authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-03-09 16:15:33 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-03-09 16:15:33 +0100
commitce7bc88040b656b8e23c30a0413d01bff5872a54 (patch)
tree0e983c8d16bfc4817005ed0ca995f942974d99e0
parente15ef1f1b26ba0c7c844f2f0835416165bf5703d (diff)
Wire in feature flag for enabling proxy protocol in 4443 hosted connector
-rw-r--r--config-model-api/abi-spec.json3
-rw-r--r--config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java1
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java31
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java7
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java4
5 files changed, 35 insertions, 11 deletions
diff --git a/config-model-api/abi-spec.json b/config-model-api/abi-spec.json
index cb979722a77..8556fd4a40b 100644
--- a/config-model-api/abi-spec.json
+++ b/config-model-api/abi-spec.json
@@ -881,7 +881,8 @@
"public abstract double defaultTermwiseLimit()",
"public abstract boolean useBucketSpaceMetric()",
"public boolean useNewAthenzFilter()",
- "public boolean usePhraseSegmenting()"
+ "public boolean usePhraseSegmenting()",
+ "public java.lang.String proxyProtocol()"
],
"fields": []
},
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
index 9aad6361b9a..87068182025 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
@@ -61,6 +61,7 @@ public interface ModelContext {
boolean useBucketSpaceMetric();
default boolean useNewAthenzFilter() { return false; }
default boolean usePhraseSegmenting() { return false; }
+ default String proxyProtocol() { return "https-only"; }
}
}
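Review bot: The new `proxyProtocol()` default carries no Javadoc stating which values are accepted, even though the value is later matched against a closed set of string constants in HostedSslConnectorFactory and an unrecognized value throws at model-build time. A doc comment on the default method would keep that contract visible at the API boundary, e.g. `/** Proxy-protocol mode of the hosted 4443 connector: "https-only" (default, PROXY headers not accepted), "https+proxy-protocol" (both accepted) or "proxy-protocol-only". */`. A string-typed setting is also easy to misspell at a call site; an enum in the api module would let the compiler check it, at the cost of a further abi-spec change.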
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 0ad9bd9e883..f61618c789b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -20,13 +20,14 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";
private final boolean enforceClientAuth;
+ private final String proxyProtocol;
/**
* Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore.
*/
// TODO Enforce client authentication
- public static HostedSslConnectorFactory withProvidedCertificate(String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
- return new HostedSslConnectorFactory(
+ public static HostedSslConnectorFactory withProvidedCertificate(String proxyProtocol, String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
+ return new HostedSslConnectorFactory(proxyProtocol,
createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false);
}
@@ -34,20 +35,21 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
* Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
*/
public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
- String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
- return new HostedSslConnectorFactory(
+ String proxyProtocol, String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
+ return new HostedSslConnectorFactory(proxyProtocol,
createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true);
}
/**
* Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
*/
- public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
- return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+ public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String proxyProtocol, String serverName) {
+ return new HostedSslConnectorFactory(proxyProtocol, new DefaultSslProvider(serverName), true);
}
- private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+ private HostedSslConnectorFactory(String proxyProtocol, SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
super("tls4443", 4443, sslProviderComponent);
+ this.proxyProtocol = proxyProtocol;
this.enforceClientAuth = enforceClientAuth;
}
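Review bot: The private constructor stores `proxyProtocol` without validating it, so a null or unrecognized flag value is only rejected later in `configureProxyProtocol()`, and a null value would surface there as a NullPointerException from the string switch rather than the intended IllegalArgumentException. Failing fast in the constructor keeps all three factory methods honest: `this.proxyProtocol = java.util.Objects.requireNonNull(proxyProtocol, "proxyProtocol");`, or run the same switch-based validation there so a bad value is reported when the factory is created rather than when config is built. The `withProvidedCertificate` factory in the previous hunk takes the same unvalidated parameter and is covered by this one change.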
@@ -68,6 +70,21 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
connectorBuilder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
.pathWhitelist(INSECURE_WHITELISTED_PATHS)
.enable(enforceClientAuth));
+ connectorBuilder.proxyProtocol(configureProxyProtocol());
+ }
+
+ private ConnectorConfig.ProxyProtocol.Builder configureProxyProtocol() {
+ ConnectorConfig.ProxyProtocol.Builder proxyProtocolBuilder = new ConnectorConfig.ProxyProtocol.Builder();
+ switch (proxyProtocol) {
+ case "https-only":
+ return proxyProtocolBuilder.enabled(false).mixedMode(false);
+ case "https+proxy-protocol":
+ return proxyProtocolBuilder.enabled(true).mixedMode(true);
+ case "proxy-protocol-only":
+ return proxyProtocolBuilder.enabled(true).mixedMode(false);
+ default:
+ throw new IllegalArgumentException("Unknown proxy-protocol settings: " + proxyProtocol);
+ }
}
}
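Review bot: `configureProxyProtocol()` turns on PROXY header handling for the "https+proxy-protocol" and "proxy-protocol-only" modes, but the class does not record the trust assumption that comes with it: once the connector honours PROXY headers, the client address the application sees is whatever the connecting peer puts in the header, which is only meaningful if port 4443 is reachable solely through the load balancer that adds it. Whether the connector restricts which peers may send the header is not visible on this page, so a comment on the method should state the assumption rather than leave it implicit, e.g. `// Modes other than "https-only" trust the PROXY header; this assumes 4443 is only reachable via the hosted load balancer — TODO confirm.` It is also worth noting in the same comment that mixed mode accepts both plain TLS and PROXY-prefixed connections, i.e. it is a migration state rather than a hardened end state. The method that the first added line belongs to (the one configuring `connectorBuilder`) starts outside this hunk.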
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 747f8801137..c840a8b93cd 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -326,6 +326,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
JettyHttpServer server = cluster.getHttp().getHttpServer();
String serverName = server.getComponentId().getName();
+ String proxyProtocol = deployState.getProperties().proxyProtocol();
// If the deployment contains certificate/private key reference, setup TLS port
if (deployState.endpointCertificateSecrets().isPresent()) {
boolean authorizeClient = deployState.zone().system().isPublic();
@@ -334,11 +335,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
}
EndpointCertificateSecrets endpointCertificateSecrets = deployState.endpointCertificateSecrets().get();
HostedSslConnectorFactory connectorFactory = authorizeClient
- ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
- : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets);
+ ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(proxyProtocol, serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
+ : HostedSslConnectorFactory.withProvidedCertificate(proxyProtocol, serverName, endpointCertificateSecrets);
server.addConnector(connectorFactory);
} else {
- server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
+ server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(proxyProtocol, serverName));
}
}
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index a15b570a55d..03821c8a85d 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -136,6 +136,7 @@ public class ModelContextImpl implements ModelContext {
private final boolean useBucketSpaceMetric;
private final boolean useNewAthenzFilter;
private final boolean usePhraseSegmenting;
+ private final String proxyProtocol;
public Properties(ApplicationId applicationId,
boolean multitenantFromConfig,
@@ -172,6 +173,7 @@ public class ModelContextImpl implements ModelContext {
.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
this.usePhraseSegmenting = Flags.PHRASE_SEGMENTING.bindTo(flagSource)
.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm()).value();
+ this.proxyProtocol = Flags.PROXY_PROTOCOL.bindTo(flagSource).value();
}
@Override
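Review bot: `Flags.PROXY_PROTOCOL` is bound without the `APPLICATION_ID` dimension that the neighbouring `PHRASE_SEGMENTING` binding (and the one above it) uses, so the mode cannot be rolled out per application; if that is deliberate, a comment would stop the next reader from "fixing" it, e.g. `// Intentionally bound without APPLICATION_ID: one mode for every application the flag source covers — TODO confirm`. If it is not deliberate, add `.with(FetchVector.Dimension.APPLICATION_ID, applicationId.serializedForm())` like the surrounding lines. Note also that the value flows unchanged into a string switch in HostedSslConnectorFactory that throws during model building, so a mistyped flag value would fail deployment for everything in the flag's scope. The `Properties` constructor begins outside this hunk.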
@@ -232,6 +234,8 @@ public class ModelContextImpl implements ModelContext {
@Override
public boolean usePhraseSegmenting() { return usePhraseSegmenting; }
+ @Override
+ public String proxyProtocol() { return proxyProtocol; }
}
}