Temporarily disable proxy-protocol for port 4443 in jdisc

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2020-04-28 15:48:27 +0200
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2020-04-28 15:48:27 +0200
commit: a9e5c8b38d4b37862e38a43239720ccdf56470d2 (patch)
tree: 0458a71b062d604bc0518850aa3883f5ed054504 /config-model/src/main/java
parent: 4d3c251083a14f21dde71bcce21561c22fa79acd (diff)
2 files changed, 16 insertions, 11 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index bcc2c9a3d6a..2fd88e112da 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -20,6 +20,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
     private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");
     private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";
 
+    private final boolean enableProxyProtocol;
     private final boolean enforceClientAuth;
 
     /**
@@ -27,28 +28,29 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
      */
     // TODO Enforce client authentication
     public static HostedSslConnectorFactory withProvidedCertificate(
-            String serverName, EndpointCertificateSecrets endpointCertificateSecrets) {
-        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false);
+            String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enableProxyProtocol) {
+        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false, enableProxyProtocol);
     }
 
     /**
      * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application.
      */
     public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
-            String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) {
-        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true);
+            String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, boolean enableProxyProtocol) {
+        return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true, enableProxyProtocol);
     }
 
     /**
      * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
      */
-    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) {
-        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true);
+    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, boolean enableProxyProtocol) {
+        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, enableProxyProtocol);
     }
 
-    private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) {
+    private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth, boolean enableProxyProtocol) {
         super("tls4443", 4443, sslProviderComponent);
         this.enforceClientAuth = enforceClientAuth;
+        this.enableProxyProtocol = enableProxyProtocol;
     }
 
     private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
@@ -69,7 +71,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
                 .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
                         .pathWhitelist(INSECURE_WHITELISTED_PATHS)
                         .enable(enforceClientAuth))
-                .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
+                .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(enableProxyProtocol).mixedMode(true))
                 .idleTimeout(Duration.ofMinutes(3).toSeconds())
                 .maxConnectionLife(Duration.ofMinutes(10).toSeconds());
     }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 2fba8189046..741e5ebffd1 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -336,6 +336,9 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         JettyHttpServer server = cluster.getHttp().getHttpServer().get();
         String serverName = server.getComponentId().getName();
 
+        // Temporarily disable jdisc proxy-protocol in public systems
+        boolean enableProxyProtocol = !deployState.zone().system().isPublic();
+
         // If the deployment contains certificate/private key reference, setup TLS port
         if (deployState.endpointCertificateSecrets().isPresent()) {
             boolean authorizeClient = deployState.zone().system().isPublic();
@@ -344,11 +347,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
             }
             EndpointCertificateSecrets endpointCertificateSecrets = deployState.endpointCertificateSecrets().get();
             HostedSslConnectorFactory connectorFactory = authorizeClient
-                    ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get())
-                    : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets);
+                    ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get(), enableProxyProtocol)
+                    : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets, enableProxyProtocol);
             server.addConnector(connectorFactory);
         } else {
-            server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName));
+            server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName, enableProxyProtocol));
         }
     }
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2020-04-28 15:48:27 +0200
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2020-04-28 15:48:27 +0200
commit	a9e5c8b38d4b37862e38a43239720ccdf56470d2 (patch)
tree	0458a71b062d604bc0518850aa3883f5ed054504 /config-model/src/main/java
parent	4d3c251083a14f21dde71bcce21561c22fa79acd (diff)