author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-03-09 16:15:33 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-03-09 16:15:33 +0100 |
commit | ce7bc88040b656b8e23c30a0413d01bff5872a54 (patch) | |
tree | 0e983c8d16bfc4817005ed0ca995f942974d99e0 | |
parent | e15ef1f1b26ba0c7c844f2f0835416165bf5703d (diff) |
Wire in feature flag for enabling proxy protocol in 4443 hosted connector
5 files changed, 35 insertions, 11 deletions
diff --git a/config-model-api/abi-spec.json b/config-model-api/abi-spec.json
index cb979722a77..8556fd4a40b 100644
--- a/config-model-api/abi-spec.json
+++ b/config-model-api/abi-spec.json
@@ -881,7 +881,8 @@
 "public abstract double defaultTermwiseLimit()",
 "public abstract boolean useBucketSpaceMetric()",
 "public boolean useNewAthenzFilter()",
- "public boolean usePhraseSegmenting()"
+ "public boolean usePhraseSegmenting()",
+ "public java.lang.String proxyProtocol()"
 ],
 "fields": []
 },
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
index 9aad6361b9a..87068182025 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
@@ -61,6 +61,7 @@ public interface ModelContext {
 boolean useBucketSpaceMetric();
 default boolean useNewAthenzFilter() { return false; }
 default boolean usePhraseSegmenting() { return false; }
+ default String proxyProtocol() { return "https-only"; }
 }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 0ad9bd9e883..f61618c789b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
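Review bot: The new default method `proxyProtocol()` in ModelContext returns the literal `"https-only"`, but the interface says nothing about which other values an implementation may return, so the contract lives only in the `switch` inside `HostedSslConnectorFactory.configureProxyProtocol()` in a different module. Add a Javadoc on the default method naming the accepted settings, e.g. `/** Proxy-protocol mode of the hosted 4443 connector: "https-only", "https+proxy-protocol" or "proxy-protocol-only". */`, so that a ModelContext implementor does not have to read config-model to find them. The abi-spec.json hunk is generated from this signature and needs nothing.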
@@ -20,13 +20,14 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";
 private final boolean enforceClientAuth;
+ private final String proxyProtocol;
 /**
 * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore.
 */
 // TODO Enforce client authentication
- public static HostedSslConnectorFactory withProvidedCertificate(String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
- return new HostedSslConnectorFactory(
+ public static HostedSslConnectorFactory withProvidedCertificate(String proxyProtocol, String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
+ return new HostedSslConnectorFactory(proxyProtocol,
 createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false);
 }
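Review bot: `withProvidedCertificate(String proxyProtocol, String serverName, …)` now has two adjacent `String` parameters, and the same shape appears in `withProvidedCertificateAndTruststore` and `withDefaultCertificateAndTruststore` in the next hunk, so a transposed argument at a call site compiles and is only caught when the value reaches the `switch` in `configureProxyProtocol()`. Since the accepted values are a closed set of three literals, parsing the flag once into a small enum (a constructed name: `ProxyProtocolMode { HTTPS_ONLY, HTTPS_AND_PROXY_PROTOCOL, PROXY_PROTOCOL_ONLY }`) and passing that through the factories would make the signatures self-describing and move validation to the point where the flag is read. The enclosing class continues outside this hunk.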
@@ -34,20 +35,21 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
 */
 public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
- String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
- return new HostedSslConnectorFactory(
+ String proxyProtocol, String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
+ return new HostedSslConnectorFactory(proxyProtocol,
 createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true);
 }
 /**
 * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
 */
- public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
- return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+ public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String proxyProtocol, String serverName) {
+ return new HostedSslConnectorFactory(proxyProtocol, new DefaultSslProvider(serverName), true);
 }
- private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+ private HostedSslConnectorFactory(String proxyProtocol, SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
 super("tls4443", 4443, sslProviderComponent);
+ this.proxyProtocol = proxyProtocol;
 this.enforceClientAuth = enforceClientAuth;
 }
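Review bot: The new private constructor stores `proxyProtocol` unchecked, so a `null` (a flag source that yields no value, or a ModelContext implementation overriding the default with `null` — I cannot see either from here) only surfaces later as a NullPointerException from `switch (proxyProtocol)` in `configureProxyProtocol()`, not as the descriptive IllegalArgumentException that method intends. Validate at construction: `this.proxyProtocol = Objects.requireNonNull(proxyProtocol, "proxyProtocol");` (requires `java.util.Objects` if the file does not already import it), or better, evaluate the switch eagerly in the constructor so an unknown setting fails when the factory is created rather than when the config is built. The class continues outside this hunk.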
@@ -68,6 +70,21 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
 .pathWhitelist(INSECURE_WHITELISTED_PATHS)
 .enable(enforceClientAuth));
+ connectorBuilder.proxyProtocol(configureProxyProtocol());
+ }
+
+ private ConnectorConfig.ProxyProtocol.Builder configureProxyProtocol() {
+ ConnectorConfig.ProxyProtocol.Builder proxyProtocolBuilder = new ConnectorConfig.ProxyProtocol.Builder();
+ switch (proxyProtocol) {
+ case "https-only":
+ return proxyProtocolBuilder.enabled(false).mixedMode(false);
+ case "https+proxy-protocol":
+ return proxyProtocolBuilder.enabled(true).mixedMode(true);
+ case "proxy-protocol-only":
+ return proxyProtocolBuilder.enabled(true).mixedMode(false);
+ default:
+ throw new IllegalArgumentException("Unknown proxy-protocol settings: " + proxyProtocol);
+ }
 }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 747f8801137..c840a8b93cd 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -326,6 +326,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 JettyHttpServer server = cluster.getHttp().getHttpServer();
 String serverName = server.getComponentId().getName();
+ String proxyProtocol = deployState.getProperties().proxyProtocol();
 // If the deployment contains certificate/private key reference, setup TLS port
 if (deployState.endpointCertificateSecrets().isPresent()) {
 boolean authorizeClient = deployState.zone().system().isPublic();
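Review bot: `configureProxyProtocol()` is the point where the 4443 connector starts honouring PROXY-protocol framing, yet nothing in the code records the precondition that makes that safe: once `enabled(true)` is set, the connection's reported client address is presumably taken from the PROXY header, which is only trustworthy when the port is reachable solely from the load balancer that writes that header — otherwise the address the container logs and authorizes on is whatever the peer chose to send. `mixedMode(true)` (the `"https+proxy-protocol"` case) additionally keeps accepting connections that carry no header, which reads like a transitional setting for rollout rather than a steady state. A short Javadoc on the method stating both points, e.g. `/** Maps the proxy-protocol flag to connector config. Enabling it is only safe when 4443 is reachable exclusively through the load balancer; mixed mode is for the transition period. */`, would stop a future reader from enabling it on a directly reachable port. The method is new, but the class it belongs to starts outside this hunk.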
@@ -334,11 +335,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 }
 EndpointCertificateSecrets endpointCertificateSecrets = deployState.endpointCertificateSecrets().get();
 HostedSslConnectorFactory connectorFactory = authorizeClient
- ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
- : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets);
+ ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(proxyProtocol, serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
+ : HostedSslConnectorFactory.withProvidedCertificate(proxyProtocol, serverName, endpointCertificateSecrets);
 server.addConnector(connectorFactory);
 } else {
- server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
+ server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(proxyProtocol, serverName));
 }
 }
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index a15b570a55d..03821c8a85d 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -136,6 +136,7 @@ public class ModelContextImpl implements ModelContext {
 private final boolean useBucketSpaceMetric;
 private final boolean useNewAthenzFilter;
 private final boolean usePhraseSegmenting;
+ private final String proxyProtocol;
 public Properties(ApplicationId applicationId,
 boolean multitenantFromConfig,
@@ -172,6 +173,7 @@ public class ModelContextImpl implements ModelContext {
 .with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
 this.usePhraseSegmenting = Flags.PHRASE_SEGMENTING.bindTo(flagSource)
 .with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
+ this.proxyProtocol = Flags.PROXY_PROTOCOL.bindTo(flagSource).value();
 }
 @Override
@@ -232,6 +234,8 @@ public class ModelContextImpl implements ModelContext {
 @Override
 public boolean usePhraseSegmenting() { return usePhraseSegmenting; }
+ @Override
+ public String proxyProtocol() { return proxyProtocol; }
 }
 }
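Review bot: `Flags.PROXY_PROTOCOL.bindTo(flagSource).value()` is bound without the `FetchVector.Dimension.APPLICATION_ID` dimension that the neighbouring `PHRASE_SEGMENTING` binding and the line above it use, so the setting cannot be rolled out or rolled back per application. If that is deliberate — the connector config is per zone and a per-application value may make no sense — say so in place so nobody "fixes" it later: `// Zone-wide setting: intentionally not bound to APPLICATION_ID`; if it is not, append `.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm())` as on the lines above. The `Flags.PROXY_PROTOCOL` definition is not among the five files in this commit, so its default and documented values cannot be checked from here; the `Properties` constructor starts outside this hunk.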