Skip to content

Commit

Permalink
Support deployment behind nginx reverse proxy
Browse files Browse the repository at this point in the history
  • Loading branch information
Luca Bassi committed Oct 17, 2024
1 parent dd7ae26 commit 719b68d
Show file tree
Hide file tree
Showing 11 changed files with 280 additions and 10 deletions.
61 changes: 61 additions & 0 deletions doc/nginx-reverse-proxy.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Use nginx as a reverse proxy

It is possible to deploy StoRM WebDAV using nginx as a reverse proxy.

The main pros of this type of deployment are:

- use nginx to manage TLS termination
- delegate VOMS proxy authentication to [ngx_http_voms_module](https://baltig.infn.it/cnafsd/ngx_http_voms_module)
- improve performance of downloads by using nginx to handle GET requests

## How to deploy StoRM WebDAV using nginx

Install nginx and [ngx_http_voms_module](https://baltig.infn.it/cnafsd/ngx_http_voms_module) on your server.

Change the configuration of nginx to:

- enable the client certificates
- set the correct headers for VOMS authentication
- add an internal endpoint to which to redirect GET requests

In your `application.yml` configuration set `storm.nginx-reverse-proxy` to `true`.

Example nginx configuration:

```
server {
location /internal-get {
internal;
alias /;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
tcp_nodelay on;
}
location / {
proxy_pass http://127.0.0.1:8086;
proxy_set_header X-VOMS-voms_user $voms_user;
proxy_set_header X-VOMS-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
proxy_set_header X-VOMS-voms_user_ca $voms_user_ca;
proxy_set_header X-VOMS-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
proxy_set_header X-VOMS-voms_fqans $voms_fqans;
proxy_set_header X-VOMS-voms_server $voms_server;
proxy_set_header X-VOMS-voms_server_ca $voms_server_ca;
proxy_set_header X-VOMS-voms_vo $voms_vo;
proxy_set_header X-VOMS-voms_server_uri $voms_server_uri;
proxy_set_header X-VOMS-voms_not_before $voms_not_before;
proxy_set_header X-VOMS-voms_not_after $voms_not_after;
proxy_set_header X-VOMS-voms_generic_attributes $voms_generic_attributes;
proxy_set_header X-VOMS-voms_serial $voms_serial;
}
listen [::]:8443 ssl http2;
listen 8443 ssl http2;
ssl_certificate /etc/grid-security/hostcert.pem;
ssl_certificate_key /etc/grid-security/hostkey.pem;
ssl_client_certificate /etc/pki/ca-trust/extracted/pem/tls-ca-bundle-all.pem;
ssl_verify_client optional;
ssl_verify_depth 10;
client_max_body_size 0;
error_page 497 https://$host:8443$request_uri;
}
```
6 changes: 5 additions & 1 deletion etc/systemd/system/storm-webdav.service.d/storm-webdav.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -159,4 +159,8 @@ Environment="STORM_WEBDAV_TPC_MAX_CONNECTIONS_PER_ROUTE=25"

# Cache entries lifetime, used if caching for VOMS certificate validation is enabled
# Default: 300
# Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=300"
# Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=300"

# Use nginx as a reverse proxy
# Default: false
# Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=false"
36 changes: 36 additions & 0 deletions src/main/java/org/italiangrid/storm/webdav/authz/VOMSConstants.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
/**
* Copyright (c) Istituto Nazionale di Fisica Nucleare, 2014-2023.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.italiangrid.storm.webdav.authz;

public interface VOMSConstants {

String VOMS_USER_HEADER = "X-VOMS-voms_user";
String SSL_CLIENT_EE_S_DN_HEADER = "X-VOMS-ssl_client_ee_s_dn";
String VOMS_USER_CA_HEADER = "X-VOMS-voms_user_ca";
String SSL_CLIENT_EE_I_DN_HEADER = "X-VOMS-ssl_client_ee_i_dn";
String VOMS_FQANS_HEADER = "X-VOMS-voms_fqans";
String VOMS_VO_HEADER = "X-VOMS-voms_vo";
String VOMS_SERVER_URI_HEADER = "X-VOMS-voms_server_uri";
String VOMS_NOT_BEFORE_HEADER = "X-VOMS-voms_not_before";
String VOMS_NOT_AFTER_HEADER = "X-VOMS-voms_not_after";
String VOMS_GENERIC_ATTRIBUTES_HEADER = "X-VOMS-voms_generic_attributes";
String VOMS_SERIAL_HEADER = "X-VOMS-voms_serial";

String VOMS_DATE_FORMAT = "yyyyMMddHHmmss'Z'";

String VOMS_GENERIC_ATTRIBUTES_REGEX = "n=(\\S*) v=(\\S*) q=(\\S*)";

}
43 changes: 43 additions & 0 deletions src/main/java/org/italiangrid/storm/webdav/authz/VOMSNginxFilter.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
/**
* Copyright (c) Istituto Nazionale di Fisica Nucleare, 2014-2023.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.italiangrid.storm.webdav.authz;

import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationManager;

public class VOMSNginxFilter extends VOMSAuthenticationFilter implements VOMSConstants {

public VOMSNginxFilter(AuthenticationManager mgr) {
super(mgr);
}

@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
if (request.getHeader(VOMS_USER_HEADER) != null
&& request.getHeader(SSL_CLIENT_EE_S_DN_HEADER) != null) {
return new X500Principal(request.getHeader(SSL_CLIENT_EE_S_DN_HEADER)).getName();
}
return null;
}

@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
return new Object();
}

}
85 changes: 82 additions & 3 deletions src/main/java/org/italiangrid/storm/webdav/authz/VOMSPreAuthDetailsSource.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,38 +15,55 @@
*/
package org.italiangrid.storm.webdav.authz;

import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.regex.Matcher;

import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

import org.italiangrid.storm.webdav.authz.vomap.VOMapDetailsService;
import org.italiangrid.voms.VOMSAttribute;
import org.italiangrid.voms.VOMSGenericAttribute;
import org.italiangrid.voms.ac.VOMSACValidator;
import org.italiangrid.voms.ac.impl.VOMSAttributesImpl;
import org.italiangrid.voms.ac.impl.VOMSGenericAttributeImpl;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.GrantedAuthority;

import com.google.common.collect.Sets;

import eu.emi.security.authn.x509.proxy.ProxyUtils;

public class VOMSPreAuthDetailsSource
implements AuthenticationDetailsSource<HttpServletRequest, VOMSAuthenticationDetails> {
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class VOMSPreAuthDetailsSource implements
AuthenticationDetailsSource<HttpServletRequest, VOMSAuthenticationDetails>, VOMSConstants {

public static final Logger LOG = LoggerFactory.getLogger(VOMSPreAuthDetailsSource.class);

private final AuthorizationPolicyService policyService;
private final VOMSACValidator validator;
private final VOMapDetailsService voMapDetailsService;
private final boolean nginxReverseProxy;

public VOMSPreAuthDetailsSource(VOMSACValidator vomsValidator,
AuthorizationPolicyService policyService, VOMapDetailsService voMapDetailsService) {
AuthorizationPolicyService policyService, VOMapDetailsService voMapDetailsService,
boolean nginxReverseProxy) {
this.policyService = policyService;
this.validator = vomsValidator;
this.voMapDetailsService = voMapDetailsService;
this.nginxReverseProxy = nginxReverseProxy;
}

@Override
Expand Down Expand Up @@ -116,6 +133,68 @@ protected Optional<X509SubjectAuthority> getSubjectAuthority(HttpServletRequest
}

protected List<VOMSAttribute> getAttributes(HttpServletRequest request) {
if (nginxReverseProxy) {
VOMSAttributesImpl attrs = new VOMSAttributesImpl();
// voms_user and voms_user_ca are present only when a VOMS proxy is used
// After checking that they are present, use ssl_client_ee_*_dn that are formatted according
// to RFC 2253
if (request.getHeader(VOMS_USER_HEADER) != null
&& request.getHeader(SSL_CLIENT_EE_S_DN_HEADER) != null) {
attrs.setHolder(new X500Principal(request.getHeader(SSL_CLIENT_EE_S_DN_HEADER)));
}
if (request.getHeader(VOMS_USER_CA_HEADER) != null
&& request.getHeader(SSL_CLIENT_EE_I_DN_HEADER) != null) {
attrs.setIssuer(new X500Principal(request.getHeader(SSL_CLIENT_EE_I_DN_HEADER)));
}
if (request.getHeader(VOMS_FQANS_HEADER) != null) {
attrs.setFQANs(Arrays.asList(request.getHeader(VOMS_FQANS_HEADER).split(",")));
}
if (request.getHeader(VOMS_VO_HEADER) != null) {
attrs.setVO(request.getHeader(VOMS_VO_HEADER));
}
if (request.getHeader(VOMS_SERVER_URI_HEADER) != null) {
String[] splittedServerUri = request.getHeader(VOMS_SERVER_URI_HEADER).split(":");
attrs.setHost(splittedServerUri[0]);
attrs.setPort(Integer.parseInt(splittedServerUri[1]));
}
SimpleDateFormat simpleDateFormat = new SimpleDateFormat(VOMS_DATE_FORMAT);
if (request.getHeader(VOMS_NOT_BEFORE_HEADER) != null) {
try {
attrs.setNotBefore(simpleDateFormat.parse(request.getHeader(VOMS_NOT_BEFORE_HEADER)));
} catch (ParseException e) {
LOG.warn("Error parsing X-VOMS-voms_not_before header: {}",
request.getHeader(VOMS_NOT_BEFORE_HEADER));
}
}
if (request.getHeader(VOMS_NOT_AFTER_HEADER) != null) {
try {
attrs.setNotAfter(simpleDateFormat.parse(request.getHeader(VOMS_NOT_AFTER_HEADER)));
} catch (ParseException e) {
LOG.warn("Error parsing X-VOMS-voms_not_after header: {}",
request.getHeader(VOMS_NOT_AFTER_HEADER));
}
}
if (request.getHeader(VOMS_GENERIC_ATTRIBUTES_HEADER) != null) {
List<VOMSGenericAttribute> genericAttrs = Collections.emptyList();
Pattern pattern = Pattern.compile(VOMS_GENERIC_ATTRIBUTES_REGEX);
for (String genericAttribute : request.getHeader(VOMS_GENERIC_ATTRIBUTES_HEADER)
.split(",")) {
Matcher matcher = pattern.matcher(genericAttribute);
if (matcher.find()) {
VOMSGenericAttributeImpl genericAttr = new VOMSGenericAttributeImpl();
genericAttr.setName(matcher.group(1));
genericAttr.setValue(matcher.group(2));
genericAttr.setContext(matcher.group(3));
genericAttrs.add(genericAttr);
}
}
attrs.setGenericAttributes(genericAttrs);
}
if (request.getHeader(VOMS_SERIAL_HEADER) != null) {
attrs.setHolderSerialNumber(new BigInteger(request.getHeader(VOMS_SERIAL_HEADER), 16));
}
return List.of(attrs);
}

Optional<X509Certificate[]> chain = Utils.getCertificateChainFromRequest(request);

Expand Down
9 changes: 9 additions & 0 deletions src/main/java/org/italiangrid/storm/webdav/config/ServiceConfigurationProperties.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -642,6 +642,8 @@ public void setTrustStore(VOMSTrustStoreProperties trustStore) {

private ChecksumStrategy checksumStrategy = ChecksumStrategy.EARLY;

private boolean nginxReverseProxy = false;

private BufferProperties buffer;

private RedirectorProperties redirector;
Expand Down Expand Up @@ -877,6 +879,13 @@ public void setChecksumStrategy(ChecksumStrategy checksumStrategy) {
this.checksumStrategy = checksumStrategy;
}

public boolean getNginxReverseProxy() {
return nginxReverseProxy;
}

public void setNginxReverseProxy(boolean nginxReverseProxy) {
this.nginxReverseProxy = nginxReverseProxy;
}

@Override
public boolean useConscrypt() {
Expand Down
4 changes: 3 additions & 1 deletion src/main/java/org/italiangrid/storm/webdav/server/DefaultJettyServerCustomizer.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,9 @@ public void customize(Server server) {

server.setConnectors(null);
configurePlainConnector(server);
configureTLSConnector(server);
if (!serviceConfig.getNginxReverseProxy()) {
configureTLSConnector(server);
}
configureRewriteHandler(server);
configureAccessLog(server);

Expand Down
6 changes: 6 additions & 0 deletions src/main/java/org/italiangrid/storm/webdav/server/servlet/StoRMServlet.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,12 @@ public Resource getResource(String pathInContext) {

}

@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
resourceService.doGet(request, response, pathResolver, serviceConfig);

Check notice

Code scanning / SonarCloud

Exceptions should not be thrown from servlet methods Low

Handle the following exceptions that could be thrown by "doGet": ServletException, IOException. See more on SonarCloud
}

@Override
protected void doHead(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Expand Down
21 changes: 21 additions & 0 deletions src/main/java/org/italiangrid/storm/webdav/server/servlet/resource/StormResourceService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,11 @@
*/
package org.italiangrid.storm.webdav.server.servlet.resource;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
Expand All @@ -26,6 +28,9 @@
import org.eclipse.jetty.server.ResourceService;
import org.eclipse.jetty.util.URIUtil;

import org.italiangrid.storm.webdav.config.ServiceConfigurationProperties;
import org.italiangrid.storm.webdav.server.PathResolver;

public class StormResourceService extends ResourceService {

private String pathInContext(HttpServletRequest request) {
Expand Down Expand Up @@ -73,4 +78,20 @@ public boolean doHead(HttpServletRequest request, HttpServletResponse response)
return true;
}

public boolean doGet(HttpServletRequest request, HttpServletResponse response,
PathResolver resolver, ServiceConfigurationProperties serviceConfig)
throws ServletException, IOException {

if (serviceConfig.getNginxReverseProxy()) {
final String pathInContext = pathInContext(request);
String resolvedPath = resolver.resolvePath(pathInContext);
File f = new File(resolvedPath);
if (f.isFile()) {
response.setHeader("X-Accel-Redirect", "/internal-get" + resolvedPath);
return response.isCommitted();
}
}
return super.doGet(request, response);
}

}
Loading

0 comments on commit 719b68d

Please sign in to comment.