From d7fa2988c4fc34998e4e974dae3e3b9678023a80 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 22 Jul 2020 14:21:06 +0200
Subject: Revert "Temporarily disable proxy-protocol for port 4443 in jdisc"
This reverts commit a9e5c8b38d4b37862e38a43239720ccdf56470d2.
---
.../http/ssl/HostedSslConnectorFactory.java | 18 +++++------
.../model/container/xml/ContainerModelBuilder.java | 9 ++----
.../container/xml/ContainerModelBuilderTest.java | 35 ----------------------
3 files changed, 11 insertions(+), 51 deletions(-)
(limited to 'config-model')
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 2fd88e112da..bcc2c9a3d6a 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -20,7 +20,6 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 private static final List INSECURE_WHITELISTED_PATHS = List.of("/status.html"); private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem"; - private final boolean enableProxyProtocol; private final boolean enforceClientAuth; /**
@@ -28,29 +27,28 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 */ // TODO Enforce client authentication public static HostedSslConnectorFactory withProvidedCertificate( - String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enableProxyProtocol) { - return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false, enableProxyProtocol); + String serverName, EndpointCertificateSecrets endpointCertificateSecrets) { + return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null), false); } /** * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application. */ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore( - String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, boolean enableProxyProtocol) { - return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true, enableProxyProtocol); + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) { + return new HostedSslConnectorFactory(createConfiguredDirectSslProvider(serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates), true); } /** * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration).
*/ - public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, boolean enableProxyProtocol) { - return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, enableProxyProtocol); + public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) { + return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true); } - private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth, boolean enableProxyProtocol) { + private HostedSslConnectorFactory(SimpleComponent sslProviderComponent, boolean enforceClientAuth) { super("tls4443", 4443, sslProviderComponent); this.enforceClientAuth = enforceClientAuth; - this.enableProxyProtocol = enableProxyProtocol; } private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
@@ -71,7 +69,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 .tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
 .pathWhitelist(INSECURE_WHITELISTED_PATHS)
 .enable(enforceClientAuth))
- .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(enableProxyProtocol).mixedMode(true))
+ .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
 .idleTimeout(Duration.ofMinutes(3).toSeconds())
 .maxConnectionLife(Duration.ofMinutes(10).toSeconds());
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 41e092c7ea5..9050d921b4b 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
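Review bot: The three public factories no longer take `enableProxyProtocol`, so nothing at the API surface states that every connector built here accepts PROXY protocol on port 4443; the Javadoc on each factory covers only certificate and truststore handling, and the private constructor has none. Suggest a Javadoc on the constructor such as `/** Builds the "tls4443" connector on port 4443; client-auth enforcement is chosen by the calling factory, PROXY protocol handling (mixed mode) is always on, see the .proxyProtocol(...) call in the config builder below. */`. The hunk ends at the signature of `createConfiguredDirectSslProvider(`, whose body lies outside it.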
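Review bot: `.enabled(true).mixedMode(true)` on the new line makes the 4443 connector accept a PROXY header from any peer that reaches the port, and for such a connection the client address the connector reports is taken from that header rather than from the socket, which is only sound while 4443 is reachable solely through the hosted load balancers that add the header; neither the code nor a comment records that dependency, and the commit message gives no reason the earlier disable is no longer needed. With the test removed in this commit, no test pins the proxy-protocol setting of the 4443 connector at all. Suggest `// PROXY protocol always on (mixed mode): correct only while 4443 is reachable exclusively via the load balancers that add the header` above the `.proxyProtocol(...)` line, plus a test asserting `connectorConfig.proxyProtocol().enabled()` for the 4443 connector next to the existing caCertificateFile assertions. The enclosing config-building method begins and ends outside this hunk.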
@@ -327,9 +327,6 @@ public class ContainerModelBuilder extends ConfigModelBuilder {
 JettyHttpServer server = cluster.getHttp().getHttpServer().get(); String serverName = server.getComponentId().getName(); - // Temporarily disable jdisc proxy-protocol in public systems - boolean enableProxyProtocol = !deployState.zone().system().isPublic(); - // If the deployment contains certificate/private key reference, setup TLS port if (deployState.endpointCertificateSecrets().isPresent()) { boolean authorizeClient = deployState.zone().system().isPublic();
@@ -338,11 +335,11 @@ public class ContainerModelBuilder extends ConfigModelBuilder {
 } EndpointCertificateSecrets endpointCertificateSecrets = deployState.endpointCertificateSecrets().get(); HostedSslConnectorFactory connectorFactory = authorizeClient - ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get(), enableProxyProtocol) - : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets, enableProxyProtocol); + ? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(serverName, endpointCertificateSecrets, deployState.tlsClientAuthority().get()) + : HostedSslConnectorFactory.withProvidedCertificate(serverName, endpointCertificateSecrets); server.addConnector(connectorFactory); } else { - server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName, enableProxyProtocol)); + server.addConnector(HostedSslConnectorFactory.withDefaultCertificateAndTruststore(serverName)); } }
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
index fdd7ae57f0f..2a1ea981e4f 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
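Review bot: `deployState.tlsClientAuthority().get()` on the new `?` line unwraps an Optional with no presence check visible in the hunk; the `}` that opens the hunk suggests a preceding block in the lines between the two hunks, which may be exactly that check, but if it is not, a public-system deployment with no client authority fails with a bare `NoSuchElementException` instead of an error naming the missing configuration. Prefer resolving it before the ternary, e.g. `String tlsClientAuthority = deployState.tlsClientAuthority().orElseThrow(() -> new IllegalArgumentException("Client authority is required in public systems"));` (example message), or make the existing check explicit in a comment next to the `.get()`. `authorizeClient` is computed in the first hunk from `deployState.zone().system().isPublic()`, and the enclosing method starts before it.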
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilderTest.java
@@ -832,41 +832,6 @@ public class ContainerModelBuilderTest extends ContainerModelBuilderTestBase {
 connectorConfig.ssl().caCertificateFile(), equalTo("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem")); assertThat(connectorConfig.ssl().caCertificate(), isEmptyString()); } - @Test - - public void jdisc_proxy_protocol_disabled_in_public_systems() { - Element clusterElem = DomBuilderTest.parse( - "", - nodesXml, - "" ); - - var applicationPackage = new MockApplicationPackage.Builder() - .withRoot(applicationFolder.getRoot()) - .build(); - - applicationPackage.getFile(Path.fromString("security")).createDirectory(); - applicationPackage.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader("I am a very nice certificate")); - - Zone zone = new Zone(SystemName.Public, Environment.prod, RegionName.defaultName()); - DeployState state = new DeployState.Builder() - .zone(zone) - .applicationPackage(applicationPackage) - .properties(new TestProperties() - .setHostedVespa(true) - .setZone(zone) - .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))) - .build(); - createModel(root, state, null, clusterElem); - ApplicationContainer container = (ApplicationContainer)root.getProducer("container/container.0"); - ConnectorFactory tlsPort = container.getHttp().getHttpServer().get().getConnectorFactories().stream() - .filter(connectorFactory -> connectorFactory.getListenPort() == 4443) - .findFirst() - .orElseThrow(); - ConnectorConfig.Builder builder = new ConnectorConfig.Builder(); - tlsPort.getConfig(builder); - ConnectorConfig connectorConfig = new ConnectorConfig(builder); - assertFalse(connectorConfig.proxyProtocol().enabled()); - } private Element generateContainerElementWithRenderer(String rendererId) {
-- cgit v1.2.3