Diffstat (limited to 'jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java')
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index ef166bae999..94c08212706 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -18,6 +18,7 @@ import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
+import java.nio.channels.ServerSocketChannel;
 import java.util.List;
 
 /**
@@ -41,25 +42,19 @@ public class ConnectorFactory {
 // e.g. due to TLS configuration through environment variables.
 private static void runtimeConnectorConfigValidation(ConnectorConfig config) {
 validateProxyProtocolConfiguration(config);
- validateSecureRedirectConfig(config);
 }
 
 private static void validateProxyProtocolConfiguration(ConnectorConfig config) {
 ConnectorConfig.ProxyProtocol proxyProtocolConfig = config.proxyProtocol();
 if (proxyProtocolConfig.enabled()) {
+ boolean sslEnabled = config.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled();
 boolean tlsMixedModeEnabled = TransportSecurityUtils.getInsecureMixedMode() != MixedMode.DISABLED;
- if (!isSslEffectivelyEnabled(config) || tlsMixedModeEnabled) {
+ if (!sslEnabled || tlsMixedModeEnabled) {
 throw new IllegalArgumentException("Proxy protocol can only be enabled if connector is effectively HTTPS only");
 }
 }
 }
 
- private static void validateSecureRedirectConfig(ConnectorConfig config) {
- if (config.secureRedirect().enabled() && isSslEffectivelyEnabled(config)) {
- throw new IllegalArgumentException("Secure redirect can only be enabled on connectors without HTTPS");
- }
- }
-
 public ConnectorConfig getConnectorConfig() {
 return connectorConfig;
 }
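Review bot: With `validateSecureRedirectConfig` removed, nothing visible here rejects a connector that sets both `ssl().enabled()` and `secureRedirect().enabled()`, and the new `sslEnabled` value in `validateProxyProtocolConfiguration` still counts that connector as HTTPS. The `createConnectionFactories` hunk (at -77) now returns `List.of(httpFactory)` first whenever health-check proxy or secure redirect is enabled, so such a connector would pass the "effectively HTTPS only" check and then serve plaintext with proxy protocol on. Unless the combination is rejected somewhere outside this diff, keep a fail-closed guard, for example `boolean sslEnabled = !config.secureRedirect().enabled() && !config.healthCheckProxy().enable() && (config.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled());`. A one-line comment on `runtimeConnectorConfigValidation` saying why the secure-redirect check was dropped would also help the next reader.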
@@ -77,7 +72,7 @@ public class ConnectorFactory {
 
 private List<ConnectionFactory> createConnectionFactories(Metric metric) {
 HttpConnectionFactory httpFactory = newHttpConnectionFactory();
- if (!isSslEffectivelyEnabled(connectorConfig)) {
+ if (connectorConfig.healthCheckProxy().enable() || connectorConfig.secureRedirect().enabled()) {
 return List.of(httpFactory);
 } else if (connectorConfig.ssl().enabled()) {
 return connectionFactoriesForHttps(metric, httpFactory);
@@ -119,7 +114,7 @@ public class ConnectorFactory {
 httpConfig.setOutputBufferSize(connectorConfig.outputBufferSize());
 httpConfig.setRequestHeaderSize(connectorConfig.requestHeaderSize());
 httpConfig.setResponseHeaderSize(connectorConfig.responseHeaderSize());
- if (isSslEffectivelyEnabled(connectorConfig)) {
+ if (connectorConfig.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled()) { // TODO Cleanup once mixed mode is gone
 httpConfig.addCustomizer(new SecureRequestCustomizer());
 }
 return new HttpConnectionFactory(httpConfig);
@@ -132,9 +127,4 @@ public class ConnectorFactory {
 return connectionFactory;
 }
 
- private static boolean isSslEffectivelyEnabled(ConnectorConfig config) {
- return config.ssl().enabled()
- || (config.implicitTlsEnabled() && TransportSecurityUtils.isTransportSecurityEnabled());
- }
-
 }
|
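Review bot: The condition `connectorConfig.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled()` in the hunk at -119 duplicates the expression now written inline in `validateProxyProtocolConfiguration`, so the two copies of the "is this connector TLS" decision can drift apart. Keeping a single private helper such as `private static boolean isSslEnabled(ConnectorConfig config) { return config.ssl().enabled() || TransportSecurityUtils.isTransportSecurityEnabled(); }` and calling it from both places would avoid that. The deleted `isSslEffectivelyEnabled` also required `config.implicitTlsEnabled()`; if that per-connector flag still exists, a comment should state that it is deliberately ignored here, since `SecureRequestCustomizer` is now added even when `createConnectionFactories` picks the plain HTTP factory. The enclosing method (presumably `newHttpConnectionFactory`) starts outside the hunk.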