pedestal

sirwobin 2025-07-09T13:17:14.206689Z

Where can I find an example of enabling the https://jetty.org/docs/jetty/12/operations-guide/modules/standard.html#ssl-reload for a pedestal 0.7 server? I don't see anything obvious in the https://pedestal.io/pedestal/0.7/reference/service-map.html#_service_map_keys.

sirwobin 2025-07-10T15:01:13.479109Z

Good news! I have a working example using 0.8 and Jetty 12, including using a wildcard SSL cert. This has raised 1 minor and 1 major concern:
1. MINOR: the :insecure-ssl? keyword in :container-options is misnamed. The value is https://github.com/pedestal/pedestal/blob/master/jetty/src/io/pedestal/http/jetty.clj#L105, creating a SecureRequestCustomizer with a single-param constructor. https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/server/SecureRequestCustomizer.html#%3Cinit%3E(boolean) correctly names the value sniHostCheck (which is essential for using wildcard DNS certs). I propose to create an alternate key :sni-host-check? in container options and, during http-configuration, prefer the new key and, if not found, fall back to the older key name. Deprecate the old key name.
2. MAJOR: SSL certs are typically issued with 90-day expiry and are usually revoked and replaced within 60 days. There is already a very nice solution to this inside Jetty called org.eclipse.jetty.util.ssl.KeyStoreScanner, which watches for updates and transparently reloads new certs with no downtime. I propose to copy https://github.com/ring-clojure/ring/blob/master/ring-jetty-adapter/src/ring/adapter/jetty.clj#L239-L241, including their use of a container option :keystore-scan-interval, to solve this important requirement.

sirwobin 2025-07-10T15:02:15.076169Z

Would you like me to open separate issues for each of these and then send 2 PRs, make one issue and PR, or do something else?

sirwobin 2025-07-10T15:06:39.007299Z

Once these are resolved, I will submit the example (or can send the example with the PR) and then an update to the docs.

hlship 2025-07-09T15:26:44.014839Z

I don't have an example of that; to be honest, we don't do SSL termination from within the Pedestal application at Nubank. In any case, Jetty has a myriad of possible configuration options, but for this kind of thing, I would fall back on the https://pedestal.io/pedestal/0.7/reference/jetty.html :configurator callback, which is essentially a chance for you to configure the Server however you like, once Pedestal's Jetty code has done as much as it can.

sirwobin 2025-07-09T15:44:36.047809Z

Thanks for the pointer. I've been reading the configuration and setup code and almost got to this part. 🙂 Would you like me to contribute an example when I get it working?

hlship 2025-07-09T15:46:20.881719Z

Sure. Are you up for extending the documentation, or are you thinking more like a Gist or Wiki page?

sirwobin 2025-07-09T15:48:53.604099Z

I don't mind any of those. How should I send a PR for extending the documentation? I also see /docs/modules/guides/examples, which might be a good place for a working example.

hlship 2025-07-09T15:49:56.416539Z

The https://github.com/pedestal/pedestal-docs README has all the details about how to set up locally to build the documentation.

🙌 1

sirwobin 2025-07-09T15:51:32.430229Z

Pedestal 0.7 uses Jetty 11, right?

hlship 2025-07-09T15:51:57.345729Z

Yes, though I'd rather the focus was on Jetty 12 and Pedestal 0.8.

👍 1

sirwobin 2025-07-09T15:53:07.250549Z

Great software btw. Thanks again.