Commit
Mention how to disable the HTTP port
This is particularly important when mTLS is used.
cescoffier committed Nov 27, 2023
1 parent cd89658 commit 3bc3468
Showing 3 changed files with 11 additions and 6 deletions.
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/http-reference.adoc
Expand Up @@ -151,7 +151,7 @@ Refer to the xref:./management-interface-reference.adoc[management interface ref
====

[[ssl]]
== Supporting secure connections with SSL
== Supporting secure connections with TLS/SSL

In order to have Quarkus support secure connections, you must either provide a certificate and associated key file, or supply a keystore.
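Review bot: the new heading `== Supporting secure connections with TLS/SSL` will still trip the project's Vale term rule (Quarkus.CaseSensitiveTerms asks for 'SSL/TLS', and the linter flagged line 154 of this file on this commit); suggest `== Supporting secure connections with SSL/TLS` so the heading uses the project's preferred spelling and the warning clears. The `[[ssl]]` anchor above the heading is unchanged, so existing cross-references keep working.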

docs/src/main/asciidoc/security-authentication-mechanisms.adoc
Expand Up @@ -193,13 +193,15 @@ quarkus.http.ssl.certificate.trust-store-password=the_trust_store_secret
quarkus.http.ssl.client-auth=required <3>
quarkus.http.auth.permission.default.paths=/* <4>
quarkus.http.auth.permission.default.policy=authenticated
quarkus.http.insecure-requests=disabled <5>
----
<1> The keystore where the server's private key is located.

<2> The truststore from which the trusted certificates are loaded.

<3> With this value set to `required`, the server requires certificates from clients.
To relax this requirement so that the server accepts requests without a certificate, set the value to `REQUEST`.
This option is useful when you are also supporting authentication methods other than mTLS.
<4> Defines a policy where only authenticated users should have access to resources from your application.
<5> Optionally, disable the plain HTTP protocol, and consequently require all requests to be made over HTTPS.

When the incoming request matches a valid certificate in the truststore, your application can obtain the subject by injecting a `SecurityIdentity` as follows:
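Review bot: callout <5> presents `quarkus.http.insecure-requests=disabled` as "Optionally", while the Javadoc added in the same commit for `ssl.client-auth` says it is recommended whenever client auth is REQUIRED; this example sets `quarkus.http.ssl.client-auth=required`, so the two pieces of documentation should agree and the callout should state why the setting matters here rather than leave it as an afterthought. Suggested wording: "<5> Disable the plain HTTP port. A request arriving over plain HTTP carries no client certificate, so with `client-auth` set to `required` the HTTP port should not be left open; all requests must then be made over HTTPS." That ties the new line to the mTLS motivation given in the commit message.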

Expand Up @@ -28,7 +28,10 @@ public class HttpBuildTimeConfig {

/**
* Configures the engine to require/request client authentication.
* NONE, REQUEST, REQUIRED
* {@code NONE, REQUEST, REQUIRED}.
* <p>
* When set to REQUIRED, it's recommended to also set `quarkus.http.insecure-requests=disabled` to disable the
* plain HTTP port.
*/
@ConfigItem(name = "ssl.client-auth", defaultValue = "NONE")
public ClientAuth tlsClientAuth;
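Review bot: the added line wraps `quarkus.http.insecure-requests=disabled` in backticks, but this is Javadoc, where backticks are rendered literally; the line just above in the same hunk was changed to `{@code NONE, REQUEST, REQUIRED}`, so use `{@code quarkus.http.insecure-requests=disabled}` here for the same reason. For consistency, `{@code REQUIRED}` in "When set to REQUIRED" would style all three mentions of the enum value the same way.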
Expand All @@ -43,15 +46,15 @@ public class HttpBuildTimeConfig {
/**
* A common root path for non-application endpoints. Various extension-provided endpoints such as metrics, health,
* and openapi are deployed under this path by default.
*
* <p>
* * Relative path (Default, `q`) ->
* Non-application endpoints will be served from
* `${quarkus.http.root-path}/${quarkus.http.non-application-root-path}`.
* * Absolute path (`/q`) ->
* Non-application endpoints will be served from the specified path.
* * `${quarkus.http.root-path}` -> Setting this path to the same value as HTTP root path disables
* this root path. All extension-provided endpoints will be served from `${quarkus.http.root-path}`.
*
* <p>
* If the management interface is enabled, the root path for the endpoints exposed on the management interface
* is configured using the `quarkus.management.root-path` property instead of this property.
*
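Review bot: the `*` to `* <p>` replacements in this hunk and the two that follow are Javadoc paragraph-break fixes unrelated to the HTTP-port recommendation in the commit message; they are fine to keep, but a separate commit would make the documentation change easier to find in history.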
Expand All @@ -69,7 +72,7 @@ public class HttpBuildTimeConfig {
/**
* If enabled then the response body is compressed if the {@code Content-Type} header is set and the value is a compressed
* media type as configured via {@link #compressMediaTypes}.
*
* <p>
* Note that the RESTEasy Reactive and Reactive Routes extensions also make it possible to enable/disable compression
* declaratively using the annotations {@link io.quarkus.vertx.http.Compressed} and
* {@link io.quarkus.vertx.http.Uncompressed}.
Expand All @@ -79,7 +82,7 @@ public class HttpBuildTimeConfig {

/**
* When enabled, vert.x will decompress the request's body if it's compressed.
*
* <p>
* Note that the compression format (e.g., gzip) must be specified in the Content-Encoding header
* in the request.
*/