This is an automated email from the ASF dual-hosted git repository.
yqm pushed a commit to branch 35.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/35.0.0 by this push:
new 1e6e3d5a695 Allow configuration to disable SNI Host checking
(defaulted to enabled) (#18623)
1e6e3d5a695 is described below
commit 1e6e3d5a69524ffc9524a2d120ce124d2bfa7b57
Author: Lucas Capistrant <[email protected]>
AuthorDate: Fri Oct 10 18:57:59 2025 -0500
Allow configuration to disable SNI Host checking (defaulted to enabled)
(#18623)
* allow operators to ignore SNI host checking if they must
* document new config
* Add SNI to dictionary
---
docs/configuration/index.md | 1 +
.../druid/server/initialization/ServerConfig.java | 19 ++++++++++++++++---
.../initialization/jetty/CliIndexerServerModule.java | 3 ++-
.../initialization/jetty/JettyServerModule.java | 8 +++++++-
.../apache/druid/initialization/ServerConfigTest.java | 5 ++++-
website/.spelling | 1 +
6 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/docs/configuration/index.md b/docs/configuration/index.md
index 3198f6529f4..55be9754b0d 100644
--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -1505,6 +1505,7 @@ Druid uses Jetty to serve HTTP requests.
|`druid.server.http.allowedHttpMethods`|List of HTTP methods that should be
allowed in addition to the ones required by Druid APIs. Druid APIs require GET,
PUT, POST, and DELETE, which are always allowed. This option is not useful
unless you have installed an extension that needs these additional HTTP methods
or that adds functionality related to CORS. None of Druid's bundled extensions
require these methods.|`[]`|
|`druid.server.http.contentSecurityPolicy`|Content-Security-Policy header
value to set on each non-POST response. Setting this property to an empty
string, or omitting it, both result in the default `frame-ancestors: none`
being set.|`frame-ancestors 'none'`|
|`druid.server.http.uriCompliance`|Jetty `UriCompliance` mode for Druid's
embedded Jetty servers. To modify, override this config with the string
representation of any `UriCompliance` mode that [Jetty
supports](https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/http/UriCompliance.html).|LEGACY|
+|`druid.server.http.enforceStrictSNIHostChecking`| If enabled, the Jetty
server will enforce strict SNI host checking. This means that if a client
connects to the server using TLS but does not provide an SNI hostname, or
provides an SNI hostname that does not match the server's configured hostname,
a request will get a 400 response. Setting this to false is not recommended in
production.|true|
#### Indexer processing resources
diff --git
a/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java
b/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java
index 45a2df48dfa..a7206ca9cf7 100644
---
a/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java
+++
b/server/src/main/java/org/apache/druid/server/initialization/ServerConfig.java
@@ -84,7 +84,8 @@ public class ServerConfig
@NotNull ErrorResponseTransformStrategy errorResponseTransformStrategy,
@Nullable String contentSecurityPolicy,
boolean enableHSTS,
- @Nullable UriCompliance uriCompliance
+ @Nullable UriCompliance uriCompliance,
+ boolean enforceStrictSNIHostChecking
)
{
this.numThreads = numThreads;
@@ -109,6 +110,7 @@ public class ServerConfig
this.contentSecurityPolicy = contentSecurityPolicy;
this.enableHSTS = enableHSTS;
this.uriCompliance = uriCompliance != null ? uriCompliance :
UriCompliance.LEGACY;
+ this.enforceStrictSNIHostChecking = enforceStrictSNIHostChecking;
}
public ServerConfig()
@@ -212,6 +214,9 @@ public class ServerConfig
@JsonProperty
private boolean showDetailedJettyErrors = true;
+ @JsonProperty
+ private boolean enforceStrictSNIHostChecking = true;
+
public int getNumThreads()
{
return numThreads;
@@ -328,6 +333,11 @@ public class ServerConfig
return uriCompliance;
}
+ public boolean isEnforceStrictSNIHostChecking()
+ {
+ return enforceStrictSNIHostChecking;
+ }
+
@Override
public boolean equals(Object o)
{
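Review bot: `isEnforceStrictSNIHostChecking()` is added without Javadoc, and the field declaration in the earlier hunk has no comment either, so the only description of what a `false` value does is in docs/configuration/index.md. A one-paragraph Javadoc on the getter would keep the contract next to the code: `/** Whether the HTTPS connector rejects TLS requests whose SNI host name is missing or does not match the configured host (HTTP 400). Defaults to true; disabling it is not recommended in production. */`. The equals/hashCode/toString hunks below are consistent with the existing fields and need nothing further.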
@@ -360,7 +370,8 @@ public class ServerConfig
Objects.equals(contentSecurityPolicy,
that.getContentSecurityPolicy()) &&
enableHSTS == that.enableHSTS &&
enableQueryRequestsQueuing == that.enableQueryRequestsQueuing &&
- Objects.equals(uriCompliance, that.uriCompliance);
+ Objects.equals(uriCompliance, that.uriCompliance) &&
+ enforceStrictSNIHostChecking == that.enforceStrictSNIHostChecking;
}
@Override
@@ -389,7 +400,8 @@ public class ServerConfig
contentSecurityPolicy,
enableHSTS,
enableQueryRequestsQueuing,
- uriCompliance
+ uriCompliance,
+ enforceStrictSNIHostChecking
);
}
@@ -420,6 +432,7 @@ public class ServerConfig
", enableHSTS=" + enableHSTS +
", enableQueryRequestsQueuing=" + enableQueryRequestsQueuing +
", uriCompliance=" + uriCompliance +
+ ", enforceStrictSNIHostChecking=" + enforceStrictSNIHostChecking +
'}';
}
diff --git
a/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java
b/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java
index 4782211da49..76fd422b32a 100644
---
a/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java
+++
b/server/src/main/java/org/apache/druid/server/initialization/jetty/CliIndexerServerModule.java
@@ -167,7 +167,8 @@ public class CliIndexerServerModule implements Module
oldConfig.getErrorResponseTransformStrategy(),
oldConfig.getContentSecurityPolicy(),
oldConfig.isEnableHSTS(),
- oldConfig.getUriCompliance()
+ oldConfig.getUriCompliance(),
+ oldConfig.isEnforceStrictSNIHostChecking()
);
}
}
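Review bot: This argument list is the only place the indexer copies `enforceStrictSNIHostChecking` from the injected config, and none of the test hunks exercises that path; an operator who sets the property to `false` would not notice a missed forwarding here until the indexer's TLS listener kept rejecting their clients. A small test that builds the indexer-side ServerConfig from a config with the property set to `false` and asserts `isEnforceStrictSNIHostChecking()` returns `false` would pin the forwarding. The enclosing method starts outside the hunk.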
diff --git
a/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
b/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
index 28d02166ee9..5d8ee33bf96 100644
---
a/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
+++
b/server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
@@ -315,7 +315,13 @@ public class JettyServerModule extends JerseyServletModule
}
httpsConfiguration.setSecureScheme("https");
httpsConfiguration.setSecurePort(node.getTlsPort());
- httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
+
+ // see https://github.com/jetty/jetty.project/pull/5398
+ // This new strict enforcement can break some clients. Allow turning it
off via config if necessary
+ final SecureRequestCustomizer secureRequestCustomizer = new
SecureRequestCustomizer();
+
secureRequestCustomizer.setSniHostCheck(config.isEnforceStrictSNIHostChecking());
+
+ httpsConfiguration.addCustomizer(secureRequestCustomizer);
httpsConfiguration.setRequestHeaderSize(config.getMaxRequestHeaderSize());
httpsConfiguration.setSendServerVersion(false);
final ServerConnector connector = new ServerConnector(
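Review bot: Passing `false` to `setSniHostCheck` weakens TLS host validation on the HTTPS connector, yet nothing in this hunk records that the operator did so; a WARN-level log line emitted here when `config.isEnforceStrictSNIHostChecking()` is false would make the relaxed setting visible in startup logs and to anyone reviewing a deployment. The new comment says only that strict enforcement "can break some clients"; it should state what the check does, e.g. `// Jetty rejects TLS requests whose SNI name is missing or does not match the connector host (HTTP 400). Operators may disable this only if their clients cannot send a matching SNI.`. The enclosing method continues outside the hunk.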
diff --git
a/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java
b/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java
index 913c7f6109a..a6947be39d5 100644
--- a/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java
+++ b/server/src/test/java/org/apache/druid/initialization/ServerConfigTest.java
@@ -45,6 +45,7 @@ public class ServerConfigTest
Assert.assertFalse(defaultConfig2.isEnableForwardedRequestCustomizer());
Assert.assertFalse(defaultConfig2.isEnableHSTS());
Assert.assertEquals(UriCompliance.LEGACY,
defaultConfig.getUriCompliance());
+ Assert.assertEquals(true, defaultConfig.isEnforceStrictSNIHostChecking());
ServerConfig modifiedConfig = new ServerConfig(
999,
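Review bot: The added line `Assert.assertEquals(true, defaultConfig.isEnforceStrictSNIHostChecking());` should read `Assert.assertTrue(defaultConfig.isEnforceStrictSNIHostChecking());`, matching the assertion style on the surrounding lines. It also checks `defaultConfig` while the neighbouring lines check `defaultConfig2`; if `defaultConfig2` is the JSON round trip of the default config, as its name suggests, the serialized form of the new property's default is not covered, and asserting on `defaultConfig2` as well would close that gap. The non-default `false` round trip is covered by the last hunk of this file.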
@@ -68,7 +69,8 @@ public class ServerConfigTest
new AllowedRegexErrorResponseTransformStrategy(ImmutableList.of(".*")),
"my-cool-policy",
true,
- UriCompliance.RFC3986
+ UriCompliance.RFC3986,
+ false
);
String modifiedConfigJson =
OBJECT_MAPPER.writeValueAsString(modifiedConfig);
ServerConfig modifiedConfig2 = OBJECT_MAPPER.readValue(modifiedConfigJson,
ServerConfig.class);
@@ -83,6 +85,7 @@ public class ServerConfigTest
Assert.assertEquals("my-cool-policy",
modifiedConfig2.getContentSecurityPolicy());
Assert.assertTrue(modifiedConfig2.isEnableHSTS());
Assert.assertEquals(UriCompliance.RFC3986,
modifiedConfig2.getUriCompliance());
+ Assert.assertFalse(modifiedConfig2.isEnforceStrictSNIHostChecking());
}
@Test
diff --git a/website/.spelling b/website/.spelling
index 82711ff8442..7aefe34bcba 100644
--- a/website/.spelling
+++ b/website/.spelling
@@ -227,6 +227,7 @@ S3
SAS
SDK
SIGAR
+SNI
SPNEGO
Splunk
SqlInputSource