
I have two jetty instances. The first Jetty instance has an external port. All requests come through the first Jetty instance. Some requests need to be redirected to the second Jetty instance. The certificate will be validated on the second jetty.

What is the best way to do this with jetty (9)?

Thank you in advance.

  • Why not 1 Jetty with 2 ServerConnectors (one on an external IP/port, one with a different IP/port with ssl/tls turned on with client certificate requirements)? – Joakim Erdfelt May 27 '20 at 11:22
  • Hi Joakim, I need two jetty instances, because I want to separate the third party java libraries under lib/ext. extraClasspath is not an option, because of performance issues and a group of services needs its own java lib under lib/ext (strange, I know). Do you have an idea or do you need further details? – JProgrammer May 27 '20 at 12:16
  • `lib/ext` is actually the wrong way to go for performance concerns (you add needlessly complex classloader behavior for every access to a class or resource outside of the war's `WEB-INF/lib`). It also slows down deployment by a ton. (You can have an isolated WAR deployment in under 250ms every time, regardless of size or complexity of the WAR, by using quickstart, which was created for the cloud/vm communities that want fast startup). – Joakim Erdfelt May 27 '20 at 22:33
  • Back to the original question, does this public layer redirect (ala 301/302) or proxy to the second Jetty instance? – Joakim Erdfelt May 27 '20 at 22:35
  • Short question to the lib/ext topic: How is the proposed way to share common third party libraries? Because I don't want to have the same java libraries over and over again in each WAR file. – JProgrammer May 28 '20 at 03:58
  • Back to the original question: It proxies to the second Jetty instance. I also need the certificate attribute in the second jetty instance: `servletRequest.getAttribute("javax.servlet.request.X509Certificate");` I need something like an nginx reverse proxy with ssl passthrough, but I have to realize it within the first jetty instance. – JProgrammer May 28 '20 at 04:09

1 Answer


In a proxy scenario, the first server will negotiate all of the SSL/TLS layer before issuing the request to the proxy server.

Once the SSL/TLS layer is successfully negotiated, there's no option to THEN perform the Client certificate validation, as that only occurs during the SSL/TLS layer.

In short, once your User-Agent (client/browser) can start making requests, then it's too late for the Client Certificate validation.

As for accessing the javax.servlet.request.X509Certificate, that will require whatever proxy you are using to include the appropriate forwarding headers to the second server.

If the second server is Jetty, then that server will require the ForwardedRequestCustomizer to pull the Forwarding headers out from the request to then insert into the Request attributes.

Joakim Erdfelt
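An added example (not from the answer or from the Jetty project) of the backend configuration the answer describes: an embedded Jetty 9.4 server that installs `ForwardedRequestCustomizer` so the forwarding headers sent by the first instance are turned into request values, and a small servlet that shows what does and does not arrive. The port, the loopback binding and the servlet are assumptions for the example; the attribute behaviour in the comments reflects Jetty 9.4's customizer, not anything the page states.

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Second (backend) Jetty instance sitting behind the first, TLS-terminating one. */
public class BackendServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        // Reads X-Forwarded-For/-Proto/-Host/-Port (or RFC 7239 "Forwarded") and rewrites
        // the request so getRemoteAddr(), getScheme() and isSecure() describe the original client.
        // It also copies the proxy's "Proxy-auth-cert" / "Proxy-ssl-id" headers (default names)
        // into the javax.servlet.request.cipher_suite / ssl_session_id attributes.
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());

        // Forwarding headers are trusted unconditionally, so expose this connector only to the
        // proxy (loopback here, port 8081 is assumed); a client that can reach it directly could
        // otherwise spoof its own address or "https" scheme.
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1");
        connector.setPort(8081);
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new EchoServlet()), "/*");
        server.setHandler(context);
        server.start();
        server.join();
    }

    /** Shows the values the customizer derived from the proxy's headers. */
    static class EchoServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().printf("client=%s scheme=%s secure=%s cipher=%s%n",
                req.getRemoteAddr(), req.getScheme(), req.isSecure(),
                req.getAttribute("javax.servlet.request.cipher_suite"));
            // Stays null: the TLS handshake (and any client-cert check) ended at the first instance.
            resp.getWriter().printf("X509Certificate=%s%n",
                req.getAttribute("javax.servlet.request.X509Certificate"));
        }
    }
}
```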