Flag to control proxy protocol mixed mode

author: Morten Tokle <mortent@yahooinc.com> 2022-05-09 14:42:06 +0200
committer: Morten Tokle <mortent@yahooinc.com> 2022-05-09 14:42:06 +0200
commit: 9ec88159ecb981d91997a35b059edb28e7802cb4 (patch)
tree: 7137b70ca91500840a3e583cfb830b7cbc5cb2cd /config-model/src/main/java/com/yahoo/vespa/model/container
parent: ba1ec40ccfe7f10ce757263871dd149b0709b8bf (diff)
2 files changed, 16 insertions, 11 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index e3aa5bd517f..f55fb547bb0 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -25,16 +25,17 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
     private final boolean enforceClientAuth;
     private final boolean enforceHandshakeClientAuth;
     private final Collection<String> tlsCiphersOverride;
+    private final boolean enableProxyProtocolMixedMode;
 
     /**
      * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore.
      */
     public static HostedSslConnectorFactory withProvidedCertificate(
             String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth,
-            Collection<String> tlsCiphersOverride) {
+            Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode) {
         ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
                 serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth);
-        return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride);
+        return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride, enableProxyProtocolMixedMode);
     }
 
     /**
@@ -42,25 +43,28 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
      */
     public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
             String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates,
-            Collection<String> tlsCiphersOverride) {
+            Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode) {
         ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
                 serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false);
-        return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride);
+        return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, enableProxyProtocolMixedMode);
     }
 
     /**
      * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
      */
-    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection<String> tlsCiphersOverride) {
-        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride);
+    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection<String> tlsCiphersOverride,
+                                                                                boolean enableProxyProtocolMixedMode) {
+        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride, enableProxyProtocolMixedMode);
     }
 
     private HostedSslConnectorFactory(SslProvider sslProvider, boolean enforceClientAuth,
-                                      boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride) {
+                                      boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride,
+                                      boolean enableProxyProtocolMixedMode) {
         super(new Builder("tls4443", 4443).sslProvider(sslProvider));
         this.enforceClientAuth = enforceClientAuth;
         this.enforceHandshakeClientAuth = enforceHandshakeClientAuth;
         this.tlsCiphersOverride = tlsCiphersOverride;
+        this.enableProxyProtocolMixedMode = enableProxyProtocolMixedMode;
     }
 
     private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
@@ -94,7 +98,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
         }
 
         connectorBuilder
-                .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
+                .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(enableProxyProtocolMixedMode))
                 .idleTimeout(Duration.ofSeconds(30).toSeconds())
                 .maxConnectionLife(Duration.ofSeconds(45).toSeconds());
     }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index ff1a4b6cc5f..170e22b6164 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -465,6 +465,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         // If the deployment contains certificate/private key reference, setup TLS port
         HostedSslConnectorFactory connectorFactory;
         Collection<String> tlsCiphersOverride = deployState.getProperties().tlsCiphersOverride();
+        boolean proxyProtocolMixedMode = deployState.getProperties().featureFlags().enableProxyProtocolMixedMode();
         if (deployState.endpointCertificateSecrets().isPresent()) {
             boolean authorizeClient = deployState.zone().system().isPublic();
             if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) {
@@ -480,11 +481,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
 
             connectorFactory = authorizeClient
                     ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(
-                            serverName, endpointCertificateSecrets,  getTlsClientAuthorities(deployState), tlsCiphersOverride)
+                            serverName, endpointCertificateSecrets,  getTlsClientAuthorities(deployState), tlsCiphersOverride, proxyProtocolMixedMode)
                     : HostedSslConnectorFactory.withProvidedCertificate(
-                            serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride);
+                            serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride, proxyProtocolMixedMode);
         } else {
-            connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName, tlsCiphersOverride);
+            connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName, tlsCiphersOverride, proxyProtocolMixedMode);
         }
         cluster.getHttp().getAccessControl().ifPresent(accessControl -> accessControl.configureHostedConnector(connectorFactory));
         server.addConnector(connectorFactory);
author	Morten Tokle <mortent@yahooinc.com>	2022-05-09 14:42:06 +0200
committer	Morten Tokle <mortent@yahooinc.com>	2022-05-09 14:42:06 +0200
commit	9ec88159ecb981d91997a35b059edb28e7802cb4 (patch)
tree	7137b70ca91500840a3e583cfb830b7cbc5cb2cd /config-model/src/main/java/com/yahoo/vespa/model/container
parent	ba1ec40ccfe7f10ce757263871dd149b0709b8bf (diff)