Example 1 with ServerSslConfig

use of com.netflix.netty.common.ssl.ServerSslConfig in project zuul by Netflix.

From the class SampleServerStartup, method chooseAddrsAndChannels (the class header and the fields it references — SERVER_TYPE, WWW_PROTOCOLS, registry, pushConnectionRegistry, pushSenderInitializer — are not shown in this excerpt):

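/**
 * Picks the listen address(es) for this sample server and the channel initializer that serves each
 * one, keyed off the static SERVER_TYPE. Every mode listens on the "main" address
 * ("zuul.server.addr.main"); the two push modes (WEBSOCKET, SSE) additionally open the backend-facing
 * push address ("zuul.server.addr.http.push").
 *
 * @param clientChannels channel group handed to every initializer (presumably to track accepted
 *                       client connections; not used directly here)
 * @return an unmodifiable map from named listen address to its initializer
 * @throws IllegalStateException if SERVER_TYPE is a value this switch does not handle, instead of
 *                               silently returning a map with no listeners
 */
@Override
protected Map<NamedSocketAddress, ChannelInitializer<?>> chooseAddrsAndChannels(ChannelGroup clientChannels) {
    Map<NamedSocketAddress, ChannelInitializer<?>> addrsToChannels = new HashMap<>();
    SocketAddress sockAddr;
    String metricId;
    {
        // The port-only property is the deprecated knob; it only supplies the default ("=<port>")
        // for the address property, which can also name a non-inet (UDS / LocalChannel) address.
        @Deprecated int port = new DynamicIntProperty("zuul.server.port.main", 7001).get();
        sockAddr = new SocketAddressProperty("zuul.server.addr.main", "=" + port).getValue();
        if (sockAddr instanceof InetSocketAddress) {
            metricId = String.valueOf(((InetSocketAddress) sockAddr).getPort());
        } else {
            // Just pick something.   This would likely be a UDS addr or a LocalChannel addr.
            metricId = sockAddr.toString();
        }
    }
    SocketAddress pushSockAddr;
    {
        int pushPort = new DynamicIntProperty("zuul.server.port.http.push", 7008).get();
        pushSockAddr = new SocketAddressProperty("zuul.server.addr.http.push", "=" + pushPort).getValue();
    }
    String mainListenAddressName = "main";
    ServerSslConfig sslConfig;
    ChannelConfig channelConfig = defaultChannelConfig(mainListenAddressName);
    ChannelConfig channelDependencies = defaultChannelDependencies(mainListenAddressName);
    /* These settings may need to be tweaked depending if you're running behind an ELB HTTP listener, TCP listener,
         * or directly on the internet.
         */
    switch(SERVER_TYPE) {
        /* The below settings can be used when running behind an ELB HTTP listener that terminates SSL for you
             * and passes XFF headers.
             */
        case HTTP:
            // ALWAYS means proxy headers (X-Forwarded-* and friends) are never stripped, i.e. whatever the
            // peer sends is trusted. That is only sound when the peer is an ELB that rewrites them; exposed
            // directly to clients it presumably lets them spoof their source address. Use NEVER in that case.
            channelConfig.set(CommonChannelConfigKeys.allowProxyHeadersWhen, StripUntrustedProxyHeadersHandler.AllowWhen.ALWAYS);
            channelConfig.set(CommonChannelConfigKeys.preferProxyProtocolForClientIp, false);
            channelConfig.set(CommonChannelConfigKeys.isSSlFromIntermediary, false);
            channelConfig.set(CommonChannelConfigKeys.withProxyProtocol, false);
            addrsToChannels.put(new NamedSocketAddress("http", sockAddr), new ZuulServerChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr);
            break;
        /* The below settings can be used when running behind an ELB TCP listener with proxy protocol, terminating
             * SSL in Zuul.
             */
        case HTTP2:
            // Server-side TLS only (no client auth); cert/key are sample resources, replace for real deployments.
            sslConfig = ServerSslConfig.withDefaultCiphers(loadFromResources("server.cert"), loadFromResources("server.key"), WWW_PROTOCOLS);
            channelConfig.set(CommonChannelConfigKeys.allowProxyHeadersWhen, StripUntrustedProxyHeadersHandler.AllowWhen.NEVER);
            channelConfig.set(CommonChannelConfigKeys.preferProxyProtocolForClientIp, true);
            channelConfig.set(CommonChannelConfigKeys.isSSlFromIntermediary, false);
            // NOTE(review): unlike the other proxy-protocol modes this case never sets withProxyProtocol, so
            // it inherits whatever defaultChannelConfig() chose; confirm that default matches the ELB setup.
            channelConfig.set(CommonChannelConfigKeys.serverSslConfig, sslConfig);
            channelConfig.set(CommonChannelConfigKeys.sslContextFactory, new BaseSslContextFactory(registry, sslConfig));
            addHttp2DefaultConfig(channelConfig, mainListenAddressName);
            addrsToChannels.put(new NamedSocketAddress("http2", sockAddr), new Http2SslChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr, sslConfig);
            break;
        /* The below settings can be used when running behind an ELB TCP listener with proxy protocol, terminating
             * SSL in Zuul.
             *
             * Can be tested using certs in resources directory (-k skips server-cert verification, which is only
             * acceptable against the sample self-signed server cert):
             *  curl https://localhost:7001/test -vk --cert src/main/resources/ssl/client.cert:zuul123 --key src/main/resources/ssl/client.key
             */
        case HTTP_MUTUAL_TLS:
            // ClientAuth.REQUIRE: the handshake fails unless the client presents a cert chaining to the
            // truststore; the truststore password is read from the "truststore.key" resource. The meaning of
            // the trailing boolean is not visible here - check ServerSslConfig before changing it.
            sslConfig = new ServerSslConfig(WWW_PROTOCOLS, ServerSslConfig.getDefaultCiphers(), loadFromResources("server.cert"), loadFromResources("server.key"), ClientAuth.REQUIRE, loadFromResources("truststore.jks"), loadFromResources("truststore.key"), false);
            configureForProxyProtocolListener(channelConfig);
            channelConfig.set(CommonChannelConfigKeys.serverSslConfig, sslConfig);
            channelConfig.set(CommonChannelConfigKeys.sslContextFactory, new BaseSslContextFactory(registry, sslConfig));
            addrsToChannels.put(new NamedSocketAddress("http_mtls", sockAddr), new Http1MutualSslChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr, sslConfig);
            break;
        /* Settings to be used when running behind an ELB TCP listener with proxy protocol as a Push notification
             * server using WebSockets */
        case WEBSOCKET:
            configureForProxyProtocolListener(channelConfig);
            channelDependencies.set(ZuulDependencyKeys.pushConnectionRegistry, pushConnectionRegistry);
            addrsToChannels.put(new NamedSocketAddress("websocket", sockAddr), new SampleWebSocketPushChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr);
            registerPushSenderAddr(addrsToChannels, pushSockAddr);
            break;
        /* Settings to be used when running behind an ELB TCP listener with proxy protocol as a Push notification
             * server using Server Sent Events (SSE) */
        case SSE:
            configureForProxyProtocolListener(channelConfig);
            channelDependencies.set(ZuulDependencyKeys.pushConnectionRegistry, pushConnectionRegistry);
            addrsToChannels.put(new NamedSocketAddress("sse", sockAddr), new SampleSSEPushChannelInitializer(metricId, channelConfig, channelDependencies, clientChannels));
            logAddrConfigured(sockAddr);
            registerPushSenderAddr(addrsToChannels, pushSockAddr);
            break;
        default:
            // Fail fast: falling out of the switch would hand back an empty map and start a server that
            // listens on nothing, which is much harder to diagnose than an exception at startup.
            throw new IllegalStateException("Unhandled SERVER_TYPE: " + SERVER_TYPE);
    }
    return Collections.unmodifiableMap(addrsToChannels);
}

/**
 * Settings shared by every listener that sits behind an ELB TCP listener speaking proxy protocol:
 * the client IP is taken from the proxy-protocol header and client-supplied proxy headers are never
 * trusted. Does not touch TLS or HTTP/2 settings; callers add those separately.
 */
private static void configureForProxyProtocolListener(ChannelConfig channelConfig) {
    channelConfig.set(CommonChannelConfigKeys.allowProxyHeadersWhen, StripUntrustedProxyHeadersHandler.AllowWhen.NEVER);
    channelConfig.set(CommonChannelConfigKeys.preferProxyProtocolForClientIp, true);
    channelConfig.set(CommonChannelConfigKeys.isSSlFromIntermediary, false);
    channelConfig.set(CommonChannelConfigKeys.withProxyProtocol, true);
}

/**
 * Registers the address that accepts push messages from the backend. Nothing here restricts who may
 * connect, so this address must only be reachable on the internal network.
 */
private void registerPushSenderAddr(Map<NamedSocketAddress, ChannelInitializer<?>> addrsToChannels, SocketAddress pushSockAddr) {
    addrsToChannels.put(new NamedSocketAddress("http.push", pushSockAddr), pushSenderInitializer);
    logAddrConfigured(pushSockAddr);
}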