Use of com.netflix.netty.common.ssl.ServerSslConfig in project zuul by Netflix:
the class SampleServerStartup, method chooseAddrsAndChannels.
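/**
 * Chooses the listen addresses for this server and the channel initializer to attach to each,
 * keyed by {@code SERVER_TYPE}.
 *
 * <p>The main listen address is read from {@code zuul.server.addr.main} (defaulting to the
 * {@code zuul.server.port.main} port, 7001); the push-sender address from
 * {@code zuul.server.addr.http.push} (defaulting to the {@code zuul.server.port.http.push} port,
 * 7008). A single {@code channelConfig}/{@code channelDependencies} pair is created for the main
 * listener and shared by every initializer registered for the chosen type.
 *
 * @param clientChannels passed through to every channel initializer created here
 * @return an unmodifiable map from named listen address to its channel initializer
 * @throws IllegalStateException if {@code SERVER_TYPE} is not one of the handled values, so a
 *     misconfigured deployment fails at startup instead of coming up with no listeners at all
 */
@Override
protected Map<NamedSocketAddress, ChannelInitializer<?>> chooseAddrsAndChannels(ChannelGroup clientChannels) {
    Map<NamedSocketAddress, ChannelInitializer<?>> addrsToChannels = new HashMap<>();

    SocketAddress sockAddr;
    String metricId;
    {
        // The port-only property is kept for backwards compatibility; the address property wins.
        @Deprecated int port = new DynamicIntProperty("zuul.server.port.main", 7001).get();
        sockAddr = new SocketAddressProperty("zuul.server.addr.main", "=" + port).getValue();
        if (sockAddr instanceof InetSocketAddress) {
            metricId = String.valueOf(((InetSocketAddress) sockAddr).getPort());
        } else {
            // Just pick something. This would likely be a UDS addr or a LocalChannel addr.
            metricId = sockAddr.toString();
        }
    }

    SocketAddress pushSockAddr;
    {
        int pushPort = new DynamicIntProperty("zuul.server.port.http.push", 7008).get();
        pushSockAddr = new SocketAddressProperty("zuul.server.addr.http.push", "=" + pushPort).getValue();
    }

    String mainListenAddressName = "main";
    ServerSslConfig sslConfig;
    ChannelConfig channelConfig = defaultChannelConfig(mainListenAddressName);
    ChannelConfig channelDependencies = defaultChannelDependencies(mainListenAddressName);

    /* These settings may need to be tweaked depending if you're running behind an ELB HTTP listener, TCP listener,
     * or directly on the internet.
     */
    switch (SERVER_TYPE) {
        /* The below settings can be used when running behind an ELB HTTP listener that terminates SSL for you
         * and passes XFF headers.
         *
         * Proxy headers are accepted unconditionally (ALWAYS) here, so this mode is only appropriate when the
         * listener is reachable exclusively through that trusted ELB; anything that can reach it directly could
         * supply its own XFF/X-Forwarded-* values.
         */
        case HTTP:
            channelConfig.set(CommonChannelConfigKeys.allowProxyHeadersWhen, StripUntrustedProxyHeadersHandler.AllowWhen.ALWAYS);
            channelConfig.set(CommonChannelConfigKeys.preferProxyProtocolForClientIp, false);
            channelConfig.set(CommonChannelConfigKeys.isSSlFromIntermediary, false);
            channelConfig.set(CommonChannelConfigKeys.withProxyProtocol, false);
            addrsToChannels.put(new NamedSocketAddress("http", sockAddr), new ZuulServerChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr);
            break;

        /* The below settings can be used when running behind an ELB TCP listener with proxy protocol, terminating
         * SSL in Zuul.
         */
        case HTTP2:
            sslConfig = ServerSslConfig.withDefaultCiphers(loadFromResources("server.cert"), loadFromResources("server.key"), WWW_PROTOCOLS);
            applyTrustedProxyProtocolDefaults(channelConfig);
            // NOTE(review): unlike the other proxy-protocol cases, withProxyProtocol is not set here; confirm the
            // default matches the "ELB TCP listener with proxy protocol" deployment described above.
            channelConfig.set(CommonChannelConfigKeys.serverSslConfig, sslConfig);
            channelConfig.set(CommonChannelConfigKeys.sslContextFactory, new BaseSslContextFactory(registry, sslConfig));
            addHttp2DefaultConfig(channelConfig, mainListenAddressName);
            addrsToChannels.put(new NamedSocketAddress("http2", sockAddr), new Http2SslChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr, sslConfig);
            break;

        /* The below settings can be used when running behind an ELB TCP listener with proxy protocol, terminating
         * SSL in Zuul.
         *
         * Can be tested using certs in resources directory:
         * curl https://localhost:7001/test -vk --cert src/main/resources/ssl/client.cert:zuul123 --key src/main/resources/ssl/client.key
         */
        case HTTP_MUTUAL_TLS:
            // ClientAuth.REQUIRE: a client certificate is mandatory and is checked against the truststore bundled
            // in resources. That bundled material is sample data; a real deployment supplies its own.
            sslConfig = new ServerSslConfig(WWW_PROTOCOLS, ServerSslConfig.getDefaultCiphers(), loadFromResources("server.cert"), loadFromResources("server.key"), ClientAuth.REQUIRE, loadFromResources("truststore.jks"), loadFromResources("truststore.key"), false);
            applyTrustedProxyProtocolDefaults(channelConfig);
            channelConfig.set(CommonChannelConfigKeys.withProxyProtocol, true);
            channelConfig.set(CommonChannelConfigKeys.serverSslConfig, sslConfig);
            channelConfig.set(CommonChannelConfigKeys.sslContextFactory, new BaseSslContextFactory(registry, sslConfig));
            addrsToChannels.put(new NamedSocketAddress("http_mtls", sockAddr), new Http1MutualSslChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr, sslConfig);
            break;

        /* Settings to be used when running behind an ELB TCP listener with proxy protocol as a Push notification
         * server using WebSockets */
        case WEBSOCKET:
            applyTrustedProxyProtocolDefaults(channelConfig);
            channelConfig.set(CommonChannelConfigKeys.withProxyProtocol, true);
            channelDependencies.set(ZuulDependencyKeys.pushConnectionRegistry, pushConnectionRegistry);
            addrsToChannels.put(new NamedSocketAddress("websocket", sockAddr), new SampleWebSocketPushChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr);
            registerPushSenderListener(addrsToChannels, pushSockAddr);
            break;

        /* Settings to be used when running behind an ELB TCP listener with proxy protocol as a Push notification
         * server using Server Sent Events (SSE) */
        case SSE:
            applyTrustedProxyProtocolDefaults(channelConfig);
            channelConfig.set(CommonChannelConfigKeys.withProxyProtocol, true);
            channelDependencies.set(ZuulDependencyKeys.pushConnectionRegistry, pushConnectionRegistry);
            addrsToChannels.put(new NamedSocketAddress("sse", sockAddr), new SampleSSEPushChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr);
            registerPushSenderListener(addrsToChannels, pushSockAddr);
            break;

        default:
            // Fail fast: silently returning an empty map would start a server that listens on nothing.
            throw new IllegalStateException("Unsupported SERVER_TYPE: " + SERVER_TYPE);
    }

    return Collections.unmodifiableMap(addrsToChannels);
}

/**
 * Applies the settings shared by every mode that sits behind a proxy-protocol ELB TCP listener: client-sent
 * proxy headers are never trusted, the client IP is taken from proxy protocol, and SSL is not terminated by an
 * intermediary. Callers still set {@code withProxyProtocol} themselves.
 */
private static void applyTrustedProxyProtocolDefaults(ChannelConfig channelConfig) {
    channelConfig.set(CommonChannelConfigKeys.allowProxyHeadersWhen, StripUntrustedProxyHeadersHandler.AllowWhen.NEVER);
    channelConfig.set(CommonChannelConfigKeys.preferProxyProtocolForClientIp, true);
    channelConfig.set(CommonChannelConfigKeys.isSSlFromIntermediary, false);
}

/**
 * Registers the listener that accepts push messages from the backend on {@code pushSockAddr}. This port is meant
 * to be reachable from the internal network only; it carries no client authentication of its own.
 */
private void registerPushSenderListener(Map<NamedSocketAddress, ChannelInitializer<?>> addrsToChannels, SocketAddress pushSockAddr) {
    addrsToChannels.put(new NamedSocketAddress("http.push", pushSockAddr), pushSenderInitializer);
    logAddrConfigured(pushSockAddr);
}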