
Recommended Configuration

...

Jetty Logging

File(s): etc/jetty-requestlog.xml, resources/logback.xml, resources/logback-access.xml

The recommended approach is to use logback for all Jetty logging. The logback and slf4j libraries are needed to support this configuration and must be copied into JETTY_BASE/lib/logging.

  1. From the slf4j distribution, copy in slf4j-api-version.jar
  2. From the logback distribution, copy in logback-classic-version.jar, logback-core-version.jar, and logback-access-version.jar
  3. Configure Jetty to use logback for request logging by creating JETTY_BASE/etc/jetty-requestlog.xml with the following content:

    Code Block: jetty-requestlog.xml
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
    <!-- =============================================================== -->
    <!-- Configure the Jetty Request Log                                 -->
    <!-- =============================================================== -->
    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <Set name="RequestLog">
        <New id="RequestLog" class="ch.qos.logback.access.jetty.RequestLogImpl">
          <Set name="fileName"><Property name="jetty.base" default="." />/resources/logback-access.xml</Set>
        </New>
      </Set>
      <Ref refid="RequestLog">
        <Call name="start" />
      </Ref>
    </Configure>

  4. Configure the logging policy for Jetty's internal logging and for request logging. Sample logback configuration files are provided for convenience:

    Code Block: logback.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration scan="true">
        <appender name="jetty" class="ch.qos.logback.core.rolling.RollingFileAppender">
            <File>${jetty.base}/logs/jetty.log</File>

            <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
                <FileNamePattern>${jetty.base}/logs/jetty-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
            </rollingPolicy>

            <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
                <charset>UTF-8</charset>
                <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
            </encoder>
        </appender>

        <root level="INFO">
            <appender-ref ref="jetty" />
        </root>
        <logger name="org.springframework" level="OFF" />
        <logger name="ch.qos.logback" level="WARN" />
    </configuration>

    Code Block: logback-access.xml
    <configuration>
      <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />
      <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>${jetty.base}/logs/access.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
          <fileNamePattern>${jetty.base}/logs/access-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
        </rollingPolicy>
        <encoder>
          <pattern>combined</pattern>
        </encoder>
      </appender>
      <appender-ref ref="FILE" />
    </configuration>
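A small pre-flight check for the logback setup described in the steps above. This is an added example and not part of the Shibboleth or Jetty documentation: it verifies that the JETTY_BASE/lib/logging listing contains exactly one copy of each of the four required jars (a missing jar means no logging, a second copy of a logback or slf4j artifact means classpath conflicts), and that every <appender-ref> in a logback file points at an <appender> that file actually declares, so the access log really lands somewhere. The jar listing and the XML it checks are constructed sample input.

```python
"""Pre-flight checks for the Jetty + logback logging setup (added example)."""
import re
import xml.etree.ElementTree as ET

# The four artifacts steps 1 and 2 above tell you to copy into JETTY_BASE/lib/logging.
REQUIRED_JARS = ("slf4j-api", "logback-classic", "logback-core", "logback-access")

# artifact-version.jar, e.g. logback-core-1.2.11.jar -> ("logback-core", "1.2.11")
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9\-]+?)-(?P<version>\d[\w.\-]*)\.jar$")


def check_logging_jars(jar_names):
    """Return (missing, duplicated) artifact names for a lib/logging directory listing."""
    seen = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            seen.setdefault(m.group("artifact"), []).append(m.group("version"))
    missing = [a for a in REQUIRED_JARS if a not in seen]
    duplicated = [a for a in REQUIRED_JARS if len(seen.get(a, [])) > 1]
    return missing, duplicated


def check_appender_refs(logback_xml):
    """Return appender-ref targets that no <appender> in the same file declares."""
    root = ET.fromstring(logback_xml)
    declared = {a.get("name") for a in root.iter("appender")}
    referenced = {r.get("ref") for r in root.iter("appender-ref")}
    return sorted(referenced - declared)


# Constructed sample listing: logback-access is missing, logback-core is present twice.
SAMPLE_LIB_LISTING = [
    "slf4j-api-1.7.36.jar",
    "logback-classic-1.2.11.jar",
    "logback-core-1.2.11.jar",
    "logback-core-1.1.7.jar",
]

# Constructed sample file: one declared appender, one dangling reference.
SAMPLE_ACCESS_XML = """<configuration>
  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${jetty.base}/logs/access.log</file>
    <encoder><pattern>combined</pattern></encoder>
  </appender>
  <appender-ref ref="FILE" />
  <appender-ref ref="SYSLOG" />
</configuration>"""

if __name__ == "__main__":
    missing, duplicated = check_logging_jars(SAMPLE_LIB_LISTING)
    print("missing jars:", missing)
    print("duplicated jars:", duplicated)
    print("dangling appender-refs:", check_appender_refs(SAMPLE_ACCESS_XML))
```

Point it at a real deployment with `os.listdir(os.path.join(jetty_base, "lib", "logging"))` and the contents of resources/logback.xml and resources/logback-access.xml; an empty result from both functions is the expected state before restarting Jetty.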

Temporary Files

Jetty will use /tmp as a staging area for unpacking the war file, and if you have cron jobs sweeping that directory for old files, your IdP can be disrupted. You will probably want to create JETTY_BASE/tmp and add the following configuration directive to JETTY_BASE/start.ini:

-Djava.io.tmpdir=tmp

Disable Directory Indexing

Jetty has vulnerabilities related to directory indexing (sigh) so we suggest disabling that feature at this point. There are a few different ways this can be done (see https://webtide.com/indexing-listing-vulnerability-in-jetty/), but one method that's fairly self-contained within the IdP footprint is to modify web.xml (i.e. copy the original version from idp.home/dist/webapp/WEB-INF/web.xml to idp.home/edit-webapp/WEB-INF/web.xml) and then rebuild the war file.

Code Block: web.xml addition
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>

You can place it above the existing <servlet> elements in the file.
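Because the fix lives in a file you copy and edit by hand, it is worth checking the result before rebuilding the war. The following script is an added example, not part of the Shibboleth documentation: it parses a web.xml (namespaced or not) and reports every servlet that uses Jetty's DefaultServlet without `dirAllowed` set to `false`, which is exactly the condition the addition above is meant to remove. The web.xml text in the block is constructed sample input; in a real deployment read idp.home/edit-webapp/WEB-INF/web.xml.

```python
"""Report DefaultServlet instances in a web.xml that still allow directory listing (added example)."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"


def _local(tag):
    # Deployment descriptors usually carry a default namespace, so tags arrive
    # as "{http://xmlns.jcp.org/xml/ns/javaee}servlet"; compare on the local name.
    return tag.rsplit("}", 1)[-1]


def directory_listing_findings(web_xml):
    """Return [(servlet-name, dirAllowed value or None)] for DefaultServlets with listing enabled."""
    root = ET.fromstring(web_xml)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): c for c in servlet}
        clazz = fields.get("servlet-class")
        if clazz is None or (clazz.text or "").strip() != DEFAULT_SERVLET:
            continue  # not Jetty's DefaultServlet, so dirAllowed does not apply
        name = (fields["servlet-name"].text or "").strip()
        dir_allowed = None
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "dirAllowed":
                dir_allowed = kv.get("param-value")
        # Jetty's default for dirAllowed is true, so a missing parameter is a finding too.
        if dir_allowed is None or dir_allowed.lower() != "false":
            findings.append((name, dir_allowed))
    return findings


# Constructed sample: "default" is fixed as in the addition above, "static" is not,
# and "idp" is a Spring servlet the check must ignore.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>static</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>idp</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for name, value in directory_listing_findings(SAMPLE_WEB_XML):
        print(f"servlet {name!r}: directory listing enabled (dirAllowed={value!r})")
```

An empty list is the state you want before running the war rebuild; rerun the check after every IdP upgrade, since a fresh dist/webapp/WEB-INF/web.xml will not carry your edit.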

Optional Configuration

Supporting SOAP Endpoints

...

Jetty can be configured to consume the x-forwarded-proto HTTP header so that, instead of reporting the protocol of the connection arriving from the load balancer, it reports the protocol used between the client and the load balancer, as communicated in that header. The Proxy / Load Balancer Configuration section of the Jetty documentation provides instructions on the required configuration.

...

Code Block
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
ProxyPass /idp http://localhost:8080/idp connectiontimeout=5 timeout=15
RequestHeader set REMOTE-USER %{REMOTE_USER}s

Supporting X-Forwarded-For

...

If you are running the Jetty engine behind a proxy or load balancer, Jetty 9.3 has built-in support for forwarding the client address and other details via headers.

Warning

As with any proxied deployment, you MUST take care to lock down the path between the proxy and the Jetty server, and the proxy MUST have support for sanitizing and preventing any client attempt to smuggle and hijack those headers. Failure to do so will result in a variety of security compromises. There are many other considerations to proxying far beyond the scope of this document.

  1. Copy the file JETTY_BASE/etc/jetty.xml to JETTY_HOME/etc/jetty.xml
  2. Edit the file JETTY_HOME/etc/jetty.xml and locate the following:

...

Code Block
<Set name="outputBufferSize">32768</Set>
<Set name="requestHeaderSize">8192</Set>
<Set name="responseHeaderSize">8192</Set>

<Call name="addCustomizer">
  <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer" /></Arg>
</Call>

If you are using a custom header, you can change the addCustomizer section to specify it. An example is below:

Code Block
<Call name="addCustomizer">
  <Arg>
    <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer">
      <Set name="forwardedForHeader">X-MyCustom-Header</Set>
    </New>
  </Arg>
</Call>
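The warning above is about a trust decision, and it is easier to reason about once written down. The following is an added example and not Jetty's ForwardedRequestCustomizer or any code from the Shibboleth documentation: it models how a forwarded header should be interpreted for both the x-forwarded-proto paragraph earlier in this section and the X-Forwarded-For setup here. A forwarded header is only meaningful when the TCP peer is a proxy you control, and even then only the value appended by your own proxy is reliable, so the resolver walks the list from the right and stops at the first address that is not a trusted proxy. The trusted subnet, header name and requests are constructed sample input.

```python
"""Resolve the real client address/protocol behind a proxy (added example)."""
import ipaddress


def resolve_client(peer_ip, headers, trusted_proxies, header="X-Forwarded-For"):
    """Return (client_ip, proto) as the application should see them.

    peer_ip         : address of the TCP connection actually reaching Jetty
    headers         : dict of request headers (looked up case-insensitively)
    trusted_proxies : iterable of CIDR networks whose forwarded headers we believe
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    lookup = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)

    if not any(peer in n for n in nets):
        # Direct connection, or an unknown proxy: whatever arrived in the
        # forwarded headers was written by someone we do not trust. Ignore it
        # entirely; do not merge it with the peer address.
        return str(peer), "http"

    client = str(peer)
    hops = [h.strip() for h in lookup.get(header.lower(), "").split(",") if h.strip()]
    # Walk right to left: the rightmost value was appended by our own proxy,
    # values further left may have been present before the request reached us.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: trust nothing to its left
        client = str(addr)
        if not any(addr in n for n in nets):
            break  # first hop that is not one of our proxies is the real client

    proto = lookup.get("x-forwarded-proto", "http").strip().lower()
    return client, "https" if proto == "https" else "http"


# Constructed: the load-balancer subnet that is allowed to set forwarded headers.
TRUSTED = ["10.0.0.0/8"]

# Constructed sample requests as (peer_ip, headers).
SAMPLE_REQUESTS = [
    # 1. Normal: the LB at 10.0.0.5 appended the client address and terminated TLS.
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}),
    # 2. The header already contained a value when it reached the LB; only the
    #    rightmost hop, the one our LB appended, may be believed.
    ("10.0.0.5", {"X-Forwarded-For": "192.0.2.1, 203.0.113.7", "X-Forwarded-Proto": "https"}),
    # 3. A connection that bypassed the LB: the headers must be ignored outright.
    ("203.0.113.9", {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "https"}),
]


def resolve_samples():
    """Resolve every constructed request against the trusted subnet."""
    return [resolve_client(peer, hdrs, TRUSTED) for peer, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, _), result in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer {peer:>12} -> client {result[0]:>12} over {result[1]}")
```

Request 3 is the case the warning is about: if Jetty's port is reachable from anywhere but the ForwardedRequestCustomizer is enabled, the forwarded values are accepted without the peer check this function performs, which is why the path between proxy and Jetty must be locked down at the network level as well.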

...