From da36b72db3dd9c44b62a5236713bfc7c75b59a4c Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@verizonmedia.com>
Date: Thu, 15 Aug 2019 15:04:43 +0200
Subject: Only allow proxying https ports

---
 .../com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java
index 4d7688d09fc..4dfdbd55fab 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.java
@@ -66,7 +66,7 @@ class HealthCheckProxyHandler extends HandlerWrapper {
         SslContextFactory sslContextFactory =
                 Optional.ofNullable(targetConnector.getConnectionFactory(SslConnectionFactory.class))
                         .map(SslConnectionFactory::getSslContextFactory)
-                        .orElse(null);
+                        .orElseThrow(() -> new IllegalArgumentException("Health check proxy can only target https port"));
         return new ProxyTarget(targetPort, sslContextFactory);
     }
 
@@ -120,8 +120,7 @@ class HealthCheckProxyHandler extends HandlerWrapper {
         }
 
         CloseableHttpResponse requestStatusHtml() throws IOException {
-            String scheme = sslContextFactory != null ? "https" : "http";
-            HttpGet request = new HttpGet(scheme + "://localhost:" + port + HEALTH_CHECK_PATH);
+            HttpGet request = new HttpGet("https://localhost:" + port + HEALTH_CHECK_PATH);
             request.setHeader("Connection", "Close");
             return client().execute(request);
         }
@@ -134,7 +133,7 @@ class HealthCheckProxyHandler extends HandlerWrapper {
                         client = HttpClientBuilder.create()
                                 .disableAutomaticRetries()
                                 .setConnectionReuseStrategy(NoConnectionReuseStrategy.INSTANCE)
-                                .setSslcontext(sslContextFactory != null ? sslContextFactory.getSslContext() : null)
+                                .setSslcontext(sslContextFactory.getSslContext())
                                 .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                                 .setUserTokenHandler(context -> null) // https://stackoverflow.com/a/42112034/1615280
                                 .build();
-- 
cgit v1.2.3