Where can I find an example of enabling the https://jetty.org/docs/jetty/12/operations-guide/modules/standard.html#ssl-reload for a pedestal 0.7 server? I don't see anything obvious in the https://pedestal.io/pedestal/0.7/reference/service-map.html#_service_map_keys.
Good news! I have a working example using 0.8 and Jetty 12, including using a wildcard SSL cert. This has raised 1 minor and 1 major concern:
1. MINOR: the :insecure-ssl? keyword in :container-options is misnamed. The value is https://github.com/pedestal/pedestal/blob/master/jetty/src/io/pedestal/http/jetty.clj#L105, creating a SecureRequestCustomizer with a single param constructor. https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/server/SecureRequestCustomizer.html#%3Cinit%3E(boolean) correctly names the value sniHostCheck (which is essential for using wildcard DNS certs). I propose to create an alternate key :sni-host-check? in container options and during http-configuration prefer the new key and if not found, fall back to the older key name. Deprecate the old key name.
2. MAJOR: SSL certs are typically issued with 90 day expiry and are usually revoked and replaced within 60 days. There is already a very nice solution to this inside Jetty called org.eclipse.jetty.util.ssl.KeyStoreScanner which watches for updates and transparently reloads new certs with no downtime. I propose to copy https://github.com/ring-clojure/ring/blob/master/ring-jetty-adapter/src/ring/adapter/jetty.clj#L239-L241 including their use of a container option :keystore-scan-interval to solve this important requirement.
Would you like me to open separate issues for each of these and then send 2 PRs, make one issue and PR or do something else?
Once these are resolved, I will submit the example (or can send the example with the PR) and then an update to the docs.
I don't have an example of that; to be honest, we don't do SSL termination from within the Pedestal application at Nubank. In any case, Jetty has a myriad of possible configuration options, but for this kind of thing, I would fall back on the https://pedestal.io/pedestal/0.7/reference/jetty.html :configurator callback, which is essentially a chance for you to configure the Server however you like, once Pedestal's Jetty code has done as much as it can.
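An added example (not code from this thread, from Pedestal or from Ring) of the two points above combined: a `:configurator` callback that attaches Jetty's `KeyStoreScanner` to every SSL connector, so a renewed keystore is reloaded without a restart. It assumes Pedestal hands the fully built Jetty `Server` to the callback and that the Jetty container honours the `:ssl-port`, `:keystore` and `:key-password` container options; the keystore path, password and scan interval are placeholders.

```clojure
(ns example.ssl-reload
  (:require [io.pedestal.http :as http])
  (:import (org.eclipse.jetty.server Server SslConnectionFactory)
           (org.eclipse.jetty.util.ssl KeyStoreScanner)))

;; Assumption: Pedestal calls the :configurator fn with the built Server
;; after its own Jetty setup (keystore, SSL connector) is done.
(defn add-keystore-scanner
  "Attach a KeyStoreScanner to the SslContextFactory behind each SSL
  connector on `server`. The scanner polls the keystore file every
  `scan-interval-seconds` and reloads it in place when it changes, so a
  renewed short-lived cert is picked up with no downtime."
  [^Server server scan-interval-seconds]
  (doseq [connector (.getConnectors server)
          ;; Plain HTTP connectors have no SslConnectionFactory -> nil.
          :let [ssl-cf (.getConnectionFactory connector SslConnectionFactory)]
          :when ssl-cf]
    (let [scanner (KeyStoreScanner. (.getSslContextFactory ssl-cf))]
      (.setScanInterval scanner (int scan-interval-seconds))
      ;; Beans added to the Server are started and stopped with it.
      (.addBean server scanner)))
  server)

;; Placeholder values; use your real keystore, password and interval.
(def container-options
  {:ssl-port     8443
   :keystore     "/path/to/keystore.p12"   ; placeholder
   :key-password "changeit"                ; placeholder
   ;; 60 s is the constructed scan interval used in this example.
   :configurator #(add-keystore-scanner % 60)})

(def service-map
  {::http/type              :jetty
   ::http/port              8080
   ::http/routes            #{}
   ::http/container-options container-options})
```

The scanner reacts to the keystore file itself changing, so the renewal process should replace that file in place (write a temp file, then rename over it) rather than switching to a new path.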
Thanks for the pointer. I've been reading the configuration and setup code and almost got to this part. 🙂 Would you like me to contribute an example when I get it working?
Sure. Are you up for extending the documentation, or are you thinking more like a Gist or Wiki page?
I don't mind any of those. How should I send a PR for extending the documentation? I also see /docs/modules/guides/examples which might be a good place for a working example.
The https://github.com/pedestal/pedestal-docs README has all the details about how to set up locally to build the documentation.
pedestal 0.7 uses jetty 11, right?
yes, though I'd rather the focus was on Jetty 12 and Pedestal 0.8.
Great software btw. Thanks again.