diff options
author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-10-06 09:58:49 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-10-06 09:59:36 +0200 |
commit | a1f7601cd6257dceae6b986a3aa64d16d2d8516f (patch) | |
tree | dc3b23df41a5ba30451149bcc47c880fc4e55828 /container-core/src/main/java | |
parent | 62ac14f904d43604b0f0522d4dd65232f6e915b5 (diff) |
Restrict server names accepted per connector
Diffstat (limited to 'container-core/src/main/java')
3 files changed, 50 insertions, 42 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java index bf278981b69..e59e95a59a7 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java @@ -9,7 +9,6 @@ import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TransportSecurityUtils; import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory; -import org.eclipse.jetty.http.HttpCompliance; import org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory; import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory; import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory; @@ -82,16 +81,9 @@ public class ConnectorFactory { public ServerConnector createConnector(final Metric metric, final Server server, JettyConnectionLogger connectionLogger, ConnectionMetricAggregator connectionMetricAggregator) { - ServerConnector connector = new JDiscServerConnector( + return new JDiscServerConnector( connectorConfig, metric, server, connectionLogger, connectionMetricAggregator, createConnectionFactories(metric).toArray(ConnectionFactory[]::new)); - connector.setPort(connectorConfig.listenPort()); - connector.setName(connectorConfig.name()); - connector.setAcceptQueueSize(connectorConfig.acceptQueueSize()); - connector.setReuseAddress(connectorConfig.reuseAddress()); - connector.setIdleTimeout(toMillis(connectorConfig.idleTimeout())); - connector.addBean(HttpCompliance.RFC7230); - return connector; } private List<ConnectionFactory> createConnectionFactories(Metric metric) { diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java index 79cdb8f67cf..4b297fd5a44 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java @@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; +import org.eclipse.jetty.http.HttpCompliance; import org.eclipse.jetty.io.ConnectionStatistics; import org.eclipse.jetty.server.ConnectionFactory; import org.eclipse.jetty.server.Server; @@ -50,8 +51,16 @@ class JDiscServerConnector extends ServerConnector { } addBean(connectionLogger); addBean(connectionMetricAggregator); + setPort(config.listenPort()); + setName(config.name()); + setAcceptQueueSize(config.acceptQueueSize()); + setReuseAddress(config.reuseAddress()); + setIdleTimeout(toMillis(config.idleTimeout())); + addBean(HttpCompliance.RFC7230); } + private static long toMillis(double seconds) { return (long)(seconds * 1000); } + @Override protected void configure(final Socket socket) { super.configure(socket); diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java index 96c5bac335b..d2811847995 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java @@ -14,7 +14,6 @@ import org.eclipse.jetty.http.HttpField; import org.eclipse.jetty.jmx.ConnectorServer; import org.eclipse.jetty.jmx.MBeanContainer; import org.eclipse.jetty.server.Connector; -import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.SslConnectionFactory; @@ -139,43 +138,51 @@ public class JettyHttpServer extends AbstractServerProvider { private HandlerCollection getHandlerCollection(ServerConfig serverConfig, List<JDiscServerConnector> connectors, ServletHolder jdiscServlet) { - ServletContextHandler servletContextHandler = createServletContextHandler(); - servletContextHandler.addServlet(jdiscServlet, "/*"); - - List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList()); - var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs); - secureRedirectHandler.setHandler(servletContextHandler); - - var proxyHandler = new HealthCheckProxyHandler(connectors); - proxyHandler.setHandler(secureRedirectHandler); - - var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs); - authEnforcer.setHandler(proxyHandler); - - GzipHandler gzipHandler = newGzipHandler(serverConfig); - gzipHandler.setHandler(authEnforcer); + HandlerCollection connectorSpecificHandlers = new HandlerCollection(); + for (JDiscServerConnector connector : connectors) { + ServletContextHandler servletContextHandler = createServletContextHandler(connector); + servletContextHandler.addServlet(jdiscServlet, "/*"); + + List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList()); + var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs); + secureRedirectHandler.setHandler(servletContextHandler); + + var proxyHandler = new HealthCheckProxyHandler(connectors); + proxyHandler.setHandler(secureRedirectHandler); + + var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs); + authEnforcer.setHandler(proxyHandler); + + GzipHandler gzipHandler = newGzipHandler(serverConfig); + gzipHandler.setHandler(authEnforcer); + + HttpResponseStatisticsCollector statisticsCollector = + new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(), + serverConfig.metric().searchHandlerPaths()); + statisticsCollector.setHandler(gzipHandler); + for (String agent : serverConfig.metric().ignoredUserAgents()) { + statisticsCollector.ignoreUserAgent(agent); + } + StatisticsHandler statisticsHandler = newStatisticsHandler(); + statisticsHandler.setHandler(statisticsCollector); - HttpResponseStatisticsCollector statisticsCollector = - new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(), - serverConfig.metric().searchHandlerPaths()); - statisticsCollector.setHandler(gzipHandler); - for (String agent : serverConfig.metric().ignoredUserAgents()) { - statisticsCollector.ignoreUserAgent(agent); + connectorSpecificHandlers.addHandler(statisticsHandler); } - StatisticsHandler statisticsHandler = newStatisticsHandler(); - statisticsHandler.setHandler(statisticsCollector); - - HandlerCollection handlerCollection = new HandlerCollection(); - handlerCollection.setHandlers(new Handler[] { statisticsHandler }); - return handlerCollection; + return connectorSpecificHandlers; } - private ServletContextHandler createServletContextHandler() { - ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); - servletContextHandler.setContextPath("/"); - servletContextHandler.setDisplayName(getDisplayName(listenedPorts)); - return servletContextHandler; + private ServletContextHandler createServletContextHandler(JDiscServerConnector connector) { + var ctx = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); + ctx.setContextPath("/"); + ctx.setDisplayName(getDisplayName(listenedPorts)); + List<String> allowedServerNames = connector.connectorConfig().serverName().allowed(); + if (allowedServerNames.isEmpty()) { + ctx.setVirtualHosts(new String[]{"@%s".formatted(connector.getName())}); + } else { + ctx.setVirtualHosts(allowedServerNames.toArray(new String[0])); + } + return ctx; } private static String getDisplayName(List<Integer> ports) { |