diff options
author | Harald Musum <musum@verizonmedia.com> | 2022-10-06 13:11:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-06 13:11:54 +0200 |
commit | 878e46f2d9c59b368b4f88da9dc5920b465eda19 (patch) | |
tree | 78fc20852c57dfce4102f5ad675016067584d8b6 /container-core | |
parent | bbb47ccadb603a84b3a9d4e695aa098ea46a25ad (diff) |
Revert "Restrict server names accepted per connector"
Diffstat (limited to 'container-core')
6 files changed, 46 insertions, 78 deletions
diff --git a/container-core/abi-spec.json b/container-core/abi-spec.json index 7844282b7e9..5985e79b786 100644 --- a/container-core/abi-spec.json +++ b/container-core/abi-spec.json @@ -1236,13 +1236,9 @@ "public void <init>()", "public void <init>(com.yahoo.jdisc.http.ConnectorConfig$ServerName)", "public com.yahoo.jdisc.http.ConnectorConfig$ServerName$Builder fallback(java.lang.String)", - "public com.yahoo.jdisc.http.ConnectorConfig$ServerName$Builder allowed(java.lang.String)", - "public com.yahoo.jdisc.http.ConnectorConfig$ServerName$Builder allowed(java.util.Collection)", "public com.yahoo.jdisc.http.ConnectorConfig$ServerName build()" ], - "fields": [ - "public java.util.List allowed" - ] + "fields": [] }, "com.yahoo.jdisc.http.ConnectorConfig$ServerName": { "superClass": "com.yahoo.config.InnerNode", @@ -1253,9 +1249,7 @@ ], "methods": [ "public void <init>(com.yahoo.jdisc.http.ConnectorConfig$ServerName$Builder)", - "public java.lang.String fallback()", - "public java.util.List allowed()", - "public java.lang.String allowed(int)" + "public java.lang.String fallback()" ], "fields": [] }, diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java index e59e95a59a7..bf278981b69 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java @@ -9,6 +9,7 @@ import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TransportSecurityUtils; import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory; +import org.eclipse.jetty.http.HttpCompliance; import org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory; import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory; import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory; @@ -81,9 +82,16 @@ public class ConnectorFactory { public ServerConnector createConnector(final Metric metric, final Server server, JettyConnectionLogger connectionLogger, ConnectionMetricAggregator connectionMetricAggregator) { - return new JDiscServerConnector( + ServerConnector connector = new JDiscServerConnector( connectorConfig, metric, server, connectionLogger, connectionMetricAggregator, createConnectionFactories(metric).toArray(ConnectionFactory[]::new)); + connector.setPort(connectorConfig.listenPort()); + connector.setName(connectorConfig.name()); + connector.setAcceptQueueSize(connectorConfig.acceptQueueSize()); + connector.setReuseAddress(connectorConfig.reuseAddress()); + connector.setIdleTimeout(toMillis(connectorConfig.idleTimeout())); + connector.addBean(HttpCompliance.RFC7230); + return connector; } private List<ConnectionFactory> createConnectionFactories(Metric metric) { diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java index 4b297fd5a44..79cdb8f67cf 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JDiscServerConnector.java @@ -3,7 +3,6 @@ package com.yahoo.jdisc.http.server.jetty; import com.yahoo.jdisc.Metric; import com.yahoo.jdisc.http.ConnectorConfig; -import org.eclipse.jetty.http.HttpCompliance; import org.eclipse.jetty.io.ConnectionStatistics; import org.eclipse.jetty.server.ConnectionFactory; import org.eclipse.jetty.server.Server; @@ -51,16 +50,8 @@ class JDiscServerConnector extends ServerConnector { } addBean(connectionLogger); addBean(connectionMetricAggregator); - setPort(config.listenPort()); - setName(config.name()); - setAcceptQueueSize(config.acceptQueueSize()); - setReuseAddress(config.reuseAddress()); - setIdleTimeout(toMillis(config.idleTimeout())); - addBean(HttpCompliance.RFC7230); } - private static long toMillis(double seconds) { return (long)(seconds * 1000); } - @Override protected void configure(final Socket socket) { super.configure(socket); diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java index d2811847995..96c5bac335b 100644 --- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java @@ -14,6 +14,7 @@ import org.eclipse.jetty.http.HttpField; import org.eclipse.jetty.jmx.ConnectorServer; import org.eclipse.jetty.jmx.MBeanContainer; import org.eclipse.jetty.server.Connector; +import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.SslConnectionFactory; @@ -138,51 +139,43 @@ public class JettyHttpServer extends AbstractServerProvider { private HandlerCollection getHandlerCollection(ServerConfig serverConfig, List<JDiscServerConnector> connectors, ServletHolder jdiscServlet) { - HandlerCollection connectorSpecificHandlers = new HandlerCollection(); - for (JDiscServerConnector connector : connectors) { - ServletContextHandler servletContextHandler = createServletContextHandler(connector); - servletContextHandler.addServlet(jdiscServlet, "/*"); - - List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList()); - var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs); - secureRedirectHandler.setHandler(servletContextHandler); - - var proxyHandler = new HealthCheckProxyHandler(connectors); - proxyHandler.setHandler(secureRedirectHandler); - - var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs); - authEnforcer.setHandler(proxyHandler); - - GzipHandler gzipHandler = newGzipHandler(serverConfig); - gzipHandler.setHandler(authEnforcer); - - HttpResponseStatisticsCollector statisticsCollector = - new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(), - serverConfig.metric().searchHandlerPaths()); - statisticsCollector.setHandler(gzipHandler); - for (String agent : serverConfig.metric().ignoredUserAgents()) { - statisticsCollector.ignoreUserAgent(agent); - } - StatisticsHandler statisticsHandler = newStatisticsHandler(); - statisticsHandler.setHandler(statisticsCollector); + ServletContextHandler servletContextHandler = createServletContextHandler(); + servletContextHandler.addServlet(jdiscServlet, "/*"); + + List<ConnectorConfig> connectorConfigs = connectors.stream().map(JDiscServerConnector::connectorConfig).collect(toList()); + var secureRedirectHandler = new SecuredRedirectHandler(connectorConfigs); + secureRedirectHandler.setHandler(servletContextHandler); + + var proxyHandler = new HealthCheckProxyHandler(connectors); + proxyHandler.setHandler(secureRedirectHandler); + + var authEnforcer = new TlsClientAuthenticationEnforcer(connectorConfigs); + authEnforcer.setHandler(proxyHandler); - connectorSpecificHandlers.addHandler(statisticsHandler); + GzipHandler gzipHandler = newGzipHandler(serverConfig); + gzipHandler.setHandler(authEnforcer); + + HttpResponseStatisticsCollector statisticsCollector = + new HttpResponseStatisticsCollector(serverConfig.metric().monitoringHandlerPaths(), + serverConfig.metric().searchHandlerPaths()); + statisticsCollector.setHandler(gzipHandler); + for (String agent : serverConfig.metric().ignoredUserAgents()) { + statisticsCollector.ignoreUserAgent(agent); } - return connectorSpecificHandlers; + StatisticsHandler statisticsHandler = newStatisticsHandler(); + statisticsHandler.setHandler(statisticsCollector); + + HandlerCollection handlerCollection = new HandlerCollection(); + handlerCollection.setHandlers(new Handler[] { statisticsHandler }); + return handlerCollection; } - private ServletContextHandler createServletContextHandler(JDiscServerConnector connector) { - var ctx = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); - ctx.setContextPath("/"); - ctx.setDisplayName(getDisplayName(listenedPorts)); - List<String> allowedServerNames = connector.connectorConfig().serverName().allowed(); - if (allowedServerNames.isEmpty()) { - ctx.setVirtualHosts(new String[]{"@%s".formatted(connector.getName())}); - } else { - ctx.setVirtualHosts(allowedServerNames.toArray(new String[0])); - } - return ctx; + private ServletContextHandler createServletContextHandler() { + ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.NO_SECURITY | ServletContextHandler.NO_SESSIONS); + servletContextHandler.setContextPath("/"); + servletContextHandler.setDisplayName(getDisplayName(listenedPorts)); + return servletContextHandler; } private static String getDisplayName(List<Integer> ports) { diff --git a/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def b/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def index 5e50be05115..1f4763d32a7 100644 --- a/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def +++ b/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def @@ -138,5 +138,3 @@ http2.maxConcurrentStreams int default=4096 # Override the default server name when authority is missing from request. serverName.fallback string default="" -# The list of accepted server names. Empty list to accept any. Elements follows format of 'serverName.default'. -serverName.allowed[] string diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java index 318067ac634..2c5d36bd776 100644 --- a/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java +++ b/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java @@ -743,7 +743,7 @@ public class HttpServerTest { } @Test - void fallbackServerNameCanBeOverridden() throws Exception { + void requestThatFallbackServerNameCanBeOverridden() throws Exception { String fallbackHostname = "myhostname"; JettyTestDriver driver = JettyTestDriver.newConfiguredInstance( new UriRequestHandler(), @@ -752,29 +752,13 @@ public class HttpServerTest { .serverName(new ConnectorConfig.ServerName.Builder().fallback(fallbackHostname))); int listenPort = driver.server().getListenPort(); HttpGet req = new HttpGet("http://localhost:" + listenPort + "/"); - req.setHeader("Host", null); + req.addHeader("Host", null); driver.client().execute(req) .expectStatusCode(is(OK)) .expectContent(containsString("http://" + fallbackHostname + ":" + listenPort + "/")); assertTrue(driver.close()); } - @Test - void acceptedServerNamesCanBeRestricted() throws Exception { - String requiredServerName = "myhostname"; - JettyTestDriver driver = JettyTestDriver.newConfiguredInstance( - new EchoRequestHandler(), - new ServerConfig.Builder(), - new ConnectorConfig.Builder() - .serverName(new ConnectorConfig.ServerName.Builder().allowed(requiredServerName))); - int listenPort = driver.server().getListenPort(); - HttpGet req = new HttpGet("http://localhost:" + listenPort + "/"); - req.setHeader("Host", requiredServerName); - driver.client().execute(req).expectStatusCode(is(OK)); - driver.client().get("/").expectStatusCode(is(NOT_FOUND)); - assertTrue(driver.close()); - } - private static JettyTestDriver createSslWithTlsClientAuthenticationEnforcer(Path certificateFile, Path privateKeyFile) { ConnectorConfig.Builder connectorConfig = new ConnectorConfig.Builder() .tlsClientAuthEnforcer( |