From 67fac3f7248f432a9f58a83e3dc6a7343f8ec15e Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Thu, 30 Sep 2021 11:18:42 +0200 Subject: Reduce max connection life to 45 seconds Add feature flag for increasing the value for any application as an emergency precaution. --- .../http/ssl/HostedSslConnectorFactory.java | 20 ++++++++++++-------- .../model/container/xml/ContainerModelBuilder.java | 8 +++++--- 2 files changed, 17 insertions(+), 11 deletions(-) (limited to 'config-model') diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java index b25463b8547..aab417db1e2 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java @@ -25,16 +25,17 @@ public class HostedSslConnectorFactory extends ConnectorFactory { private final boolean enforceClientAuth; private final boolean enforceHandshakeClientAuth; private final Collection tlsCiphersOverride; + private final Duration maxConnectionLife; /** * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore. */ public static HostedSslConnectorFactory withProvidedCertificate( String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth, - Collection tlsCiphersOverride) { + Collection tlsCiphersOverride, Duration maxConnectionLife) { ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider( serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth); - return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride); + return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride, maxConnectionLife); } /** @@ -42,25 +43,28 @@ public class HostedSslConnectorFactory extends ConnectorFactory { */ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore( String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, - Collection tlsCiphersOverride) { + Collection tlsCiphersOverride, Duration maxConnectionLife) { ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider( serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false); - return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride); + return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, maxConnectionLife); } /** * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration). */ - public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection tlsCiphersOverride) { - return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride); + public static HostedSslConnectorFactory withDefaultCertificateAndTruststore( + String serverName, Collection tlsCiphersOverride, Duration maxConnectionLife) { + return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride, maxConnectionLife); } private HostedSslConnectorFactory(SslProvider sslProvider, boolean enforceClientAuth, - boolean enforceHandshakeClientAuth, Collection tlsCiphersOverride) { + boolean enforceHandshakeClientAuth, Collection tlsCiphersOverride, + Duration maxConnectionLife) { super(new Builder("tls4443", 4443).sslProvider(sslProvider)); this.enforceClientAuth = enforceClientAuth; this.enforceHandshakeClientAuth = enforceHandshakeClientAuth; this.tlsCiphersOverride = tlsCiphersOverride; + this.maxConnectionLife = maxConnectionLife; } private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider( @@ -96,6 +100,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory { connectorBuilder .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true)) .idleTimeout(Duration.ofSeconds(30).toSeconds()) - .maxConnectionLife(Duration.ofMinutes(10).toSeconds()); + .maxConnectionLife(maxConnectionLife.toSeconds()); } } diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java index c318180fd56..87d79728fae 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java @@ -91,6 +91,7 @@ import org.w3c.dom.Node; import java.net.URI; import java.security.cert.X509Certificate; +import java.time.Duration; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -435,6 +436,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder { // If the deployment contains certificate/private key reference, setup TLS port HostedSslConnectorFactory connectorFactory; Collection tlsCiphersOverride = deployState.getProperties().tlsCiphersOverride(); + Duration maxConnectionLife = Duration.ofSeconds(deployState.featureFlags().maxConnectionLifeInHosted()); if (deployState.endpointCertificateSecrets().isPresent()) { boolean authorizeClient = deployState.zone().system().isPublic(); if (authorizeClient && deployState.tlsClientAuthority().isEmpty()) { @@ -449,11 +451,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder { connectorFactory = authorizeClient ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore( - serverName, endpointCertificateSecrets, getTlsClientAuthorities(deployState), tlsCiphersOverride) + serverName, endpointCertificateSecrets, getTlsClientAuthorities(deployState), tlsCiphersOverride, maxConnectionLife) : HostedSslConnectorFactory.withProvidedCertificate( - serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride); + serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride, maxConnectionLife); } else { - connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName, tlsCiphersOverride); + connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName, tlsCiphersOverride, maxConnectionLife); } cluster.getHttp().getAccessControl().ifPresent(accessControl -> accessControl.configureHostedConnector(connectorFactory)); server.addConnector(connectorFactory); -- cgit v1.2.3