Diffstat (limited to 'jetty_conf')
-rw-r--r--jetty_conf/idp.xml10
-rw-r--r--jetty_conf/jetty-https.xml66
-rw-r--r--jetty_conf/jetty-ssl.xml64
-rw-r--r--jetty_conf/ssl.mod34
-rw-r--r--jetty_conf/start.ini28
5 files changed, 202 insertions, 0 deletions
diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml
new file mode 100644
index 0000000..cdeed1e
--- /dev/null
+++ b/jetty_conf/idp.xml
@@ -0,0 +1,10 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+ <Set name="war">
+ <SystemProperty name="idp.home" />
+ /war/idp.war
+ </Set>
+ <Set name="contextPath">/idp</Set>
+ <Set name="extractWAR">false</Set>
+ <Set name="copyWebDir">false</Set>
+ <Set name="copyWebInf">true</Set>
+</Configure>
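Review bot: idp.xml carries neither the `<?xml version="1.0"?>` declaration nor the Jetty DOCTYPE that jetty-ssl.xml in this commit has, so the three Jetty XML files use inconsistent headers; add `<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">` above `<Configure>` (jetty-https.xml likewise lacks the XML declaration). A short comment above `<Set name="war">` would also help, since the WAR path is assembled from a system property set in a different file, e.g. `<!-- war path is ${idp.home}/war/idp.war; idp.home is set in start.ini -->`.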
diff --git a/jetty_conf/jetty-https.xml b/jetty_conf/jetty-https.xml
new file mode 100644
index 0000000..8078f9b
--- /dev/null
+++ b/jetty_conf/jetty-https.xml
@@ -0,0 +1,66 @@
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<!-- ============================================================= -->
+<!-- Configure HTTPS connectors. -->
+<!-- This configuration must be used in conjunction with jetty.xml -->
+<!-- and jetty-ssl.xml. -->
+<!-- ============================================================= -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <!-- ============================================================= -->
+ <!-- Anonymous (no client TLS) HTTPS connector -->
+ <!-- ============================================================= -->
+ <Call id="httpsConnector" name="addConnector">
+ <Arg>
+ <New class="org.eclipse.jetty.server.ServerConnector">
+ <Arg name="server">
+ <Ref refid="Server" />
+ </Arg>
+ <Arg name="acceptors" type="int">
+ <Property name="ssl.acceptors" default="-1" />
+ </Arg>
+ <Arg name="selectors" type="int">
+ <Property name="ssl.selectors" default="-1" />
+ </Arg>
+ <Arg name="factories">
+ <Array type="org.eclipse.jetty.server.ConnectionFactory">
+ <Item>
+ <New class="org.eclipse.jetty.server.SslConnectionFactory">
+ <Arg name="next">http/1.1</Arg>
+ <Arg name="sslContextFactory">
+ <Ref refid="sslContextFactory" />
+ </Arg>
+ </New>
+ </Item>
+ <Item>
+ <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+ <Arg name="config">
+ <Ref refid="sslHttpConfig" />
+ </Arg>
+ </New>
+ </Item>
+ </Array>
+ </Arg>
+ <Set name="host">
+ <Property name="jetty.host" />
+ </Set>
+ <Set name="port">
+ <Property name="https.port" />
+ </Set>
+ <Set name="idleTimeout">
+ <Property name="https.timeout" default="30000" />
+ </Set>
+ <Set name="soLingerTime">
+ <Property name="https.soLingerTime" default="-1" />
+ </Set>
+ <Set name="acceptorPriorityDelta">
+ <Property name="ssl.acceptorPriorityDelta" default="0" />
+ </Set>
+ <Set name="selectorPriorityDelta">
+ <Property name="ssl.selectorPriorityDelta" default="0" />
+ </Set>
+ <Set name="acceptQueueSize">
+ <Property name="https.acceptQueueSize" default="0" />
+ </Set>
+ </New>
+ </Arg>
+ </Call>
+</Configure>
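Review bot: The connector port is read from `https.port` with no default, but the ini-template in ssl.mod from this same commit defines `jetty.secure.port=8443` and start.ini sets no `https.port`, so unless the property is supplied from somewhere not shown the connector has no port to bind. Either give it a default, `<Property name="https.port" default="8443" />`, or rename the ini key to `https.port=8443`; the same mismatch applies to the ssl.mod hunk below. `jetty.host` also has no default, which binds the listener on all interfaces; if that is intended, a one-line comment saying so would save the next reader from checking.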
diff --git a/jetty_conf/jetty-ssl.xml b/jetty_conf/jetty-ssl.xml
new file mode 100644
index 0000000..b822ae5
--- /dev/null
+++ b/jetty_conf/jetty-ssl.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <!-- ============================================================= -->
+ <!-- TLS context factory without client auth -->
+ <!-- ============================================================= -->
+ <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+ <Set name="KeyStorePath">
+ <Property name="jetty.keystore" />
+ </Set>
+ <Set name="KeyStoreType">
+ <Property name="jetty.keystore.type" />
+ </Set>
+ <Set name="KeyStorePassword">
+ <Property name="jetty.keystore.password" />
+ </Set>
+ <Set name="EndpointIdentificationAlgorithm" />
+ <Set name="NeedClientAuth">false</Set>
+ <Set name="WantClientAuth">false</Set>
+ <Set name="excludeProtocols">
+ <Array type="String">
+ <Item>SSLv3</Item>
+ </Array>
+ </Set>
+ <Set name="IncludeCipherSuites">
+ <Array type="String">
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
+ <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_RSA_WITH_AES_256_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
+ <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_RSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
+ </Array>
+ </Set>
+ </New>
+ <!-- =========================================================== -->
+ <!-- Create a TLS specific HttpConfiguration based on the -->
+ <!-- common HttpConfiguration defined in jetty.xml -->
+ <!-- Add a SecureRequestCustomizer to extract certificate and -->
+ <!-- session information -->
+ <!-- =========================================================== -->
+ <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+ <Arg>
+ <Ref refid="httpConfig" />
+ </Arg>
+ <Call name="addCustomizer">
+ <Arg>
+ <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
+ </Arg>
+ </Call>
+ </New>
+</Configure>
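Review bot: `TLS_RSA_WITH_AES_256_GCM_SHA256` in IncludeCipherSuites is not a valid suite name (the AES-256-GCM suites are the SHA384 variants), so that entry silently matches nothing; it should read `<Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>`. excludeProtocols lists only SSLv3, which leaves TLSv1 and TLSv1.1 negotiable; adding `<Item>TLSv1</Item>` and `<Item>TLSv1.1</Item>` restricts the listener to TLS 1.2, and the `TLS_RSA_*` entries could be dropped since they provide no forward secrecy while the ECDHE suites already cover the same ciphers. NeedClientAuth and WantClientAuth are hard-coded to false, so the `jetty.ssl.needClientAuth` / `jetty.ssl.wantClientAuth` keys advertised in ssl.mod's ini-template have no effect; wire them through with `<Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false" /></Set>` and the WantClientAuth equivalent.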
diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod
new file mode 100644
index 0000000..77ceb76
--- /dev/null
+++ b/jetty_conf/ssl.mod
@@ -0,0 +1,34 @@
+#
+# SSL Keystore module
+#
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+
+[ini-template]
+### SSL Keystore Configuration
+# define the port to use for secure redirection
+jetty.secure.port=8443
+
+## Setup a demonstration keystore and truststore
+jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12
+
+## Set the demonstration passwords.
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+jetty.keystore.password=
+
+### Set the client auth behavior
+## Set to true if client certificate authentication is required
+# jetty.ssl.needClientAuth=true
+## Set to true if client certificate authentication is desired
+# jetty.ssl.wantClientAuth=true
+
+## Parameters to control the number and priority of acceptors and selectors
+# ssl.selectors=1
+# ssl.acceptors=1
+# ssl.selectorPriorityDelta=0
+# ssl.acceptorPriorityDelta=0
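Review bot: The ini-template points `jetty.keystore` at a `.p12` file but defines no `jetty.keystore.type`, while jetty-ssl.xml reads KeyStoreType from exactly that property with no default, so the store type is left unset; add `jetty.keystore.type=PKCS12` next to the path. `jetty.keystore.password=` is empty and the surrounding comments still describe a "demonstration keystore", which no longer fits a path under /opt/shibboleth-idp/credentials; reword to `## Keystore holding the IdP's browser-facing TLS key and certificate` and state that the password must be filled in (OBF or plain, per the linked page) before the module is enabled. The `[xml]` entry references `etc/jetty-ssl.xml` whereas the file in this commit lives under `jetty_conf/`; presumably it is copied into Jetty's etc/ at deploy time, which a comment should say.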
diff --git a/jetty_conf/start.ini b/jetty_conf/start.ini
new file mode 100644
index 0000000..460dd32
--- /dev/null
+++ b/jetty_conf/start.ini
@@ -0,0 +1,28 @@
+# Required Jetty modules
+--module=server
+--module=deploy
+--module=annotations
+--module=resources
+--module=logging
+--module=requestlog
+--module=https
+--module=ssl
+--module=servlets
+--module=jsp
+--module=jstl
+--module=ext
+--module=plus
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# IDP home
+-Didp.home=/opt/shibboleth-idp
+
+# Maximum amount of memory that Jetty may use, at least 512M is recommended
+-Xmx512m
+# Maximum amount of memory allowed for the JVM permanent generation
+-XX:MaxPermSize=128m
+
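Review bot: `-XX:MaxPermSize=128m` only affects JVMs older than Java 8; on Java 8 and later the permanent generation no longer exists and the option is ignored with a startup warning, so if the target JVM is 8+ the line should be dropped or replaced by `-XX:MaxMetaspaceSize=128m`, and the comment above it updated accordingly. The comment on `--exec` correctly notes a child JVM is spawned; it would be worth adding that the `-D` and `-X` lines below only take effect because of it, e.g. `# the -D/-X options below are only honoured when --exec is set`.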