To verify that the new server is running, check the default handler on the root path,
which will return a list of all http servers:
$ curl http://localhost:8090/
Adding an http section to services.xmldisables the default http server at port 8080.
Binding to privileged ports (< 1024) is supported.
Note that this only works when running as a standalone container,
and not when running as a Vespa cluster.
Configure the HTTP Server
Configuration settings for the server can be modified by setting values for the
jdisc.http.connector config inside the server element:
Note that it is not allowed to set the listenPort in the http-server config,
as it conflicts with the port that is set in the port attribute in the server element.
For a complete list of configuration fields that can be set, refer to the config definition schema in
jdisc.http.connector.def.
TLS
TLS can be configured using either the ssl
or the ssl-provider element.
<containerversion="1.0"><http><serverid="server-1"port="5000"><ssl><private-key-file>/path/to/private-key.pem</private-key-file><certificate-file>/path/to/certificate.pem</certificate-file><ca-certificates-file>/path/to/ca-certificates.pem</ca-certificates-file><client-authentication>want</client-authentication><cipher-suites>
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
</cipher-suites><protocols>TLSv1.2,TLSv1.3</protocols></ssl></server><serverid="server-2"port="5001"><ssl-providerclass="MySslProvider"bundle="the name in <artifactId> in pom.xml"/></server></http></container>
Refer to the
multinode-HA sample application for an example.
Set up Filter Chains
There are two main types of filters:
request filters
response filters
Request filters run before the handler that processes the request, and response filters run after.
They are used for tasks such as authentication, error checking and modifying headers.
Using Filter Chains
Filter chains are set up by using the request-chain and
response-chain elements inside the
filtering element.
Example setting up two request filter chains, and one response filter chain:
Filters that should be used in more than one chain,
must be defined directly in the filtering element,
as shown with request-filter1 in the example above.
To actually use a filter chain, add one or more URI bindings:
These bindings say that both the request chain and the response chain
should be used when the request URI matches http://*/*.
So both a request filter chain and a response filter chain can be used on a single request.
However, only one request chain will be used if there are multiple request chains
that have a binding that matches a request.
And vice versa for response chains.
Refer to the
javadoc for information about which chain that will be used in such cases.
In order to bind a filter chain to a specific server, add the server port to the binding:
A request must match a filter chain if any filter is configured. A 403 response is returned for non-matching request.
This semantic can be disabled - see strict-mode.
Excluding Filters from an Inherited Chain
Say you have a request filter chain that you are binding to most of your URIs.
Now, you want to run almost the same chain on another URI, but you need to exclude one of the filters.
This is done by adding excludes, which takes a space separated list of filter ids,
to the chain element.
Example where a security filter is excluded from an inherited chain for status.html:
Create an application package
with artifactId filter-bundle.
Create a new file filter-bundle/components/src/main/java/com/yahoo/demo/TestRequestFilter.java:
packagecom.yahoo.demo;importcom.yahoo.jdisc.*;importcom.yahoo.jdisc.handler.*;importcom.yahoo.jdisc.http.*;importcom.yahoo.jdisc.http.filter.RequestFilter;importjava.net.*;importjava.nio.ByteBuffer;publicclassTestRequestFilterextendsAbstractResourceimplementsRequestFilter{@Overridepublicvoidfilter(HttpRequesthttpRequest,ResponseHandlerresponseHandler){if(isLocalAddress(httpRequest.getRemoteAddress())){rejectRequest(httpRequest,responseHandler);}else{httpRequest.context().put("X-NOT-LOCALHOST","true");}}privatebooleanisLocalAddress(SocketAddresssocketAddress){if(socketAddressinstanceofInetSocketAddress){InetAddressaddress=((InetSocketAddress)socketAddress).getAddress();returnaddress.isAnyLocalAddress()||address.isLoopbackAddress();}else{returnfalse;}}privatevoidrejectRequest(HttpRequestrequest,ResponseHandlerresponseHandler){HttpResponseresponse=HttpResponse.newInstance(request,Response.Status.FORBIDDEN);ContentChannelchannel=responseHandler.handleResponse(response);channel.write(ByteBuffer.wrap("Not accessible by localhost.".getBytes()),null);channel.close(null);}}