diff --git a/docs/configuration/index.md b/docs/configuration/index.md index 3198f6529f49..55be9754b0d3 100644 --- a/docs/configuration/index.md +++ b/docs/configuration/index.md @@ -1505,6 +1505,7 @@ Druid uses Jetty to serve HTTP requests. |`druid.server.http.allowedHttpMethods`|List of HTTP methods that should be allowed in addition to the ones required by Druid APIs. Druid APIs require GET, PUT, POST, and DELETE, which are always allowed. This option is not useful unless you have installed an extension that needs these additional HTTP methods or that adds functionality related to CORS. None of Druid's bundled extensions require these methods.|`[]`| |`druid.server.http.contentSecurityPolicy`|Content-Security-Policy header value to set on each non-POST response. Setting this property to an empty string, or omitting it, both result in the default `frame-ancestors: none` being set.|`frame-ancestors 'none'`| |`druid.server.http.uriCompliance`|Jetty `UriCompliance` mode for Druid's embedded Jetty servers. To modify, override this config with the string representation of any `UriCompliance` mode that [Jetty supports](https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/http/UriCompliance.html).|LEGACY| +|`druid.server.http.enforceStrictSNIHostChecking`| If enabled, the Jetty server will enforce strict SNI host checking. This means that if a client connects to the server using TLS but does not provide an SNI hostname, or provides an SNI hostname that does not match the server's configured hostname, a request will get a 400 response. Setting this to false is not recommended in production.|true| #### Indexer processing resources diff --git a/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java b/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java index 45a2df48dfa0..a7206ca9cf7e 100644 --- a/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java +++ b/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java @@ -84,7 +84,8 @@ public ServerConfig( @NotNull ErrorResponseTransformStrategy errorResponseTransformStrategy, @Nullable String contentSecurityPolicy, boolean enableHSTS, - @Nullable UriCompliance uriCompliance + @Nullable UriCompliance uriCompliance, + boolean enforceStrictSNIHostChecking ) { this.numThreads = numThreads; @@ -109,6 +110,7 @@ public ServerConfig( this.contentSecurityPolicy = contentSecurityPolicy; this.enableHSTS = enableHSTS; this.uriCompliance = uriCompliance != null ? uriCompliance : UriCompliance.LEGACY; + this.enforceStrictSNIHostChecking = enforceStrictSNIHostChecking; } public ServerConfig() @@ -212,6 +214,9 @@ public ServerConfig(boolean enableQueryRequestsQueuing) @JsonProperty private boolean showDetailedJettyErrors = true; + @JsonProperty + private boolean enforceStrictSNIHostChecking = true; + public int getNumThreads() { return numThreads; @@ -328,6 +333,11 @@ public UriCompliance getUriCompliance() return uriCompliance; } + public boolean isEnforceStrictSNIHostChecking() + { + return enforceStrictSNIHostChecking; + } + @Override public boolean equals(Object o) { @@ -360,7 +370,8 @@ public boolean equals(Object o) Objects.equals(contentSecurityPolicy, that.getContentSecurityPolicy()) && enableHSTS == that.enableHSTS && enableQueryRequestsQueuing == that.enableQueryRequestsQueuing && - Objects.equals(uriCompliance, that.uriCompliance); + Objects.equals(uriCompliance, that.uriCompliance) && + enforceStrictSNIHostChecking == that.enforceStrictSNIHostChecking; } @Override @@ -389,7 +400,8 @@ public int hashCode() contentSecurityPolicy, enableHSTS, enableQueryRequestsQueuing, - uriCompliance + uriCompliance, + enforceStrictSNIHostChecking ); } @@ -420,6 +432,7 @@ public String toString() ", enableHSTS=" + enableHSTS + ", enableQueryRequestsQueuing=" + enableQueryRequestsQueuing + ", uriCompliance=" + uriCompliance + + ", enforceStrictSNIHostChecking=" + enforceStrictSNIHostChecking + '}'; } diff --git a/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java b/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java index 4782211da492..76fd422b32ad 100644 --- a/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java +++ b/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java @@ -167,7 +167,8 @@ public ServerConfig makeAdjustedServerConfig(ServerConfig oldConfig) oldConfig.getErrorResponseTransformStrategy(), oldConfig.getContentSecurityPolicy(), oldConfig.isEnableHSTS(), - oldConfig.getUriCompliance() + oldConfig.getUriCompliance(), + oldConfig.isEnforceStrictSNIHostChecking() ); } } diff --git a/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java b/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java index b2e767a8b974..22b044e17a21 100644 --- a/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java +++ b/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java @@ -314,7 +314,13 @@ static Server makeAndInitializeServer( } httpsConfiguration.setSecureScheme("https"); httpsConfiguration.setSecurePort(node.getTlsPort()); - httpsConfiguration.addCustomizer(new SecureRequestCustomizer()); + + // see https://github.com/jetty/jetty.project/pull/5398 + // This new strict enforcement can break some clients. Allow turning it off via config if necessary + final SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer(); + secureRequestCustomizer.setSniHostCheck(config.isEnforceStrictSNIHostChecking()); + + httpsConfiguration.addCustomizer(secureRequestCustomizer); httpsConfiguration.setRequestHeaderSize(config.getMaxRequestHeaderSize()); httpsConfiguration.setSendServerVersion(false); final ServerConnector connector = new ServerConnector( diff --git a/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java b/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java index 913c7f6109af..a6947be39d5e 100644 --- a/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java +++ b/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java @@ -45,6 +45,7 @@ public void testSerde() throws Exception Assert.assertFalse(defaultConfig2.isEnableForwardedRequestCustomizer()); Assert.assertFalse(defaultConfig2.isEnableHSTS()); Assert.assertEquals(UriCompliance.LEGACY, defaultConfig.getUriCompliance()); + Assert.assertEquals(true, defaultConfig.isEnforceStrictSNIHostChecking()); ServerConfig modifiedConfig = new ServerConfig( 999, @@ -68,7 +69,8 @@ public void testSerde() throws Exception new AllowedRegexErrorResponseTransformStrategy(ImmutableList.of(".*")), "my-cool-policy", true, - UriCompliance.RFC3986 + UriCompliance.RFC3986, + false ); String modifiedConfigJson = OBJECT_MAPPER.writeValueAsString(modifiedConfig); ServerConfig modifiedConfig2 = OBJECT_MAPPER.readValue(modifiedConfigJson, ServerConfig.class); @@ -83,6 +85,7 @@ public void testSerde() throws Exception Assert.assertEquals("my-cool-policy", modifiedConfig2.getContentSecurityPolicy()); Assert.assertTrue(modifiedConfig2.isEnableHSTS()); Assert.assertEquals(UriCompliance.RFC3986, modifiedConfig2.getUriCompliance()); + Assert.assertFalse(modifiedConfig2.isEnforceStrictSNIHostChecking()); } @Test diff --git a/website/.spelling b/website/.spelling index 767ef4249aba..bdb19d6d017e 100644 --- a/website/.spelling +++ b/website/.spelling @@ -227,6 +227,7 @@ S3 SAS SDK SIGAR +SNI SPNEGO Splunk SqlInputSource