| // ======================================================================== |
| // Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd. |
| // ======================================================================== |
| // All rights reserved. This program and the accompanying materials |
| // are made available under the terms of the Eclipse Public License v1.0 |
| // and Apache License v2.0 which accompanies this distribution. |
| // |
| // The Eclipse Public License is available at |
| // http://www.eclipse.org/legal/epl-v10.html |
| // |
| // The Apache License v2.0 is available at |
| // http://www.opensource.org/licenses/apache2.0.php |
| // |
| // You may elect to redistribute this code under either of these licenses. |
| // ======================================================================== |
| |
| [[jetty-home-and-jetty-base]] |
| === Using the $\{jetty.home} and $\{jetty.base} Concepts to Configure |
| Security |
| |
| Jetty 9.1 introduced `${jetty.base}` and `${jetty.home}`. |
| |
| * `${jetty.home}` is the directory location for the jetty distribution (the binaries). |
| * `${jetty.base}` is the directory location for your customizations to the distribution. |
| |
| This separation: |
| |
| * Allows you to manage multiple Jetty installations. |
| * Makes it simple to retain your current configuration when you upgrade your Jetty distribution. |
| |
| For more information, see xref:startup-base-and-home[]. |
| |
| Further, Jetty 9.1 parameterized all of the standard configuration XMLs. |
| For SSL, parameters are now properties in the `start.ini` or `start.d\ssl.ini`, reducing to eliminating the need to edit XML files. |
| |
| Instead of explicitly listing all the libraries, properties, and XML files for a feature, Jetty 9.1 introduced a new module system. |
| A module is defined in a `modules/*.mod` file, including the libraries, dependencies, XML, and template INI files for a Jetty feature. |
| Thus you can use a single `--module=name` command line option as the equivalent of specifying many `--lib=location, feature.xml, name=value` arguments for a feature and all its dependencies. |
| Modules use their dependencies to control the ordering of libraries and XML files. |
| For more information, see xref:startup-modules[]. |
| |
| [[configuring-security-jetty91]] |
| ==== Configuring SSL in with modules |
| |
| This page describes how to configure SSL in Jetty with modules. |
| It provides an example of using the `${jetty.home}` and `${jetty.base}` to maximum effect. |
| It also includes a detailed explanation of how modules work. |
| |
| This example assumes you have the jetty-distribution unpacked in `/home/user/jetty-distribution-{VERSION}`. |
| It also assumes you are using `start.ini` to configure your server features. |
| |
| 1. Create a base directory anywhere. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [/home/user]$ mkdir my-base |
| [/home/user]$ cd my-base |
| .... |
| 2. Add the modules for SSL, HTTP, and webapp deployment. |
| Adding modules in this way will append the associated module properties to the `${jetty.base}/start.ini` file. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ java -jar /home/user/jetty-distribution-{VERSION}/start.jar --add-to-start=http,https,deploy |
| |
| ssl initialised in ${jetty.base}/start.ini (appended) |
| ssl enabled in ${jetty.base}/start.ini |
| DOWNLOAD: https://github.com/eclipse/jetty.project/raw/master/jetty-server/src/main/config/etc/keystore to etc/keystore |
| server initialised in ${jetty.base}/start.ini (appended) |
| server enabled in ${jetty.base}/start.ini |
| http initialised in ${jetty.base}/start.ini (appended) |
| http enabled in ${jetty.base}/start.ini |
| server enabled in ${jetty.base}/start.ini |
| deploy initialised in ${jetty.base}/start.ini (appended) |
| deploy enabled in ${jetty.base}/start.ini |
| MKDIR: ${jetty.base}/webapps |
| server enabled in ${jetty.base}/start.ini |
| .... |
| 3. Look at your directory. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ ls -la |
| total 20 |
| drwxrwxr-x 4 user group 4096 Oct 8 06:55 ./ |
| drwxr-xr-x 103 user group 4096 Oct 8 06:53 ../ |
| drwxrwxr-x 2 user group 4096 Oct 8 06:55 etc/ |
| -rw-rw-r-- 1 user group 815 Oct 8 06:55 start.ini |
| drwxrwxr-x 2 user group 4096 Oct 8 06:55 webapps/ |
| .... |
| 4. Copy your WAR files into webapps. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ ls -la |
| [my-base]$ cp ~/code/project/target/gadget.war webapps/ |
| .... |
| 5. Copy your keystore into place. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ cp ~/code/project/keystore etc/keystore |
| .... |
| 6. Edit the `start.ini` to configure your SSL settings. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ cat start.ini |
| .... |
| 7. Initialize module ssl. |
| + |
| .... |
| --module=ssl |
| .... |
| 8. Define the port to use for secure redirection. |
| + |
| .... |
| jetty.secure.port=8443 |
| .... |
| 9. Set up a demonstration keystore and truststore. |
| + |
| .... |
| jetty.keystore=etc/keystore |
| jetty.truststore=etc/keystore |
| .... |
| 10. Set the demonstration passwords. |
| + |
| .... |
| jetty.keystore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 |
| jetty.keymanager.password=OBF:1u2u1wml1z7s1z7a1wnl1u2g |
| jetty.truststore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 |
| .... |
| 11. Initialize the module server. |
| + |
| .... |
| --module=server |
| threads.min=10 |
| threads.max=200 |
| threads.timeout=60000 |
| #jetty.host=myhost.com |
| jetty.dump.start=false |
| jetty.dump.stop=false |
| .... |
| 12. Initialize module http. |
| + |
| .... |
| --module=http |
| jetty.http.port=8080 |
| http.timeout=30000 |
| .... |
| 13. Initialize module deploy. |
| + |
| .... |
| --module=deploy |
| .... |
| |
| Look at the configuration you have at this point. |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ java -jar /home/user/jetty-distribution-{VERSION}/start.jar --list-config |
| |
| Java Environment: |
| ----------------- |
| java.home=/usr/lib/jvm/jdk-7u21-x64/jre |
| java.vm.vendor=Oracle Corporation |
| java.vm.version=23.21-b01 |
| java.vm.name=Java HotSpot(TM) 64-Bit Server VM |
| java.vm.info=mixed mode |
| java.runtime.name=Java(TM) SE Runtime Environment |
| java.runtime.version=1.7.0_21-b11 |
| java.io.tmpdir=/tmp |
| |
| Jetty Environment: |
| ----------------- |
| jetty.home=/home/user/jetty-distribution-{VERSION} |
| jetty.base=/home/user/my-base |
| jetty.version={VERSION} |
| |
| JVM Arguments: |
| -------------- |
| (no jvm args specified) |
| |
| System Properties: |
| ------------------ |
| jetty.base = /home/user/my-base |
| jetty.home = /home/user/jetty-distribution-{VERSION} |
| |
| Properties: |
| ----------- |
| http.timeout = 30000 |
| jetty.dump.start = false |
| jetty.dump.stop = false |
| jetty.keymanager.password = OBF:1u2u1wml1z7s1z7a1wnl1u2g |
| jetty.keystore = etc/keystore |
| jetty.keystore.password = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 |
| jetty.http.port = 8080 |
| jetty.secure.port = 8443 |
| jetty.truststore = etc/keystore |
| jetty.truststore.password = OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 |
| threads.max = 200 |
| threads.min = 10 |
| threads.timeout = 60000 |
| |
| Jetty Server Classpath: |
| ----------------------- |
| Version Information on 11 entries in the classpath. |
| : order presented here is how they would appear on the classpath. |
| changes to the --module=name command line options will be reflected here. |
| 0: 3.1.0 | ${jetty.home}/lib/servlet-api-3.1.jar |
| 1: 3.1.RC0 | ${jetty.home}/lib/jetty-schemas-3.1.jar |
| 2: {VERSION} | ${jetty.home}/lib/jetty-http-{VERSION}.jar |
| 3: {VERSION} | ${jetty.home}/lib/jetty-continuation-{VERSION}.jar |
| 4: {VERSION} | ${jetty.home}/lib/jetty-server-{VERSION}.jar |
| 5: {VERSION} | ${jetty.home}/lib/jetty-xml-{VERSION}.jar |
| 6: {VERSION} | ${jetty.home}/lib/jetty-util-{VERSION}.jar |
| 7: {VERSION} | ${jetty.home}/lib/jetty-io-{VERSION}.jar |
| 8: {VERSION} | ${jetty.home}/lib/jetty-servlet-{VERSION}.jar |
| 9: {VERSION} | ${jetty.home}/lib/jetty-webapp-{VERSION}.jar |
| 10: {VERSION} | ${jetty.home}/lib/jetty-deploy-{VERSION}.jar |
| |
| Jetty Active XMLs: |
| ------------------ |
| ${jetty.home}/etc/jetty.xml |
| ${jetty.home}/etc/jetty-http.xml |
| ${jetty.home}/etc/jetty-ssl.xml |
| ${jetty.home}/etc/jetty-deploy.xml |
| .... |
| |
| Now start Jetty. |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ java -jar /home/user/jetty-distribution-{VERSION}/start.jar |
| 2013-10-08 07:06:55.837:INFO:oejs.Server:main: jetty-{VERSION} |
| 2013-10-08 07:06:55.853:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:/home/user/my-base/webapps/] at interval 1 |
| 2013-10-08 07:06:55.872:INFO:oejs.ServerConnector:main: Started ServerConnector@72974691{HTTP/1.1}{0.0.0.0:8080} |
| .... |
| |
| [[reviewing-ssl-config]] |
| ==== Reviewing the Configuration |
| |
| The following sections review this configuration. |
| |
| [[jetty-base-jetty-home]] |
| ===== $\{jetty.base} and $\{jetty.home} |
| |
| First notice the separation of `${jetty.base}` and `${jetty.home}`. |
| |
| * `${jetty.home}` is where your distribution lies, unchanged, unedited. |
| * `${jetty.base}` is where your customizations are. |
| |
| [[modules]] |
| ===== Modules |
| |
| Notice that you have `--module=<name>` here and there; you have wrapped up the goal of a module (libs, configuration XMLs, and properties) into a single unit, with dependencies on other modules. |
| |
| You can see the list of modules: |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ java -jar /home/user/jetty-distribution-{VERSION}/start.jar --list-modules |
| |
| Jetty All Available Modules: |
| ---------------------------- |
| |
| Module: annotations |
| LIB: lib/jetty-annotations-${jetty.version}.jar |
| LIB: lib/annotations/*.jar |
| XML: etc/jetty-annotations.xml |
| depends: [plus] |
| |
| Module: client |
| LIB: lib/jetty-client-${jetty.version}.jar |
| depends: [] |
| |
| Module: debug |
| XML: etc/jetty-debug.xml |
| depends: [server] |
| |
| Module: deploy |
| LIB: lib/jetty-deploy-${jetty.version}.jar |
| XML: etc/jetty-deploy.xml |
| depends: [webapp] |
| enabled: ${jetty.base}/start.ini |
| |
| Module: ext |
| LIB: lib/ext/*.jar |
| depends: [] |
| |
| Module: http |
| XML: etc/jetty-http.xml |
| depends: [server] |
| enabled: ${jetty.base}/start.ini |
| |
| Module: http2 |
| LIB: lib/http2/*.jar |
| XML: etc/jetty-http2.xml |
| depends: [ssl, alpn] |
| |
| Module: http2c |
| LIB: lib/http2/*.jar |
| XML: etc/jetty-http2c.xml |
| depends: [http] |
| |
| Module: https |
| XML: etc/jetty-https.xml |
| depends: [ssl] |
| |
| Module: ipaccess |
| XML: etc/jetty-ipaccess.xml |
| depends: [server] |
| |
| Module: jaas |
| LIB: lib/jetty-jaas-${jetty.version}.jar |
| XML: etc/jetty-jaas.xml |
| depends: [server] |
| |
| Module: jaspi |
| LIB: lib/jetty-jaspi-${jetty.version}.jar |
| LIB: lib/jaspi/*.jar |
| depends: [security] |
| |
| Module: jmx |
| LIB: lib/jetty-jmx-${jetty.version}.jar |
| XML: etc/jetty-jmx.xml |
| depends: [] |
| |
| Module: jndi |
| LIB: lib/jetty-jndi-${jetty.version}.jar |
| LIB: lib/jndi/*.jar |
| depends: [server] |
| |
| Module: jsp |
| LIB: lib/jsp/*.jar |
| depends: [servlet] |
| |
| Module: jvm |
| depends: [] |
| |
| Module: logging |
| XML: etc/jetty-logging.xml |
| depends: [] |
| |
| Module: lowresources |
| XML: etc/jetty-lowresources.xml |
| depends: [server] |
| |
| Module: monitor |
| LIB: lib/jetty-monitor-${jetty.version}.jar |
| XML: etc/jetty-monitor.xml |
| depends: [client, server] |
| |
| Module: npn |
| depends: [] |
| |
| Module: plus |
| LIB: lib/jetty-plus-${jetty.version}.jar |
| XML: etc/jetty-plus.xml |
| depends: [server, security, jndi] |
| |
| Module: proxy |
| LIB: lib/jetty-proxy-${jetty.version}.jar |
| XML: etc/jetty-proxy.xml |
| depends: [client, server] |
| |
| Module: requestlog |
| XML: etc/jetty-requestlog.xml |
| depends: [server] |
| |
| Module: resources |
| LIB: resources |
| depends: [] |
| |
| Module: rewrite |
| LIB: lib/jetty-rewrite-${jetty.version}.jar |
| XML: etc/jetty-rewrite.xml |
| depends: [server] |
| |
| Module: security |
| LIB: lib/jetty-security-${jetty.version}.jar |
| depends: [server] |
| |
| Module: server |
| LIB: lib/servlet-api-3.1.jar |
| LIB: lib/jetty-schemas-3.1.jar |
| LIB: lib/jetty-http-${jetty.version}.jar |
| LIB: lib/jetty-continuation-${jetty.version}.jar |
| LIB: lib/jetty-server-${jetty.version}.jar |
| LIB: lib/jetty-xml-${jetty.version}.jar |
| LIB: lib/jetty-util-${jetty.version}.jar |
| LIB: lib/jetty-io-${jetty.version}.jar |
| XML: etc/jetty.xml |
| depends: [] |
| enabled: ${jetty.base}/start.ini |
| |
| Module: servlet |
| LIB: lib/jetty-servlet-${jetty.version}.jar |
| depends: [server] |
| |
| Module: servlets |
| LIB: lib/jetty-servlets-${jetty.version}.jar |
| depends: [servlet] |
| |
| Module: setuid |
| LIB: lib/setuid/jetty-setuid-java-1.0.1.jar |
| XML: etc/jetty-setuid.xml |
| depends: [server] |
| |
| Module: ssl |
| XML: etc/jetty-ssl.xml |
| depends: [server] |
| enabled: ${jetty.base}/start.ini |
| |
| Module: stats |
| XML: etc/jetty-stats.xml |
| depends: [server] |
| |
| Module: webapp |
| LIB: lib/jetty-webapp-${jetty.version}.jar |
| depends: [servlet] |
| |
| Module: websocket |
| LIB: lib/websocket/*.jar |
| depends: [annotations] |
| |
| Module: xinetd |
| XML: etc/jetty-xinetd.xml |
| depends: [server] |
| |
| Jetty Active Module Tree: |
| ------------------------- |
| + Module: server [enabled] |
| + Module: http [enabled] |
| + Module: servlet [transitive] |
| + Module: ssl [enabled] |
| + Module: webapp [transitive] |
| + Module: deploy [enabled] |
| .... |
| |
| These are the modules by name, the libraries they bring in, the XML configurations they use, the other modules they depend on (even optional ones), and if the module is in use, where it was enabled. |
| |
| While you can manage the list of active modules yourself, it is much easier to edit the `${jetty.base}/start.ini`. |
| |
| If you want to start using a new module: |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base] $ java -jar ../jetty-distribution-{VERSION}/start.jar --add-to-start=https |
| .... |
| |
| This adds the `--module=` lines and associated properties (the parameterized values mentioned above), to your `start.ini`. |
| |
| ____ |
| [IMPORTANT] |
| Do not edit the modules and XML files in the `${jetty.home}` directory; there is no need to be moving or copying them unless you want to make your own modules or override the behavior of an existing module. |
| ____ |
| |
| Notice that your `${jetty.base}/start.ini` has no references to the XML files. |
| That's because the module system and its graph of dependencies now dictate all of the XML files, and their load order. |
| |
| [[parameterizing]] |
| ===== Parameters |
| |
| Next is parameterizing all of the standard configuration XMLs. |
| In this example all of the SSL parameters are now just properties in the `start.ini`, reducing or eliminating the need to edit XML files. |
| |
| [[override-jetty.home]] |
| ===== Overriding $\{jetty.home} in $\{jetty.base} |
| |
| Finally, you can override anything you see in `${jetty.home}` in `${jetty.base}`, even XML configurations and libraries. |
| |
| For more information on the `start.jar` in 9.1, see xref:start-jar[]. |
| |
| [[summary-configuring-SSL-Jetty]] |
| ==== Summary of Configuring SSL |
| |
| 1. Download and unpack Jetty into `/home/user/jetty-distribution-{VERSION}`. |
| 2. Go to your base directory and just use the distribution, no editing. |
| + |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ java -jar /home/user/jetty-distribution-{VERSION}/start.jar |
| .... |
| * The Jetty distribution provides, out of the box, the XML configuration files, in this case `jetty-http.xml` and `jetty-ssl.xml`. |
| These can be found in the `${jetty.home}/etc/` directory. |
| * We have parameterized all of the configurable values in those XMLs. |
| You can now set the values using simple properties, either on the command line, or within the `${jetty.base}/start.ini`. |
| * When you activate the module for HTTP or HTTPs, Jetty automatically adds the appropriate libraries and XML to start Jetty. |
| Unless you have a highly custom setup (such as listening on two different ports, using SSL on each, each with its own keystore and configuration), there is no need to muck around in XML files. |
| 3. Use modules to configure HTTPS: |
| * http -> server |
| * https -> ssl -> server |
| + |
| You can find the details about the modules in `${jetty.home}/modules/`. |
| For SSL they include `modules/http.mod`, `modules/https.mod`, `modules/ssl.mod`, and `modules/server.mod`. |
| + |
| Ideally, this level of detail is not important to you. |
| What is important is that you want to use HTTPS and want to configure it. |
| You accomplish that by adding the `--module=https` to your `start.ini`. |
| By default, the module system keeps things sane, and transitively includes all dependent modules as well. |
| |
| You can see what the configuration looks like, after all of the modules are resolved, without starting Jetty via: |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base] $ java -jar ../jetty-distribution-{VERSION}/start.jar --list-config |
| .... |
| |
| Just because the JARs exist on disk does not mean that they are in use. |
| The configuration controls what is used. |
| |
| Use the `--list-config` to see the configuration. |
| Notice that only a subset of the JARs from the distribution are in use. |
| The modules you have enabled determine that subset. |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| [my-base]$ java -jar ~/jetty-distribution-{VERSION}/start.jar --list-config |
| .... |
