diff --git a/deps.edn b/deps.edn
index 545acc8fa..69a37642b 100644
--- a/deps.edn
+++ b/deps.edn
@@ -27,15 +27,13 @@
 com.zaxxer/HikariCP {:mvn/version "5.0.0" :exclusions [org.slf4j/slf4j-api]}
 ;; Pedestal and Jetty webserver deps
- io.pedestal/pedestal.jetty {:mvn/version "0.6.3"}
- org.eclipse.jetty/jetty-server {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty/jetty-servlet {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty/jetty-alpn-server {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty.http2/http2-server {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty.websocket/websocket-api {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty.websocket/websocket-servlet {:mvn/version "9.4.56.v20240826"}
- org.eclipse.jetty.websocket/websocket-server {:mvn/version "9.4.56.v20240826"}
+ io.pedestal/pedestal.error {:mvn/version "0.7.1"}
+ io.pedestal/pedestal.jetty {:mvn/version "0.7.1"}
+ org.eclipse.jetty/jetty-server {:mvn/version "11.0.20"}
+ org.eclipse.jetty/jetty-servlet {:mvn/version "11.0.20"}
+ org.eclipse.jetty/jetty-alpn-server {:mvn/version "11.0.20"}
+ org.eclipse.jetty.http2/http2-server {:mvn/version "11.0.20"}
+ org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "11.0.20"}
 ;; Security deps
 buddy/buddy-core {:mvn/version "1.11.418" :exclusions [org.bouncycastle/bcprov-jdk18on
diff --git a/doc/env_vars.md b/doc/env_vars.md
index 9973c859c..fb4650fc9 100644
--- a/doc/env_vars.md
+++ b/doc/env_vars.md
@@ -118,11 +118,12 @@ _NOTE:_ `LRSQL_STMT_RETRY_LIMIT` and `LRSQL_STMT_RETRY_BUDGET` are used to mitig
 | Env Var | Config | Description | Default |
 | --------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- |
-| `LRSQL_ENABLE_HTTP` | `enableHttp` | Whether HTTP is enabled or not (as opposed to HTTPS, which is always enabled). | `true` |
-| `LRSQL_ENABLE_HTTP2` | `enableHttp2` | Whether HTTP/2 is supported or not. | `true` |
-| `LRSQL_HTTP_HOST` | `httpHost` | The host that the webserver will run on. | `0.0.0.0` |
-| `LRSQL_HTTP_PORT` | `httpPort` | The HTTP port that the webserver will be open on. | `8080` |
-| `LRSQL_SSL_PORT` | `sslPort` | The HTTPS port that the webserver will be open on. | `8443` |
+| `LRSQL_ENABLE_HTTP` | `enableHttp` | Whether HTTP is enabled or not (as opposed to HTTPS, which is always enabled). | `true` |
+| `LRSQL_ENABLE_HTTP2` | `enableHttp2` | Whether HTTP/2 is supported or not. | `true` |
+| `LRSQL_CHECK_SNI` | `enableSni` | Whether to enable [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). | `false` |
+| `LRSQL_HTTP_HOST` | `httpHost` | The host that the webserver will run on. | `0.0.0.0` |
+| `LRSQL_HTTP_PORT` | `httpPort` | The HTTP port that the webserver will be open on. | `8080` |
+| `LRSQL_SSL_PORT` | `sslPort` | The HTTPS port that the webserver will be open on. | `8443` |
 | `LRSQL_URL_PREFIX` | `urlPrefix` | The prefix of the webserver URL path, e.g. the prefix in `http://0.0.0.0:8080/xapi` is `/xapi`. Used when constructing the `more` value for multi-statement queries. 
*(Note: Only applies to LRS xapi endpoints, not admin/ui endpoints)* | `/xapi` |
 | `LRSQL_PROXY_PATH` | `proxyPath` | This path modification is exclusively for use with a proxy, such as apache or nginx or a load balancer, where a path is added to prefix the entire application (such as `https://www.mysystem.com/mylrs/xapi/statements`). This does not actually change the routes of the application, it informs the admin frontend where to look for the server endpoints based on the proxied setup, and thus must be used in conjunction with a third party proxy. If used, the value must start with a leading `/` but not end with one (e.g. `/mylrs` is valid, as is `/mylrs/b` but `/mylrs/` is not). Use with caution. | Not Set |
diff --git a/resources/lrsql/config/prod/default/webserver.edn b/resources/lrsql/config/prod/default/webserver.edn
index 6b6e4eb7f..b5775c658 100644
--- a/resources/lrsql/config/prod/default/webserver.edn
+++ b/resources/lrsql/config/prod/default/webserver.edn
@@ -22,6 +22,7 @@
 :sec-head-content #or [#env LRSQL_SEC_HEAD_CONTENT nil]
 :enable-http #boolean #or [#env LRSQL_ENABLE_HTTP true]
 :enable-http2 #boolean #or [#env LRSQL_ENABLE_HTTP2 true]
+ :enable-sni #boolean #or [#env LRSQL_CHECK_SNI false]
 :http-host #or [#env LRSQL_HTTP_HOST "0.0.0.0"]
 :http-port #long #or [#env LRSQL_HTTP_PORT 8080]
 :allow-all-origins #boolean #or [#env LRSQL_ALLOW_ALL_ORIGINS false]
diff --git a/resources/lrsql/config/test/default/webserver.edn b/resources/lrsql/config/test/default/webserver.edn
index 8f8badccd..e83f1d88a 100644
--- a/resources/lrsql/config/test/default/webserver.edn
+++ b/resources/lrsql/config/test/default/webserver.edn
@@ -13,6 +13,7 @@
 :jwt-common-secret nil
 :enable-http true
 :enable-http2 true
+ :enable-sni false
 :ssl-port 8443
 :http-host "0.0.0.0"
 :http-port 8080
diff --git a/src/main/lrsql/system/webserver.clj b/src/main/lrsql/system/webserver.clj
index 6996acd97..50c8af1aa 100644
--- a/src/main/lrsql/system/webserver.clj
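Review bot: The added `:enable-sni` line defaults `LRSQL_CHECK_SNI` to `false`, and because `webserver.clj` in this same commit maps it to `:insecure-ssl? (not enable-sni)`, a production deployment that sets nothing ends up with the option named insecure switched on. If `:insecure-ssl?` does what its name suggests in pedestal.jetty 0.7 (relaxing Jetty's SNI host check, as I recall), the strict setting is the safer default and `false` should be an explicit opt-out: `:enable-sni #boolean #or [#env LRSQL_CHECK_SNI true]`. If the relaxed default is deliberate for the Jetty 11 upgrade (for example to keep deployments reached by IP address or with a certificate that does not match the host working), that reasoning belongs in a comment on this line and in `doc/env_vars.md`, which currently describes the flag only as "Whether to enable SNI" and does not mention that it also controls the insecure option. The test config in `resources/lrsql/config/test/default/webserver.edn` hard-codes the same `false` and should follow whatever is decided here.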
+++ b/src/main/lrsql/system/webserver.clj
@@ -20,6 +20,7 @@
 (let [;; Destructure webserver config
 {:keys [enable-http
 enable-http2
+ enable-sni
 http-host
 http-port
 ssl-port
@@ -141,12 +142,13 @@
 (or allow-all-origins (some #(= origin %) allowed-list)))}
 ::http/container-options
- {:h2c? (and enable-http enable-http2)
- :h2? enable-http2
- :ssl? true
- :ssl-port ssl-port
- :keystore keystore
- :key-password key-password}}))
+ {:h2c? (and enable-http enable-http2)
+ :h2? enable-http2
+ :ssl? true
+ :insecure-ssl? (not enable-sni)
+ :ssl-port ssl-port
+ :keystore keystore
+ :key-password key-password}}))
 (defrecord Webserver [service server
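Review bot: The new `enable-sni` binding in the destructuring is consumed further down as `:insecure-ssl? (not enable-sni)`, so the flag's polarity flips between the config key and the Pedestal option, and nothing at the binding site says so; a reader now has three names for one switch (`LRSQL_CHECK_SNI`, `enableSni`/`:enable-sni`, `:insecure-ssl?`). A one-line comment on the binding would close that gap, e.g. `enable-sni ; false => :insecure-ssl? true, i.e. Jetty's SNI host check is relaxed`. Note also that a hand-maintained `webserver.edn` predating this key yields `enable-sni` = `nil`, and `(not nil)` is `true`, so the missing-key case silently lands on the insecure path; making that explicit with `:or {enable-sni false}` in the destructuring (same behaviour, visible choice) or with a comment would help. The enclosing `let` and its function begin before this hunk and continue past it.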