clj-commons
diff --git a/‎src/aleph/http.clj‎
Lines changed: 2 additions & 1 deletion b/‎src/aleph/http.clj‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/aleph/http/server.clj‎
Lines changed: 52 additions & 39 deletions b/‎src/aleph/http/server.clj‎
Lines changed: 52 additions & 39 deletions
diff --git a/‎test/aleph/http_test.clj‎
Lines changed: 25 additions & 1 deletion b/‎test/aleph/http_test.clj‎
Lines changed: 25 additions & 1 deletion
@@ -54,7 +54,7 @@
  | `bootstrap-transform` | A function that takes an `io.netty.bootstrap.ServerBootstrap` object, which represents the server, and modifies it. |
  | `http-versions` | An optional vector of allowable HTTP versions to negotiate via ALPN, in preference order. Defaults to `[:http1]`. |
  | `ssl-context` | An `io.netty.handler.ssl.SslContext` object or a map of SSL context options (see `aleph.netty/ssl-server-context` for more details) if an SSL connection is desired. When passing an `io.netty.handler.ssl.SslContext` object, it must have an ALPN config matching the `http-versions` option (see `aleph.netty/ssl-server-context` and `aleph.netty/application-protocol-config`). If only HTTP/1.1 is desired, ALPN config is optional.
- | `manual-ssl?` | Set to `true` to indicate that SSL is active, but the caller is managing it (this implies `:ssl-context` is nil). For example, this can be used if you want to use configure SNI (perhaps in `:pipeline-transform` ) to select the SSL context based on the client's indicated host name. |
+ | `manual-ssl?` | Set to `true` to indicate that SSL is active, but the caller is managing it (this implies `:ssl-context` is nil). For example, this can be used if you want to use configure SNI (usually via `:initial-pipeline-transform`) to select the SSL context based on the client's indicated host name. |
  | `executor` | A `java.util.concurrent.Executor` which is used to handle individual requests. To avoid this indirection you may specify `:none`, but in this case extreme care must be taken to avoid blocking operations on the handler's thread. |
  | `shutdown-executor?` | If `true`, the executor will be shut down when `.close()` is called on the server, defaults to `true` . |
  | `request-buffer-size` | The maximum body size, in bytes, that the server will allow to accumulate before placing on the body stream, defaults to `16384` . This does *not* represent the maximum size request the server can handle (which is unbounded), and is only a means of maximizing performance. |
@@ -69,6 +69,7 @@
  | `continue-handler` | Optional handler which is invoked when header sends \"Except: 100-continue\" header to test whether the request should be accepted or rejected. Handler should return `true`, `false`, ring responseo to be used as a reject response or deferred that yields one of those. |
  | `continue-executor` | Optional `java.util.concurrent.Executor` which is used to handle requests passed to :continue-handler. To avoid this indirection you may specify `:none`, but in this case extreme care must be taken to avoid blocking operations on the handler's thread. |
  | `shutdown-timeout` | Interval in seconds within which in-flight requests must be processed, defaults to 15 seconds. A value of `0` bypasses waiting entirely. |
+ | `initial-pipeline-transform` | A function that takes an `io.netty.channel.ChannelPipeline` object, which represents the connection before any default handlers are installed (and thus, before HTTP version negotiation), and modifies it. |
 
  HTTP/1-specific options
  | Param key | Description |
 
@@ -46,7 +46,8 @@
  LastHttpContent)
  (io.netty.handler.ssl
  ApplicationProtocolNames
- SslContext)
+ SslContext
+ SslHandler)
  (io.netty.handler.stream
  ChunkedWriteHandler)
  (io.netty.util AsciiString)
@@ -633,40 +634,48 @@
 
 (defn make-pipeline-builder
  "Returns a function that initializes a new server channel's pipeline."
- [handler {:keys [ssl? ^SslContext ssl-context use-h2c?] :as opts}]
+ [handler {:keys [ssl?
+ ^SslContext ssl-context
+ use-h2c?
+ initial-pipeline-transform]
+ :or {initial-pipeline-transform identity}
+ :as opts}]
  (fn pipeline-builder*
  [^ChannelPipeline pipeline]
  (log/trace "pipeline-builder*" pipeline opts)
  (let [setup-opts (assoc opts
  :handler handler
  :server? true
  :pipeline pipeline)]
- (cond (and ssl? ssl-context)
- (let [ssl-handler (netty/ssl-handler (.channel pipeline) ssl-context)]
- (log/debug "Setting up secure HTTP server pipeline.")
- (log/debug "ALPN HTTP versions:" (mapv str (.nextProtocols ssl-context)))
-
- (-> pipeline
- (.addLast "ssl-handler" ssl-handler)
- (.addLast "apn-handler"
- (ApnHandler.
- (fn setup-secure-pipeline
- [^ChannelPipeline pipeline protocol]
- (log/trace "setup-secure-pipeline: chosen protocol:" protocol)
- (when (nil? (.applicationProtocol ssl-handler))
- (log/debug (str "ALPN not used. Protocol " protocol " chosen by fallback.")))
- (cond (.equals ApplicationProtocolNames/HTTP_1_1 protocol)
- (setup-http1-pipeline setup-opts)
-
- (.equals ApplicationProtocolNames/HTTP_2 protocol)
- (http2/setup-conn-pipeline setup-opts)
-
- :else
- (let [msg (str "Unknown protocol: " protocol)
- e (IllegalStateException. msg)]
- (log/error e msg)
- (throw e))))
- apn-fallback-protocol)))
+ (initial-pipeline-transform pipeline)
+ (cond ssl?
+ (do
+ ;; might be nil in manual-ssl? mode
+ (when ssl-context
+ (log/debug "Setting up secure HTTP server pipeline.")
+ (log/debug "ALPN HTTP versions:" (mapv str (.nextProtocols ssl-context)))
+ (.addLast pipeline "ssl-handler" (netty/ssl-handler (.channel pipeline) ssl-context)))
+ (.addLast pipeline
+ "apn-handler"
+ (ApnHandler.
+ (fn setup-secure-pipeline
+ [^ChannelPipeline pipeline protocol]
+ (log/trace "setup-secure-pipeline: chosen protocol:" protocol)
+ (let [^SslHandler ssl-handler (.get pipeline SslHandler)]
+ (when (nil? (.applicationProtocol ssl-handler))
+ (log/debug (str "ALPN not used. Protocol " protocol " chosen by fallback.")))
+ (cond (.equals ApplicationProtocolNames/HTTP_1_1 protocol)
+ (setup-http1-pipeline setup-opts)
+
+ (.equals ApplicationProtocolNames/HTTP_2 protocol)
+ (http2/setup-conn-pipeline setup-opts)
+
+ :else
+ (let [msg (str "Unknown protocol: " protocol)
+ e (IllegalStateException. msg)]
+ (log/error e msg)
+ (throw e)))))
+ apn-fallback-protocol))
  pipeline)
 
  use-h2c?
@@ -750,28 +759,32 @@
  opts (assoc opts :ssl-context ssl-context)
  http1-pipeline-transform (common/validate-http1-pipeline-transform opts)
  executor (setup-executor executor)
- continue-executor (setup-continue-executor executor continue-executor)
- pipeline-builder (make-pipeline-builder
- handler
- (assoc opts
- :executor executor
- :ssl? (or manual-ssl? (boolean ssl-context))
- :http1-pipeline-transform http1-pipeline-transform
- :continue-executor continue-executor))]
+ continue-executor (setup-continue-executor executor continue-executor)]
 
  (if (some #{:http2} http-versions)
  (when (and (not ssl-context)
- (not use-h2c?))
- (throw (IllegalArgumentException. "HTTP/2 requires ssl-context to be given or use-h2c? to be true.")))
+ (not use-h2c?)
+ (not manual-ssl?))
+ (throw (IllegalArgumentException. "HTTP/2 requires passing an ssl-context or manual-ssl? true. Alternatively, pass use-h2c? true to disable TLS.")))
  (when use-h2c?
  (throw (IllegalArgumentException. "use-h2c? may only be true when HTTP/2 is enabled."))))
 
  (when (and ssl-context
  use-h2c?)
  (throw (IllegalArgumentException. "use-h2c? must not be true when ssl-context is given.")))
 
+ (when (and ssl-context
+ manual-ssl?)
+ (throw (IllegalArgumentException. "manual-ssl? must not be true when ssl-context is given.")))
+
  (netty/start-server
- {:pipeline-builder pipeline-builder
+ {:pipeline-builder (make-pipeline-builder
+ handler
+ (assoc opts
+ :executor executor
+ :ssl? (or manual-ssl? (boolean ssl-context))
+ :http1-pipeline-transform http1-pipeline-transform
+ :continue-executor continue-executor))
  :bootstrap-transform bootstrap-transform
  :socket-address (if socket-address
  socket-address
 
@@ -2,6 +2,7 @@
  (:require
  [aleph.flow :as flow]
  [aleph.http :as http]
+ [aleph.http.common :as common]
  [aleph.http.core :as http.core]
  [aleph.netty :as netty]
  [aleph.resource-leak-detector]
@@ -518,6 +519,29 @@
  (is (= 200 (:status @(http-get "/"))))
  (is (some? @ssl-session))))))
 
+
+(defn test-manual-ssl-for-version [http-version]
+ (testing (str "manual ssl with " http-version)
+ (with-redefs [*use-tls-requests* true]
+ (with-server (http/start-server string-handler
+ (assoc http-server-options
+ :manual-ssl? true
+ :http-versions [http-version]
+ :initial-pipeline-transform (fn [pipeline]
+ (let [ssl-handler (netty/ssl-handler (.channel pipeline)
+ (-> test-ssl/server-ssl-context-opts
+ (common/ensure-consistent-alpn-config [http-version])
+ (netty/coerce-ssl-server-context)))]
+ (.addLast pipeline
+ "ssl-handler"
+ ssl-handler)))))
+ (binding [*connection-options* {:http-versions [http-version]}]
+ (is (= 200 (:status @(http-get "/")))))))))
+
+(deftest test-manual-ssl
+ (test-manual-ssl-for-version :http1)
+ (test-manual-ssl-for-version :http2))
+
 (deftest test-invalid-body
  (let [client-url "/"]
  (with-handler echo-handler
@@ -1449,7 +1473,7 @@
  (let [result (try-start-server
  {:http-versions [:http2]})]
  (is (instance? IllegalArgumentException result))
- (is (= "HTTP/2 requires ssl-context to be given or use-h2c? to be true." (ex-message result)))))
+ (is (= "HTTP/2 requires passing an ssl-context or manual-ssl? true. Alternatively, pass use-h2c? true to disable TLS." (ex-message result)))))
 
  (testing "HTTP/2 without ssl-context but with h2c"
  (let [result (try-start-server