From ac4739427c0959e6f2f022c98cc4ba10e05cf2a4 Mon Sep 17 00:00:00 2001
From: HÃ¥kon Hallingstad
Date: Wed, 3 Apr 2024 17:44:28 +0200
Subject: Revert "Revert "Disable proxy protocol on jdisc containers in Azure, #2""
---
 .../model/container/http/ssl/HostedSslConnectorFactory.java | 7 ++-----
 .../yahoo/vespa/model/container/xml/ContainerModelBuilder.java | 4 ++--
 .../src/main/java/com/yahoo/config/provision/Zone.java | 10 +++++-----
 .../configdefinitions/jdisc.http.jdisc.http.connector.def | 2 ++
 4 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 08b0398a98f..5f824950ecd 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -24,7 +24,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 private final SslClientAuth clientAuth;
 private final List tlsCiphersOverride;
 private final boolean proxyProtocolEnabled;
- private final boolean proxyProtocolMixedMode;
 private final Duration endpointConnectionTtl;
 private final List remoteAddressHeaders;
 private final List remotePortHeaders;
@@ -37,7 +36,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 this.clientAuth = builder.clientAuth;
 this.tlsCiphersOverride = List.copyOf(builder.tlsCiphersOverride);
 this.proxyProtocolEnabled = builder.proxyProtocolEnabled;
- this.proxyProtocolMixedMode = builder.proxyProtocolMixedMode;
 this.endpointConnectionTtl = builder.endpointConnectionTtl;
 this.remoteAddressHeaders = List.copyOf(builder.remoteAddressHeaders);
 this.remotePortHeaders = List.copyOf(builder.remotePortHeaders);
@@ -70,7 +68,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 }
 connectorBuilder
 .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder()
- .enabled(proxyProtocolEnabled).mixedMode(proxyProtocolMixedMode))
+ .enabled(proxyProtocolEnabled))
 .idleTimeout(Duration.ofSeconds(30).toSeconds())
 .maxConnectionLife(endpointConnectionTtl != null ? endpointConnectionTtl.toSeconds() : 0)
 .accessLog(new ConnectorConfig.AccessLog.Builder()
@@ -89,7 +87,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 SslClientAuth clientAuth;
 List tlsCiphersOverride = List.of();
 boolean proxyProtocolEnabled;
- boolean proxyProtocolMixedMode;
 Duration endpointConnectionTtl;
 EndpointCertificateSecrets endpointCertificate;
 String tlsCaCertificatesPem;
@@ -101,7 +98,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 public Builder clientAuth(SslClientAuth auth) { clientAuth = auth; return this; }
 public Builder endpointConnectionTtl(Duration ttl) { endpointConnectionTtl = ttl; return this; }
 public Builder tlsCiphersOverride(Collection ciphers) { tlsCiphersOverride = List.copyOf(ciphers); return this; }
- public Builder proxyProtocol(boolean enabled, boolean mixedMode) { proxyProtocolEnabled = enabled; proxyProtocolMixedMode = mixedMode; return this; }
+ public Builder proxyProtocol(boolean enabled) { proxyProtocolEnabled = enabled; return this; }
 public Builder endpointCertificate(EndpointCertificateSecrets cert) { this.endpointCertificate = cert; return this; }
 public Builder tlsCaCertificatesPath(String path) { this.tlsCaCertificatesPath = path; return this; }
 public Builder tlsCaCertificatesPem(String pem) { this.tlsCaCertificatesPem = pem; return this; }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index c71dbb158b0..eac03531b86 100644
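Review bot: `Builder.proxyProtocol(boolean enabled)` in the `@@ -101` hunk of HostedSslConnectorFactory.java is the only PROXY-protocol switch this builder has left after the mixed-mode field is removed, and nothing at the setter says what enabling it commits the listener to. A connector that honours PROXY headers takes the client address from whatever peer connects, so the flag is only safe when every connection reaches the port through the trusted load balancer. I would state that precondition in a Javadoc line on the setter, e.g. `/** Enables PROXY protocol; set only when all traffic to this port comes through a load balancer that sends the header. */`. The same comment can note that the field stays false when the method is never called (`boolean proxyProtocolEnabled;` in the `@@ -89` hunk).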
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -598,7 +598,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder {
 // If the deployment contains certificate/private key reference, setup TLS port
 var builder = HostedSslConnectorFactory.builder(serverName, getMtlsDataplanePort(state))
- .proxyProtocol(true, state.getProperties().featureFlags().enableProxyProtocolMixedMode())
+ .proxyProtocol(state.zone().cloud().useProxyProtocol())
 .tlsCiphersOverride(state.getProperties().tlsCiphersOverride())
 .endpointConnectionTtl(state.getProperties().endpointConnectionTtl());
 var endpointCert = state.endpointCertificateSecrets().orElse(null);
@@ -657,7 +657,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder {
 // Setup dedicated connector
 var connector = HostedSslConnectorFactory.builder(server.getComponentId().getName()+"-token", tokenPort)
 .tokenEndpoint(true)
- .proxyProtocol(false, false)
+ .proxyProtocol(false)
 .endpointCertificate(endpointCert)
 .remoteAddressHeader("X-Forwarded-For")
 .remotePortHeader("X-Forwarded-Port")
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java b/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
index 5ef42d12dc1..73c6010f514 100644
--- a/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
+++ b/config-provisioning/src/main/java/com/yahoo/config/provision/Zone.java
@@ -54,11 +54,6 @@ public class Zone { this.region = region; } - // TODO(mpolden): For compatibility with older config models. Remove when versions < 8.76 are gone - public Cloud getCloud() { - return cloud(); - } - /** Returns the current cloud */ public Cloud cloud() { return cloud; }
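Review bot: In the `@@ -598` hunk of ContainerModelBuilder.java the mTLS data-plane connector now takes its PROXY-protocol setting from `state.zone().cloud().useProxyProtocol()` alone, and with the mixed-mode flag gone there is no fallback if that value and the load balancer's actual behaviour disagree. When the value is false, the visible builder chain sets no remote-address header, whereas the token connector in the `@@ -657` hunk sets `X-Forwarded-For` and `X-Forwarded-Port`. Unless one is set outside the hunk, access logs and any address-based checks on this port would presumably record the load balancer's address instead of the client's. I would record the assumption next to the call, e.g. `// must match the zone's load balancer exactly (no mixed mode); when off, the peer address is the LB's unless it preserves the client IP`. The enclosing method starts and ends outside the hunk.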
@@ -102,5 +97,10 @@ public class Zone {
 return Objects.hash(environment, region);
 }
+ // TODO(mpolden): For compatibility with older config models. Remove when versions < 8.327 are gone
+ @Deprecated(forRemoval = true)
+ public Cloud getCloud() {
+ return cloud();
+ }
 }
diff --git a/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def b/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def
index 95b93617b6f..2906f75a1f5 100644
--- a/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def
+++ b/container-core/src/main/resources/configdefinitions/jdisc.http.jdisc.http.connector.def
@@ -123,6 +123,8 @@ healthCheckProxy.cacheExpiry double default=1.0 proxyProtocol.enabled bool default=false # Allow https in parallel with proxy protocol +# TODO Vespa 9 Remove +# Unused since 8.327 proxyProtocol.mixedMode bool default=false # Maximum number of request per connection before server marks connections as non-persistent. Set to '0' to disable. -- cgit v1.2.3
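Review bot: The re-added `getCloud()` in the `@@ -102` hunk of Zone.java is marked `@Deprecated(forRemoval = true)` but has no Javadoc `@deprecated` tag naming its replacement, so callers get a removal warning without being pointed at `cloud()`. I would add `/** @deprecated use {@link #cloud()} */` above the annotation and keep the TODO's version condition beside it.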