Reduce max connection life to 45 seconds

Add feature flag for increasing the value for any application as an emergency precaution.

1 files changed, 12 insertions, 8 deletions

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index b25463b8547..aab417db1e2 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -25,16 +25,17 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
     private final boolean enforceClientAuth;
     private final boolean enforceHandshakeClientAuth;
     private final Collection<String> tlsCiphersOverride;
+    private final Duration maxConnectionLife;
 
     /**
      * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore.
      */
     public static HostedSslConnectorFactory withProvidedCertificate(
             String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth,
-            Collection<String> tlsCiphersOverride) {
+            Collection<String> tlsCiphersOverride, Duration maxConnectionLife) {
         ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
                 serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth);
-        return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride);
+        return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride, maxConnectionLife);
     }
 
     /**
@@ -42,25 +43,28 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
      */
     public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
             String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates,
-            Collection<String> tlsCiphersOverride) {
+            Collection<String> tlsCiphersOverride, Duration maxConnectionLife) {
         ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
                 serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false);
-        return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride);
+        return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, maxConnectionLife);
     }
 
     /**
      * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
      */
-    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection<String> tlsCiphersOverride) {
-        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride);
+    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(
+            String serverName, Collection<String> tlsCiphersOverride, Duration maxConnectionLife) {
+        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride, maxConnectionLife);
     }
 
     private HostedSslConnectorFactory(SslProvider sslProvider, boolean enforceClientAuth,
-                                      boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride) {
+                                      boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride,
+                                      Duration maxConnectionLife) {
         super(new Builder("tls4443", 4443).sslProvider(sslProvider));
         this.enforceClientAuth = enforceClientAuth;
         this.enforceHandshakeClientAuth = enforceHandshakeClientAuth;
         this.tlsCiphersOverride = tlsCiphersOverride;
+        this.maxConnectionLife = maxConnectionLife;
     }
 
     private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
@@ -96,6 +100,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
         connectorBuilder
                 .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
                 .idleTimeout(Duration.ofSeconds(30).toSeconds())
-                .maxConnectionLife(Duration.ofMinutes(10).toSeconds());
+                .maxConnectionLife(maxConnectionLife.toSeconds());
     }
 }