Server
 func (s *Server) Run() error {
 	log.Debug("init Proxy server")
@@ -227,8 +320,8 @@ func (s *Server) init() error {
 	}
 
 	proxy.Params.InitOnce()
-	proxy.Params.ProxyCfg.NetworkAddress = Params.GetAddress()
-	log.Debug("init Proxy's parameter table done", zap.String("address", Params.GetAddress()))
+	proxy.Params.ProxyCfg.NetworkAddress = Params.GetInternalAddress()
+	log.Debug("init Proxy's parameter table done", zap.String("internal address", Params.GetInternalAddress()), zap.String("external address", Params.GetAddress()))
 
 	serviceName := fmt.Sprintf("Proxy ip: %s, port: %d", Params.IP, Params.Port)
 	closer := trace.InitTracing(serviceName)
@@ -242,8 +335,7 @@ func (s *Server) init() error {
 	}
 	s.etcdCli = etcdCli
 	s.proxy.SetEtcdClient(s.etcdCli)
-	s.wg.Add(1)
-	go s.startGrpcLoop(Params.Port)
+	s.startRPCServer(Params.Port, Params.InternalPort)
 	log.Debug("waiting for grpc server of Proxy to be started")
 	if err := <-s.grpcErrChan; err != nil {
 		log.Warn("failed to start Proxy's grpc server", zap.Error(err))
@@ -403,7 +495,7 @@ func (s *Server) start() error {
 
 // Stop stop the Proxy Server
 func (s *Server) Stop() error {
-	log.Debug("Proxy stop", zap.String("Address", Params.GetAddress()))
+	log.Debug("Proxy stop", zap.String("internal address", Params.GetInternalAddress()), zap.String("external address", Params.GetInternalAddress()))
 	var err error
 	if s.closer != nil {
 		if err = s.closer.Close(); err != nil {
@@ -426,23 +518,28 @@ func (s *Server) Stop() error {
 			s.httpServer.Shutdown(context.TODO())
 		}
 	}()
+
 	gracefulWg.Add(1)
 	go func() {
 		defer gracefulWg.Done()
-		if s.grpcServer != nil {
-			log.Debug("Graceful stop grpc server...")
-			s.grpcServer.GracefulStop()
+		if s.grpcInternalServer != nil {
+			log.Debug("Graceful stop grpc internal server...")
+			s.grpcInternalServer.GracefulStop()
+		}
+		if s.grpcExternalServer != nil {
+			log.Debug("Graceful stop grpc external server...")
+			s.grpcExternalServer.GracefulStop()
 		}
 	}()
 	gracefulWg.Wait()
 
+	s.wg.Wait()
+
 	err = s.proxy.Stop()
 	if err != nil {
 		return err
 	}
 
-	s.wg.Wait()
-
 	return nil
 }
 

internal/distributed/proxy/service_test.go

@@ -1199,3 +1199,26 @@ func Test_NewServer_HTTPServerDisabled(t *testing.T) {
 	err = server.Stop()
 	assert.Nil(t, err)
 }
+func Test_NewServer_TLS(t *testing.T) {
+	ctx := context.Background()
+	server, err := NewServer(ctx, nil)
+	assert.NotNil(t, server)
+	assert.Nil(t, err)
+
+	server.proxy = &MockProxy{}
+	server.rootCoordClient = &MockRootCoord{}
+	server.indexCoordClient = &MockIndexCoord{}
+	server.queryCoordClient = &MockQueryCoord{}
+	server.dataCoordClient = &MockDataCoord{}
+
+	Params.TLSEnabled = true
+	Params.ServerPemPath = "../../../configs/cert/server.pem"
+	Params.ServerKeyPath = "../../../configs/cert/server.key"
+	Params.CaPemPath = "../../../configs/cert/ca.pem"
+
+	err = server.Run()
+	assert.Nil(t, err)
+	assert.Nil(t, server.httpServer)
+	err = server.Stop()
+	assert.Nil(t, err)
+}

internal/util/paramtable/grpc_param.go

@@ -42,6 +42,9 @@ const (
 	DefaultDialTimeout      = 5000 * time.Millisecond
 	DefaultKeepAliveTime    = 10000 * time.Millisecond
 	DefaultKeepAliveTimeout = 3000 * time.Millisecond
+
+	ProxyInternalPort = 19529
+	ProxyExternalPort = 19530
 )
 
 ///////////////////////////////////////////////////////////////////////////////
@@ -49,10 +52,15 @@ const (
 type grpcConfig struct {
 	ServiceParam
 
-	once   sync.Once
-	Domain string
-	IP     string
-	Port   int
+	once          sync.Once
+	Domain        string
+	IP            string
+	TLSEnabled    bool
+	Port          int
+	InternalPort  int
+	ServerPemPath string
+	ServerKeyPath string
+	CaPemPath     string
 }
 
 func (p *grpcConfig) init(domain string) {
@@ -62,6 +70,7 @@ func (p *grpcConfig) init(domain string) {
 	p.LoadFromEnv()
 	p.LoadFromArgs()
 	p.initPort()
+	p.initTLSPath()
 }
 
 // LoadFromEnv is used to initialize configuration items from env.
@@ -75,7 +84,15 @@ func (p *grpcConfig) LoadFromArgs() {
 }
 
 func (p *grpcConfig) initPort() {
-	p.Port = p.ParseInt(p.Domain + ".port")
+	p.Port = p.ParseIntWithDefault(p.Domain+".port", ProxyExternalPort)
+	p.InternalPort = p.ParseIntWithDefault(p.Domain+".internalPort", ProxyInternalPort)
+}
+
+func (p *grpcConfig) initTLSPath() {
+	p.TLSEnabled = p.ParseBool("common.security.tlsEnabled", false)
+	p.ServerPemPath = p.Get("tls.serverPemPath")
+	p.ServerKeyPath = p.Get("tls.serverKeyPath")
+	p.CaPemPath = p.Get("tls.caPemPath")
 }
 
 // GetAddress return grpc address
@@ -83,6 +100,10 @@ func (p *grpcConfig) GetAddress() string {
 	return p.IP + ":" + strconv.Itoa(p.Port)
 }
 
+func (p *grpcConfig) GetInternalAddress() string {
+	return p.IP + ":" + strconv.Itoa(p.InternalPort)
+}
+
 // GrpcServerConfig is configuration for grpc server.
 type GrpcServerConfig struct {
 	grpcConfig