diff options
author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-10-06 09:58:49 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-10-06 09:59:36 +0200 |
commit | a1f7601cd6257dceae6b986a3aa64d16d2d8516f (patch) | |
tree | dc3b23df41a5ba30451149bcc47c880fc4e55828 /container-core/src | |
parent | 62ac14f904d43604b0f0522d4dd65232f6e915b5 (diff) |
Restrict server names accepted per connector
Diffstat (limited to 'container-core/src')
5 files changed, 70 insertions, 44 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java index bf278981b69..e59e95a59a7 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java @@ -9,7 +9,6 @@ import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TransportSecurityUtils; import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory; -import org.eclipse.jetty.http.HttpCompliance; import org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory; import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory; import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory; @@ -82,16 +81,9 @@ public class ConnectorFactory { public ServerConnector createConnector(final Metric metric, final Server server, JettyConnectionLogger connectionLogger, ConnectionMetricAggregator connectionMetricAggregator) { - ServerConnector connector = new JDiscServerConnector( + return new JDiscServerConnector( connectorConfig, metric, server, connectionLogger, connectionMetricAggregator, createConnectionFactories(metric).toArray(ConnectionFactory[]::new)); - connector.setPort(connectorConfig.listenPort()); - connector.setName(connectorConfig.name()); - connector.setAcceptQueueSize(connectorConfig.acceptQueueSize()); - connector.setReuseAddress(connectorConfig.reuseAddress()); - connector.setIdleTimeout(toMillis(connectorConfig.idleTimeout())); - connector.addBean(HttpCompliance.RFC7230); - return connector; } private List<ConnectionFactory> createConnectionFactories(Metric metric) { diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java index 79cdb8f67cf..4b297fd5a44 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java @@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; +import org.eclipse.jetty.http.HttpCompliance; import org.eclipse.jetty.io.ConnectionStatistics; import org.eclipse.jetty.server.ConnectionFactory; import org.eclipse.jetty.server.Server; @@ -50,8 +51,16 @@ class JDiscServerConnector extends ServerConnector { } addBean(connectionLogger); addBean(connectionMetricAggregator); + setPort(config.listenPort()); + setName(config.name()); + setAcceptQueueSize(config.acceptQueueSize()); + setReuseAddress(config.reuseAddress()); + setIdleTimeout(toMillis(config.idleTimeout())); + addBean(HttpCompliance.RFC7230); } + private static long toMillis(double seconds) { return (long)(seconds * 1000); } + @Override protected void configure(final Socket socket) { super.configure(socket); diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java index 96c5bac335b..d2811847995 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java @@ -14,7 +14,6 @@ import org.eclipse.jetty.http.HttpField; import org.eclipse.jetty.jmx.ConnectorServer; import org.eclipse.jetty.jmx.MBeanContainer; import org.eclipse.jetty.server.Connector; -import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.SslConnectionFactory; @@ -139,43 +138,51 @@ public class JettyHttpServer extends AbstractServerProvider { private HandlerCollection getHandlerCollection(ServerConfig serverConfig, List<JDiscServerConnector> connectors, ServletHolder jdiscServlet) { - ServletContextHandler servletContextHandler = createServletContextHandler(); - servletContextHandler.addServlet(jdiscServlet, "/*"); - - List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList()); - var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs); - secureRedirectHandler.setHandler(servletContextHandler); - - var proxyHandler = new HealthCheckProxyHandler(connectors); - proxyHandler.setHandler(secureRedirectHandler); - - var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs); - authEnforcer.setHandler(proxyHandler); - - GzipHandler gzipHandler = newGzipHandler(serverConfig); - gzipHandler.setHandler(authEnforcer); + HandlerCollection connectorSpecificHandlers = new HandlerCollection(); + for (JDiscServerConnector connector : connectors) { + ServletContextHandler servletContextHandler = createServletContextHandler(connector); + servletContextHandler.addServlet(jdiscServlet, "/*"); + + List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList()); + var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs); + secureRedirectHandler.setHandler(servletContextHandler); + + var proxyHandler = new HealthCheckProxyHandler(connectors); + proxyHandler.setHandler(secureRedirectHandler); + + var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs); + authEnforcer.setHandler(proxyHandler); + + GzipHandler gzipHandler = newGzipHandler(serverConfig); + gzipHandler.setHandler(authEnforcer); + + HttpResponseStatisticsCollector statisticsCollector = + new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(), + serverConfig.metric().searchHandlerPaths()); + statisticsCollector.setHandler(gzipHandler); + for (String agent : serverConfig.metric().ignoredUserAgents()) { + statisticsCollector.ignoreUserAgent(agent); + } + StatisticsHandler statisticsHandler = newStatisticsHandler(); + statisticsHandler.setHandler(statisticsCollector); - HttpResponseStatisticsCollector statisticsCollector = - new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(), - serverConfig.metric().searchHandlerPaths()); - statisticsCollector.setHandler(gzipHandler); - for (String agent : serverConfig.metric().ignoredUserAgents()) { - statisticsCollector.ignoreUserAgent(agent); + connectorSpecificHandlers.addHandler(statisticsHandler); } - StatisticsHandler statisticsHandler = newStatisticsHandler(); - statisticsHandler.setHandler(statisticsCollector); - - HandlerCollection handlerCollection = new HandlerCollection(); - handlerCollection.setHandlers(new Handler[] { statisticsHandler }); - return handlerCollection; + return connectorSpecificHandlers; } - private ServletContextHandler createServletContextHandler() { - ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); - servletContextHandler.setContextPath("/"); - servletContextHandler.setDisplayName(getDisplayName(listenedPorts)); - return servletContextHandler; + private ServletContextHandler createServletContextHandler(JDiscServerConnector connector) { + var ctx = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); + ctx.setContextPath("/"); + ctx.setDisplayName(getDisplayName(listenedPorts)); + List<String> allowedServerNames = connector.connectorConfig().serverName().allowed(); + if (allowedServerNames.isEmpty()) { + ctx.setVirtualHosts(new String[]{"@%s".formatted(connector.getName())}); + } else { + ctx.setVirtualHosts(allowedServerNames.toArray(new String[0])); + } + return ctx; } private static String getDisplayName(List<Integer> ports) { diff --git a/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def b/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def index 1f4763d32a7..5e50be05115 100644 --- a/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def +++ b/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def @@ -138,3 +138,5 @@ http2.maxConcurrentStreams int default=4096 # Override the default server name when authority is missing from request. serverName.fallback string default="" +# The list of accepted server names. Empty list to accept any. Elements follows format of 'serverName.default'. +serverName.allowed[] string diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java index 2c5d36bd776..318067ac634 100644 --- a/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java +++ b/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java @@ -743,7 +743,7 @@ public class HttpServerTest { } @Test - void requestThatFallbackServerNameCanBeOverridden() throws Exception { + void fallbackServerNameCanBeOverridden() throws Exception { String fallbackHostname = "myhostname"; JettyTestDriver driver = JettyTestDriver.newConfiguredInstance( new UriRequestHandler(), @@ -752,13 +752,29 @@ public class HttpServerTest { .serverName(new ConnectorConfig.ServerName.Builder().fallback(fallbackHostname))); int listenPort = driver.server().getListenPort(); HttpGet req = new HttpGet("http://localhost:" + listenPort + "/"); - req.addHeader("Host", null); + req.setHeader("Host", null); driver.client().execute(req) .expectStatusCode(is(OK)) .expectContent(containsString("http://" + fallbackHostname + ":" + listenPort + "/")); assertTrue(driver.close()); } + @Test + void acceptedServerNamesCanBeRestricted() throws Exception { + String requiredServerName = "myhostname"; + JettyTestDriver driver = JettyTestDriver.newConfiguredInstance( + new EchoRequestHandler(), + new ServerConfig.Builder(), + new ConnectorConfig.Builder() + .serverName(new ConnectorConfig.ServerName.Builder().allowed(requiredServerName))); + int listenPort = driver.server().getListenPort(); + HttpGet req = new HttpGet("http://localhost:" + listenPort + "/"); + req.setHeader("Host", requiredServerName); + driver.client().execute(req).expectStatusCode(is(OK)); + driver.client().get("/").expectStatusCode(is(NOT_FOUND)); + assertTrue(driver.close()); + } + private static JettyTestDriver createSslWithTlsClientAuthenticationEnforcer(Path certificateFile, Path privateKeyFile) { ConnectorConfig.Builder connectorConfig = new ConnectorConfig.Builder() .tlsClientAuthEnforcer( |