Restrict server names accepted per connector

author: Bjørn Christian Seime <bjorncs@yahooinc.com> 2022-10-06 09:58:49 +0200
committer: Bjørn Christian Seime <bjorncs@yahooinc.com> 2022-10-06 09:59:36 +0200
commit: a1f7601cd6257dceae6b986a3aa64d16d2d8516f (patch)
tree: dc3b23df41a5ba30451149bcc47c880fc4e55828 /container-core/src/main/java
parent: 62ac14f904d43604b0f0522d4dd65232f6e915b5 (diff)
3 files changed, 50 insertions, 42 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index bf278981b69..e59e95a59a7 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -9,7 +9,6 @@ import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl;
 import com.yahoo.security.tls.MixedMode;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
-import org.eclipse.jetty.http.HttpCompliance;
 import org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory;
 import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
 import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
@@ -82,16 +81,9 @@ public class ConnectorFactory {
 
     public ServerConnector createConnector(final Metric metric, final Server server, JettyConnectionLogger connectionLogger,
                                            ConnectionMetricAggregator connectionMetricAggregator) {
-        ServerConnector connector = new JDiscServerConnector(
+        return new JDiscServerConnector(
                 connectorConfig, metric, server, connectionLogger, connectionMetricAggregator,
                 createConnectionFactories(metric).toArray(ConnectionFactory[]::new));
-        connector.setPort(connectorConfig.listenPort());
-        connector.setName(connectorConfig.name());
-        connector.setAcceptQueueSize(connectorConfig.acceptQueueSize());
-        connector.setReuseAddress(connectorConfig.reuseAddress());
-        connector.setIdleTimeout(toMillis(connectorConfig.idleTimeout()));
-        connector.addBean(HttpCompliance.RFC7230);
-        return connector;
     }
 
     private List<ConnectionFactory> createConnectionFactories(Metric metric) {
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java
index 79cdb8f67cf..4b297fd5a44 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java
@@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty;
 
 import com.yahoo.jdisc.Metric;
 import com.yahoo.jdisc.http.ConnectorConfig;
+import org.eclipse.jetty.http.HttpCompliance;
 import org.eclipse.jetty.io.ConnectionStatistics;
 import org.eclipse.jetty.server.ConnectionFactory;
 import org.eclipse.jetty.server.Server;
@@ -50,8 +51,16 @@ class JDiscServerConnector extends ServerConnector {
         }
         addBean(connectionLogger);
         addBean(connectionMetricAggregator);
+        setPort(config.listenPort());
+        setName(config.name());
+        setAcceptQueueSize(config.acceptQueueSize());
+        setReuseAddress(config.reuseAddress());
+        setIdleTimeout(toMillis(config.idleTimeout()));
+        addBean(HttpCompliance.RFC7230);
     }
 
+    private static long toMillis(double seconds) { return (long)(seconds * 1000); }
+
     @Override
     protected void configure(final Socket socket) {
         super.configure(socket);
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
index 96c5bac335b..d2811847995 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
@@ -14,7 +14,6 @@ import org.eclipse.jetty.http.HttpField;
 import org.eclipse.jetty.jmx.ConnectorServer;
 import org.eclipse.jetty.jmx.MBeanContainer;
 import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
@@ -139,43 +138,51 @@ public class JettyHttpServer extends AbstractServerProvider {
     private HandlerCollection getHandlerCollection(ServerConfig serverConfig,
                                                    List<JDiscServerConnector> connectors,
                                                    ServletHolder jdiscServlet) {
-        ServletContextHandler servletContextHandler = createServletContextHandler();
-        servletContextHandler.addServlet(jdiscServlet, "/*");
-
-        List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList());
-        var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs);
-        secureRedirectHandler.setHandler(servletContextHandler);
-
-        var proxyHandler = new HealthCheckProxyHandler(connectors);
-        proxyHandler.setHandler(secureRedirectHandler);
-
-        var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs);
-        authEnforcer.setHandler(proxyHandler);
-
-        GzipHandler gzipHandler = newGzipHandler(serverConfig);
-        gzipHandler.setHandler(authEnforcer);
+        HandlerCollection connectorSpecificHandlers = new HandlerCollection();
+        for (JDiscServerConnector connector : connectors) {
+            ServletContextHandler servletContextHandler = createServletContextHandler(connector);
+            servletContextHandler.addServlet(jdiscServlet, "/*");
+
+            List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList());
+            var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs);
+            secureRedirectHandler.setHandler(servletContextHandler);
+
+            var proxyHandler = new HealthCheckProxyHandler(connectors);
+            proxyHandler.setHandler(secureRedirectHandler);
+
+            var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs);
+            authEnforcer.setHandler(proxyHandler);
+
+            GzipHandler gzipHandler = newGzipHandler(serverConfig);
+            gzipHandler.setHandler(authEnforcer);
+
+            HttpResponseStatisticsCollector statisticsCollector =
+                    new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(),
+                                                        serverConfig.metric().searchHandlerPaths());
+            statisticsCollector.setHandler(gzipHandler);
+            for (String agent : serverConfig.metric().ignoredUserAgents()) {
+                statisticsCollector.ignoreUserAgent(agent);
+            }
+            StatisticsHandler statisticsHandler = newStatisticsHandler();
+            statisticsHandler.setHandler(statisticsCollector);
 
-        HttpResponseStatisticsCollector statisticsCollector =
-                new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(),
-                                                    serverConfig.metric().searchHandlerPaths());
-        statisticsCollector.setHandler(gzipHandler);
-        for (String agent : serverConfig.metric().ignoredUserAgents()) {
-            statisticsCollector.ignoreUserAgent(agent);
+            connectorSpecificHandlers.addHandler(statisticsHandler);
         }
 
-        StatisticsHandler statisticsHandler = newStatisticsHandler();
-        statisticsHandler.setHandler(statisticsCollector);
-
-        HandlerCollection handlerCollection = new HandlerCollection();
-        handlerCollection.setHandlers(new Handler[] { statisticsHandler });
-        return handlerCollection;
+        return connectorSpecificHandlers;
     }
 
-    private ServletContextHandler createServletContextHandler() {
-        ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS);
-        servletContextHandler.setContextPath("/");
-        servletContextHandler.setDisplayName(getDisplayName(listenedPorts));
-        return servletContextHandler;
+    private ServletContextHandler createServletContextHandler(JDiscServerConnector connector) {
+        var ctx = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS);
+        ctx.setContextPath("/");
+        ctx.setDisplayName(getDisplayName(listenedPorts));
+        List<String> allowedServerNames = connector.connectorConfig().serverName().allowed();
+        if (allowedServerNames.isEmpty()) {
+            ctx.setVirtualHosts(new String[]{"@%s".formatted(connector.getName())});
+        } else {
+            ctx.setVirtualHosts(allowedServerNames.toArray(new String[0]));
+        }
+        return ctx;
     }
 
     private static String getDisplayName(List<Integer> ports) {
author	Bjørn Christian Seime <bjorncs@yahooinc.com>	2022-10-06 09:58:49 +0200
committer	Bjørn Christian Seime <bjorncs@yahooinc.com>	2022-10-06 09:59:36 +0200
commit	a1f7601cd6257dceae6b986a3aa64d16d2d8516f (patch)
tree	dc3b23df41a5ba30451149bcc47c880fc4e55828 /container-core/src/main/java
parent	62ac14f904d43604b0f0522d4dd65232f6e915b5 (diff)