From d7fa2988c4fc34998e4e974dae3e3b9678023a80 Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Wed, 22 Jul 2020 14:21:06 +0200 Subject: Revert "Temporarily disable proxy-protocol for port 4443 in jdisc" This reverts commit a9e5c8b38d4b37862e38a43239720ccdf56470d2. --- .../container/http/ssl/HostedSslConnectorFactory.java | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java') diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java index 2fd88e112da..bcc2c9a3d6a 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java @@ -20,7 +20,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory { private static final List INSECURE_WHITELISTED_PATHS = List.of("/status.html"); private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem"; - private final boolean enableProxyProtocol; private final boolean enforceClientAuth; /** @@ -28,29 +27,28 @@ public class HostedSslConnectorFactory extends ConnectorFactory { */ // TODO Enforce client authentication public static HostedSslConnectorFactory withProvidedCertificate( - String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enableProxyProtocol) { - return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false, enableProxyProtocol); + String serverName, EndpointCertificateSecrets endpointCertificateSecrets) { + return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false); } /** * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application. */ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore( - String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, boolean enableProxyProtocol) { - return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true, enableProxyProtocol); + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) { + return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true); } /** * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration). */ - public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, boolean enableProxyProtocol) { - return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, enableProxyProtocol); + public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) { + return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true); } - private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth, boolean enableProxyProtocol) { + private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) { super("tls4443", 4443, sslProviderComponent); this.enforceClientAuth = enforceClientAuth; - this.enableProxyProtocol = enableProxyProtocol; } private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider( @@ -71,7 +69,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory { .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder() .pathWhitelist(INSECURE_WHITELISTED_PATHS) .enable(enforceClientAuth)) - .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(enableProxyProtocol).mixedMode(true)) + .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true)) .idleTimeout(Duration.ofMinutes(3).toSeconds()) .maxConnectionLife(Duration.ofMinutes(10).toSeconds()); } -- cgit v1.2.3