Enable Http Server with two https ports

Enable http server with another alternative https port,
this gives us the freedom that if the second port is needed.

Author: jingmeih

http-server/src/main/java/com/facebook/airlift/http/server/HttpServer.java

@@ -170,6 +170,7 @@ public HttpServer(HttpServerInfo httpServerInfo,
                 "http-server-timeout",
                 config.getTimeoutConcurrency(),
                 config.getTimeoutThreads());
+
         // set up HTTP connector
         ServerConnector httpConnector;
         if (config.isHttpEnabled()) {
@@ -216,77 +217,20 @@ public HttpServer(HttpServerInfo httpServerInfo,
             server.addConnector(httpConnector);
         }
 
-        List<String> includedCipherSuites = config.getHttpsIncludedCipherSuites();
-        List<String> excludedCipherSuites = config.getHttpsExcludedCipherSuites();
-
-        // set up NIO-based HTTPS connector
-        ServerConnector httpsConnector;
+        // Set up NIO-based HTTPS connector.
         if (config.isHttpsEnabled()) {
-            HttpConfiguration httpsConfiguration = new HttpConfiguration(baseHttpConfiguration);
-            httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
-
-            SslContextFactory sslContextFactory = new SslContextFactory();
-            Optional<KeyStore> pemKeyStore = tryLoadPemKeyStore(config);
-            if (pemKeyStore.isPresent()) {
-                sslContextFactory.setKeyStore(pemKeyStore.get());
-                sslContextFactory.setKeyStorePassword("");
-            }
-            else {
-                sslContextFactory.setKeyStorePath(config.getKeystorePath());
-                sslContextFactory.setKeyStorePassword(config.getKeystorePassword());
-                if (config.getKeyManagerPassword() != null) {
-                    sslContextFactory.setKeyManagerPassword(config.getKeyManagerPassword());
-                }
-            }
-            if (config.getTrustStorePath() != null) {
-                Optional<KeyStore> pemTrustStore = tryLoadPemTrustStore(config);
-                if (pemTrustStore.isPresent()) {
-                    sslContextFactory.setTrustStore(pemTrustStore.get());
-                    sslContextFactory.setTrustStorePassword("");
-                }
-                else {
-                    sslContextFactory.setTrustStorePath(config.getTrustStorePath());
-                    sslContextFactory.setTrustStorePassword(config.getTrustStorePassword());
-                }
-            }
-
-            sslContextFactory.setIncludeCipherSuites(includedCipherSuites.toArray(new String[0]));
-            sslContextFactory.setExcludeCipherSuites(excludedCipherSuites.toArray(new String[0]));
-            sslContextFactory.setSecureRandomAlgorithm(config.getSecureRandomAlgorithm());
-            sslContextFactory.setWantClientAuth(true);
-            sslContextFactory.setSslSessionTimeout((int) config.getSslSessionTimeout().getValue(SECONDS));
-            sslContextFactory.setSslSessionCacheSize(config.getSslSessionCacheSize());
-            SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
-
-            Integer acceptors = config.getHttpsAcceptorThreads();
-            Integer selectors = config.getHttpsSelectorThreads();
-            httpsConnector = createServerConnector(
-                    httpServerInfo.getHttpsChannel(),
-                    server,
-                    null,
-                    concurrentScheduler,
-                    firstNonNull(acceptors, -1),
-                    firstNonNull(selectors, -1),
-                    sslConnectionFactory,
-                    new HttpConnectionFactory(httpsConfiguration));
-            httpsConnector.setName("https");
-            httpsConnector.setPort(httpServerInfo.getHttpsUri().getPort());
-            httpsConnector.setIdleTimeout(config.getNetworkMaxIdleTime().toMillis());
-            httpsConnector.setHost(nodeInfo.getBindIp().getHostAddress());
-            httpsConnector.setAcceptQueueSize(config.getHttpAcceptQueueSize());
-
-            // track connection statistics
-            ConnectionStatistics connectionStats = new ConnectionStatistics();
-            httpsConnector.addBean(connectionStats);
-            this.httpsConnectionStats = new ConnectionStats(connectionStats);
-
-            if (channelListener != null) {
-                httpsConnector.addBean(channelListener);
-            }
-
+            ServerConnector httpsConnector = createHttpsConnector(config, nodeInfo, baseHttpConfiguration, concurrentScheduler,
+                    channelListener, "https", httpServerInfo.getHttpsUri().getPort(), httpServerInfo.getHttpsChannel());
             server.addConnector(httpsConnector);
         }
 
+        // Set up NIO-based alternative HTTPS connector.
+        if (config.isHttpsEnabled() && config.isAlternativeHttpsEnabled()) {
+            ServerConnector alternativeHttpsConnector = createHttpsConnector(config, nodeInfo, baseHttpConfiguration, concurrentScheduler,
+                    channelListener, "alternative-https", httpServerInfo.getAlternativeHttpsUri().getPort(), httpServerInfo.getAlternativeHttpsChannel());
+            server.addConnector(alternativeHttpsConnector);
+        }
+
         // set up NIO-based Admin connector
         ServerConnector adminConnector;
         if (theAdminServlet != null && config.isAdminEnabled()) {
@@ -308,8 +252,8 @@ public HttpServer(HttpServerInfo httpServerInfo,
                 }
                 sslContextFactory.setSecureRandomAlgorithm(config.getSecureRandomAlgorithm());
                 sslContextFactory.setWantClientAuth(true);
-                sslContextFactory.setIncludeCipherSuites(includedCipherSuites.toArray(new String[0]));
-                sslContextFactory.setExcludeCipherSuites(excludedCipherSuites.toArray(new String[0]));
+                sslContextFactory.setIncludeCipherSuites(config.getHttpsIncludedCipherSuites().toArray(new String[0]));
+                sslContextFactory.setExcludeCipherSuites(config.getHttpsExcludedCipherSuites().toArray(new String[0]));
                 SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
                 adminConnector = createServerConnector(
                         httpServerInfo.getAdminChannel(),
@@ -370,7 +314,7 @@ public HttpServer(HttpServerInfo httpServerInfo,
             handlers.addHandler(gzipHandler);
         }
 
-        handlers.addHandler(createServletContext(config, defaultServlet, servlets, parameters, filters, tokenManager, loginService, authorizer, "http", "https"));
+        handlers.addHandler(createServletContext(config, defaultServlet, servlets, parameters, filters, tokenManager, loginService, authorizer, "http", "https", "alternative-https"));
 
         if (config.isRequestStatsEnabled()) {
             RequestLogHandler statsRecorder = new RequestLogHandler();
@@ -649,4 +593,84 @@ private static ServerConnector createServerConnector(
         connector.open(channel);
         return connector;
     }
+
+    private ServerConnector createHttpsConnector(
+            HttpServerConfig config,
+            NodeInfo nodeInfo,
+            HttpConfiguration baseHttpConfiguration,
+            ConcurrentScheduler concurrentScheduler,
+            HttpServerChannelListener channelListener,
+            String httpsName,
+            int httpsPort,
+            ServerSocketChannel socketChannel)
+            throws IOException
+    {
+        ServerConnector httpsConnector;
+        List<String> includedCipherSuites = config.getHttpsIncludedCipherSuites();
+        List<String> excludedCipherSuites = config.getHttpsExcludedCipherSuites();
+
+        HttpConfiguration httpsConfiguration = new HttpConfiguration(baseHttpConfiguration);
+        httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
+
+        SslContextFactory sslContextFactory = new SslContextFactory();
+        Optional<KeyStore> pemKeyStore = tryLoadPemKeyStore(config);
+        if (pemKeyStore.isPresent()) {
+            sslContextFactory.setKeyStore(pemKeyStore.get());
+            sslContextFactory.setKeyStorePassword("");
+        }
+        else {
+            sslContextFactory.setKeyStorePath(config.getKeystorePath());
+            sslContextFactory.setKeyStorePassword(config.getKeystorePassword());
+            if (config.getKeyManagerPassword() != null) {
+                sslContextFactory.setKeyManagerPassword(config.getKeyManagerPassword());
+            }
+        }
+        if (config.getTrustStorePath() != null) {
+            Optional<KeyStore> pemTrustStore = tryLoadPemTrustStore(config);
+            if (pemTrustStore.isPresent()) {
+                sslContextFactory.setTrustStore(pemTrustStore.get());
+                sslContextFactory.setTrustStorePassword("");
+            }
+            else {
+                sslContextFactory.setTrustStorePath(config.getTrustStorePath());
+                sslContextFactory.setTrustStorePassword(config.getTrustStorePassword());
+            }
+        }
+
+        sslContextFactory.setIncludeCipherSuites(includedCipherSuites.toArray(new String[0]));
+        sslContextFactory.setExcludeCipherSuites(excludedCipherSuites.toArray(new String[0]));
+        sslContextFactory.setSecureRandomAlgorithm(config.getSecureRandomAlgorithm());
+        sslContextFactory.setWantClientAuth(true);
+        sslContextFactory.setSslSessionTimeout((int) config.getSslSessionTimeout().getValue(SECONDS));
+        sslContextFactory.setSslSessionCacheSize(config.getSslSessionCacheSize());
+        SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(sslContextFactory, "http/1.1");
+
+        Integer acceptors = config.getHttpsAcceptorThreads();
+        Integer selectors = config.getHttpsSelectorThreads();
+        httpsConnector = createServerConnector(
+                socketChannel,
+                server,
+                null,
+                concurrentScheduler,
+                firstNonNull(acceptors, -1),
+                firstNonNull(selectors, -1),
+                sslConnectionFactory,
+                new HttpConnectionFactory(httpsConfiguration));
+        httpsConnector.setName(httpsName);
+        httpsConnector.setPort(httpsPort);
+        httpsConnector.setIdleTimeout(config.getNetworkMaxIdleTime().toMillis());
+        httpsConnector.setHost(nodeInfo.getBindIp().getHostAddress());
+        httpsConnector.setAcceptQueueSize(config.getHttpAcceptQueueSize());
+
+        // track connection statistics
+        ConnectionStatistics connectionStats = new ConnectionStatistics();
+        httpsConnector.addBean(connectionStats);
+        this.httpsConnectionStats = new ConnectionStats(connectionStats);
+
+        if (channelListener != null) {
+            httpsConnector.addBean(channelListener);
+        }
+
+        return httpsConnector;
+    }
 }

http-server/src/main/java/com/facebook/airlift/http/server/HttpServerConfig.java

@@ -72,7 +72,9 @@ public enum AuthorizationPolicy
     private int httpAcceptQueueSize = 8000;
 
     private boolean httpsEnabled;
+    private boolean alternativeHttpsEnabled;
     private int httpsPort = 8443;
+    private int alternativeHttpsPort = 8444;
     private String keystorePath;
     private String keystorePassword;
     private String keyManagerPassword;
@@ -178,18 +180,42 @@ public HttpServerConfig setHttpsEnabled(boolean httpsEnabled)
         return this;
     }
 
+    public boolean isAlternativeHttpsEnabled()
+    {
+        return alternativeHttpsEnabled;
+    }
+
+    @Config("http-server.https.alternative.enabled")
+    public HttpServerConfig setAlternativeHttpsEnabled(boolean alternativeHttpsEnabled)
+    {
+        this.alternativeHttpsEnabled = alternativeHttpsEnabled;
+        return this;
+    }
+
     public int getHttpsPort()
     {
         return httpsPort;
     }
 
+    public int getAlternativeHttpsPort()
+    {
+        return alternativeHttpsPort;
+    }
+
     @Config("http-server.https.port")
     public HttpServerConfig setHttpsPort(int httpsPort)
     {
         this.httpsPort = httpsPort;
         return this;
     }
 
+    @Config("http-server.https.alternative-port")
+    public HttpServerConfig setAlternativeHttpsPort(int httpsPort)
+    {
+        this.alternativeHttpsPort = httpsPort;
+        return this;
+    }
+
     @MinDuration("1s")
     public Duration getSslSessionTimeout()
     {

http-server/src/main/java/com/facebook/airlift/http/server/HttpServerInfo.java

@@ -35,12 +35,15 @@ public class HttpServerInfo
     private final URI httpUri;
     private final URI httpExternalUri;
     private final URI httpsUri;
+    private final URI alternativeHttpsUri;
     private final URI httpsExternalUri;
+    private final URI alternativeHttpsExternalUri;
     private final URI adminUri;
     private final URI adminExternalUri;
 
     private final ServerSocketChannel httpChannel;
     private final ServerSocketChannel httpsChannel;
+    private final ServerSocketChannel alternativeHttpsChannel;
     private final ServerSocketChannel adminChannel;
 
     @Inject
@@ -61,11 +64,25 @@ public HttpServerInfo(HttpServerConfig config, NodeInfo nodeInfo)
             httpsChannel = createChannel(nodeInfo.getBindIp(), config.getHttpsPort(), config.getHttpAcceptQueueSize());
             httpsUri = buildUri("https", nodeInfo.getInternalAddress(), port(httpsChannel));
             httpsExternalUri = buildUri("https", nodeInfo.getExternalAddress(), httpsUri.getPort());
+
+            if (config.isAlternativeHttpsEnabled()) {
+                alternativeHttpsChannel = createChannel(nodeInfo.getBindIp(), config.getAlternativeHttpsPort(), config.getHttpAcceptQueueSize());
+                alternativeHttpsUri = buildUri("https", nodeInfo.getInternalAddress(), port(alternativeHttpsChannel));
+                alternativeHttpsExternalUri = buildUri("https", nodeInfo.getExternalAddress(), alternativeHttpsUri.getPort());
+            }
+            else {
+                alternativeHttpsChannel = null;
+                alternativeHttpsUri = null;
+                alternativeHttpsExternalUri = null;
+            }
         }
         else {
             httpsChannel = null;
             httpsUri = null;
             httpsExternalUri = null;
+            alternativeHttpsChannel = null;
+            alternativeHttpsUri = null;
+            alternativeHttpsExternalUri = null;
         }
 
         if (config.isAdminEnabled()) {
@@ -101,11 +118,21 @@ public URI getHttpsUri()
         return httpsUri;
     }
 
+    public URI getAlternativeHttpsUri()
+    {
+        return alternativeHttpsUri;
+    }
+
     public URI getHttpsExternalUri()
     {
         return httpsExternalUri;
     }
 
+    public URI getAlternativeHttpsExternalUri()
+    {
+        return alternativeHttpsExternalUri;
+    }
+
     public URI getAdminUri()
     {
         return adminUri;
@@ -131,6 +158,11 @@ ServerSocketChannel getAdminChannel()
         return adminChannel;
     }
 
+    ServerSocketChannel getAlternativeHttpsChannel()
+    {
+        return alternativeHttpsChannel;
+    }
+
     private static URI buildUri(String scheme, String host, int port)
     {
         try {

http-server/src/test/java/com/facebook/airlift/http/server/TestHttpServerConfig.java

@@ -87,7 +87,9 @@ public void testDefaults()
                 .setAuthorizationEnabled(false)
                 .setDefaultAuthorizationPolicy(HttpServerConfig.AuthorizationPolicy.ALLOW)
                 .setDefaultAllowedRoles("")
-                .setAllowUnsecureRequestsInAuthorizer(false));
+                .setAllowUnsecureRequestsInAuthorizer(false)
+                .setAlternativeHttpsEnabled(false)
+                .setAlternativeHttpsPort(8444));
     }
 
     @Test
@@ -143,6 +145,8 @@ public void testExplicitPropertyMappings()
                 .put("http-server.authorization.default-policy", "DENY")
                 .put("http-server.authorization.default-allowed-roles", "user, internal, admin")
                 .put("http-server.authorization.allow-unsecured-requests", "true")
+                .put("http-server.https.alternative.enabled", "true")
+                .put("http-server.https.alternative-port", "4")
                 .build();
 
         HttpServerConfig expected = new HttpServerConfig()
@@ -194,7 +198,9 @@ public void testExplicitPropertyMappings()
                 .setAuthorizationEnabled(true)
                 .setDefaultAuthorizationPolicy(HttpServerConfig.AuthorizationPolicy.DENY)
                 .setDefaultAllowedRoles("user, internal, admin")
-                .setAllowUnsecureRequestsInAuthorizer(true);
+                .setAllowUnsecureRequestsInAuthorizer(true)
+                .setAlternativeHttpsEnabled(true)
+                .setAlternativeHttpsPort(4);
 
         ConfigAssertions.assertFullMapping(properties, expected);
     }

http-server/src/test/java/com/facebook/airlift/http/server/TestHttpServerInfo.java

@@ -43,6 +43,8 @@ public void testIPv6Url()
         serverConfig.setHttpsEnabled(true);
         serverConfig.setHttpsPort(0);
         serverConfig.setAdminEnabled(true);
+        serverConfig.setAlternativeHttpsEnabled(true);
+        serverConfig.setAlternativeHttpsPort(0);
 
         HttpServerInfo httpServerInfo = new HttpServerInfo(serverConfig, nodeInfo);
 
@@ -58,6 +60,10 @@ public void testIPv6Url()
         assertEquals(httpServerInfo.getAdminUri(), new URI("https://[::1]:" + adminPort));
         assertEquals(httpServerInfo.getAdminExternalUri(), new URI("https://[2001:db8::2:1]:" + adminPort));
 
+        int proxygenPort = httpServerInfo.getAlternativeHttpsUri().getPort();
+        assertEquals(httpServerInfo.getAlternativeHttpsUri(), new URI("https://[::1]:" + proxygenPort));
+        assertEquals(httpServerInfo.getAlternativeHttpsExternalUri(), new URI("https://[2001:db8::2:1]:" + proxygenPort));
+
         closeChannels(httpServerInfo);
     }