make server version and date header configurable
d-t-w committed Dec 9, 2024
1 parent db34471 commit c0ee99d
Showing 4 changed files with 54 additions and 31 deletions.
12 changes: 12 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,18 @@
# Change Log
All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/)

## [1.1.18] - 2024-12-09

Introduce ability configure HSTS (HTTP Strict Transport Security) with new slipway.connector.https settings:

* :sts-max-age
* :sts-include-subdomains?

Also made these http/https settings configurable (default false, previously hard-coded to false):

* :send-server-version?
* :send-date-header?

## [1.1.17] - 2024-09-05

Bump to latest Jetty version (11.0.24 or equivalent)
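Review bot: the 1.1.18 entry reads "Introduce ability configure HSTS"; it should be "Introduce the ability to configure HSTS". The entry would also benefit from one sentence on what the new flag exposes: enabling :send-server-version? puts Jetty's version string in the Server header of every response, which is fingerprinting information, so the false default is the safe one and callers should opt in deliberately.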
34 changes: 19 additions & 15 deletions README.md
Expand Up @@ -310,25 +310,27 @@ Configuration of Jetty auth options.
See examples below for configuration guides to JAAS and HASH authentication.

```clojure
#:slipway.security{:realm "the Jetty authentication realm"
:hash-user-file "the path to a Jetty Hash User File"
:login-service "a Jetty LoginService identifier, 'jaas' and 'hash' supported by default"
:identity-service "a concrete Jetty IdentityService"
:authenticator "a concrete Jetty Authenticator (e.g. FormAuthenticator or BasicAuthenticator)"
#:slipway.security{:realm "the Jetty authentication realm"
:hash-user-file "the path to a Jetty Hash User File"
:login-service "a Jetty LoginService identifier, 'jaas' and 'hash' supported by default"
:identity-service "a concrete Jetty IdentityService"
:authenticator "a concrete Jetty Authenticator (e.g. FormAuthenticator or BasicAuthenticator)"
```

### :slipway.connector.http

Configuration of an HTTP server connector.

```clojure
#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces."
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
:idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
:http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
:proxy-protocol? "if true, add the ProxyConnectionFactory. See Jetty Proxy Protocol docs"
:http-config "a concrete HttpConfiguration object to replace the default config entirely"
:configurator "a fn taking the final connector as argument, allowing further configuration"}
#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces."
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
:idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
:http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
:proxy-protocol? "if true, add the ProxyConnectionFactory. See Jetty Proxy Protocol docs"
:http-config "a concrete HttpConfiguration object to replace the default config entirely"
:configurator "a fn taking the final connector as argument, allowing further configuration"
:send-server-version? "if true, send the Server header in responses"
:send-date-header? "if true, send the Date header in responses"}
````

### :slipway.connector.https
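Review bot: the two new entries in the :slipway.connector.http block give no default, while the CHANGELOG says both default to false and the neighbouring :port and :idle-timeout entries state theirs; suggest `:send-server-version? "if true, send the Server header in responses, default false"` and the same form for `:send-date-header?`. A short note on why it is off by default (the Server header carries the Jetty version, which is best not emitted unless needed) would help operators decide.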
Expand Down Expand Up @@ -358,10 +360,12 @@ Configuration of an HTTPS server connector.
:security-provider "the security provider name"
:client-auth "either :need or :want to set the corresponding need/wantClientAuth field"
:ssl-context "a concrete pre-configured SslContext"
:sni-required? "true if SNI is required, else requests will be rejected with 400 response, default false"
:sni-host-check? "true if the SNI Host name must match when there is an SNI certificate, default false"
:sni-required? "if true SNI is required, else requests will be rejected with 400 response, default false"
:sni-host-check? "if true the SNI Host name must match when there is an SNI certificate, default false"
:sts-max-age "set the Strict-Transport-Security max age in seconds, default -1"
:sts-include-subdomains? "true if a include subdomain property is sent with any Strict-Transport-Security header"}
:sts-include-subdomains? "true if a include subdomain property is sent with any Strict-Transport-Security header"
:send-server-version? "if true, send the Server header in responses"
:send-date-header? "if true, send the Date header in responses"}
```

### :slipway.handler.gzip
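Review bot: same omission in the :slipway.connector.https block, the new :send-server-version? and :send-date-header? descriptions do not state the false default. Since the line is being rewritten anyway, `:sts-include-subdomains? "true if a include subdomain property is sent ..."` could read "if true, the includeSubDomains directive is sent with any Strict-Transport-Security header", matching the "if true" wording this commit adopts for :sni-required? and :sni-host-check?.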
24 changes: 14 additions & 10 deletions common/src/slipway/connector/http.clj
Expand Up @@ -5,21 +5,25 @@
HttpConnectionFactory ProxyConnectionFactory Server ServerConnector)))

(defn default-config ^HttpConfiguration
[{::keys [http-forwarded?]}]
[{::keys [http-forwarded? send-server-version? send-date-header?]
:or {send-server-version? false
send-date-header? false}}]
(let [config (doto (HttpConfiguration.)
(.setSendServerVersion false)
(.setSendDateHeader false))]
(.setSendServerVersion send-server-version?)
(.setSendDateHeader send-date-header?))]
(when http-forwarded? (.addCustomizer config (ForwardedRequestCustomizer.)))
config))

(comment
#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces"
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
:idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
:http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
:proxy-protocol? "if true, add the ProxyConnectionFactor. See Jetty Proxy Protocol docs"
:http-config "a concrete HttpConfiguration object to replace the default config entirely"
:configurator "a fn taking the final connector as argument, allowing further configuration"})
#:slipway.connector.http{:host "the network interface this connector binds to as an IP address or a hostname. If null or 0.0.0.0, then bind to all interfaces. Default null/all interfaces"
:port "port this connector listens on. If set to 0 a random port is assigned which may be obtained with getLocalPort(), default 80"
:idle-timeout "max idle time for a connection, roughly translates to the Socket.setSoTimeout. Default 200000 ms"
:http-forwarded? "if true, add the ForwardRequestCustomizer. See Jetty Forward HTTP docs"
:proxy-protocol? "if true, add the ProxyConnectionFactor. See Jetty Proxy Protocol docs"
:http-config "a concrete HttpConfiguration object to replace the default config entirely"
:configurator "a fn taking the final connector as argument, allowing further configuration"
:send-server-version? "if true, send the Server header in responses"
:send-date-header? "if true, send the Date header in responses"})

(defmethod server/connector ::connector
[^Server server {::keys [host port idle-timeout proxy-protocol? http-forwarded? configurator http-config]
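Review bot: the `:or` defaults are needed here (passing nil to the primitive boolean setters would throw), but unlike https.clj this connector never logs the effective values; consider a log/infof of send-server-version? and send-date-header? in default-config so an operator can confirm from startup logs whether the Server header is being emitted. The comment block is rewritten anyway and still carries the typo "ProxyConnectionFactor" (should be ProxyConnectionFactory), and the `server/connector` destructuring below does not name the new keys, so confirm that default-config is handed the full options map rather than the destructured subset.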
15 changes: 9 additions & 6 deletions common/src/slipway/connector/https.clj
Expand Up @@ -8,17 +8,20 @@
(org.eclipse.jetty.util.ssl SslContextFactory$Server)))

(defn default-config ^HttpConfiguration
[{::keys [port http-forwarded? sni-required? sni-host-check? sts-max-age sts-include-subdomains?]
[{::keys [port http-forwarded? sni-required? sni-host-check? sts-max-age sts-include-subdomains? send-server-version?
send-date-header?]
:or {sni-required? false
sni-host-check? false
sts-max-age -1
sts-include-subdomains? false}}]
sts-include-subdomains? false
send-server-version? false
send-date-header? false}}]
(log/infof "sni required? %s, sni host check? %s, sts-max-age %s, sts-include-subdomains? %s"
sni-required? sni-host-check? sts-max-age sts-include-subdomains?)
(let [config (doto (HttpConfiguration.)
(.setSecurePort port)
(.setSendServerVersion false)
(.setSendDateHeader false)
(.setSendServerVersion send-server-version?)
(.setSendDateHeader send-date-header?)
(.addCustomizer (doto (SecureRequestCustomizer.)
(.setSniRequired sni-required?)
(.setSniHostCheck sni-host-check?)
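Review bot: the log/infof call lists the SNI and STS settings but was not extended with the two new flags; since whether the Server header is emitted is exactly the kind of setting to verify from startup logs, add them to the format string and argument list, e.g. `"... sts-include-subdomains? %s, send-server-version? %s, send-date-header? %s"`. The ::keys line is also now well past 120 columns; breaking the vector after sts-include-subdomains? and aligning the continuation would keep it readable.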
Expand Down Expand Up @@ -105,8 +108,8 @@
:security-provider "the security provider name"
:client-auth "either :need or :want to set the corresponding need/wantClientAuth field"
:ssl-context "a concrete pre-configured SslContext"
:sni-required? "true if SNI is required, else requests will be rejected with 400 response, default false"
:sni-host-check? "true if the SNI Host name must match when there is an SNI certificate, default false"
:sni-required? "if true SNI is required, else requests will be rejected with 400 response, default false"
:sni-host-check? "if true the SNI Host name must match when there is an SNI certificate, default false"
:sts-max-age "set the Strict-Transport-Security max age in seconds, default -1"
:sts-include-subdomains? "true if a include subdomain property is sent with any Strict-Transport-Security header"})

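Review bot: this comment block, the in-source reference for :slipway.connector.https, only picks up the "if true" rewording and still omits :send-server-version? and :send-date-header?, whereas the README and the http.clj comment block now list them; add the two entries here (with "default false") so the three copies of the option reference stay in sync.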