From 1c347a375b9db7eb7d62366d1529554e883f8a0d Mon Sep 17 00:00:00 2001 From: Jo Vandeginste Date: Fri, 26 Nov 2021 11:04:34 +0100 Subject: [PATCH] Support IPv6 by default in Jetty The equivalent "all" interface to `0.0.0.0` for IPv6 is `::`; this _includes_ IPv4's `0.0.0.0`. In other words, this should be fully backward compatible. Signed-off-by: Jo Vandeginste --- docker/puppetdb/conf.d/jetty.ini | 6 +++--- documentation/configure.markdown | 6 +++--- documentation/load_testing_tool.markdown | 2 +- documentation/release_notes_older.markdown | 4 ++-- resources/ext/cli/ssl-setup.erb | 4 ++-- resources/ext/config/conf.d/jetty.ini | 2 +- resources/puppetlabs/puppetdb/benchmark/config.ini | 2 +- test-resources/integration-puppetdb.conf | 4 ++-- test-resources/puppetserver/puppetserver.conf | 4 ++-- test/puppetlabs/puppetdb/cli/services_test.clj | 2 +- 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/docker/puppetdb/conf.d/jetty.ini b/docker/puppetdb/conf.d/jetty.ini index d30cfd0ecb..82b9fcb1a4 100644 --- a/docker/puppetdb/conf.d/jetty.ini +++ b/docker/puppetdb/conf.d/jetty.ini @@ -2,7 +2,7 @@ # IP address or hostname to listen for clear-text HTTP. To avoid resolution # issues, IP addresses are recommended over hostnames. # Default is `localhost`. -host = 0.0.0.0 +host = :: # Port to listen on for clear-text HTTP. port = 8080 @@ -13,8 +13,8 @@ port = 8080 # IP address to listen on for HTTPS connections. Hostnames can also be used # but are not recommended to avoid DNS resolution issues. To listen on all -# interfaces, use `0.0.0.0`. -# ssl-host = 0.0.0.0 +# interfaces, use `::`. +# ssl-host = :: # The port to listen on for HTTPS connections # ssl-port = 8081 diff --git a/documentation/configure.markdown b/documentation/configure.markdown index aa6d73e8ab..e7c8fcb557 100644 --- a/documentation/configure.markdown +++ b/documentation/configure.markdown 
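Review bot: The new `host = ::` on the clear-text HTTP listener only also covers IPv4 when the kernel and JVM run dual-stack; with `net.ipv6.bindv6only=1`, `-Djava.net.preferIPv4Stack=true`, or a container network namespace with IPv6 disabled (common for Docker networks unless IPv6 is explicitly enabled), the bind to `::` either fails at startup or stops accepting IPv4 clients, so the "fully backward compatible" claim in the commit message holds only conditionally. The commented `ssl-host = ::` example in the second hunk carries the same dependency. Worth stating next to the setting, e.g. `# "::" also accepts IPv4 only on dual-stack hosts; use 0.0.0.0 where IPv6 is disabled.`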
@@ -623,7 +623,7 @@ The `[jetty]` section configures HTTP for PuppetDB. Sets the IP interface to listen on for **unencrypted** HTTP traffic. If not supplied, we bind to `localhost`, which will reject connections from anywhere but the PuppetDB server itself. To listen on -all available interfaces, use `0.0.0.0`. +all available interfaces, use `::`. To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname. @@ -654,7 +654,7 @@ can be made at one time. Defaults to 50. Sets which IP interface to listen on for **encrypted** HTTPS traffic. If not supplied, we bind to `localhost`. To listen on all available -interfaces, use `0.0.0.0`. +interfaces, use `::`. To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname @@ -821,7 +821,7 @@ Specifies the host or IP address for the REPL service to listen on. By default this is `127.0.0.1` only. As this is an insecure channel this is the only recommended setting for production environments. -If you wish to listen on all interfaces, you can specify `0.0.0.0`, for example, although this is generally not recommended for production. +If you wish to listen on all interfaces, you can specify `::`, for example, although this is generally not recommended for production. ## `[developer]` settings diff --git a/documentation/load_testing_tool.markdown b/documentation/load_testing_tool.markdown index b7da114eee..6b03fe48e5 100644 --- a/documentation/load_testing_tool.markdown +++ b/documentation/load_testing_tool.markdown @@ -67,7 +67,7 @@ below. * On the primary server, modify `/etc/puppetlabs/puppetdb/conf.d/jetty.ini`. In the `[jetty]` section, set either: - * `host=0.0.0.0 # http access from all agents` + * `host=:: # http access from all agents` * `host= # access from specific agent` * Install java on the agent 
diff --git a/documentation/release_notes_older.markdown b/documentation/release_notes_older.markdown index d44a6d79a8..1e2bcd25cc 100644 --- a/documentation/release_notes_older.markdown +++ b/documentation/release_notes_older.markdown @@ -3149,11 +3149,11 @@ Notable improvements and fixes: maintained downstream in the OpenBSD ports tree to be greatly simplified. -* (PDB-177) Replace ssl-host default with 0.0.0.0 +* (PDB-177) Replace ssl-host default with :: By trying to use a hostname, the amount of issues people suffer with during setup times related to hostname resolution is quite high. This patch - replaces the hostname with 0.0.0.0 which by default listens on all + replaces the hostname with :: which by default listens on all interfaces. * (PDB-402) Remove ahead-of-time compilation diff --git a/resources/ext/cli/ssl-setup.erb b/resources/ext/cli/ssl-setup.erb index 2877a8b742..fc5e57ee21 100644 --- a/resources/ext/cli/ssl-setup.erb +++ b/resources/ext/cli/ssl-setup.erb @@ -349,7 +349,7 @@ chown -R "$user:$group" "$ssl_dir" if [ -f "$jettyfile" ] ; then # Check settings are correct and fix or warn settings=( - "ssl-host:0.0.0.0" + "ssl-host:::" "ssl-port:8081" "ssl-key:${private_file}" "ssl-cert:${public_file}" @@ -423,7 +423,7 @@ then echo " [jetty]" echo " #host = localhost" echo " port = 8080" - echo " ssl-host = 0.0.0.0" + echo " ssl-host = ::" echo " ssl-port = 8081" echo " ssl-key = ${private_file}" echo " ssl-cert = ${public_file}" diff --git a/resources/ext/config/conf.d/jetty.ini b/resources/ext/config/conf.d/jetty.ini index 46e893415e..d080c19121 100644 --- a/resources/ext/config/conf.d/jetty.ini +++ b/resources/ext/config/conf.d/jetty.ini @@ -13,7 +13,7 @@ port = 8080 # IP address to listen on for HTTPS connections. Hostnames can also be used # but are not recommended to avoid DNS resolution issues. To listen on all -# interfaces, use `0.0.0.0`. +# interfaces, use `::`. # ssl-host = # The port to listen on for HTTPS connections 
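Review bot: `"ssl-host:::"` in the `settings` array embeds the separator inside the value, so the code that splits these `key:value` entries (outside the hunk) must take everything after the first colon; a `cut -d: -f2`-style split would yield an empty value and the check would then "fix" `ssl-host` to nothing. Worth verifying that split, or hedging with a separator that cannot occur in an IPv6 literal. Note also that existing installs with `ssl-host = 0.0.0.0` will now be reported as incorrect by this check and, if it rewrites rather than warns, rebound to `::`, which fails on hosts without IPv6 or with `preferIPv4Stack` set.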
diff --git a/resources/puppetlabs/puppetdb/benchmark/config.ini b/resources/puppetlabs/puppetdb/benchmark/config.ini index 376ad7d063..ebf5e7deb5 100644 --- a/resources/puppetlabs/puppetdb/benchmark/config.ini +++ b/resources/puppetlabs/puppetdb/benchmark/config.ini @@ -2,5 +2,5 @@ logging-config = resources/logback.xml [jetty] -host = 0.0.0.0 +host = :: port = 8080 diff --git a/test-resources/integration-puppetdb.conf b/test-resources/integration-puppetdb.conf index 9f9dc2f055..33c60c7707 100644 --- a/test-resources/integration-puppetdb.conf +++ b/test-resources/integration-puppetdb.conf @@ -19,10 +19,10 @@ nrepl: { } jetty: { - host: 0.0.0.0 + host: :: port: 0 - ssl-host: 0.0.0.0 + ssl-host: :: ssl-port: 0 # filled out by the test harness # Original settings diff --git a/test-resources/puppetserver/puppetserver.conf b/test-resources/puppetserver/puppetserver.conf index 817d45e35b..001ea6ab8b 100644 --- a/test-resources/puppetserver/puppetserver.conf +++ b/test-resources/puppetserver/puppetserver.conf @@ -12,9 +12,9 @@ webserver: { access-log-config: ./dev/request-logging-dev.xml client-auth: want # ssl-host controls what networks the server will accept connections from. - # The default value below is '0.0.0.0', so will accept connections from + # The default value below is '::', so will accept connections from # any client. For better security, you might wish to set this to 'localhost'. - ssl-host: 0.0.0.0 + ssl-host: :: #ssl-host: localhost ssl-port: 8140 } diff --git a/test/puppetlabs/puppetdb/cli/services_test.clj b/test/puppetlabs/puppetdb/cli/services_test.clj index 938880087e..9c74e16c17 100644 --- a/test/puppetlabs/puppetdb/cli/services_test.clj +++ b/test/puppetlabs/puppetdb/cli/services_test.clj @@ -214,7 +214,7 @@ (assoc :database *db*) (assoc :jetty (merge cert-config {:ssl-port 0 - :ssl-host "0.0.0.0" + :ssl-host "::" :ssl-protocols "TLSv1,TLSv1.1,TLSv1.2"})) (assoc-in [:puppetdb :certificate-allowlist] (str allowlist-file))) (fn []
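Review bot: `host: ::` and `ssl-host: ::` are unquoted HOCON values, and `:` is one of the characters HOCON forbids in unquoted strings (it is the key/value separator), so this file is unlikely to parse anymore; `0.0.0.0` worked only because digits and dots are permitted unquoted. Quote both values: `host: "::"` and `ssl-host: "::"`. The Clojure test below is unaffected since it already uses a string literal.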
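Review bot: `ssl-host: ::` in puppetserver.conf is likewise an unquoted HOCON value containing the forbidden `:` character and will most likely fail to parse; write `ssl-host: "::"`. The updated comment above it says the value accepts connections from any client, which for `::` is only true on a dual-stack host; consider `# '::' listens on all IPv6 and, on dual-stack hosts, all IPv4 interfaces.`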