Add initial-pipeline-transform option to aleph.http/server-start

This allows :manual-ssl? to be used in combination with HTTP/2, as well.

Author: DerGuteMoritz

src/aleph/http.clj

@@ -54,7 +54,7 @@
    | `bootstrap-transform`             | A function that takes an `io.netty.bootstrap.ServerBootstrap` object, which represents the server, and modifies it. |
    | `http-versions`                   | An optional vector of allowable HTTP versions to negotiate via ALPN, in preference order. Defaults to `[:http1]`. |
    | `ssl-context`                     | An `io.netty.handler.ssl.SslContext` object or a map of SSL context options (see `aleph.netty/ssl-server-context` for more details) if an SSL connection is desired. When passing an `io.netty.handler.ssl.SslContext` object, it must have an ALPN config matching the `http-versions` option (see `aleph.netty/ssl-server-context` and `aleph.netty/application-protocol-config`). If only HTTP/1.1 is desired, ALPN config is optional.
-   | `manual-ssl?`                     | Set to `true` to indicate that SSL is active, but the caller is managing it (this implies `:ssl-context` is nil). For example, this can be used if you want to use configure SNI (perhaps in `:pipeline-transform` ) to select the SSL context based on the client's indicated host name. |
+   | `manual-ssl?`                     | Set to `true` to indicate that SSL is active, but the caller is managing it (this implies `:ssl-context` is nil). For example, this can be used if you want to use configure SNI (usually via `:initial-pipeline-transform`) to select the SSL context based on the client's indicated host name. |
    | `executor`                        | A `java.util.concurrent.Executor` which is used to handle individual requests. To avoid this indirection you may specify `:none`, but in this case extreme care must be taken to avoid blocking operations on the handler's thread. |
    | `shutdown-executor?`              | If `true`, the executor will be shut down when `.close()` is called on the server, defaults to `true` . |
    | `request-buffer-size`             | The maximum body size, in bytes, that the server will allow to accumulate before placing on the body stream, defaults to `16384` . This does *not* represent the maximum size request the server can handle (which is unbounded), and is only a means of maximizing performance. |
@@ -69,6 +69,7 @@
    | `continue-handler`                | Optional handler which is invoked when header sends \"Except: 100-continue\" header to test whether the request should be accepted or rejected. Handler should return `true`, `false`, ring responseo to be used as a reject response or deferred that yields one of those. |
    | `continue-executor`               | Optional `java.util.concurrent.Executor` which is used to handle requests passed to :continue-handler. To avoid this indirection you may specify `:none`, but in this case extreme care must be taken to avoid blocking operations on the handler's thread. |
    | `shutdown-timeout`                | Interval in seconds within which in-flight requests must be processed, defaults to 15 seconds. A value of `0` bypasses waiting entirely. |
+   | `initial-pipeline-transform`      | A function that takes an `io.netty.channel.ChannelPipeline` object, which represents the connection before any default handlers are installed (and thus, before HTTP version negotiation), and modifies it. |
 
    HTTP/1-specific options
    | Param key                         | Description |

src/aleph/http/server.clj

@@ -46,7 +46,8 @@
       LastHttpContent)
     (io.netty.handler.ssl
       ApplicationProtocolNames
-      SslContext)
+      SslContext
+      SslHandler)
     (io.netty.handler.stream
       ChunkedWriteHandler)
     (io.netty.util AsciiString)
@@ -633,40 +634,48 @@
 
 (defn make-pipeline-builder
   "Returns a function that initializes a new server channel's pipeline."
-  [handler {:keys [ssl? ^SslContext ssl-context use-h2c?] :as opts}]
+  [handler {:keys [ssl?
+                   ^SslContext ssl-context
+                   use-h2c?
+                   initial-pipeline-transform]
+            :or {initial-pipeline-transform identity}
+            :as opts}]
   (fn pipeline-builder*
     [^ChannelPipeline pipeline]
     (log/trace "pipeline-builder*" pipeline opts)
     (let [setup-opts (assoc opts
                             :handler handler
                             :server? true
                             :pipeline pipeline)]
-      (cond (and ssl? ssl-context)
-            (let [ssl-handler (netty/ssl-handler (.channel pipeline) ssl-context)]
-              (log/debug "Setting up secure HTTP server pipeline.")
-              (log/debug "ALPN HTTP versions:" (mapv str (.nextProtocols ssl-context)))
-
-              (-> pipeline
-                  (.addLast "ssl-handler" ssl-handler)
-                  (.addLast "apn-handler"
-                            (ApnHandler.
-                              (fn setup-secure-pipeline
-                                [^ChannelPipeline pipeline protocol]
-                                (log/trace "setup-secure-pipeline: chosen protocol:" protocol)
-                                (when (nil? (.applicationProtocol ssl-handler))
-                                  (log/debug (str "ALPN not used. Protocol " protocol " chosen by fallback.")))
-                                (cond (.equals ApplicationProtocolNames/HTTP_1_1 protocol)
-                                      (setup-http1-pipeline setup-opts)
-
-                                      (.equals ApplicationProtocolNames/HTTP_2 protocol)
-                                      (http2/setup-conn-pipeline setup-opts)
-
-                                      :else
-                                      (let [msg (str "Unknown protocol: " protocol)
-                                            e (IllegalStateException. msg)]
-                                        (log/error e msg)
-                                        (throw e))))
-                              apn-fallback-protocol)))
+      (initial-pipeline-transform pipeline)
+      (cond ssl?
+            (do
+              ;; might be nil in manual-ssl? mode
+              (when ssl-context
+                (log/debug "Setting up secure HTTP server pipeline.")
+                (log/debug "ALPN HTTP versions:" (mapv str (.nextProtocols ssl-context)))
+                (.addLast pipeline "ssl-handler" (netty/ssl-handler (.channel pipeline) ssl-context)))
+              (.addLast pipeline
+                        "apn-handler"
+                        (ApnHandler.
+                         (fn setup-secure-pipeline
+                           [^ChannelPipeline pipeline protocol]
+                           (log/trace "setup-secure-pipeline: chosen protocol:" protocol)
+                           (let [^SslHandler ssl-handler (.get pipeline SslHandler)]
+                             (when (nil? (.applicationProtocol ssl-handler))
+                               (log/debug (str "ALPN not used. Protocol " protocol " chosen by fallback.")))
+                             (cond (.equals ApplicationProtocolNames/HTTP_1_1 protocol)
+                                   (setup-http1-pipeline setup-opts)
+
+                                   (.equals ApplicationProtocolNames/HTTP_2 protocol)
+                                   (http2/setup-conn-pipeline setup-opts)
+
+                                   :else
+                                   (let [msg (str "Unknown protocol: " protocol)
+                                         e (IllegalStateException. msg)]
+                                     (log/error e msg)
+                                     (throw e)))))
+                         apn-fallback-protocol))
               pipeline)
 
             use-h2c?
@@ -750,28 +759,32 @@
         opts (assoc opts :ssl-context ssl-context)
         http1-pipeline-transform (common/validate-http1-pipeline-transform opts)
         executor (setup-executor executor)
-        continue-executor (setup-continue-executor executor continue-executor)
-        pipeline-builder (make-pipeline-builder
-                           handler
-                           (assoc opts
-                                  :executor executor
-                                  :ssl? (or manual-ssl? (boolean ssl-context))
-                                  :http1-pipeline-transform http1-pipeline-transform
-                                  :continue-executor continue-executor))]
+        continue-executor (setup-continue-executor executor continue-executor)]
 
     (if (some #{:http2} http-versions)
       (when (and (not ssl-context)
-                 (not use-h2c?))
-        (throw (IllegalArgumentException. "HTTP/2 requires ssl-context to be given or use-h2c? to be true.")))
+                 (not use-h2c?)
+                 (not manual-ssl?))
+        (throw (IllegalArgumentException. "HTTP/2 requires passing an ssl-context or manual-ssl? true. Alternatively, pass use-h2c? true to disable TLS.")))
       (when use-h2c?
         (throw (IllegalArgumentException. "use-h2c? may only be true when HTTP/2 is enabled."))))
 
     (when (and ssl-context
                use-h2c?)
       (throw (IllegalArgumentException. "use-h2c? must not be true when ssl-context is given.")))
 
+    (when (and ssl-context
+               manual-ssl?)
+      (throw (IllegalArgumentException. "manual-ssl? must not be true when ssl-context is given.")))
+
     (netty/start-server
-      {:pipeline-builder    pipeline-builder
+      {:pipeline-builder    (make-pipeline-builder
+                             handler
+                             (assoc opts
+                                    :executor executor
+                                    :ssl? (or manual-ssl? (boolean ssl-context))
+                                    :http1-pipeline-transform http1-pipeline-transform
+                                    :continue-executor continue-executor))
        :bootstrap-transform bootstrap-transform
        :socket-address      (if socket-address
                               socket-address

test/aleph/http_test.clj

@@ -2,6 +2,7 @@
   (:require
     [aleph.flow :as flow]
     [aleph.http :as http]
+    [aleph.http.common :as common]
     [aleph.http.core :as http.core]
     [aleph.netty :as netty]
     [aleph.resource-leak-detector]
@@ -518,6 +519,29 @@
         (is (= 200 (:status @(http-get "/"))))
         (is (some? @ssl-session))))))
 
+
+(defn test-manual-ssl-for-version [http-version]
+  (testing (str "manual ssl with " http-version)
+    (with-redefs [*use-tls-requests* true]
+      (with-server (http/start-server string-handler
+                                      (assoc http-server-options
+                                             :manual-ssl? true
+                                             :http-versions [http-version]
+                                             :initial-pipeline-transform (fn [pipeline]
+                                                                           (let [ssl-handler (netty/ssl-handler (.channel pipeline)
+                                                                                                                (-> test-ssl/server-ssl-context-opts
+                                                                                                                    (common/ensure-consistent-alpn-config [http-version])
+                                                                                                                    (netty/coerce-ssl-server-context)))]
+                                                                             (.addLast pipeline
+                                                                                       "ssl-handler"
+                                                                                       ssl-handler)))))
+        (binding [*connection-options* {:http-versions [http-version]}]
+          (is (= 200 (:status @(http-get "/")))))))))
+
+(deftest test-manual-ssl
+  (test-manual-ssl-for-version :http1)
+  (test-manual-ssl-for-version :http2))
+
 (deftest test-invalid-body
   (let [client-url "/"]
     (with-handler echo-handler
@@ -1449,7 +1473,7 @@
     (let [result (try-start-server
                   {:http-versions [:http2]})]
       (is (instance? IllegalArgumentException result))
-      (is (= "HTTP/2 requires ssl-context to be given or use-h2c? to be true." (ex-message result)))))
+      (is (= "HTTP/2 requires passing an ssl-context or manual-ssl? true. Alternatively, pass use-h2c? true to disable TLS." (ex-message result)))))
 
   (testing "HTTP/2 without ssl-context but with h2c"
     (let [result (try-start-server