Open sourcing Sōzu connectors

Clever Cloud is today the main developer of Sōzu, a Reverse Proxy that was developed at Clever Cloud, in Rust, to meet the needs of our infrastructure for performance and hot reloading. Sōzu is used throughout Clever Cloud, paired with HAProxy, to route traffic to our customers' applications.

What we used to do:

Up until now, Clever Cloud managed its Reverse Proxy Sōzu with a closed source program that ran on the same machine and assumed two big responsibilities:

  • Firstly, listen to a RabbitMQ topic and redirect requests to Sōzu (via its UNIX socket)
  • Secondly, watch over a PKI directory (Public Key Infrastructure) to redirect TLS certificates to Sōzu (via its UNIX socket)

Turning open source

While working on a new Prometheus connector for Sōzu, we realized we could open source it. With this realization came the idea of porting the logic of the former Sōzu manager (described above) from its closed source state into new open source repositories.
What we ultimately aim to develop is an entirely open-source ecosystem around our Reverse Proxy Sōzu.
This blog post details what these new open source components are, and summarizes what they do.

Our open-source ecosystem around Sōzu

Sōzu Prometheus connector

Prometheus is a monitoring and alerting software suite.
This simple connector operates alongside Sōzu. It waits for HTTP requests on the /metrics route, queries Sōzu for its metrics, formats the metrics to be Prometheus-compatible, and sends them in the HTTP response.
This means that Prometheus metrics are readily available on the IP address of a Sōzu machine.

Sōzu Pulsar connector

Apache Pulsar is a highly scalable messaging platform. We use it extensively at Clever Cloud because of its distributed aspect and cutting-edge throughput performance.
The Sōzu Pulsar connector subscribes to a Pulsar topic and transmits messages to Sōzu. Sōzu uses these messages to perform hot reloading on the proxy, which is a key feature of our Reverse Proxy.
What it means for us and anyone using the Sōzu ecosystem: this connector enables updating traffic redirection in real time.

Sōzu PKI connector

PKI stands for Public Key Infrastructure, an omnipresent security framework on the Internet, typically used for securing connections with HTTPS (among other things). In the PKI framework, Sōzu functions as a TLS endpoint: it decrypts HTTPS traffic into HTTP traffic.
The Sōzu PKI connector runs alongside Sōzu, watches over a given directory in the file system, reads TLS certificates that were put there by either human or machine, and transmits them to Sōzu.
What this ultimately means: write a TLS certificate on the machine, and Sōzu will have it.
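Because anything written to the watched directory ends up on the TLS endpoint, that directory is a trust boundary. The following is an added example, not code from the Sōzu PKI connector: it shows checks a watcher could run on a file before forwarding it. The function names, the permission policy and the sample file are assumptions made for illustration.

```rust
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum PemKind { Certificate, PrivateKey }

/// Classify PEM text; every BEGIN line needs its matching END line.
pub fn pem_kind(text: &str) -> Option<PemKind> {
    let labels = |tag: &str| -> Vec<String> {
        text.lines()
            .filter_map(|l| l.trim().strip_prefix(tag)?.strip_suffix("-----"))
            .map(str::to_owned).collect()
    };
    let (begin, end) = (labels("-----BEGIN "), labels("-----END "));
    if begin.is_empty() || begin != end {
        return None; // empty, truncated, or still being written
    }
    if begin.iter().any(|l| l.ends_with("PRIVATE KEY")) {
        Some(PemKind::PrivateKey) // any key material makes this a key file
    } else if begin.iter().all(|l| l == "CERTIFICATE") {
        Some(PemKind::Certificate)
    } else { None }
}

/// Vet one file from the watched directory before forwarding it (hypothetical helper).
pub fn vet_pki_file(path: &Path) -> Result<PemKind, String> {
    let meta = fs::symlink_metadata(path).map_err(|e| e.to_string())?; // does not follow symlinks
    if !meta.file_type().is_file() {
        return Err("not a regular file".into());
    }
    let mode = meta.permissions().mode() & 0o777;
    if (mode & 0o022) != 0 {
        return Err(format!("writable by group or others ({mode:o})"));
    }
    let text = fs::read_to_string(path).map_err(|e| e.to_string())?;
    let kind = pem_kind(&text).ok_or("no complete PEM block")?;
    if kind == PemKind::PrivateKey && (mode & 0o077) != 0 {
        return Err(format!("private key readable beyond owner ({mode:o})"));
    }
    Ok(kind)
}

fn main() {
    // Constructed sample: PEM framing only, not a real certificate.
    let p = std::env::temp_dir().join("sozu-pki-demo.pem");
    fs::write(&p, "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n").unwrap();
    fs::set_permissions(&p, fs::Permissions::from_mode(0o644)).unwrap();
    println!("{:?}", vet_pki_file(&p));
}
```

The metadata check and the read are separate system calls, so the directory itself should also be writable only by the account that is allowed to publish certificates.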

Sōzu client

This is a code library used by all of the connectors above. It pools connections to Sōzu’s UNIX socket and functions entirely asynchronously. All in all, it makes writing new connectors easier.

What’s next
What we wish for most is for the open-source community to join us in using and improving Sōzu as it goes. Our end-game is to build a web UI to manage a Sōzu instance in the browser.

