yetanalytics · kelvinqian00 · Oct 16, 2024 · Oct 16, 2024
diff --git a/deps.edn b/deps.edn
@@ -27,15 +27,13 @@
   com.zaxxer/HikariCP                      {:mvn/version "5.0.0"
                                             :exclusions  [org.slf4j/slf4j-api]}
   ;; Pedestal and Jetty webserver deps
-  io.pedestal/pedestal.jetty               {:mvn/version "0.6.3"}
-  org.eclipse.jetty/jetty-server           {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty/jetty-servlet          {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty/jetty-alpn-server      {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty.http2/http2-server     {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty.websocket/websocket-api     {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty.websocket/websocket-servlet {:mvn/version "9.4.56.v20240826"}
-  org.eclipse.jetty.websocket/websocket-server  {:mvn/version "9.4.56.v20240826"}
+  io.pedestal/pedestal.error               {:mvn/version "0.7.1"}
+  io.pedestal/pedestal.jetty               {:mvn/version "0.7.1"}
+  org.eclipse.jetty/jetty-server           {:mvn/version "11.0.20"}
+  org.eclipse.jetty/jetty-servlet          {:mvn/version "11.0.20"}
+  org.eclipse.jetty/jetty-alpn-server      {:mvn/version "11.0.20"}
+  org.eclipse.jetty.http2/http2-server     {:mvn/version "11.0.20"}
+  org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "11.0.20"}
   ;; Security deps
   buddy/buddy-core    {:mvn/version "1.11.418"
                        :exclusions [org.bouncycastle/bcprov-jdk18on

diff --git a/doc/env_vars.md b/doc/env_vars.md
@@ -118,11 +118,12 @@ _NOTE:_ `LRSQL_STMT_RETRY_LIMIT` and `LRSQL_STMT_RETRY_BUDGET` are used to mitig
 
 | Env Var                           | Config                   | Description                                                                                                                                                                                                                                            | Default   |
 | --------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- |
-| `LRSQL_ENABLE_HTTP`               | `enableHttp`             | Whether HTTP is enabled or not (as opposed to HTTPS, which is always enabled).                                                                                                                                                                         | `true`    |
-| `LRSQL_ENABLE_HTTP2`              | `enableHttp2`            | Whether HTTP/2 is supported or not.                                                                                                                                                                                                                    | `true`    |
-| `LRSQL_HTTP_HOST`                 | `httpHost`               | The host that the webserver will run on.                                                                                                                                                                                                               | `0.0.0.0` |
-| `LRSQL_HTTP_PORT`                 | `httpPort`               | The HTTP port that the webserver will be open on.                                                                                                                                                                                                      | `8080`    |
-| `LRSQL_SSL_PORT`                  | `sslPort`                | The HTTPS port that the webserver will be open on.                                                                                                                                                                                                     | `8443`    |
+| `LRSQL_ENABLE_HTTP`               | `enableHttp`             | Whether HTTP is enabled or not (as opposed to HTTPS, which is always enabled). | `true`    |
+| `LRSQL_ENABLE_HTTP2`              | `enableHttp2`            | Whether HTTP/2 is supported or not.                                            | `true`    |
+| `LRSQL_CHECK_SNI`                 | `enableSni`              | Whether to enable [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). | `false`   |
+| `LRSQL_HTTP_HOST`                 | `httpHost`               | The host that the webserver will run on.                                       | `0.0.0.0` |
+| `LRSQL_HTTP_PORT`                 | `httpPort`               | The HTTP port that the webserver will be open on.                              | `8080`    |
+| `LRSQL_SSL_PORT`                  | `sslPort`                | The HTTPS port that the webserver will be open on.                             | `8443`    |
 | `LRSQL_URL_PREFIX`                | `urlPrefix`              | The prefix of the webserver URL path, e.g. the prefix in `http://0.0.0.0:8080/xapi` is `/xapi`. Used when constructing the `more` value for multi-statement queries. *(Note: Only applies to LRS xapi endpoints, not admin/ui endpoints)*              | `/xapi`   |
 | `LRSQL_PROXY_PATH`                | `proxyPath`              | This path modification is exclusively for use with a proxy, such as apache or nginx or a load balancer, where a path is added to prefix the entire application (such as `https://www.mysystem.com/mylrs/xapi/statements`). This does not actually change the routes of the application, it informs the admin frontend where to look for the server endpoints based on the proxied setup, and thus must be used in conjunction with a third party proxy. If used, the value must start with a leading `/` but not end with one (e.g. `/mylrs` is valid, as is `/mylrs/b` but `/mylrs/` is not). Use with caution. | Not Set |
 

diff --git a/resources/lrsql/config/prod/default/webserver.edn b/resources/lrsql/config/prod/default/webserver.edn
@@ -22,6 +22,7 @@
  :sec-head-content          #or [#env LRSQL_SEC_HEAD_CONTENT nil]
  :enable-http               #boolean #or [#env LRSQL_ENABLE_HTTP true]
  :enable-http2              #boolean #or [#env LRSQL_ENABLE_HTTP2 true]
+ :enable-sni                #boolean #or [#env LRSQL_CHECK_SNI false]
  :http-host                 #or [#env LRSQL_HTTP_HOST "0.0.0.0"]
  :http-port                 #long #or [#env LRSQL_HTTP_PORT 8080]
  :allow-all-origins         #boolean #or [#env LRSQL_ALLOW_ALL_ORIGINS false]

diff --git a/resources/lrsql/config/test/default/webserver.edn b/resources/lrsql/config/test/default/webserver.edn
@@ -13,6 +13,7 @@
  :jwt-common-secret         nil
  :enable-http               true
  :enable-http2              true
+ :enable-sni                false
  :ssl-port                  8443
  :http-host                 "0.0.0.0"
  :http-port                 8080

diff --git a/src/main/lrsql/system/webserver.clj b/src/main/lrsql/system/webserver.clj
@@ -20,6 +20,7 @@
   (let [;; Destructure webserver config
         {:keys [enable-http
                 enable-http2
+                enable-sni
                 http-host
                 http-port
                 ssl-port
@@ -141,12 +142,13 @@
                          (or allow-all-origins
                              (some #(= origin %) allowed-list)))}
      ::http/container-options
-     {:h2c?         (and enable-http enable-http2)
-      :h2?          enable-http2
-      :ssl?         true
-      :ssl-port     ssl-port
-      :keystore     keystore
-      :key-password key-password}}))
+     {:h2c?          (and enable-http enable-http2)
+      :h2?           enable-http2
+      :ssl?          true
+      :insecure-ssl? (not enable-sni)
+      :ssl-port      ssl-port
+      :keystore      keystore
+      :key-password  key-password}}))
 
 (defrecord Webserver [service
                       server