...
Recommended Configuration
...
Jetty Logging
File(s): etc/jetty-requestlog.xml, resources/logback.xml, resources/logback-access.xml
The recommended approach is to use logback for all Jetty logging. The logback and slf4j libraries are needed to support this configuration and must be copied into JETTY_BASE/lib/logging.
- From the slf4j distribution, copy in slf4j-api-version.jar
- From the logback distribution, copy in logback-classic-version.jar, logback-core-version.jar, and logback-access-version.jar
Configure Jetty to use logback for request logging by creating JETTY_BASE/etc/jetty-requestlog.xml with the following content:
```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!-- =============================================================== -->
<!-- Configure the Jetty Request Log                                 -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="RequestLog">
    <New id="RequestLog" class="ch.qos.logback.access.jetty.RequestLogImpl">
      <Set name="fileName"><Property name="jetty.base" default="." />/resources/logback-access.xml</Set>
    </New>
  </Set>
  <Ref refid="RequestLog">
    <Call name="start" />
  </Ref>
</Configure>
```
Configure logging policy for Jetty internals logging and request logging. Sample logback configuration files are provided for convenience.
resources/logback.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true">
  <appender name="jetty" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${jetty.base}/logs/jetty.log</File>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <FileNamePattern>${jetty.base}/logs/jetty-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
    </rollingPolicy>
    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
      <charset>UTF-8</charset>
      <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
    </encoder>
  </appender>
  <root level="INFO">
    <appender-ref ref="jetty" />
  </root>
  <logger name="org.springframework" level="OFF" />
  <logger name="ch.qos.logback" level="WARN" />
</configuration>
```
resources/logback-access.xml:
```xml
<configuration>
  <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />
  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${jetty.base}/logs/access.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>${jetty.base}/logs/access-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
    </rollingPolicy>
    <encoder>
      <pattern>combined</pattern>
    </encoder>
  </appender>
  <appender-ref ref="FILE" />
</configuration>
```
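As an added example (not part of the Shibboleth documentation or of the logback project), the following Python script parses access log lines in the combined format that the logback-access.xml above writes to logs/access.log and counts 4xx responses per client address, which is the kind of first pass an operator runs over the request log when looking for password-guessing or broken-client traffic against the IdP. The lines in SAMPLE_LINES are constructed for the example (the last one is deliberately malformed), and the function names are the example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout of the logback-access "combined" pattern configured above:
#   %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic). The last line is intentionally
# not in combined format so that the parser's rejection path is exercised.
SAMPLE_LINES = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1" 401 512 "https://idp.example.org/" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /idp/profile/SAML2/Redirect/SSO?execution=e1s2 HTTP/1.1" 401 512 "https://idp.example.org/" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "POST /idp/profile/SAML2/Redirect/SSO?execution=e1s3 HTTP/1.1" 401 512 "https://idp.example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /idp/status HTTP/1.1" 200 1834 "-" "curl/7.88.1"',
    '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /idp/shibboleth HTTP/1.1" 200 5120 "-" "curl/7.88.1"',
    'this line is not in combined format',
]


def parse_combined(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b is written as "-" when no response body was sent
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %t uses logback-access's default dd/MMM/yyyy:HH:mm:ss Z layout
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Split the request line "METHOD target PROTOCOL" into its parts
    method, _, rest = rec["request"].partition(" ")
    target, _, protocol = rest.rpartition(" ")
    rec["method"], rec["target"], rec["protocol"] = method, target, protocol
    return rec


def client_error_counts(lines):
    """Count 4xx responses per client address, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec is not None and 400 <= rec["status"] < 500:
            counts[rec["host"]] += 1
    return counts


def hosts_over_threshold(lines, threshold):
    """Return, sorted, the client addresses with more than `threshold` 4xx responses."""
    return sorted(h for h, n in client_error_counts(lines).items() if n > threshold)


if __name__ == "__main__":
    for rec in filter(None, map(parse_combined, SAMPLE_LINES)):
        print(rec["time"].isoformat(), rec["host"], rec["method"], rec["target"], rec["status"])
    print("clients with more than 2 4xx responses:", hosts_over_threshold(SAMPLE_LINES, 2))
```

To run it over a real log, replace SAMPLE_LINES with the lines of logs/access.log; rotated files are gzip-compressed per the fileNamePattern above, so read those with the gzip module.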
Temporary Files
Jetty will use /tmp as a staging area for unpacking the warfile, and if you have cron jobs sweeping that for old files, your IdP can be disrupted. You will probably want to create JETTY_BASE/tmp, and add the following configuration directive to JETTY_BASE/start.ini:
-Djava.io.tmpdir=tmp
Disable Directory Indexing
Jetty has vulnerabilities related to directory indexing (sigh) so we suggest disabling that feature at this point. There are a few different ways this can be done (see https://webtide.com/indexing-listing-vulnerability-in-jetty/), but one method that's fairly self-contained within the IdP footprint is to modify web.xml (i.e. copy the original version from idp.home/dist/webapp/WEB-INF/web.xml to idp.home/edit-webapp/WEB-INF/web.xml) and then rebuild the war file.
```xml
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
        <param-name>dirAllowed</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
</servlet>
```
You can place it above the existing <servlet> elements in the file.
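An added check, not part of the IdP distribution: the following Python snippet parses a web.xml and reports whether the default servlet is declared with dirAllowed set to false, so the edit above can be verified in edit-webapp/WEB-INF/web.xml before the war file is rebuilt. The two web.xml fragments embedded in it are constructed for the example, and the function names are the example's own.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (not the IdP's real file). The first carries the
# default-servlet override described above; the second leaves Jetty's built-in
# default servlet untouched.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>idp</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  </servlet>
</web-app>
"""

UNPATCHED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>idp</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the namespace prefix from an element tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_dir_listing(web_xml_text):
    """Effective dirAllowed setting declared for the 'default' servlet.

    Returns False when web.xml sets dirAllowed=false, True when it sets it to true,
    and None when web.xml does not set it at all (so Jetty's own default applies
    and directory listing has not been explicitly disabled here).
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root:
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "default":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "dirAllowed":
                return (_child_text(param, "param-value") or "").lower() == "true"
        return None  # default servlet declared, but without a dirAllowed parameter
    return None


def is_directory_listing_disabled(web_xml_text):
    """True only when web.xml explicitly disables directory listing."""
    return default_servlet_dir_listing(web_xml_text) is False


if __name__ == "__main__":
    # Usage: python check_dirallowed.py /path/to/edit-webapp/WEB-INF/web.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = HARDENED_WEB_XML
    print("directory listing disabled:", is_directory_listing_disabled(text))
```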
Optional Configuration
Supporting SOAP Endpoints
...
Jetty can be configured to consume the 'x-forwarded-proto' HTTP header so that the protocol it reports is not the one used on the connection from the load balancer, but the one used between the client and the load balancer, as communicated in that header. The Proxy / Load Balancer Configuration section of the Jetty documentation describes the required configuration.
...
Supporting X-Forwarded-For
If you are running the Jetty engine behind a proxy or load balancer, Jetty 9.3 has built-in support for consuming the client address and other details forwarded via headers.
...
```xml
<Set name="outputBufferSize">32768</Set>
<Set name="requestHeaderSize">8192</Set>
<Set name="responseHeaderSize">8192</Set>
<Call name="addCustomizer">
  <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer" /></Arg>
</Call>
```
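Once the customizer above is applied, Jetty reports the address carried in X-Forwarded-For rather than the load balancer's address, so the connector it is applied to should be reachable only from the load balancer; otherwise any client can supply that header and choose the address that ends up in your logs and access-control decisions. As an added illustration (not Jetty's code, and not a description of how ForwardedRequestCustomizer itself is implemented), the following Python function shows the trusted-proxy rule for reading such a header: start from the TCP peer, walk the header from right to left past addresses belonging to your own proxies, and take the first address that is not one of them. The trusted network, sample addresses and function names are constructed for the example.

```python
import ipaddress


def _parse_ip(text):
    """Parse one address; raises ValueError for anything that is not an IP literal."""
    return ipaddress.ip_address(text.strip())


def resolve_client_address(peer_addr, xff_header, trusted_proxies):
    """Client address derived from the TCP peer and an X-Forwarded-For header.

    trusted_proxies is a list of CIDR strings for the load balancers you control.
    The header is only believed when the peer is one of them, and the chain is
    read from the right so that entries prepended by the client are ignored.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = _parse_ip(peer_addr)
    if not is_trusted(peer):
        # The header did not come from our proxy: ignore it entirely.
        return str(peer)
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)  # raises ValueError on garbage such as "evil"
        if not is_trusted(ip):
            return str(ip)
    # Every hop was one of our proxies, or the header was empty: fall back to the peer.
    return str(peer)


def naive_leftmost(peer_addr, xff_header):
    """The common but spoofable shortcut: take the first (leftmost) entry."""
    first = (xff_header or "").split(",")[0].strip()
    return first or peer_addr


def header_is_well_formed(xff_header):
    """True when every non-empty entry in the header is an IP literal."""
    try:
        for hop in (xff_header or "").split(","):
            if hop.strip():
                _parse_ip(hop)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed scenario: the load balancer lives in 10.0.0.0/8 and a client has
    # prepended a fake entry to the header it sent.
    lb, header = "10.0.0.5", "198.51.100.1, 203.0.113.7"
    print("trusted-proxy rule:", resolve_client_address(lb, header, ["10.0.0.0/8"]))
    print("naive leftmost:    ", naive_leftmost(lb, header))
```

The trusted list must name only proxies you operate; a broad range such as 0.0.0.0/0 reduces the function to the naive leftmost behaviour.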
...