Posted to users@jena.apache.org by Jason Levitt <sl...@gmail.com> on 2015/08/18 01:07:51 UTC

Fuseki over HTTPS?

Sorry if this is a FAQ, but I'm wondering if there are
any guidelines online to setting up
Fuseki for HTTPS access?

Jason

Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
If I remove this one line from my config file:

 <Set name="host">mysite.com</Set>

then it starts up fine. However, it's not accessible from
any external port e.g. http://77.88.99.11:3030 or https://77.88.99.11:8443
etc.....

DNS is set to resolve mysite.com to the IP address of the machine and
Linux is set to resolve that as well, btw.

J

On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
> Jason - thank you for pushing on with this.  It seems a lot of Jetty has
> changed Jetty8->Jetty9.1 in this area which is all news to me.
>
> On 27/08/15 06:09, Jason Levitt wrote:
>>
>> Making some progress but things still don't work.
>>
>> The startup log (edited) looks like this (domain name changed to
>> mysite.com):
>
>
> This looks like it is because it's asking to run on an address that isn't the
> local machine for some reason.  It does not look like something on the same
> port because it is (usually)
>
> "java.net.BindException: Address already in use"
>
> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>
> Your config does not set the host but maybe the IP config is getting in the
> way. This is EC2 so does the real DNS name resolve to the IP address of a
> local interface?  Does using "localhost" work (= do something different)?
>
> That's the best clue I could find on StackOverflow.  I haven't found a way
> to get the same error message using plain HTTP on a non-EC2 machine though.
>
>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>> to start server: Cannot assign requested address
>
> port=0 looks weird though if you are taking control with the config file
> that is possible due to the earlier error.
>
> What is printed is serverConnector.getPort() and serverConnector is the
> first/only configured ServerConnector.
>
>         Andy
>
>
>
>>
>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file =
>> myconfig.xml
>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0
>> 2015-07-25T17:11:28+0000
>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>> [2015-08-27 03:56:03] Config     INFO
>> FUSEKI_BASE=/home/ec2-user/fuseki/run
>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>> [2015-08-27 03:56:03] Config     INFO  Shiro file:
>> file:///home/ec2-user/fuseki/run/shiro.ini
>> [2015-08-27 03:56:03] Config     INFO  Template file:
>> templates/config-tdb-dir
>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
>> java.net.BindException: Cannot assign requested address
>> java.net.BindException: Cannot assign requested address
>> at sun.nio.ch.Net.bind0(Native Method)
>> at sun.nio.ch.Net.bind(Net.java:433)
>> at sun.nio.ch.Net.bind(Net.java:425)
>> ....
>> ....
>> ....
>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot
>> assign requested address
>> java.net.BindException: Cannot assign requested address
>> at sun.nio.ch.Net.bind0(Native Method)
>> at sun.nio.ch.Net.bind(Net.java:433)
>> at sun.nio.ch.Net.bind(Net.java:425)
>> ....
>> ....
>> ....
>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>> to start server: Cannot assign requested address
>>
>>
>> And I'm running fuseki 2.3.0 with this command:
>>
>> nohup ./fuseki-server --port 8443 --update
>> --jetty-config=myconfig.xml --loc=ds /ds
>>
>>
>> The "myconfig.xml" file is below (I've already added my certificate
>> and key to the Java 8 JSSE):
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure.dtd">
>>
>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>    <Call name="addConnector">
>>      <Arg>
>>        <New class="org.eclipse.jetty.server.ServerConnector">
>> <Arg name="server"><Ref refid="Server" /></Arg>
>> <Arg name="factories">
>>   <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>     <Item>
>>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>       </New>
>>     </Item>
>>   </Array>
>> </Arg>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>> <New id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>    <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>    <Set name="KeyStorePassword">somepassword</Set>
>>    <Set name="KeyManagerPassword">somepassword</Set>
>>    <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>    <Set name="TrustStorePassword">somepassword</Set>
>> </New>
>>
>> <Call id="sslConnector" name="addConnector">
>>    <Arg>
>>      <New class="org.eclipse.jetty.server.ServerConnector">
>>        <Arg name="server"><Ref refid="Server" /></Arg>
>>          <Arg name="factories">
>>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>              <Item>
>>                <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>                  <Arg name="next">http/1.1</Arg>
>>                  <Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg>
>>                </New>
>>              </Item>
>>              <Item>
>>                <New
>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>                  <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>                </New>
>>              </Item>
>>            </Array>
>>          </Arg>
>>          <Set name="host"><Property name="jetty.host"/></Set>
>>          <Set name="port"><Property name="jetty.tls.port" default="8443"
>> /></Set>
>>          <Set name="idleTimeout">30000</Set>
>>          <Set name="host">mysite.com</Set>
>>        </New>
>>    </Arg>
>> </Call>
>>
>> </Configure>
>>
>> ===================================
>>
>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com>
>> wrote:
>>>
>>> I can't find any examples of the file that you hand to  "--jetty-config"
>>>
>>> The "official" jetty docs for configuring SSL imply that there are two
>>> configuration files,
>>>   jetty-ssl-context.xml and  jetty-https.xml.
>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>
>>> The example that you cite:
>>>
>>>
>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>
>>> says that: "This configuration must be used in conjunction with
>>> jetty.xml and jetty-ssl.xml"
>>>
>>> Where do these files go? The Fuseki download does not have any "etc"
>>> directory or
>>> any xml configuration files at all.
>>>
>>> So, I tried handing some XML config files to Fuseki using
>>> --jetty-config and it gives very little
>>> info in the error (see below). Has anyone actually successfully run
>>> Fuseki over SSL?
>>>
>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>> ./jetty-https.xml
>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>> configure server: Unknown configuration type: Call in
>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>> java.lang.IllegalStateException: Unknown configuration type: Call in
>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>> at
>>> org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>> at
>>> org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>>> using configuration file './jetty-https.xml'
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>
>>> J
>>>
>>>
>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki
>>>>> v2.30 ?
>>>>>
>>>>> J
>>>>
>>>>
>>>>
>>>> Yes, should work to pass in the file.  There was a major jetty version
>>>> change (8 to 9) and what effect that has had on that option is unclear
>>>> to me. Connector changed Jetty 8->9
>>>>
>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>
>>>> and their example:
>>>>
>>>>
>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>
>>>> It would be good to add this to the distribution - if you or anyone else
>>>> has a working version, I'd be very grateful to get a copy.
>>>>
>>>>
>>>>          Andy
>>>>
>>>>>
>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>
>>>>>>
>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>
>>>>>>> J
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>
>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>
>>>>>>           Andy
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>> setting up Jetty.
>>>>>>>>
>>>>>>>> Here's one in the examples/ area but as far as I can tell it's more
>>>>>>>> in the category of "should work" (it is from Fuseki1 and that was a
>>>>>>>> different version of Jetty) rather than tested.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>
>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>
>>>>>>>>            Andy
>>>>>>>>
>>>>>>>>
>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>>>>> only talks to internal machines so there is no need to protect it from
>>>>>>>>> external exposure.  So that means that the easiest way is to use the
>>>>>>>>> `--jetty-config` flag to set up HTTPS to Jetty?  Are there any docs on
>>>>>>>>> what the options are for that config file (e.g. what goes into the
>>>>>>>>> config file)?
>>>>>>>>>
>>>>>>>>> J
>>>>>>>>>
>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>>>>> several things and while there is nothing that forces a reverse proxy,
>>>>>>>>>> the weight of features can mean it's a useful and flexible thing to
>>>>>>>>>> put into a production system.
>>>>>>>>>>
>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>        (manic crawlers, badly written PHP scripts)
>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>        Java web containers just aren't as good under silly load conditions.
>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>        E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>> 4/ Security
>>>>>>>>>>        integrate with local systems; rich choice of controls.
>>>>>>>>>>        Control who and what can update
>>>>>>>>>>        No need to restart for shiro changes.
>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>
>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>> network interface. In an environment like AWS, where port control is
>>>>>>>>>> easy, it's trivial to secure the Fuseki server to only talk to the
>>>>>>>>>> local reverse proxy by blocking all ports except (22 and) 80+443.
>>>>>>>>>>
>>>>>>>>>>             Andy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I checked more carefully (should have done that before replying) and
>>>>>>>>>>> it seems that Fuseki 2 also offers the `--jetty-config` flag for using
>>>>>>>>>>> a Jetty configuration that supports HTTPS:
>>>>>>>>>>>
>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>> A. Soroka
>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>
>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or
>>>>>>>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or 2?
>>>>>>>>>>>>
>>>>>>>>>>>> If the former, you will need to supply configuration specific to that
>>>>>>>>>>>> container. If the latter and it is Fuseki 1, there is a Stack Overflow
>>>>>>>>>>>> answer for it:
>>>>>>>>>>>>
>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>
>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki command
>>>>>>>>>>>> uses). For Fuseki 2, I think it is still under development? You could
>>>>>>>>>>>> use a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>
>>>>>>>>>>>> ---
>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>
>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jason
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>
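
The check asked for in the quoted reply ("does the real DNS name resolve to the IP address of a local interface?"), as an added example that is not part of the original thread: it tries to bind every address a host name resolves to and separates "Cannot assign requested address" (EADDRNOTAVAIL) from "Address already in use" (EADDRINUSE). The names `classify_bind` and `port_in_use_demo` are illustrative, and 192.0.2.1 is a reserved documentation address used as a constructed non-local case.

```python
import errno
import socket

# Verdict per errno; the quoted strings are the messages seen in the thread.
VERDICTS = {
    errno.EADDRNOTAVAIL: "not-local",   # "Cannot assign requested address"
    errno.EADDRINUSE: "in-use",         # "Address already in use"
    errno.EACCES: "no-permission",      # privileged port without rights
}


def classify_bind(host, port):
    """Try to bind a TCP socket to each address `host` resolves to.

    Returns a list of (ip, verdict) tuples, where verdict is "ok",
    "not-local", "in-use", "no-permission", "unresolvable" or "error:<ERRNO>".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(host, "unresolvable")]

    results = []
    seen = set()
    for family, socktype, proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip in seen:
            continue
        seen.add(ip)
        try:
            # The socket is closed again immediately; nothing is left listening.
            with socket.socket(family, socktype, proto) as sock:
                sock.bind(sockaddr)
            verdict = "ok"
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, exc.errno)
            verdict = VERDICTS.get(exc.errno, "error:%s" % name)
        results.append((ip, verdict))
    return results


def port_in_use_demo():
    """Constructed case: a listener already holds the port, so a second bind fails."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))          # let the kernel pick a free port
        holder.listen(1)
        return classify_bind("127.0.0.1", holder.getsockname()[1])


if __name__ == "__main__":
    # Replace these with the value of the connector's "host" setting.
    for host in ("localhost", "192.0.2.1"):
        print(host, classify_bind(host, 8443))
    print("held port", port_in_use_demo())
```

Run it on the server with the name given in the connector's `host` setting; a `not-local` verdict for that name matches the BindException in the quoted log.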

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
Jason,


> The error:
>
>> java.lang.IllegalStateException: No Method: <Call
>> name="addIfAbsentConnectionFactory"><Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
>> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg></New>
>>      </Arg></Call> on class org.eclipse.jetty.server.Server
>
> says that the method addIfAbsentConnectionFactory is being called on Server.  Server does not have that method but there is one on Connector.
>
> Maybe some kind of alignment problem in the configuration file?

I am not an expert in the Jetty configuration language which is, well, 
"different" :-)

My current idea is that it needs a <Ref id="sslConnector"> to wrap the
<Call name="addIfAbsentConnectionFactory">
and
<Call name="addConnectionFactory">

to set the target object for the call. And maybe reordering to put after 
the creation of "sslConnector".



I'm finding it error-prone to reconstruct the XML configuration file
after email has messed it up as I had to fix some things up.  Also, the
file jettyall has more in it than the files you listed?
(jetty-ssl.xml for example?)

Could we establish a baseline file?  Either directly email a file 
(sorry, no attachments here reliably) or put it on a gist/pastebin 
somewhere.

Do you have an HTTP (only) setup that works?  If we could work from a
version that adds http and adds https, and works with http only, https 
commented out, then things might be clearer.

	Andy
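
A static check for the two problems named in the reply above (a connector method called with Server as its target, and a reference used before the object it names is created), as an added example that is not code from Jena or Jetty. The XML samples are constructed and trimmed from the jettyall.xml quoted in the thread, `lint_jetty_xml` is a hypothetical helper, and nothing here starts Jetty.

```python
import xml.etree.ElementTree as ET

SERVER = "org.eclipse.jetty.server.Server"
# Per the reply above: these exist on the connector, not on Server.
CONNECTOR_ONLY = {"addIfAbsentConnectionFactory", "addConnectionFactory"}


def lint_jetty_xml(xml_text):
    """Return (kind, name) findings for a merged Jetty XML configuration.

    "wrong-target":  a connector-only <Call> whose enclosing object is Server.
    "undefined-ref": a <Ref> to an id that no earlier element has defined.
    """
    findings = []
    defined = {}  # id -> class name, filled in document order

    def walk(node, target):
        tag = node.tag
        if tag in ("Configure", "New"):
            target = node.get("class")          # children configure this object
            if node.get("id"):
                defined[node.get("id")] = target
        elif tag == "Ref":
            # Accept either attribute spelling; the thread uses both.
            refid = node.get("refid") or node.get("id")
            if refid not in defined:
                findings.append(("undefined-ref", refid))
            target = defined.get(refid)         # children configure the referenced object
        elif tag in ("Call", "Get"):
            if tag == "Call" and node.get("name") in CONNECTOR_ONLY and target == SERVER:
                findings.append(("wrong-target", node.get("name")))
            if node.get("id"):
                defined[node.get("id")] = None  # id names the return value, class unknown
            for child in node:
                # <Arg> belongs to the call itself; other children configure
                # the returned object, whose class is not known statically.
                walk(child, target if child.tag == "Arg" else None)
            return
        for child in node:
            walk(child, target)

    walk(ET.fromstring(xml_text), None)
    return findings


# --- constructed samples, trimmed from the configuration quoted in the thread ---
CALLS = """
  <Call name="addIfAbsentConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.server.SslConnectionFactory">
      <Arg name="next">http/1.1</Arg>
      <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
    </New></Arg></Call>
  <Call name="addConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
      <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
    </New></Arg></Call>"""
CONNECTOR = """
  <Call name="addConnector"><Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
    </New></Arg></Call>"""
DEFS = """
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"/>
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration"/>"""


def wrap(body):
    return '<Configure id="Server" class="%s">%s\n</Configure>' % (SERVER, body)


# Layout as merged in the thread: calls sit directly under Server, before the connector.
BROKEN = wrap(CALLS + CONNECTOR)
# Layout suggested in the reply: objects first, then the calls wrapped in a <Ref>.
REORDERED = wrap(DEFS + CONNECTOR + '\n  <Ref refid="sslConnector">' + CALLS + "\n  </Ref>")

if __name__ == "__main__":
    print("broken:   ", lint_jetty_xml(BROKEN))
    print("reordered:", lint_jetty_xml(REORDERED))
```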



Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Hi Andy,

   I've tried several permutations of the merged configuration file,
but I can't get your new build of Fuseki
to accept the config file.  If you have some config file samples you'd
like me to try, I'd be happy to
do so since I have a server setup with a valid SSL cert (works fine
with Jetty 9.3.x).

Jason

On Thu, Sep 3, 2015 at 3:24 AM, Andy Seaborne <an...@apache.org> wrote:
> The error:
>
>> java.lang.IllegalStateException: No Method: <Call
>> name="addIfAbsentConnectionFactory"><Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
>> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg></New>
>>      </Arg></Call> on class org.eclipse.jetty.server.Server
>
> says that the method addIfAbsentConnectionFactory is being called on Server.
> Server does not have that method but there is one on Connector.
>
> Maybe some kind of alignment problem in the configuration file?
>
>         Andy
>
>
> On 02/09/15 23:39, Jason Levitt wrote:
>>
>> Below is the combined XML config file I'm trying to use. Fuseki (your
>> Jetty v9.3.3 build) spits this error out (also below).
>> The combined config files, separately, provide SSL fine in Jetty
>> v9.3.3 but I can't get it to work in Fuseki. The only change I had to
>> make, for XML
>> syntax purposes, was changing:
>>
>> <Configure id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>
>> To this:
>>
>> <New id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>
>> ====================================
>>
>> [2015-09-02 22:36:24] Server     INFO  Jetty server config file =
>> /home/ec2-user/fuseki/jettyconfig/jettyall.xml
>> [2015-09-02 22:36:24] XmlConfiguration WARN  Config error at <Call
>> name="addIfAbsentConnectionFactory"><Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
>> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg></New>
>>      </Arg></Call>
>> [2015-09-02 22:36:24] Server     ERROR SPARQLServer: Failed to
>> configure server: No Method: <Call
>> name="addIfAbsentConnectionFactory"><Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
>> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg></New>
>>      </Arg></Call> on class org.eclipse.jetty.server.Server
>> java.lang.IllegalStateException: No Method: <Call
>> name="addIfAbsentConnectionFactory"><Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
>> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg></New>
>>      </Arg></Call> on class org.eclipse.jetty.server.Server
>> at
>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:734)
>> at
>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
>> at
>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:300)
>> at
>> org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:245)
>> at
>> org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:265)
>> at
>> org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>> at
>> org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>> at
>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>> at
>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>> Caused by: java.lang.NoSuchMethodException: addIfAbsentConnectionFactory
>> at org.eclipse.jetty.util.TypeUtil.call(TypeUtil.java:552)
>> at
>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:726)
>> ... 13 more
>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>> using configuration file
>> '/home/ec2-user/fuseki/jettyconfig/jettyall.xml'
>> at
>> org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>> at
>> org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>> at
>> org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>> at
>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>> at
>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>
>> ============================
>>
>> jettyall.xml file:
>>
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>
>>      <Get name="ThreadPool">
>>        <Set name="minThreads" type="int"><Property
>> name="jetty.threadPool.minThreads" deprecated="threads.min"
>> default="10"/></Set>
>>        <Set name="maxThreads" type="int"><Property
>> name="jetty.threadPool.maxThreads" deprecated="threads.max"
>> default="200"/></Set>
>>        <Set name="idleTimeout" type="int"><Property
>> name="jetty.threadPool.idleTimeout" deprecated="threads.timeout"
>> default="60000"/></Set>
>>        <Set name="detailedDump">false</Set>
>>      </Get>
>>
>>      <!-- =========================================================== -->
>>      <!-- Add shared Scheduler instance                               -->
>>      <!-- =========================================================== -->
>>      <Call name="addBean">
>>        <Arg>
>>          <New
>> class="org.eclipse.jetty.util.thread.ScheduledExecutorScheduler"/>
>>        </Arg>
>>      </Call>
>>
>>      <!-- =========================================================== -->
>>      <!-- Http Configuration.                                         -->
>>      <!-- This is a common configuration instance used by all         -->
>>      <!-- connectors that can carry HTTP semantics (HTTP, HTTPS, etc.)-->
>>      <!-- It configures the non wire protocol aspects of the HTTP     -->
>>      <!-- semantic.                                                   -->
>>      <!--                                                             -->
>>      <!-- This configuration is only defined here and is used by      -->
>>      <!-- reference from other XML files such as jetty-http.xml,      -->
>>      <!-- jetty-https.xml and other configuration files which         -->
>>      <!-- instantiate the connectors.                                 -->
>>      <!--                                                             -->
>>      <!-- Consult the javadoc of o.e.j.server.HttpConfiguration       -->
>>      <!-- for all configuration that may be set here.                 -->
>>      <!-- =========================================================== -->
>>      <New id="httpConfig"
>> class="org.eclipse.jetty.server.HttpConfiguration">
>>        <Set name="secureScheme"><Property
>> name="jetty.httpConfig.secureScheme" default="https" /></Set>
>>        <Set name="securePort"><Property
>> name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
>> default="8443" /></Set>
>>        <Set name="outputBufferSize"><Property
>> name="jetty.httpConfig.outputBufferSize"
>> deprecated="jetty.output.buffer.size" default="32768" /></Set>
>>        <Set name="outputAggregationSize"><Property
>> name="jetty.httpConfig.outputAggregationSize"
>> deprecated="jetty.output.aggregation.size" default="8192" /></Set>
>>        <Set name="requestHeaderSize"><Property
>> name="jetty.httpConfig.requestHeaderSize"
>> deprecated="jetty.request.header.size" default="8192" /></Set>
>>        <Set name="responseHeaderSize"><Property
>> name="jetty.httpConfig.responseHeaderSize"
>> deprecated="jetty.response.header.size" default="8192" /></Set>
>>        <Set name="sendServerVersion"><Property
>> name="jetty.httpConfig.sendServerVersion"
>> deprecated="jetty.send.server.version" default="true" /></Set>
>>        <Set name="sendDateHeader"><Property
>> name="jetty.httpConfig.sendDateHeader"
>> deprecated="jetty.send.date.header" default="false" /></Set>
>>        <Set name="headerCacheSize"><Property
>> name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
>>        <Set name="delayDispatchUntilContent"><Property
>> name="jetty.httpConfig.delayDispatchUntilContent"
>> deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
>>        <!-- Uncomment to enable handling of X-Forwarded- style headers
>>        <Call name="addCustomizer">
>>          <Arg><New
>> class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
>>        </Call>
>>        -->
>>      </New>
>>
>>      <!-- =========================================================== -->
>>      <!-- Set the default handler structure for the Server            -->
>>      <!-- A handler collection is used to pass received requests to   -->
>>      <!-- both the ContextHandlerCollection, which selects the next   -->
>>      <!-- handler by context path and virtual host, and the           -->
>>      <!-- DefaultHandler, which handles any requests not handled by   -->
>>      <!-- the context handlers.                                       -->
>>      <!-- Other handlers may be added to the "Handlers" collection,   -->
>>      <!-- for example the jetty-requestlog.xml file adds the          -->
>>      <!-- RequestLogHandler after the default handler                 -->
>>      <!-- =========================================================== -->
>>      <Set name="handler">
>>        <New id="Handlers"
>> class="org.eclipse.jetty.server.handler.HandlerCollection">
>>          <Set name="handlers">
>>           <Array type="org.eclipse.jetty.server.Handler">
>>             <Item>
>>               <New id="Contexts"
>> class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
>>             </Item>
>>             <Item>
>>               <New id="DefaultHandler"
>> class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>>             </Item>
>>           </Array>
>>          </Set>
>>        </New>
>>      </Set>
>>
>>      <!-- =========================================================== -->
>>      <!-- extra server options                                        -->
>>      <!-- =========================================================== -->
>>      <Set name="stopAtShutdown"><Property
>> name="jetty.server.stopAtShutdown" default="true"/></Set>
>>      <Set name="stopTimeout">5000</Set>
>>      <Set name="dumpAfterStart"><Property
>> name="jetty.server.dumpAfterStart" deprecated="jetty.dump.start"
>> default="false"/></Set>
>>      <Set name="dumpBeforeStop"><Property
>> name="jetty.server.dumpBeforeStop" deprecated="jetty.dump.stop"
>> default="false"/></Set>
>>
>> <!-- ============================================================= -->
>> <!-- Configure the Jetty Server instance with an ID "Server"       -->
>> <!-- by adding a HTTP connector.                                   -->
>> <!-- This configuration must be used in conjunction with jetty.xml -->
>> <!-- ============================================================= -->
>>
>>    <!-- =========================================================== -->
>>    <!-- Add a HTTP Connector.                                       -->
>>    <!-- Configure an o.e.j.server.ServerConnector with a single     -->
>>    <!-- HttpConnectionFactory instance using the common httpConfig  -->
>>    <!-- instance defined in jetty.xml                               -->
>>    <!--                                                             -->
>>    <!-- Consult the javadoc of o.e.j.server.ServerConnector and     -->
>>    <!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
>>    <!-- that may be set here.                                       -->
>>    <!-- =========================================================== -->
>>    <Call name="addConnector">
>>      <Arg>
>>        <New id="httpConnector"
>> class="org.eclipse.jetty.server.ServerConnector">
>>          <Arg name="server"><Ref refid="Server" /></Arg>
>>          <Arg name="acceptors" type="int"><Property
>> name="jetty.http.acceptors" deprecated="http.acceptors"
>> default="-1"/></Arg>
>>          <Arg name="selectors" type="int"><Property
>> name="jetty.http.selectors" deprecated="http.selectors"
>> default="-1"/></Arg>
>>          <Arg name="factories">
>>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>              <!-- uncomment to support proxy protocol
>>              <Item>
>>                <New
>> class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>>              </Item>-->
>>              <Item>
>>                <New
>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>                </New>
>>              </Item>
>>            </Array>
>>          </Arg>
>>          <Set name="host"><Property name="jetty.http.host"
>> deprecated="jetty.host" /></Set>
>>          <Set name="port"><Property name="jetty.http.port"
>> deprecated="jetty.port" default="8080" /></Set>
>>          <Set name="idleTimeout"><Property
>> name="jetty.http.idleTimeout" deprecated="http.timeout"
>> default="30000"/></Set>
>>          <Set name="soLingerTime"><Property
>> name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
>> default="-1"/></Set>
>>          <Set name="acceptorPriorityDelta"><Property
>> name="jetty.http.acceptorPriorityDelta"
>> deprecated="http.acceptorPriorityDelta" default="0"/></Set>
>>          <Set name="acceptQueueSize"><Property
>> name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
>> default="0"/></Set>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>> <!-- ============================================================= -->
>> <!-- Configure a HTTPS connector.                                  -->
>> <!-- This configuration must be used in conjunction with jetty.xml -->
>> <!-- and jetty-ssl.xml.                                            -->
>> <!-- ============================================================= -->
>>
>>    <Call name="addIfAbsentConnectionFactory">
>>      <Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>          <Arg name="next">http/1.1</Arg>
>>          <Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>>    <Call name="addConnectionFactory">
>>      <Arg>
>>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>          <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>>
>> <!-- ============================================================= -->
>> <!-- Base SSL configuration                                        -->
>> <!-- This configuration needs to be used together with 1 or more   -->
>> <!-- of jetty-https.xml or jetty-http2.xml                         -->
>> <!-- ============================================================= -->
>>
>>    <!-- =========================================================== -->
>>    <!-- Add a SSL Connector with no protocol factories              -->
>>    <!-- =========================================================== -->
>>    <Call  name="addConnector">
>>      <Arg>
>>        <New id="sslConnector"
>> class="org.eclipse.jetty.server.ServerConnector">
>>          <Arg name="server"><Ref refid="Server" /></Arg>
>>          <Arg name="acceptors" type="int"><Property
>> name="jetty.ssl.acceptors" deprecated="ssl.acceptors"
>> default="-1"/></Arg>
>>          <Arg name="selectors" type="int"><Property
>> name="jetty.ssl.selectors" deprecated="ssl.selectors"
>> default="-1"/></Arg>
>>          <Arg name="factories">
>>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>              <!-- uncomment to support proxy protocol
>>              <Item>
>>                <New
>> class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>>              </Item>-->
>>            </Array>
>>          </Arg>
>>
>>          <Set name="host"><Property name="jetty.ssl.host"
>> deprecated="jetty.host" /></Set>
>>          <Set name="port"><Property name="jetty.ssl.port"
>> deprecated="ssl.port" default="8443" /></Set>
>>          <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout"
>> deprecated="ssl.timeout" default="30000"/></Set>
>>          <Set name="soLingerTime"><Property
>> name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime"
>> default="-1"/></Set>
>>          <Set name="acceptorPriorityDelta"><Property
>> name="jetty.ssl.acceptorPriorityDelta"
>> deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
>>          <Set name="acceptQueueSize"><Property
>> name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize"
>> default="0"/></Set>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>>    <!-- =========================================================== -->
>>    <!-- Create a TLS specific HttpConfiguration based on the        -->
>>    <!-- common HttpConfiguration defined in jetty.xml               -->
>>    <!-- Add a SecureRequestCustomizer to extract certificate and    -->
>>    <!-- session information                                         -->
>>    <!-- =========================================================== -->
>>    <New id="sslHttpConfig"
>> class="org.eclipse.jetty.server.HttpConfiguration">
>>      <Arg><Ref refid="httpConfig"/></Arg>
>>      <Call name="addCustomizer">
>>        <Arg>
>>          <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
>>            <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck"
>> default="true"/></Arg>
>>          </New>
>>        </Arg>
>>      </Call>
>>    </New>
>>
>> <!-- ============================================================= -->
>> <!-- SSL ContextFactory configuration                              -->
>> <!-- ============================================================= -->
>> <!-- Configure id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory" -->
>>
>> <New id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>    <Set name="KeyStorePath"><Property name="jetty.base" default="."
>> />/<Property name="jetty.sslContext.keyStorePath"
>> deprecated="jetty.keystore" default="etc/keystore"/></Set>
>>    <Set name="KeyStorePassword"><Property
>> name="jetty.sslContext.keyStorePassword"
>> deprecated="jetty.keystore.password" default="MyPassword" /></Set>
>>    <Set name="KeyStoreType"><Property
>> name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
>>    <Set name="KeyStoreProvider"><Property
>> name="jetty.sslContext.keyStoreProvider"/></Set>
>>    <Set name="KeyManagerPassword"><Property
>> name="jetty.sslContext.keyManagerPassword"
>> deprecated="jetty.keymanager.password" default="MyPassword" /></Set>
>>    <Set name="TrustStorePath"><Property name="jetty.base" default="."
>> />/<Property name="jetty.sslContext.trustStorePath"
>> deprecated="jetty.truststore" default="etc/keystore"/></Set>
>>    <Set name="TrustStorePassword"><Property
>> name="jetty.sslContext.trustStorePassword"
>> deprecated="jetty.truststore.password" default="MyPassword" /></Set>
>>    <Set name="TrustStoreType"><Property
>> name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
>>    <Set name="TrustStoreProvider"><Property
>> name="jetty.sslContext.trustStoreProvider"/></Set>
>>    <Set name="EndpointIdentificationAlgorithm"></Set>
>>    <Set name="NeedClientAuth"><Property
>> name="jetty.sslContext.needClientAuth"
>> deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
>>    <Set name="WantClientAuth"><Property
>> name="jetty.sslContext.wantClientAuth"
>> deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
>>    <Set name="ExcludeCipherSuites">
>>     <Array type="String">
>>      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>>      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>>      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>>      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>>      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>>     </Array>
>>    </Set>
>>    <Set name="useCipherSuitesOrder"><Property
>> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
>> </New>
>>
>> </Configure>
>>
>> ===================================
>>
>> On Wed, Sep 2, 2015 at 2:46 PM, Jason Levitt <sl...@gmail.com>
>> wrote:
>>>
>>> I can get Jetty 9.3.3 to work over SSL with these four files, but I
>>> cannot figure out a way to
>>> put them into one file (required by fuseki) to get SSL working with
>>> fuseki:
>>>
>>> jetty.xml
>>>
>>> <?xml version="1.0"?>
>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>>
>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>
>>>      <New id="httpConfig"
>>> class="org.eclipse.jetty.server.HttpConfiguration">
>>>        <Set name="secureScheme"><Property
>>> name="jetty.httpConfig.secureScheme" default="https" /></Set>
>>>        <Set name="securePort"><Property
>>> name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
>>> default="8443" /></Set>
>>>        <Set name="outputBufferSize"><Property
>>> name="jetty.httpConfig.outputBufferSize"
>>> deprecated="jetty.output.buffer.size" default="32768" /></Set>
>>>        <Set name="outputAggregationSize"><Property
>>> name="jetty.httpConfig.outputAggregationSize"
>>> deprecated="jetty.output.aggregation.size" default="8192" /></Set>
>>>        <Set name="requestHeaderSize"><Property
>>> name="jetty.httpConfig.requestHeaderSize"
>>> deprecated="jetty.request.header.size" default="8192" /></Set>
>>>        <Set name="responseHeaderSize"><Property
>>> name="jetty.httpConfig.responseHeaderSize"
>>> deprecated="jetty.response.header.size" default="8192" /></Set>
>>>        <Set name="sendServerVersion"><Property
>>> name="jetty.httpConfig.sendServerVersion"
>>> deprecated="jetty.send.server.version" default="true" /></Set>
>>>        <Set name="sendDateHeader"><Property
>>> name="jetty.httpConfig.sendDateHeader"
>>> deprecated="jetty.send.date.header" default="false" /></Set>
>>>        <Set name="headerCacheSize"><Property
>>> name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
>>>        <Set name="delayDispatchUntilContent"><Property
>>> name="jetty.httpConfig.delayDispatchUntilContent"
>>> deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
>>>      </New>
>>>
>>> </Configure>
>>>
>>> jetty-http.xml
>>>
>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>>
>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>
>>>    <Call name="addConnector">
>>>      <Arg>
>>>        <New id="httpConnector"
>>> class="org.eclipse.jetty.server.ServerConnector">
>>>          <Arg name="server"><Ref refid="Server" /></Arg>
>>>          <Arg name="acceptors" type="int"><Property
>>> name="jetty.http.acceptors" deprecated="http.acceptors"
>>> default="-1"/></Arg>
>>>          <Arg name="selectors" type="int"><Property
>>> name="jetty.http.selectors" deprecated="http.selectors"
>>> default="-1"/></Arg>
>>>          <Arg name="factories">
>>>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>              <!-- uncomment to support proxy protocol
>>>              <Item>
>>>                <New
>>> class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>>>              </Item>-->
>>>              <Item>
>>>                <New
>>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>                </New>
>>>              </Item>
>>>            </Array>
>>>          </Arg>
>>>          <Set name="host"><Property name="jetty.http.host"
>>> deprecated="jetty.host" /></Set>
>>>          <Set name="port"><Property name="jetty.http.port"
>>> deprecated="jetty.port" default="8080" /></Set>
>>>          <Set name="idleTimeout"><Property
>>> name="jetty.http.idleTimeout" deprecated="http.timeout"
>>> default="30000"/></Set>
>>>          <Set name="soLingerTime"><Property
>>> name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
>>> default="-1"/></Set>
>>>          <Set name="acceptorPriorityDelta"><Property
>>> name="jetty.http.acceptorPriorityDelta"
>>> deprecated="http.acceptorPriorityDelta" default="0"/></Set>
>>>          <Set name="acceptQueueSize"><Property
>>> name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
>>> default="0"/></Set>
>>>        </New>
>>>      </Arg>
>>>    </Call>
>>>
>>> </Configure>
>>>
>>>
>>> jetty-https.xml
>>>
>>> <?xml version="1.0"?>
>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>>
>>> <Configure id="sslConnector"
>>> class="org.eclipse.jetty.server.ServerConnector">
>>>
>>>    <Call name="addIfAbsentConnectionFactory">
>>>      <Arg>
>>>        <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>>          <Arg name="next">http/1.1</Arg>
>>>          <Arg name="sslContextFactory"><Ref
>>> refid="sslContextFactory"/></Arg>
>>>        </New>
>>>      </Arg>
>>>    </Call>
>>>
>>>    <Call name="addConnectionFactory">
>>>      <Arg>
>>>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>          <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
>>>        </New>
>>>      </Arg>
>>>    </Call>
>>>
>>> </Configure>
>>>
>>> jetty-ssl-context.xml
>>>
>>> <?xml version="1.0"?>
>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>>
>>> <Configure id="sslContextFactory"
>>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>
>>>    <Set name="KeyStorePath"><Property name="jetty.base" default="."
>>> />/<Property name="jetty.sslContext.keyStorePath"
>>> deprecated="jetty.keystore" default="etc/keystore"/></Set>
>>>    <Set name="KeyStorePassword"><Property
>>> name="jetty.sslContext.keyStorePassword"
>>> deprecated="jetty.keystore.password" />MyPassword</Set>
>>>    <Set name="KeyStoreType"><Property
>>> name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
>>>    <Set name="KeyStoreProvider"><Property
>>> name="jetty.sslContext.keyStoreProvider"/></Set>
>>>    <Set name="KeyManagerPassword"><Property
>>> name="jetty.sslContext.keyManagerPassword"
>>> deprecated="jetty.keymanager.password" />MyPassword</Set>
>>>    <Set name="TrustStorePath"><Property name="jetty.base" default="."
>>> />/<Property name="jetty.sslContext.trustStorePath"
>>> deprecated="jetty.truststore" default="etc/keystore"/></Set>
>>>    <Set name="TrustStorePassword"><Property
>>> name="jetty.sslContext.trustStorePassword"
>>> deprecated="jetty.truststore.password" />MyPassword</Set>
>>>    <Set name="TrustStoreType"><Property
>>> name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
>>>    <Set name="TrustStoreProvider"><Property
>>> name="jetty.sslContext.trustStoreProvider"/></Set>
>>>    <Set name="EndpointIdentificationAlgorithm"></Set>
>>>    <Set name="NeedClientAuth"><Property
>>> name="jetty.sslContext.needClientAuth"
>>> deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
>>>    <Set name="WantClientAuth"><Property
>>> name="jetty.sslContext.wantClientAuth"
>>> deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
>>>    <Set name="ExcludeCipherSuites">
>>>     <Array type="String">
>>>      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>>>      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>>>      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>>>      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>>>      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>>      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>>      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>>>     </Array>
>>>    </Set>
>>>    <Set name="useCipherSuitesOrder"><Property
>>> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
>>> </Configure>
>>>
>>> ================
>>>
>>> On Wed, Sep 2, 2015 at 8:18 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> Hi Jason,
>>>>
>>>> I have made some progress with your config.
>>>>
>>>> 1/ I switched the development code to 9.3.3 so we have one target and
>>>> because I got that version to work with your config
>>>>
>>>> 9.3.3 was released 27/Aug/2015.
>>>>
>>>> Don't know if you're working from the source or not so I did a development
>>>> build of Fuseki2 with 9.3.3.
>>>>
>>>>
>>>> https://repository.apache.org/content/repositories/snapshots/org/apache/jena/apache-jena-fuseki/2.3.1-SNAPSHOT/
>>>>
>>>> NB There are 2 builds for today - latest with Jetty 9.3.3 is
>>>>
>>>>    20150902.121407-19
>>>>
>>>> 2/ Fix for your config file below.
>>>>     Needs some details from jetty.xml copied into it.
>>>>
>>>>          Andy
>>>>
>>>> On 01/09/15 20:36, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Back to square one.
>>>>>
>>>>> This Jetty config file works fine with Jetty 9:
>>>>
>>>>
>>>>
>>>> Which jetty version?  I'm seeing differences between 9.1.1 and 9.3.3
>>>>
>>>> With 9.3.2 I get a different, more useful error (yes, I was using
>>>> 9.3.2 at that point)
>>>>
>>>> [2015-09-02 12:24:37] Server     ERROR SPARQLServer: Failed to configure
>>>> server: null
>>>> java.lang.reflect.InvocationTargetException
>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>
>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>
>>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>> java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>>> org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:627)
>>>>
>>>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:782)
>>>>
>>>> which looks to be caused by:
>>>>
>>>>>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>          <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>>       </New>
>>>>
>>>>
>>>> and httpConfig is not defined.  (I debug traced the Jetty code).
>>>>
>>>> It says higher up:
>>>>
>>>>   <!-- HttpConnectionFactory instance using the common httpConfig  -->
>>>>   <!-- instance defined in jetty.xml
>>>>
>>>>
>>>> I copied the block from jetty.xml 9.3.3 into your configuration:
>>>> <New id="httpConfig"
>>>> </New>
>>>>
>>>> Full copy below.
>>>>
>>>> This is for 9.3.3 only - I tried the same approach with 9.1.1 and it
>>>> didn't
>>>> work.  Maybe my user error, maybe because your config makes a 9.3
>>>> specific
>>>> call.  Rather than worry about that, I switched the development code
>>>> base to
>>>> 9.3.3.
>>>>
>>>> Hey presto - server runs for me.  Confirmed it is using the config by
>>>> changing the port but that's all the testing I have time for ATM.
>>>> (Looking
>>>> for a job (= employment) can be quite time consuming!)
>>>>
>>>>          Andy
>>>>
>>>>
>>>> ------------------------------------------------------------
>>>> Copy of new section, reformatted for email :-| , inserted before <Call>
>>>>
>>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>>    <New
>>>>      ....
>>>>    </New>
>>>>
>>>>    <Call name="addConnector">
>>>>     </Call>
>>>>
>>>>
>>>> </Configure>
>>>>
>>>> --------- Full insert
>>>>
>>>>
>>>> <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>>>>    <Set name="secureScheme">
>>>>      <Property name="jetty.httpConfig.secureScheme"
>>>>                default="https" />
>>>>    </Set>
>>>>    <Set name="securePort">
>>>>      <Property name="jetty.httpConfig.securePort"
>>>>                deprecated="jetty.secure.port"
>>>>                default="8443" />
>>>>    </Set>
>>>>    <Set name="outputBufferSize">
>>>>      <Property name="jetty.httpConfig.outputBufferSize"
>>>>                deprecated="jetty.output.buffer.size"
>>>>                default="32768" />
>>>>    </Set>
>>>>    <Set name="outputAggregationSize">
>>>>      <Property name="jetty.httpConfig.outputAggregationSize"
>>>>                deprecated="jetty.output.aggregation.size"
>>>>                default="8192" />
>>>>    </Set>
>>>>    <Set name="requestHeaderSize">
>>>>      <Property name="jetty.httpConfig.requestHeaderSize"
>>>>                deprecated="jetty.request.header.size"
>>>>                default="8192" />
>>>>    </Set>
>>>>    <Set name="responseHeaderSize">
>>>>      <Property name="jetty.httpConfig.responseHeaderSize"
>>>>                deprecated="jetty.response.header.size"
>>>>                default="8192" />
>>>>    </Set>
>>>>    <Set name="sendServerVersion">
>>>>      <Property name="jetty.httpConfig.sendServerVersion"
>>>>                deprecated="jetty.send.server.version"
>>>>                default="true" />
>>>>    </Set>
>>>>    <Set name="sendDateHeader">
>>>>      <Property name="jetty.httpConfig.sendDateHeader"
>>>>                deprecated="jetty.send.date.header"
>>>>                default="false" />
>>>>    </Set>
>>>>    <Set name="headerCacheSize">
>>>>      <Property name="jetty.httpConfig.headerCacheSize"
>>>>                default="512" />
>>>>    </Set>
>>>>    <Set name="delayDispatchUntilContent">
>>>>      <Property name="jetty.httpConfig.delayDispatchUntilContent"
>>>>                deprecated="jetty.delayDispatchUntilContent"
>>>>                default="true"/>
>>>>    </Set>
>>>>    <Set name="maxErrorDispatches">
>>>>      <Property name="jetty.httpConfig.maxErrorDispatches"
>>>>                default="10"/>
>>>>    </Set>
>>>>    <!-- Uncomment to enable handling of X-Forwarded- style headers
>>>>         <Call name="addCustomizer">
>>>>           <Arg><New
>>>> class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
>>>>    </Call>
>>>>    -->
>>>> </New>
>>>>
>
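
Added example (not part of the original messages, and not Jetty or Fuseki code): a small Python check for the two mistakes diagnosed in this thread when several Jetty XML files are merged into one, a <Ref> to an id that is not defined and a <Call> that lands on the wrong object. The two sample configs are constructed and shortened; the method table and the top-to-bottom id resolution are assumptions.

```python
import xml.etree.ElementTree as ET

# Class that declares each method, only for the <Call> names used in the
# thread's config (assumption: extend this table for other calls).
METHOD_OWNER = {
    "addConnector": "org.eclipse.jetty.server.Server",
    "addConnectionFactory": "org.eclipse.jetty.server.ServerConnector",
    "addIfAbsentConnectionFactory": "org.eclipse.jetty.server.ServerConnector",
}

# Constructed sample: connector-level calls pasted directly under <Configure>
# for the Server, with ids referenced before (or without) being defined.
BROKEN = """
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
    </New>
  </Arg></Call>
  <Call name="addIfAbsentConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.server.SslConnectionFactory">
      <Arg name="next">http/1.1</Arg>
      <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
    </New>
  </Arg></Call>
  <Call name="addConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
      <Arg name="config"><Ref refid="httpConfig"/></Arg>
    </New>
  </Arg></Call>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"/>
</Configure>
"""

# Constructed sample: ids defined first, connector calls nested inside the
# connector's <New>, the way the thread's sslHttpConfig nests addCustomizer.
FIXED = """
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"/>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"/>
  <Call name="addConnector"><Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
      <Call name="addIfAbsentConnectionFactory"><Arg>
        <New class="org.eclipse.jetty.server.SslConnectionFactory">
          <Arg name="next">http/1.1</Arg>
          <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
        </New>
      </Arg></Call>
      <Call name="addConnectionFactory"><Arg>
        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
          <Arg name="config"><Ref refid="httpConfig"/></Arg>
        </New>
      </Arg></Call>
    </New>
  </Arg></Call>
</Configure>
"""


def lint_jetty_xml(xml_text):
    """Return (kind, detail) findings for one Jetty XML configuration."""
    findings = []
    defined = {}  # id -> class, filled in document order

    def walk(elem, target):
        # target = class of the object that nested <Set>/<Call> act on.
        if elem.tag in ("Configure", "New"):
            target = elem.get("class", target)
            if elem.get("id"):
                # Simplification: the id counts as defined from the opening tag.
                defined[elem.get("id")] = target
        elif elem.tag == "Ref":
            refid = elem.get("refid")
            if refid not in defined:
                findings.append(("undefined-ref", refid))
            target = defined.get(refid)  # children act on the referenced object
        elif elem.tag in ("Call", "Get"):
            owner = METHOD_OWNER.get(elem.get("name"))
            if owner and target and owner != target:
                findings.append(("wrong-target", f"{elem.get('name')} on {target}"))
            target = None  # children act on the return value, type unknown here
        for child in elem:
            walk(child, target)

    walk(ET.fromstring(xml_text.strip()), None)
    return findings


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_jetty_xml(text))
```

Running it over a merged file before starting the server reports these two problems by element name instead of through a reflection stack trace.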

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
The error:

 > java.lang.IllegalStateException: No Method: <Call
 > name="addIfAbsentConnectionFactory"><Arg>
 >        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
 > name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
 > refid="sslContextFactory"/></Arg></New>
 >      </Arg></Call> on class org.eclipse.jetty.server.Server

says that the method addIfAbsentConnectionFactory is being called on 
Server.  Server does not have that method but there is one on Connector.

Maybe some kind of alignment problem in the configuration file?

	Andy

On 02/09/15 23:39, Jason Levitt wrote:
> Below is the combined XML config file I'm trying to use. Fuseki (your
> Jetty v9.3.3 build) spits this error out (also below).
> The combined config files, separately, provide SSL fine in Jetty
> v9.3.3 but I can't get it to work in Fuseki. The only change I had to
> make, for XML
> syntax purposes, was changing:
>
> <Configure id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>
> To this:
>
> <New id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>
> ====================================
>
> [2015-09-02 22:36:24] Server     INFO  Jetty server config file =
> /home/ec2-user/fuseki/jettyconfig/jettyall.xml
> [2015-09-02 22:36:24] XmlConfiguration WARN  Config error at <Call
> name="addIfAbsentConnectionFactory"><Arg>
>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
> refid="sslContextFactory"/></Arg></New>
>      </Arg></Call>
> [2015-09-02 22:36:24] Server     ERROR SPARQLServer: Failed to
> configure server: No Method: <Call
> name="addIfAbsentConnectionFactory"><Arg>
>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
> refid="sslContextFactory"/></Arg></New>
>      </Arg></Call> on class org.eclipse.jetty.server.Server
> java.lang.IllegalStateException: No Method: <Call
> name="addIfAbsentConnectionFactory"><Arg>
>        <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
> name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
> refid="sslContextFactory"/></Arg></New>
>      </Arg></Call> on class org.eclipse.jetty.server.Server
> at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:734)
> at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
> at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:300)
> at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:245)
> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:265)
> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
> Caused by: java.lang.NoSuchMethodException: addIfAbsentConnectionFactory
> at org.eclipse.jetty.util.TypeUtil.call(TypeUtil.java:552)
> at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:726)
> ... 13 more
> org.apache.jena.fuseki.FusekiException: Failed to configure a server
> using configuration file
> '/home/ec2-user/fuseki/jettyconfig/jettyall.xml'
> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>
> ============================
>
> jettyall.xml file:
>
>
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>
>      <Get name="ThreadPool">
>        <Set name="minThreads" type="int"><Property
> name="jetty.threadPool.minThreads" deprecated="threads.min"
> default="10"/></Set>
>        <Set name="maxThreads" type="int"><Property
> name="jetty.threadPool.maxThreads" deprecated="threads.max"
> default="200"/></Set>
>        <Set name="idleTimeout" type="int"><Property
> name="jetty.threadPool.idleTimeout" deprecated="threads.timeout"
> default="60000"/></Set>
>        <Set name="detailedDump">false</Set>
>      </Get>
>
>      <!-- =========================================================== -->
>      <!-- Add shared Scheduler instance                               -->
>      <!-- =========================================================== -->
>      <Call name="addBean">
>        <Arg>
>          <New class="org.eclipse.jetty.util.thread.ScheduledExecutorScheduler"/>
>        </Arg>
>      </Call>
>
>      <!-- =========================================================== -->
>      <!-- Http Configuration.                                         -->
>      <!-- This is a common configuration instance used by all         -->
>      <!-- connectors that can carry HTTP semantics (HTTP, HTTPS, etc.)-->
>      <!-- It configures the non wire protocol aspects of the HTTP     -->
>      <!-- semantic.                                                   -->
>      <!--                                                             -->
>      <!-- This configuration is only defined here and is used by      -->
>      <!-- reference from other XML files such as jetty-http.xml,      -->
>      <!-- jetty-https.xml and other configuration files which         -->
>      <!-- instantiate the connectors.                                 -->
>      <!--                                                             -->
>      <!-- Consult the javadoc of o.e.j.server.HttpConfiguration       -->
>      <!-- for all configuration that may be set here.                 -->
>      <!-- =========================================================== -->
>      <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>        <Set name="secureScheme"><Property
> name="jetty.httpConfig.secureScheme" default="https" /></Set>
>        <Set name="securePort"><Property
> name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
> default="8443" /></Set>
>        <Set name="outputBufferSize"><Property
> name="jetty.httpConfig.outputBufferSize"
> deprecated="jetty.output.buffer.size" default="32768" /></Set>
>        <Set name="outputAggregationSize"><Property
> name="jetty.httpConfig.outputAggregationSize"
> deprecated="jetty.output.aggregation.size" default="8192" /></Set>
>        <Set name="requestHeaderSize"><Property
> name="jetty.httpConfig.requestHeaderSize"
> deprecated="jetty.request.header.size" default="8192" /></Set>
>        <Set name="responseHeaderSize"><Property
> name="jetty.httpConfig.responseHeaderSize"
> deprecated="jetty.response.header.size" default="8192" /></Set>
>        <Set name="sendServerVersion"><Property
> name="jetty.httpConfig.sendServerVersion"
> deprecated="jetty.send.server.version" default="true" /></Set>
>        <Set name="sendDateHeader"><Property
> name="jetty.httpConfig.sendDateHeader"
> deprecated="jetty.send.date.header" default="false" /></Set>
>        <Set name="headerCacheSize"><Property
> name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
>        <Set name="delayDispatchUntilContent"><Property
> name="jetty.httpConfig.delayDispatchUntilContent"
> deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
>        <!-- Uncomment to enable handling of X-Forwarded- style headers
>        <Call name="addCustomizer">
>          <Arg><New
> class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
>        </Call>
>        -->
>      </New>
>
>      <!-- =========================================================== -->
>      <!-- Set the default handler structure for the Server            -->
>      <!-- A handler collection is used to pass received requests to   -->
>      <!-- both the ContextHandlerCollection, which selects the next   -->
>      <!-- handler by context path and virtual host, and the           -->
>      <!-- DefaultHandler, which handles any requests not handled by   -->
>      <!-- the context handlers.                                       -->
>      <!-- Other handlers may be added to the "Handlers" collection,   -->
>      <!-- for example the jetty-requestlog.xml file adds the          -->
>      <!-- RequestLogHandler after the default handler                 -->
>      <!-- =========================================================== -->
>      <Set name="handler">
>        <New id="Handlers"
> class="org.eclipse.jetty.server.handler.HandlerCollection">
>          <Set name="handlers">
>           <Array type="org.eclipse.jetty.server.Handler">
>             <Item>
>               <New id="Contexts"
> class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
>             </Item>
>             <Item>
>               <New id="DefaultHandler"
> class="org.eclipse.jetty.server.handler.DefaultHandler"/>
>             </Item>
>           </Array>
>          </Set>
>        </New>
>      </Set>
>
>      <!-- =========================================================== -->
>      <!-- extra server options                                        -->
>      <!-- =========================================================== -->
>      <Set name="stopAtShutdown"><Property
> name="jetty.server.stopAtShutdown" default="true"/></Set>
>      <Set name="stopTimeout">5000</Set>
>      <Set name="dumpAfterStart"><Property
> name="jetty.server.dumpAfterStart" deprecated="jetty.dump.start"
> default="false"/></Set>
>      <Set name="dumpBeforeStop"><Property
> name="jetty.server.dumpBeforeStop" deprecated="jetty.dump.stop"
> default="false"/></Set>
>
> <!-- ============================================================= -->
> <!-- Configure the Jetty Server instance with an ID "Server"       -->
> <!-- by adding a HTTP connector.                                   -->
> <!-- This configuration must be used in conjunction with jetty.xml -->
> <!-- ============================================================= -->
>
>    <!-- =========================================================== -->
>    <!-- Add a HTTP Connector.                                       -->
>    <!-- Configure an o.e.j.server.ServerConnector with a single     -->
>    <!-- HttpConnectionFactory instance using the common httpConfig  -->
>    <!-- instance defined in jetty.xml                               -->
>    <!--                                                             -->
>    <!-- Consult the javadoc of o.e.j.server.ServerConnector and     -->
>    <!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
>    <!-- that may be set here.                                       -->
>    <!-- =========================================================== -->
>    <Call name="addConnector">
>      <Arg>
>        <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
>          <Arg name="server"><Ref refid="Server" /></Arg>
>          <Arg name="acceptors" type="int"><Property
> name="jetty.http.acceptors" deprecated="http.acceptors"
> default="-1"/></Arg>
>          <Arg name="selectors" type="int"><Property
> name="jetty.http.selectors" deprecated="http.selectors"
> default="-1"/></Arg>
>          <Arg name="factories">
>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>              <!-- uncomment to support proxy protocol
>              <Item>
>                <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>              </Item>-->
>              <Item>
>                <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
>                </New>
>              </Item>
>            </Array>
>          </Arg>
>          <Set name="host"><Property name="jetty.http.host"
> deprecated="jetty.host" /></Set>
>          <Set name="port"><Property name="jetty.http.port"
> deprecated="jetty.port" default="8080" /></Set>
>          <Set name="idleTimeout"><Property
> name="jetty.http.idleTimeout" deprecated="http.timeout"
> default="30000"/></Set>
>          <Set name="soLingerTime"><Property
> name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
> default="-1"/></Set>
>          <Set name="acceptorPriorityDelta"><Property
> name="jetty.http.acceptorPriorityDelta"
> deprecated="http.acceptorPriorityDelta" default="0"/></Set>
>          <Set name="acceptQueueSize"><Property
> name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
> default="0"/></Set>
>        </New>
>      </Arg>
>    </Call>
>
> <!-- ============================================================= -->
> <!-- Configure a HTTPS connector.                                  -->
> <!-- This configuration must be used in conjunction with jetty.xml -->
> <!-- and jetty-ssl.xml.                                            -->
> <!-- ============================================================= -->
>
>    <Call name="addIfAbsentConnectionFactory">
>      <Arg>
>        <New class="org.eclipse.jetty.server.SslConnectionFactory">
>          <Arg name="next">http/1.1</Arg>
>          <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
>        </New>
>      </Arg>
>    </Call>
>
>    <Call name="addConnectionFactory">
>      <Arg>
>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>          <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
>        </New>
>      </Arg>
>    </Call>
>
>
> <!-- ============================================================= -->
> <!-- Base SSL configuration                                        -->
> <!-- This configuration needs to be used together with 1 or more   -->
> <!-- of jetty-https.xml or jetty-http2.xml                         -->
> <!-- ============================================================= -->
>
>    <!-- =========================================================== -->
>    <!-- Add a SSL Connector with no protocol factories              -->
>    <!-- =========================================================== -->
>    <Call  name="addConnector">
>      <Arg>
>        <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
>          <Arg name="server"><Ref refid="Server" /></Arg>
>          <Arg name="acceptors" type="int"><Property
> name="jetty.ssl.acceptors" deprecated="ssl.acceptors"
> default="-1"/></Arg>
>          <Arg name="selectors" type="int"><Property
> name="jetty.ssl.selectors" deprecated="ssl.selectors"
> default="-1"/></Arg>
>          <Arg name="factories">
>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>              <!-- uncomment to support proxy protocol
>              <Item>
>                <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>              </Item>-->
>            </Array>
>          </Arg>
>
>          <Set name="host"><Property name="jetty.ssl.host"
> deprecated="jetty.host" /></Set>
>          <Set name="port"><Property name="jetty.ssl.port"
> deprecated="ssl.port" default="8443" /></Set>
>          <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout"
> deprecated="ssl.timeout" default="30000"/></Set>
>          <Set name="soLingerTime"><Property
> name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime"
> default="-1"/></Set>
>          <Set name="acceptorPriorityDelta"><Property
> name="jetty.ssl.acceptorPriorityDelta"
> deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
>          <Set name="acceptQueueSize"><Property
> name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize"
> default="0"/></Set>
>        </New>
>      </Arg>
>    </Call>
>
>    <!-- =========================================================== -->
>    <!-- Create a TLS specific HttpConfiguration based on the        -->
>    <!-- common HttpConfiguration defined in jetty.xml               -->
>    <!-- Add a SecureRequestCustomizer to extract certificate and    -->
>    <!-- session information                                         -->
>    <!-- =========================================================== -->
>    <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>      <Arg><Ref refid="httpConfig"/></Arg>
>      <Call name="addCustomizer">
>        <Arg>
>          <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
>            <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck"
> default="true"/></Arg>
>          </New>
>        </Arg>
>      </Call>
>    </New>
>
> <!-- ============================================================= -->
> <!-- SSL ContextFactory configuration                              -->
> <!-- ============================================================= -->
> <!-- Configure id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory" -->
>
> <New id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>    <Set name="KeyStorePath"><Property name="jetty.base" default="."
> />/<Property name="jetty.sslContext.keyStorePath"
> deprecated="jetty.keystore" default="etc/keystore"/></Set>
>    <Set name="KeyStorePassword"><Property
> name="jetty.sslContext.keyStorePassword"
> deprecated="jetty.keystore.password" default="MyPassword" /></Set>
>    <Set name="KeyStoreType"><Property
> name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
>    <Set name="KeyStoreProvider"><Property
> name="jetty.sslContext.keyStoreProvider"/></Set>
>    <Set name="KeyManagerPassword"><Property
> name="jetty.sslContext.keyManagerPassword"
> deprecated="jetty.keymanager.password" default="MyPassword" /></Set>
>    <Set name="TrustStorePath"><Property name="jetty.base" default="."
> />/<Property name="jetty.sslContext.trustStorePath"
> deprecated="jetty.truststore" default="etc/keystore"/></Set>
>    <Set name="TrustStorePassword"><Property
> name="jetty.sslContext.trustStorePassword"
> deprecated="jetty.truststore.password" default="MyPassword" /></Set>
>    <Set name="TrustStoreType"><Property
> name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
>    <Set name="TrustStoreProvider"><Property
> name="jetty.sslContext.trustStoreProvider"/></Set>
>    <Set name="EndpointIdentificationAlgorithm"></Set>
>    <Set name="NeedClientAuth"><Property
> name="jetty.sslContext.needClientAuth"
> deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
>    <Set name="WantClientAuth"><Property
> name="jetty.sslContext.wantClientAuth"
> deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
>    <Set name="ExcludeCipherSuites">
>     <Array type="String">
>      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>     </Array>
>    </Set>
>    <Set name="useCipherSuitesOrder"><Property
> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
> </New>
>
> </Configure>
>
> ===================================
>
> On Wed, Sep 2, 2015 at 2:46 PM, Jason Levitt <sl...@gmail.com> wrote:
>> I can get Jetty 9.3.3 to work over SSL with these four files, but I
>> cannot figure out a way to
>> put them into one file (required by fuseki) to get SSL working with fuseki:
>>
>> jetty.xml
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>
>>      <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>>        <Set name="secureScheme"><Property
>> name="jetty.httpConfig.secureScheme" default="https" /></Set>
>>        <Set name="securePort"><Property
>> name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
>> default="8443" /></Set>
>>        <Set name="outputBufferSize"><Property
>> name="jetty.httpConfig.outputBufferSize"
>> deprecated="jetty.output.buffer.size" default="32768" /></Set>
>>        <Set name="outputAggregationSize"><Property
>> name="jetty.httpConfig.outputAggregationSize"
>> deprecated="jetty.output.aggregation.size" default="8192" /></Set>
>>        <Set name="requestHeaderSize"><Property
>> name="jetty.httpConfig.requestHeaderSize"
>> deprecated="jetty.request.header.size" default="8192" /></Set>
>>        <Set name="responseHeaderSize"><Property
>> name="jetty.httpConfig.responseHeaderSize"
>> deprecated="jetty.response.header.size" default="8192" /></Set>
>>        <Set name="sendServerVersion"><Property
>> name="jetty.httpConfig.sendServerVersion"
>> deprecated="jetty.send.server.version" default="true" /></Set>
>>        <Set name="sendDateHeader"><Property
>> name="jetty.httpConfig.sendDateHeader"
>> deprecated="jetty.send.date.header" default="false" /></Set>
>>        <Set name="headerCacheSize"><Property
>> name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
>>        <Set name="delayDispatchUntilContent"><Property
>> name="jetty.httpConfig.delayDispatchUntilContent"
>> deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
>>      </New>
>>
>> </Configure>
>>
>> jetty-http.xml
>>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>
>>    <Call name="addConnector">
>>      <Arg>
>>        <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
>>          <Arg name="server"><Ref refid="Server" /></Arg>
>>          <Arg name="acceptors" type="int"><Property
>> name="jetty.http.acceptors" deprecated="http.acceptors"
>> default="-1"/></Arg>
>>          <Arg name="selectors" type="int"><Property
>> name="jetty.http.selectors" deprecated="http.selectors"
>> default="-1"/></Arg>
>>          <Arg name="factories">
>>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>              <!-- uncomment to support proxy protocol
>>              <Item>
>>                <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>>              </Item>-->
>>              <Item>
>>                <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>                </New>
>>              </Item>
>>            </Array>
>>          </Arg>
>>          <Set name="host"><Property name="jetty.http.host"
>> deprecated="jetty.host" /></Set>
>>          <Set name="port"><Property name="jetty.http.port"
>> deprecated="jetty.port" default="8080" /></Set>
>>          <Set name="idleTimeout"><Property
>> name="jetty.http.idleTimeout" deprecated="http.timeout"
>> default="30000"/></Set>
>>          <Set name="soLingerTime"><Property
>> name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
>> default="-1"/></Set>
>>          <Set name="acceptorPriorityDelta"><Property
>> name="jetty.http.acceptorPriorityDelta"
>> deprecated="http.acceptorPriorityDelta" default="0"/></Set>
>>          <Set name="acceptQueueSize"><Property
>> name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
>> default="0"/></Set>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>> </Configure>
>>
>>
>> jetty-https.xml
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
>>
>>    <Call name="addIfAbsentConnectionFactory">
>>      <Arg>
>>        <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>          <Arg name="next">http/1.1</Arg>
>>          <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>>    <Call name="addConnectionFactory">
>>      <Arg>
>>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>          <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>> </Configure>
>>
>> jetty-ssl-context.xml
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <Configure id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>
>>    <Set name="KeyStorePath"><Property name="jetty.base" default="."
>> />/<Property name="jetty.sslContext.keyStorePath"
>> deprecated="jetty.keystore" default="etc/keystore"/></Set>
>>    <Set name="KeyStorePassword"><Property
>> name="jetty.sslContext.keyStorePassword"
>> deprecated="jetty.keystore.password" />MyPassword</Set>
>>    <Set name="KeyStoreType"><Property
>> name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
>>    <Set name="KeyStoreProvider"><Property
>> name="jetty.sslContext.keyStoreProvider"/></Set>
>>    <Set name="KeyManagerPassword"><Property
>> name="jetty.sslContext.keyManagerPassword"
>> deprecated="jetty.keymanager.password" />MyPassword</Set>
>>    <Set name="TrustStorePath"><Property name="jetty.base" default="."
>> />/<Property name="jetty.sslContext.trustStorePath"
>> deprecated="jetty.truststore" default="etc/keystore"/></Set>
>>    <Set name="TrustStorePassword"><Property
>> name="jetty.sslContext.trustStorePassword"
>> deprecated="jetty.truststore.password" />MyPassword</Set>
>>    <Set name="TrustStoreType"><Property
>> name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
>>    <Set name="TrustStoreProvider"><Property
>> name="jetty.sslContext.trustStoreProvider"/></Set>
>>    <Set name="EndpointIdentificationAlgorithm"></Set>
>>    <Set name="NeedClientAuth"><Property
>> name="jetty.sslContext.needClientAuth"
>> deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
>>    <Set name="WantClientAuth"><Property
>> name="jetty.sslContext.wantClientAuth"
>> deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
>>    <Set name="ExcludeCipherSuites">
>>     <Array type="String">
>>      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>>      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>>      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>>      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>>      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>>     </Array>
>>    </Set>
>>    <Set name="useCipherSuitesOrder"><Property
>> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
>> </Configure>
>>
>> ================
>>
>> On Wed, Sep 2, 2015 at 8:18 AM, Andy Seaborne <an...@apache.org> wrote:
>>> Hi Jason,
>>>
>>> I have made some progress with your config.
>>>
>>> 1/ I switched the development code to 9.3.3 so we have one target and
>>> because I got that version to work with your config
>>>
>>> 9.3.3 was released 27/Aug/2015.
>>>
>>> Don't know if you're working from the source or not so I did a development
>>> build of Fuseki2 with 9.3.3.
>>>
>>> https://repository.apache.org/content/repositories/snapshots/org/apache/jena/apache-jena-fuseki/2.3.1-SNAPSHOT/
>>>
>>> NB There are 2 builds for today - latest with Jetty 9.3.3 is
>>>
>>>    20150902.121407-19
>>>
>>> 2/ Fix for your config file below.
>>>     Needs some details from jetty.xml copied into it.
>>>
>>>          Andy
>>>
>>> On 01/09/15 20:36, Jason Levitt wrote:
>>>>
>>>> Back to square one.
>>>>
>>>> This Jetty config file works fine with Jetty 9:
>>>
>>>
>>> Which jetty version?  I'm seeing differences between 9.1.1 and 9.3.3
>>>
>>> With 9.3.2 I get a different, more useful error (yes, I was using
>>> 9.3.2 at that point)
>>>
>>> [2015-09-02 12:24:37] Server     ERROR SPARQLServer: Failed to configure
>>> server: null
>>> java.lang.reflect.InvocationTargetException
>>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>> java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>> org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:627)
>>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:782)
>>>
>>> which looks to be caused by:
>>>
>>>>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>          <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>       </New>
>>>
>>> and httpConfig is not defined.  (I debug traced the Jetty code).
>>>
>>> It says higher up:
>>>
>>>   <!-- HttpConnectionFactory instance using the common httpConfig  -->
>>>   <!-- instance defined in jetty.xml
>>>
>>>
>>> I copied the block from jetty.xml 9.3.3 into your configuration:
>>> <New id="httpConfig"
>>> </New>
>>>
>>> Full copy below.
>>>
>>> This is for 9.3.3 only - I tried the same approach with 9.1.1 and it didn't
>>> work.  Maybe my user error, maybe because your config makes a 9.3 specific
>>> call.  Rather than worry about that, I switched the development code base to
>>> 9.3.3.
>>>
>>> Hey presto - server runs for me.  Confirmed it is using the config by
>>> changing the port but that's all the testing I have time for ATM. (Looking
>>> for a job (= employment) can be quite time consuming!)
>>>
>>>          Andy
>>>
>>>
>>> ------------------------------------------------------------
>>> Copy of new section, reformatted for email :-| , inserted before <Call>
>>>
>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>    <New
>>>      ....
>>>    </New>
>>>
>>>    <Call name="addConnector">
>>>     </Call>
>>>
>>>
>>> </Configure>
>>>
>>> --------- Full insert
>>>
>>>
>>> <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>>>    <Set name="secureScheme">
>>>      <Property name="jetty.httpConfig.secureScheme"
>>>                default="https" />
>>>    </Set>
>>>    <Set name="securePort">
>>>      <Property name="jetty.httpConfig.securePort"
>>>                deprecated="jetty.secure.port"
>>>                default="8443" />
>>>    </Set>
>>>    <Set name="outputBufferSize">
>>>      <Property name="jetty.httpConfig.outputBufferSize"
>>>                deprecated="jetty.output.buffer.size"
>>>                default="32768" />
>>>    </Set>
>>>    <Set name="outputAggregationSize">
>>>      <Property name="jetty.httpConfig.outputAggregationSize"
>>>                deprecated="jetty.output.aggregation.size"
>>>                default="8192" />
>>>    </Set>
>>>    <Set name="requestHeaderSize">
>>>      <Property name="jetty.httpConfig.requestHeaderSize"
>>>                deprecated="jetty.request.header.size"
>>>                default="8192" />
>>>    </Set>
>>>    <Set name="responseHeaderSize">
>>>      <Property name="jetty.httpConfig.responseHeaderSize"
>>>                deprecated="jetty.response.header.size"
>>>                default="8192" />
>>>    </Set>
>>>    <Set name="sendServerVersion">
>>>      <Property name="jetty.httpConfig.sendServerVersion"
>>>                deprecated="jetty.send.server.version"
>>>                default="true" />
>>>    </Set>
>>>    <Set name="sendDateHeader">
>>>      <Property name="jetty.httpConfig.sendDateHeader"
>>>                deprecated="jetty.send.date.header"
>>>                default="false" />
>>>    </Set>
>>>    <Set name="headerCacheSize">
>>>      <Property name="jetty.httpConfig.headerCacheSize"
>>>                default="512" />
>>>    </Set>
>>>    <Set name="delayDispatchUntilContent">
>>>      <Property name="jetty.httpConfig.delayDispatchUntilContent"
>>>                deprecated="jetty.delayDispatchUntilContent"
>>>                default="true"/>
>>>    </Set>
>>>    <Set name="maxErrorDispatches">
>>>      <Property name="jetty.httpConfig.maxErrorDispatches"
>>>                default="10"/>
>>>    </Set>
>>>    <!-- Uncomment to enable handling of X-Forwarded- style headers
>>>         <Call name="addCustomizer">
>>>           <Arg><New
>>> class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
>>>    </Call>
>>>    -->
>>> </New>
>>>
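
The failures discussed in this thread (a `<Ref refid="...">` to an id that is not defined at that point, and `addIfAbsentConnectionFactory` becoming a call on `org.eclipse.jetty.server.Server` once the `<Configure id="sslConnector">` wrapper of jetty-https.xml is dropped in the merge) can be checked for before starting Fuseki. The script below is an added example, not part of any message in the thread and not Jena or Jetty code; `lint`, the finding names and the two condensed sample files are constructed for illustration, and it assumes Jetty evaluates the XML in document order.

```python
"""Lint a merged Jetty XML file for the failures discussed in this thread."""
import xml.etree.ElementTree as ET

# Assumption of this example: only the two connector methods that appear in
# the thread are checked, and both belong on a ServerConnector.
CONNECTOR_ONLY = {"addIfAbsentConnectionFactory", "addConnectionFactory"}
CONNECTOR_CLASS = "org.eclipse.jetty.server.ServerConnector"

# Constructed, condensed samples (structure only; host, port, factories and
# keystore settings are omitted). BROKEN follows the merged file's ordering
# and also leaves httpConfig undefined, as in the earlier diagnosis.
BROKEN = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addIfAbsentConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.server.SslConnectionFactory">
      <Arg name="next">http/1.1</Arg>
      <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
    </New>
  </Arg></Call>
  <Call name="addConnectionFactory"><Arg>
    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
      <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
    </New>
  </Arg></Call>
  <Call name="addConnector"><Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
    </New>
  </Arg></Call>
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
  </New>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"/>
</Configure>"""

# FIXED: definitions first, connector calls wrapped in <Ref refid="sslConnector">.
FIXED = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"/>
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
  </New>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"/>
  <Call name="addConnector"><Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
    </New>
  </Arg></Call>
  <Ref refid="sslConnector">
    <Call name="addIfAbsentConnectionFactory"><Arg>
      <New class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="next">http/1.1</Arg>
        <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
      </New>
    </Arg></Call>
    <Call name="addConnectionFactory"><Arg>
      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
        <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
      </New>
    </Arg></Call>
  </Ref>
</Configure>"""


def lint(xml_text):
    """Return (kind, detail) findings in document order."""
    root = ET.fromstring(xml_text)
    declared = {e.get("id") for e in root.iter() if e.tag != "Ref" and e.get("id")}
    seen = {}       # id -> class; an id counts as defined from its opening tag
    findings = []

    def walk(elem, receiver):
        # receiver: class a <Call> here would be invoked on (None = unknown).
        if elem.tag in ("Configure", "New"):
            receiver = elem.get("class")
            if elem.get("id"):
                seen[elem.get("id")] = receiver
        elif elem.tag == "Ref":
            refid = elem.get("refid") or elem.get("id")
            if refid not in seen:
                kind = "ref-before-definition" if refid in declared else "ref-undefined"
                findings.append((kind, refid))
            receiver = seen.get(refid)
        elif elem.tag in ("Call", "Get"):
            name = elem.get("name")
            if (elem.tag == "Call" and name in CONNECTOR_ONLY
                    and receiver not in (None, CONNECTOR_CLASS)):
                findings.append(("call-on-wrong-object", f"{name} on {receiver}"))
            if elem.get("id"):
                seen[elem.get("id")] = None   # return type is not known here
            receiver = None                   # nested elements: receiver unknown
        for child in elem:
            walk(child, receiver)

    walk(root, None)
    return findings


if __name__ == "__main__":
    for kind, detail in lint(BROKEN):
        print(f"{kind}: {detail}")
```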


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Below is the combined XML config file I'm trying to use. Fuseki (your
Jetty v9.3.3 build) spits this error out (also below).
The combined config files, separately, provide SSL fine in Jetty
v9.3.3 but I can't get it to work in Fuseki. The only change I had to
make, for XML syntax purposes, was changing:

<Configure id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">

To this:

<New id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">

====================================

[2015-09-02 22:36:24] Server     INFO  Jetty server config file =
/home/ec2-user/fuseki/jettyconfig/jettyall.xml
[2015-09-02 22:36:24] XmlConfiguration WARN  Config error at <Call
name="addIfAbsentConnectionFactory"><Arg>
      <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
refid="sslContextFactory"/></Arg></New>
    </Arg></Call>
[2015-09-02 22:36:24] Server     ERROR SPARQLServer: Failed to
configure server: No Method: <Call
name="addIfAbsentConnectionFactory"><Arg>
      <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
refid="sslContextFactory"/></Arg></New>
    </Arg></Call> on class org.eclipse.jetty.server.Server
java.lang.IllegalStateException: No Method: <Call
name="addIfAbsentConnectionFactory"><Arg>
      <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg
name="next">http/1.1</Arg><Arg name="sslContextFactory"><Ref
refid="sslContextFactory"/></Arg></New>
    </Arg></Call> on class org.eclipse.jetty.server.Server
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:734)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:300)
at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:245)
at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:265)
at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
Caused by: java.lang.NoSuchMethodException: addIfAbsentConnectionFactory
at org.eclipse.jetty.util.TypeUtil.call(TypeUtil.java:552)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:726)
... 13 more
org.apache.jena.fuseki.FusekiException: Failed to configure a server
using configuration file
'/home/ec2-user/fuseki/jettyconfig/jettyall.xml'
at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)

============================

jettyall.xml file:


<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <Get name="ThreadPool">
      <Set name="minThreads" type="int"><Property
name="jetty.threadPool.minThreads" deprecated="threads.min"
default="10"/></Set>
      <Set name="maxThreads" type="int"><Property
name="jetty.threadPool.maxThreads" deprecated="threads.max"
default="200"/></Set>
      <Set name="idleTimeout" type="int"><Property
name="jetty.threadPool.idleTimeout" deprecated="threads.timeout"
default="60000"/></Set>
      <Set name="detailedDump">false</Set>
    </Get>

    <!-- =========================================================== -->
    <!-- Add shared Scheduler instance                               -->
    <!-- =========================================================== -->
    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.util.thread.ScheduledExecutorScheduler"/>
      </Arg>
    </Call>

    <!-- =========================================================== -->
    <!-- Http Configuration.                                         -->
    <!-- This is a common configuration instance used by all         -->
    <!-- connectors that can carry HTTP semantics (HTTP, HTTPS, etc.)-->
    <!-- It configures the non wire protocol aspects of the HTTP     -->
    <!-- semantic.                                                   -->
    <!--                                                             -->
    <!-- This configuration is only defined here and is used by      -->
    <!-- reference from other XML files such as jetty-http.xml,      -->
    <!-- jetty-https.xml and other configuration files which         -->
    <!-- instantiate the connectors.                                 -->
    <!--                                                             -->
    <!-- Consult the javadoc of o.e.j.server.HttpConfiguration       -->
    <!-- for all configuration that may be set here.                 -->
    <!-- =========================================================== -->
    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Set name="secureScheme"><Property
name="jetty.httpConfig.secureScheme" default="https" /></Set>
      <Set name="securePort"><Property
name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
default="8443" /></Set>
      <Set name="outputBufferSize"><Property
name="jetty.httpConfig.outputBufferSize"
deprecated="jetty.output.buffer.size" default="32768" /></Set>
      <Set name="outputAggregationSize"><Property
name="jetty.httpConfig.outputAggregationSize"
deprecated="jetty.output.aggregation.size" default="8192" /></Set>
      <Set name="requestHeaderSize"><Property
name="jetty.httpConfig.requestHeaderSize"
deprecated="jetty.request.header.size" default="8192" /></Set>
      <Set name="responseHeaderSize"><Property
name="jetty.httpConfig.responseHeaderSize"
deprecated="jetty.response.header.size" default="8192" /></Set>
      <Set name="sendServerVersion"><Property
name="jetty.httpConfig.sendServerVersion"
deprecated="jetty.send.server.version" default="true" /></Set>
      <Set name="sendDateHeader"><Property
name="jetty.httpConfig.sendDateHeader"
deprecated="jetty.send.date.header" default="false" /></Set>
      <Set name="headerCacheSize"><Property
name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
      <Set name="delayDispatchUntilContent"><Property
name="jetty.httpConfig.delayDispatchUntilContent"
deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
      <!-- Uncomment to enable handling of X-Forwarded- style headers
      <Call name="addCustomizer">
        <Arg><New
class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>
      -->
    </New>

    <!-- =========================================================== -->
    <!-- Set the default handler structure for the Server            -->
    <!-- A handler collection is used to pass received requests to   -->
    <!-- both the ContextHandlerCollection, which selects the next   -->
    <!-- handler by context path and virtual host, and the           -->
    <!-- DefaultHandler, which handles any requests not handled by   -->
    <!-- the context handlers.                                       -->
    <!-- Other handlers may be added to the "Handlers" collection,   -->
    <!-- for example the jetty-requestlog.xml file adds the          -->
    <!-- RequestLogHandler after the default handler                 -->
    <!-- =========================================================== -->
    <Set name="handler">
      <New id="Handlers"
class="org.eclipse.jetty.server.handler.HandlerCollection">
        <Set name="handlers">
         <Array type="org.eclipse.jetty.server.Handler">
           <Item>
             <New id="Contexts"
class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
           </Item>
           <Item>
             <New id="DefaultHandler"
class="org.eclipse.jetty.server.handler.DefaultHandler"/>
           </Item>
         </Array>
        </Set>
      </New>
    </Set>

    <!-- =========================================================== -->
    <!-- extra server options                                        -->
    <!-- =========================================================== -->
    <Set name="stopAtShutdown"><Property
name="jetty.server.stopAtShutdown" default="true"/></Set>
    <Set name="stopTimeout">5000</Set>
    <Set name="dumpAfterStart"><Property
name="jetty.server.dumpAfterStart" deprecated="jetty.dump.start"
default="false"/></Set>
    <Set name="dumpBeforeStop"><Property
name="jetty.server.dumpBeforeStop" deprecated="jetty.dump.stop"
default="false"/></Set>

<!-- ============================================================= -->
<!-- Configure the Jetty Server instance with an ID "Server"       -->
<!-- by adding a HTTP connector.                                   -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- ============================================================= -->

  <!-- =========================================================== -->
  <!-- Add a HTTP Connector.                                       -->
  <!-- Configure an o.e.j.server.ServerConnector with a single     -->
  <!-- HttpConnectionFactory instance using the common httpConfig  -->
  <!-- instance defined in jetty.xml                               -->
  <!--                                                             -->
  <!-- Consult the javadoc of o.e.j.server.ServerConnector and     -->
  <!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
  <!-- that may be set here.                                       -->
  <!-- =========================================================== -->
  <Call name="addConnector">
    <Arg>
      <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property
name="jetty.http.acceptors" deprecated="http.acceptors"
default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property
name="jetty.http.selectors" deprecated="http.selectors"
default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <!-- uncomment to support proxy protocol
            <Item>
              <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
            </Item>-->
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.http.host"
deprecated="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.http.port"
deprecated="jetty.port" default="8080" /></Set>
        <Set name="idleTimeout"><Property
name="jetty.http.idleTimeout" deprecated="http.timeout"
default="30000"/></Set>
        <Set name="soLingerTime"><Property
name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property
name="jetty.http.acceptorPriorityDelta"
deprecated="http.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property
name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
default="0"/></Set>
      </New>
    </Arg>
  </Call>

<!-- ============================================================= -->
<!-- Configure a HTTPS connector.                                  -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and jetty-ssl.xml.                                            -->
<!-- ============================================================= -->

  <Call name="addIfAbsentConnectionFactory">
    <Arg>
      <New class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="next">http/1.1</Arg>
        <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
      </New>
    </Arg>
  </Call>

  <Call name="addConnectionFactory">
    <Arg>
      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
        <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
      </New>
    </Arg>
  </Call>


<!-- ============================================================= -->
<!-- Base SSL configuration                                        -->
<!-- This configuration needs to be used together with 1 or more   -->
<!-- of jetty-https.xml or jetty-http2.xml                         -->
<!-- ============================================================= -->

  <!-- =========================================================== -->
  <!-- Add a SSL Connector with no protocol factories              -->
  <!-- =========================================================== -->
  <Call  name="addConnector">
    <Arg>
      <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property
name="jetty.ssl.acceptors" deprecated="ssl.acceptors"
default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property
name="jetty.ssl.selectors" deprecated="ssl.selectors"
default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <!-- uncomment to support proxy protocol
            <Item>
              <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
            </Item>-->
          </Array>
        </Arg>

        <Set name="host"><Property name="jetty.ssl.host"
deprecated="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.ssl.port"
deprecated="ssl.port" default="8443" /></Set>
        <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout"
deprecated="ssl.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property
name="jetty.ssl.soLingerTime" deprecated="ssl.soLingerTime"
default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property
name="jetty.ssl.acceptorPriorityDelta"
deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property
name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize"
default="0"/></Set>
      </New>
    </Arg>
  </Call>

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck"
default="true"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<!-- Configure id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory" -->

<New id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="."
/>/<Property name="jetty.sslContext.keyStorePath"
deprecated="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property
name="jetty.sslContext.keyStorePassword"
deprecated="jetty.keystore.password" default="MyPassword" /></Set>
  <Set name="KeyStoreType"><Property
name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property
name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword"><Property
name="jetty.sslContext.keyManagerPassword"
deprecated="jetty.keymanager.password" default="MyPassword" /></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="."
/>/<Property name="jetty.sslContext.trustStorePath"
deprecated="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property
name="jetty.sslContext.trustStorePassword"
deprecated="jetty.truststore.password" default="MyPassword" /></Set>
  <Set name="TrustStoreType"><Property
name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
  <Set name="TrustStoreProvider"><Property
name="jetty.sslContext.trustStoreProvider"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property
name="jetty.sslContext.needClientAuth"
deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property
name="jetty.sslContext.wantClientAuth"
deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
   </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property
name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</New>

</Configure>

===================================

On Wed, Sep 2, 2015 at 2:46 PM, Jason Levitt <sl...@gmail.com> wrote:
> I can get Jetty 9.3.3 to work over SSL with these four files, but I
> cannot figure out a way to
> put them into one file (required by fuseki) to get SSL working with fuseki:
>
> jetty.xml
>
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>
>     <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>       <Set name="secureScheme"><Property
> name="jetty.httpConfig.secureScheme" default="https" /></Set>
>       <Set name="securePort"><Property
> name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
> default="8443" /></Set>
>       <Set name="outputBufferSize"><Property
> name="jetty.httpConfig.outputBufferSize"
> deprecated="jetty.output.buffer.size" default="32768" /></Set>
>       <Set name="outputAggregationSize"><Property
> name="jetty.httpConfig.outputAggregationSize"
> deprecated="jetty.output.aggregation.size" default="8192" /></Set>
>       <Set name="requestHeaderSize"><Property
> name="jetty.httpConfig.requestHeaderSize"
> deprecated="jetty.request.header.size" default="8192" /></Set>
>       <Set name="responseHeaderSize"><Property
> name="jetty.httpConfig.responseHeaderSize"
> deprecated="jetty.response.header.size" default="8192" /></Set>
>       <Set name="sendServerVersion"><Property
> name="jetty.httpConfig.sendServerVersion"
> deprecated="jetty.send.server.version" default="true" /></Set>
>       <Set name="sendDateHeader"><Property
> name="jetty.httpConfig.sendDateHeader"
> deprecated="jetty.send.date.header" default="false" /></Set>
>       <Set name="headerCacheSize"><Property
> name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
>       <Set name="delayDispatchUntilContent"><Property
> name="jetty.httpConfig.delayDispatchUntilContent"
> deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
>     </New>
>
> </Configure>
>
> jetty-http.xml
>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>
>   <Call name="addConnector">
>     <Arg>
>       <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
>         <Arg name="server"><Ref refid="Server" /></Arg>
>         <Arg name="acceptors" type="int"><Property
> name="jetty.http.acceptors" deprecated="http.acceptors"
> default="-1"/></Arg>
>         <Arg name="selectors" type="int"><Property
> name="jetty.http.selectors" deprecated="http.selectors"
> default="-1"/></Arg>
>         <Arg name="factories">
>           <Array type="org.eclipse.jetty.server.ConnectionFactory">
>             <!-- uncomment to support proxy protocol
>             <Item>
>               <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
>             </Item>-->
>             <Item>
>               <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>                 <Arg name="config"><Ref refid="httpConfig" /></Arg>
>               </New>
>             </Item>
>           </Array>
>         </Arg>
>         <Set name="host"><Property name="jetty.http.host"
> deprecated="jetty.host" /></Set>
>         <Set name="port"><Property name="jetty.http.port"
> deprecated="jetty.port" default="8080" /></Set>
>         <Set name="idleTimeout"><Property
> name="jetty.http.idleTimeout" deprecated="http.timeout"
> default="30000"/></Set>
>         <Set name="soLingerTime"><Property
> name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
> default="-1"/></Set>
>         <Set name="acceptorPriorityDelta"><Property
> name="jetty.http.acceptorPriorityDelta"
> deprecated="http.acceptorPriorityDelta" default="0"/></Set>
>         <Set name="acceptQueueSize"><Property
> name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
> default="0"/></Set>
>       </New>
>     </Arg>
>   </Call>
>
> </Configure>
>
>
> jetty-https.xml
>
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
>
>   <Call name="addIfAbsentConnectionFactory">
>     <Arg>
>       <New class="org.eclipse.jetty.server.SslConnectionFactory">
>         <Arg name="next">http/1.1</Arg>
>         <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
>       </New>
>     </Arg>
>   </Call>
>
>   <Call name="addConnectionFactory">
>     <Arg>
>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>         <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
>       </New>
>     </Arg>
>   </Call>
>
> </Configure>
>
> jetty-ssl-context.xml
>
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <Configure id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>
>   <Set name="KeyStorePath"><Property name="jetty.base" default="."
> />/<Property name="jetty.sslContext.keyStorePath"
> deprecated="jetty.keystore" default="etc/keystore"/></Set>
>   <Set name="KeyStorePassword"><Property
> name="jetty.sslContext.keyStorePassword"
> deprecated="jetty.keystore.password" />MyPassword</Set>
>   <Set name="KeyStoreType"><Property
> name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
>   <Set name="KeyStoreProvider"><Property
> name="jetty.sslContext.keyStoreProvider"/></Set>
>   <Set name="KeyManagerPassword"><Property
> name="jetty.sslContext.keyManagerPassword"
> deprecated="jetty.keymanager.password" />MyPassword</Set>
>   <Set name="TrustStorePath"><Property name="jetty.base" default="."
> />/<Property name="jetty.sslContext.trustStorePath"
> deprecated="jetty.truststore" default="etc/keystore"/></Set>
>   <Set name="TrustStorePassword"><Property
> name="jetty.sslContext.trustStorePassword"
> deprecated="jetty.truststore.password" />MyPassword</Set>
>   <Set name="TrustStoreType"><Property
> name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
>   <Set name="TrustStoreProvider"><Property
> name="jetty.sslContext.trustStoreProvider"/></Set>
>   <Set name="EndpointIdentificationAlgorithm"></Set>
>   <Set name="NeedClientAuth"><Property
> name="jetty.sslContext.needClientAuth"
> deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
>   <Set name="WantClientAuth"><Property
> name="jetty.sslContext.wantClientAuth"
> deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
>   <Set name="ExcludeCipherSuites">
>    <Array type="String">
>     <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>     <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>     <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>     <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>     <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>     <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>     <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>    </Array>
>   </Set>
>   <Set name="useCipherSuitesOrder"><Property
> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
> </Configure>
>
> ================
>
> On Wed, Sep 2, 2015 at 8:18 AM, Andy Seaborne <an...@apache.org> wrote:
>> Hi Jason,
>>
>> I have made some progress with your config.
>>
>> 1/ I switched the development code to 9.3.3 so we have one target and
>> because I got that version to work with your config
>>
>> 9.3.3 was released 27/Aug/2015.
>>
>> Don't know if you're working from the source or not so I did a development
>> build of Fuseki2 with 9.3.3.
>>
>> https://repository.apache.org/content/repositories/snapshots/org/apache/jena/apache-jena-fuseki/2.3.1-SNAPSHOT/
>>
>> NB There are 2 builds for today - latest with Jetty 9.3.3 is
>>
>>   20150902.121407-19
>>
>> 2/ Fix for your config file below.
>>    Needs some details from jetty.xml copied into it.
>>
>>         Andy
>>
>> On 01/09/15 20:36, Jason Levitt wrote:
>>>
>>> Back to square one.
>>>
>>> This Jetty config file works fine with Jetty 9:
>>
>>
>> Which jetty version?  I'm seeing differences between 9.1.1 and 9.3.3
>>
>> With 9.3.2 I get a different, more useful error (yes, I was using
>> 9.3.2 at that point)
>>
>> [2015-09-02 12:24:37] Server     ERROR SPARQLServer: Failed to configure
>> server: null
>> java.lang.reflect.InvocationTargetException
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>> java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>> org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:627)
>> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:782)
>>
>> which looks to be caused by:
>>
>>>      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>         <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>      </New>
>>
>> and httpConfig is not defined.  (I debug traced the Jetty code).
>>
>> It says higher up:
>>
>>  <!-- HttpConnectionFactory instance using the common httpConfig  -->
>>  <!-- instance defined in jetty.xml
>>
>>
>> I copied the block from jetty.xml 9.3.3 into your configuration:
>> <New id="httpConfig"
>> </New>
>>
>> Full copy below.
>>
>> This is for 9.3.3 only - I tried the same approach with 9.1.1 and it didn't
>> work.  Maybe my user error, maybe because your config makes a 9.3 specific
>> call.  Rather than worry about that, I switched the development code base to
>> 9.3.3.
>>
>> Hey presto - server runs for me.  Confirmed it is using the config by
>> changing the port but that's all the testing I have time for ATM. (Looking
>> for a job (= employment) can be quite time consuming!)
>>
>>         Andy
>>
>>
>> ------------------------------------------------------------
>> Copy of new section, reformatted for email :-| , inserted before <Call>
>>
>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>   <New
>>     ....
>>   </New>
>>
>>   <Call name="addConnector">
>>    </Call>
>>
>>
>> </Configure>
>>
>> --------- Full insert
>>
>>
>> <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>>   <Set name="secureScheme">
>>     <Property name="jetty.httpConfig.secureScheme"
>>               default="https" />
>>   </Set>
>>   <Set name="securePort">
>>     <Property name="jetty.httpConfig.securePort"
>>               deprecated="jetty.secure.port"
>>               default="8443" />
>>   </Set>
>>   <Set name="outputBufferSize">
>>     <Property name="jetty.httpConfig.outputBufferSize"
>>               deprecated="jetty.output.buffer.size"
>>               default="32768" />
>>   </Set>
>>   <Set name="outputAggregationSize">
>>     <Property name="jetty.httpConfig.outputAggregationSize"
>>               deprecated="jetty.output.aggregation.size"
>>               default="8192" />
>>   </Set>
>>   <Set name="requestHeaderSize">
>>     <Property name="jetty.httpConfig.requestHeaderSize"
>>               deprecated="jetty.request.header.size"
>>               default="8192" />
>>   </Set>
>>   <Set name="responseHeaderSize">
>>     <Property name="jetty.httpConfig.responseHeaderSize"
>>               deprecated="jetty.response.header.size"
>>               default="8192" />
>>   </Set>
>>   <Set name="sendServerVersion">
>>     <Property name="jetty.httpConfig.sendServerVersion"
>>               deprecated="jetty.send.server.version"
>>               default="true" />
>>   </Set>
>>   <Set name="sendDateHeader">
>>     <Property name="jetty.httpConfig.sendDateHeader"
>>               deprecated="jetty.send.date.header"
>>               default="false" />
>>   </Set>
>>   <Set name="headerCacheSize">
>>     <Property name="jetty.httpConfig.headerCacheSize"
>>               default="512" />
>>   </Set>
>>   <Set name="delayDispatchUntilContent">
>>     <Property name="jetty.httpConfig.delayDispatchUntilContent"
>>               deprecated="jetty.delayDispatchUntilContent"
>>               default="true"/>
>>   </Set>
>>   <Set name="maxErrorDispatches">
>>     <Property name="jetty.httpConfig.maxErrorDispatches"
>>               default="10"/>
>>   </Set>
>>   <!-- Uncomment to enable handling of X-Forwarded- style headers
>>        <Call name="addCustomizer">
>>          <Arg><New
>> class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
>>   </Call>
>>   -->
>> </New>
>>

Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
I can get Jetty 9.3.3 to work over SSL with these four files, but I
cannot figure out a way to
put them into one file (required by fuseki) to get SSL working with fuseki:

jetty.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Set name="secureScheme"><Property
name="jetty.httpConfig.secureScheme" default="https" /></Set>
      <Set name="securePort"><Property
name="jetty.httpConfig.securePort" deprecated="jetty.secure.port"
default="8443" /></Set>
      <Set name="outputBufferSize"><Property
name="jetty.httpConfig.outputBufferSize"
deprecated="jetty.output.buffer.size" default="32768" /></Set>
      <Set name="outputAggregationSize"><Property
name="jetty.httpConfig.outputAggregationSize"
deprecated="jetty.output.aggregation.size" default="8192" /></Set>
      <Set name="requestHeaderSize"><Property
name="jetty.httpConfig.requestHeaderSize"
deprecated="jetty.request.header.size" default="8192" /></Set>
      <Set name="responseHeaderSize"><Property
name="jetty.httpConfig.responseHeaderSize"
deprecated="jetty.response.header.size" default="8192" /></Set>
      <Set name="sendServerVersion"><Property
name="jetty.httpConfig.sendServerVersion"
deprecated="jetty.send.server.version" default="true" /></Set>
      <Set name="sendDateHeader"><Property
name="jetty.httpConfig.sendDateHeader"
deprecated="jetty.send.date.header" default="false" /></Set>
      <Set name="headerCacheSize"><Property
name="jetty.httpConfig.headerCacheSize" default="512" /></Set>
      <Set name="delayDispatchUntilContent"><Property
name="jetty.httpConfig.delayDispatchUntilContent"
deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
    </New>

</Configure>

jetty-http.xml

<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <Call name="addConnector">
    <Arg>
      <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property
name="jetty.http.acceptors" deprecated="http.acceptors"
default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property
name="jetty.http.selectors" deprecated="http.selectors"
default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <!-- uncomment to support proxy protocol
            <Item>
              <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
            </Item>-->
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.http.host"
deprecated="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.http.port"
deprecated="jetty.port" default="8080" /></Set>
        <Set name="idleTimeout"><Property
name="jetty.http.idleTimeout" deprecated="http.timeout"
default="30000"/></Set>
        <Set name="soLingerTime"><Property
name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property
name="jetty.http.acceptorPriorityDelta"
deprecated="http.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property
name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize"
default="0"/></Set>
      </New>
    </Arg>
  </Call>

</Configure>


jetty-https.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">

  <Call name="addIfAbsentConnectionFactory">
    <Arg>
      <New class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="next">http/1.1</Arg>
        <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
      </New>
    </Arg>
  </Call>

  <Call name="addConnectionFactory">
    <Arg>
      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
        <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
      </New>
    </Arg>
  </Call>

</Configure>

jetty-ssl-context.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStorePath"><Property name="jetty.base" default="."
/>/<Property name="jetty.sslContext.keyStorePath"
deprecated="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property
name="jetty.sslContext.keyStorePassword"
deprecated="jetty.keystore.password" />MyPassword</Set>
  <Set name="KeyStoreType"><Property
name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property
name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword"><Property
name="jetty.sslContext.keyManagerPassword"
deprecated="jetty.keymanager.password" />MyPassword</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="."
/>/<Property name="jetty.sslContext.trustStorePath"
deprecated="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property
name="jetty.sslContext.trustStorePassword"
deprecated="jetty.truststore.password" />MyPassword</Set>
  <Set name="TrustStoreType"><Property
name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
  <Set name="TrustStoreProvider"><Property
name="jetty.sslContext.trustStoreProvider"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property
name="jetty.sslContext.needClientAuth"
deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property
name="jetty.sslContext.wantClientAuth"
deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
   </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property
name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>

================

On Wed, Sep 2, 2015 at 8:18 AM, Andy Seaborne <an...@apache.org> wrote:
> Hi Jason,
>
> I have made some progress with your config.
>
> 1/ I switched the development code to 9.3.3 so we have one target and
> because I got that version to work with your config
>
> 9.3.3 was released 27/Aug/2015.
>
> Don't know if you're working from the source or not so I did a development
> build of Fuseki2 with 9.3.3.
>
> https://repository.apache.org/content/repositories/snapshots/org/apache/jena/apache-jena-fuseki/2.3.1-SNAPSHOT/
>
> NB There are 2 builds for today - latest with Jetty 9.3.3 is
>
>   20150902.121407-19
>
> 2/ Fix for your config file below.
>    Needs some details from jetty.xml copied into it.
>
>         Andy
>
> On 01/09/15 20:36, Jason Levitt wrote:
>>
>> Back to square one.
>>
>> This Jetty config file works fine with Jetty 9:
>
>
> Which jetty version?  I'm seeing differences between 9.1.1 and 9.3.3
>
> With 9.3.2 I get a different, more useful error (yes, I was using
> 9.3.2 at that point)
>
> [2015-09-02 12:24:37] Server     ERROR SPARQLServer: Failed to configure
> server: null
> java.lang.reflect.InvocationTargetException
> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:627)
> org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:782)
>
> which looks to be caused by:
>
>>      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>         <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>      </New>
>
> and httpConfig is not defined.  (I debug traced the Jetty code).
>
> It says higher up:
>
>  <!-- HttpConnectionFactory instance using the common httpConfig  -->
>  <!-- instance defined in jetty.xml
>
>
> I copied the block from jetty.xml 9.3.3 into your configuration:
> <New id="httpConfig"
> </New>
>
> Full copy below.
>
> This is for 9.3.3 only - I tried the same approach with 9.1.1 and it didn't
> work.  Maybe my user error, maybe because your config makes a 9.3 specific
> call.  Rather than worry about that, I switched the development code base to
> 9.3.3.
>
> Hey presto - server runs for me.  Confirmed it is using the config by
> changing the port but that's all the testing I have time for ATM. (Looking
> for a job (= employment) can be quite time consuming!)
>
>         Andy
>
>
> ------------------------------------------------------------
> Copy of new section, reformatted for email :-| , inserted before <Call>
>
> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>   <New
>     ....
>   </New>
>
>   <Call name="addConnector">
>    </Call>
>
>
> </Configure>
>
> --------- Full insert
>
>
> <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>   <Set name="secureScheme">
>     <Property name="jetty.httpConfig.secureScheme"
>               default="https" />
>   </Set>
>   <Set name="securePort">
>     <Property name="jetty.httpConfig.securePort"
>               deprecated="jetty.secure.port"
>               default="8443" />
>   </Set>
>   <Set name="outputBufferSize">
>     <Property name="jetty.httpConfig.outputBufferSize"
>               deprecated="jetty.output.buffer.size"
>               default="32768" />
>   </Set>
>   <Set name="outputAggregationSize">
>     <Property name="jetty.httpConfig.outputAggregationSize"
>               deprecated="jetty.output.aggregation.size"
>               default="8192" />
>   </Set>
>   <Set name="requestHeaderSize">
>     <Property name="jetty.httpConfig.requestHeaderSize"
>               deprecated="jetty.request.header.size"
>               default="8192" />
>   </Set>
>   <Set name="responseHeaderSize">
>     <Property name="jetty.httpConfig.responseHeaderSize"
>               deprecated="jetty.response.header.size"
>               default="8192" />
>   </Set>
>   <Set name="sendServerVersion">
>     <Property name="jetty.httpConfig.sendServerVersion"
>               deprecated="jetty.send.server.version"
>               default="true" />
>   </Set>
>   <Set name="sendDateHeader">
>     <Property name="jetty.httpConfig.sendDateHeader"
>               deprecated="jetty.send.date.header"
>               default="false" />
>   </Set>
>   <Set name="headerCacheSize">
>     <Property name="jetty.httpConfig.headerCacheSize"
>               default="512" />
>   </Set>
>   <Set name="delayDispatchUntilContent">
>     <Property name="jetty.httpConfig.delayDispatchUntilContent"
>               deprecated="jetty.delayDispatchUntilContent"
>               default="true"/>
>   </Set>
>   <Set name="maxErrorDispatches">
>     <Property name="jetty.httpConfig.maxErrorDispatches"
>               default="10"/>
>   </Set>
>   <!-- Uncomment to enable handling of X-Forwarded- style headers
>   <Call name="addCustomizer">
>     <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
>   </Call>
>   -->
> </New>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
Hi Jason,

I have made some progress with your config.

1/ I switched the development code to 9.3.3 so we have one target and 
because I got that version to work with your config

9.3.3 was released 27/Aug/2015.

Don't know if you're working from the source or not so I did a development 
build of Fuseki2 with 9.3.3.

https://repository.apache.org/content/repositories/snapshots/org/apache/jena/apache-jena-fuseki/2.3.1-SNAPSHOT/

NB There are 2 builds for today - latest with Jetty 9.3.3 is

   20150902.121407-19

2/ Fix for your config file below.
    Needs some details from jetty.xml copied into it.

	Andy

On 01/09/15 20:36, Jason Levitt wrote:
> Back to square one.
>
> This Jetty config file works fine with Jetty 9:

Which jetty version?  I'm seeing differences between 9.1.1 and 9.3.3

With 9.3.2 I get a different, more useful error (yes, I was using 
9.3.2 at that point)

[2015-09-02 12:24:37] Server     ERROR SPARQLServer: Failed to configure server: null
java.lang.reflect.InvocationTargetException
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:422)
org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:627)
org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:782)

which looks to be caused by:

 >      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
 >         <Arg name="config"><Ref refid="httpConfig" /></Arg>
 >      </New>

and httpConfig is not defined.  (I debug traced the Jetty code).

It says higher up:

  <!-- HttpConnectionFactory instance using the common httpConfig  -->
  <!-- instance defined in jetty.xml


I copied the block from jetty.xml 9.3.3 into your configuration:
<New id="httpConfig"
</New>

Full copy below.

This is for 9.3.3 only - I tried the same approach with 9.1.1 and it 
didn't work.  Maybe my user error, maybe because your config makes a 9.3 
specific call.  Rather than worry about that, I switched the development 
code base to 9.3.3.

Hey presto - server runs for me.  Confirmed it is using the config by 
changing the port but that's all the testing I have time for ATM. 
(Looking for a job (= employment) can be quite time consuming!)

	Andy


------------------------------------------------------------
Copy of new section, reformatted for email :-| , inserted before <Call>

<Configure id="Server" class="org.eclipse.jetty.server.Server">
   <New
     ....
   </New>

   <Call name="addConnector">
    </Call>


</Configure>

--------- Full insert


<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
   <Set name="secureScheme">
     <Property name="jetty.httpConfig.secureScheme"
	      default="https" />
   </Set>
   <Set name="securePort">
     <Property name="jetty.httpConfig.securePort"
	      deprecated="jetty.secure.port"
	      default="8443" />
   </Set>
   <Set name="outputBufferSize">
     <Property name="jetty.httpConfig.outputBufferSize"
	      deprecated="jetty.output.buffer.size"
	      default="32768" />
   </Set>
   <Set name="outputAggregationSize">
     <Property name="jetty.httpConfig.outputAggregationSize"
	      deprecated="jetty.output.aggregation.size"
	      default="8192" />
   </Set>
   <Set name="requestHeaderSize">
     <Property name="jetty.httpConfig.requestHeaderSize"
	      deprecated="jetty.request.header.size"
	      default="8192" />
   </Set>
   <Set name="responseHeaderSize">
     <Property name="jetty.httpConfig.responseHeaderSize"
	      deprecated="jetty.response.header.size"
	      default="8192" />
   </Set>
   <Set name="sendServerVersion">
     <Property name="jetty.httpConfig.sendServerVersion"
	      deprecated="jetty.send.server.version"
	      default="true" />
   </Set>
   <Set name="sendDateHeader">
     <Property name="jetty.httpConfig.sendDateHeader"
	      deprecated="jetty.send.date.header"
	      default="false" />
   </Set>
   <Set name="headerCacheSize">
     <Property name="jetty.httpConfig.headerCacheSize"
	      default="512" />
   </Set>
   <Set name="delayDispatchUntilContent">
     <Property name="jetty.httpConfig.delayDispatchUntilContent"
	      deprecated="jetty.delayDispatchUntilContent"
	      default="true"/>
   </Set>
   <Set name="maxErrorDispatches">
     <Property name="jetty.httpConfig.maxErrorDispatches"
	      default="10"/>
   </Set>
   <!-- Uncomment to enable handling of X-Forwarded- style headers
   <Call name="addCustomizer">
     <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
   </Call>
   -->
</New>
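
The failure traced above comes from a `<Ref refid="httpConfig"/>` with no matching definition in the single file handed to `--jetty-config`. The following Python check is an added example, not part of the thread or of Fuseki or Jetty; the function name, the trimmed sample XML, and the rule that a definition must appear earlier in the file (taken from "inserted before <Call>" above) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the connector posted in the thread:
# it references "httpConfig" but never defines it.
BROKEN = """
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig"/></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="port">3030</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# Constructed stand-in for the HttpConfiguration block copied from jetty.xml.
HTTP_CONFIG = """<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="securePort">8443</Set>
  </New>
  """

# Definition placed before the connector, as in the fix described above.
FIXED = BROKEN.replace('<Call name="addConnector">',
                       HTTP_CONFIG + '<Call name="addConnector">', 1)

# Definition present, but only after the connector that uses it.
MISORDERED = BROKEN.replace("</Configure>", HTTP_CONFIG + "</Configure>", 1)


def undefined_refs(xml_text):
    """Return [(refid, reason)] for each <Ref> that has no earlier definition.

    Assumption: the file is processed top to bottom, so an id counts as
    defined only if an element carrying it appears at or before the <Ref>
    in document order.
    """
    root = ET.fromstring(xml_text.strip())
    elements = list(root.iter())  # pre-order, i.e. document order

    # Every id defined anywhere in the file (a <Ref> never defines one).
    all_ids = {el.get("id") for el in elements
               if el.tag != "Ref" and el.get("id")}

    seen = set()
    problems = []
    for el in elements:
        if el.tag == "Ref":
            # Jetty 9 uses refid; older configs used id on <Ref>.
            target = el.get("refid") or el.get("id")
            if target and target not in seen:
                if target in all_ids:
                    reason = "defined only after this reference"
                else:
                    reason = "not defined in this file"
                problems.append((target, reason))
        elif el.get("id"):
            seen.add(el.get("id"))
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED),
                        ("misordered", MISORDERED)):
        print(label, undefined_refs(text))
```

Running it over a config before starting the server shows which ids still need to be copied in from jetty.xml.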


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Back to square one.

This Jetty config file works fine with Jetty 9:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- Configure the Jetty Server instance with an ID "Server"       -->
<!-- by adding a HTTP connector.                                   -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- Add a HTTP Connector.                                       -->
  <!-- Configure an o.e.j.server.ServerConnector with a single     -->
  <!-- HttpConnectionFactory instance using the common httpConfig  -->
  <!-- instance defined in jetty.xml                               -->
  <!--                                                             -->
  <!-- Consult the javadoc of o.e.j.server.ServerConnector and     -->
  <!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
  <!-- that may be set here.                                       -->
  <!-- =========================================================== -->
  <Call name="addConnector">
    <Arg>
      <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="jetty.http.acceptors"
            deprecated="http.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="jetty.http.selectors"
            deprecated="http.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.http.host"
            deprecated="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.http.port"
            deprecated="jetty.port" default="3030" /></Set>
        <Set name="idleTimeout"><Property name="jetty.http.idleTimeout"
            deprecated="http.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="jetty.http.soLingerTime"
            deprecated="http.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.http.acceptorPriorityDelta"
            deprecated="http.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.http.acceptQueueSize"
            deprecated="http.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>


</Configure>


But when I feed it to fuseki:

$ ./fuseki-server --update  --jetty-config=jetty-http.xml --loc=ds /ds

I get this:


[2015-09-01 19:32:39] Server     INFO  Jetty server config file =
/home/ec2-user/fuseki/etc/jetty-http.xml
[2015-09-01 19:32:39] XmlConfiguration WARN  Config error at <Call
name="addConnector"><Arg>
      <New id="httpConnector"
class="org.eclipse.jetty.server.ServerConnector"><Arg
name="server"><Ref refid="Server"/></Arg><Arg name="acceptors"
type="int"><Property name="jetty.http.acceptors"
deprecated="http.acceptors" default="-1"/></Arg><Arg name="selectors"
type="int"><Property name="jetty.http.selectors"
deprecated="http.selectors" default="-1"/></Arg><Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory"><Item>
              <New
class="org.eclipse.jetty.server.HttpConnectionFactory"><Arg
name="config"><Ref refid="httpConfig"/></Arg></New>
            </Item></Array>
        </Arg><Set name="host"><Property name="jetty.http.host"
deprecated="jetty.host"/></Set><Set name="port"><Property
name="jetty.http.port" deprecated="jetty.port"
default="3030"/></Set><Set name="idleTimeout"><Property
name="jetty.http.idleTimeout" deprecated="http.timeout"
default="30000"/></Set><Set name="soLingerTime"><Property
name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
default="-1"/></Set><Set name="acceptorPriorityDelta"><Property
name="jetty.http.acceptorPriorityDelta"
deprecated="http.acceptorPriorityDelta" default="0"/></Set><Set
name="acceptQueueSize"><Property name="jetty.http.acceptQueueSize"
deprecated="http.acceptQueueSize" default="0"/></Set></New>
    </Arg></Call>
[2015-09-01 19:32:39] Server     ERROR SPARQLServer: Failed to
configure server: No suitable constructor: <New id="httpConnector"
class="org.eclipse.jetty.server.ServerConnector"><Arg
name="server"><Ref refid="Server"/></Arg><Arg name="acceptors"
type="int"><Property name="jetty.http.acceptors"
deprecated="http.acceptors" default="-1"/></Arg><Arg name="selectors"
type="int"><Property name="jetty.http.selectors"
deprecated="http.selectors" default="-1"/></Arg><Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory"><Item>
              <New
class="org.eclipse.jetty.server.HttpConnectionFactory"><Arg
name="config"><Ref refid="httpConfig"/></Arg></New>
            </Item></Array>
        </Arg><Set name="host"><Property name="jetty.http.host"
deprecated="jetty.host"/></Set><Set name="port"><Property
name="jetty.http.port" deprecated="jetty.port"
default="3030"/></Set><Set name="idleTimeout"><Property
name="jetty.http.idleTimeout" deprecated="http.timeout"
default="30000"/></Set><Set name="soLingerTime"><Property
name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
default="-1"/></Set><Set name="acceptorPriorityDelta"><Property
name="jetty.http.acceptorPriorityDelta"
deprecated="http.acceptorPriorityDelta" default="0"/></Set><Set
name="acceptQueueSize"><Property name="jetty.http.acceptQueueSize"
deprecated="http.acceptQueueSize" default="0"/></Set></New> on
org.eclipse.jetty.server.Server@9b0314
java.lang.IllegalStateException: No suitable constructor: <New
id="httpConnector"
class="org.eclipse.jetty.server.ServerConnector"><Arg
name="server"><Ref refid="Server"/></Arg><Arg name="acceptors"
type="int"><Property name="jetty.http.acceptors"
deprecated="http.acceptors" default="-1"/></Arg><Arg name="selectors"
type="int"><Property name="jetty.http.selectors"
deprecated="http.selectors" default="-1"/></Arg><Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory"><Item>
              <New
class="org.eclipse.jetty.server.HttpConnectionFactory"><Arg
name="config"><Ref refid="httpConfig"/></Arg></New>
            </Item></Array>
        </Arg><Set name="host"><Property name="jetty.http.host"
deprecated="jetty.host"/></Set><Set name="port"><Property
name="jetty.http.port" deprecated="jetty.port"
default="3030"/></Set><Set name="idleTimeout"><Property
name="jetty.http.idleTimeout" deprecated="http.timeout"
default="30000"/></Set><Set name="soLingerTime"><Property
name="jetty.http.soLingerTime" deprecated="http.soLingerTime"
default="-1"/></Set><Set name="acceptorPriorityDelta"><Property
name="jetty.http.acceptorPriorityDelta"
deprecated="http.acceptorPriorityDelta" default="0"/></Set><Set
name="acceptQueueSize"><Property name="jetty.http.acceptQueueSize"
deprecated="http.acceptQueueSize" default="0"/></Set></New> on
org.eclipse.jetty.server.Server@9b0314
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:811)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.itemValue(XmlConfiguration.java:1125)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.value(XmlConfiguration.java:1030)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:721)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:298)
at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:248)
at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:265)
at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
org.apache.jena.fuseki.FusekiException: Failed to configure a server
using configuration file '/home/ec2-user/fuseki/etc/jetty-http.xml'
at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)

On Tue, Sep 1, 2015 at 4:47 AM, Rob Vesse <rv...@dotnetrdf.org> wrote:
> I would suggest it is worth turning on DEBUG level logging for Jetty and
> reviewing the output carefully
>
> This is especially true if you are specifying a Jetty configuration where
> you are locking down the SSL configuration to disable the older insecure
> SSL protocols.
>
> I recently had an issue where on one JVM excluding the older protocols
> left only the newer secure protocols whereas on another JVM it removed all
> protocols and I needed to explicitly include the newer secure protocols to
> get things to work.  This manifested as a very similar error about the SSL
> handshake failing.
>
> The other thing to watch out for if you are getting this kind of error and
> you are limiting the set of SSL protocols and ciphers is that depending on
> your system the libraries and tools installed may be outdated enough to
> not support the more recent protocols and ciphers (I ran into an ancient
> curl version on some systems that didn't support TLS 1.1 or TLS 1.2)
>
> Rob
>
> On 01/09/2015 10:12, "Andy Seaborne" <an...@apache.org> wrote:
>
>>On 27/08/15 16:56, Jason Levitt wrote:
>>> If I remove that line from my config file:
>>>
>>> <Set name="host">mysite.com</Set>
>>>
>>> And then run fuseki and try to connect, using openssl, I get:
>>>
>>> $ openssl s_client -connect mysite.com:8443
>>> CONNECTED(00000003)
>>> 5546:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>
>>>failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_lib.c:185:
>>>
>>> I have no idea what this means -- probably a certificate mismatch(?).
>>
>>That could be what's happening - if the handshake is failing, I think it
>>means the operation hasn't got near the level of dispatching to the
>>index page.
>>
>>       Andy
>>
>>>
>>> J
>>>
>>> On Thu, Aug 27, 2015 at 10:46 AM, Andy Seaborne <an...@apache.org> wrote:
>>>> On 27/08/15 15:20, Jason Levitt wrote:
>>>>>
>>>>> Hi Andy,
>>>>>
>>>>>     Not only is Jetty 9.1 fairly different than Jetty 8, but the
>>>>>current
>>>>> version of Jetty, 9.3 is somewhat different
>>>>> than 9.1.  I will investigate further.
>>>>
>>>>
>>>> I just tried out 9.3 by flipping the version to 9.3.2.v20150730 and it
>>>>seems
>>>> OK (after 5 mins playing with it....).  So looks like the codebase can
>>>> switch if that helps simplifies things.
>>>>
>>>>          Andy
>>>>
>>>>
>>>>
>>>>>
>>>>> J
>>>>>
>>>>> On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org>
>>>>>wrote:
>>>>>>
>>>>>> Jason - thank you for pushing on with this.  It seems a lot of Jetty
>>>>>>has
>>>>>> changed Jetty8->Jetty9.1 in this area which is all news to me.
>>>>>>
>>>>>> On 27/08/15 06:09, Jason Levitt wrote:
>>>>>>>
>>>>>>>
>>>>>>> Making some progress but things still don't work.
>>>>>>>
>>>>>>> The startup log (edited) looks like this (domain name changed to
>>>>>>> mysite.com):
>>>>>>
>>>>>>
>>>>>>
>>>>>> This looks like it is because it's asking to run on an address that
>>>>>>isn't
>>>>>> the
>>>>>> local machine for some reason.  It does not look like something on
>>>>>>the
>>>>>> same
>>>>>> port because it is (usually)
>>>>>>
>>>>>> "java.net.BindException: Address already in use"
>>>>>>
>>>>>> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>>>>>>
>>>>>> Your config does not set the host but maybe the IP config is getting
>>>>>>in
>>>>>> the
>>>>>> way. This is EC2 so does the real DNS name resolve to the IP address
>>>>>>of a
>>>>>> local interface?  Does using "localhost" work (= do something
>>>>>>different)?
>>>>>>
>>>>>> That's the best clue I could find on StackOverflow.  I haven't found
>>>>>>a
>>>>>> way
>>>>>> to get the same error message using plain HTTP on a non-EC2 machine
>>>>>> though.
>>>>>>
>>>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>>>>>> to start server: Cannot assign requested address
>>>>>>
>>>>>>
>>>>>> port=0 looks weird though if you are taking control with the config
>>>>>>file
>>>>>> that is possible due to the earlier error.
>>>>>>
>>>>>> What is printed is serverConnector.getPort() and serverConnector is
>>>>>>the
>>>>>> first/only configured ServerConnector.
>>>>>>
>>>>>>           Andy
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file =
>>>>>>> myconfig.xml
>>>>>>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0
>>>>>>> 2015-07-25T17:11:28+0000
>>>>>>> [2015-08-27 03:56:03] Config     INFO
>>>>>>>FUSEKI_HOME=/home/ec2-user/fuseki
>>>>>>> [2015-08-27 03:56:03] Config     INFO
>>>>>>> FUSEKI_BASE=/home/ec2-user/fuseki/run
>>>>>>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro
>>>>>>>environment
>>>>>>> [2015-08-27 03:56:03] Config     INFO  Shiro file:
>>>>>>> file:///home/ec2-user/fuseki/run/shiro.ini
>>>>>>> [2015-08-27 03:56:03] Config     INFO  Template file:
>>>>>>> templates/config-tdb-dir
>>>>>>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>>>>>>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>>>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>>>>>> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
>>>>>>> java.net.BindException: Cannot assign requested address
>>>>>>> java.net.BindException: Cannot assign requested address
>>>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>>>> ....
>>>>>>> ....
>>>>>>> ....
>>>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>>>>>> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException:
>>>>>>>Cannot
>>>>>>> assign requested address
>>>>>>> java.net.BindException: Cannot assign requested address
>>>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>>>> ....
>>>>>>> ....
>>>>>>> ....
>>>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>>>>>> to start server: Cannot assign requested address
>>>>>>>
>>>>>>>
>>>>>>> And I'm running fuseki 2.3.0 with this command:
>>>>>>>
>>>>>>> nohup ./fuseki-server --port 8443 --update
>>>>>>> --jetty-config=myconfig.xml --loc=ds /ds
>>>>>>>
>>>>>>>
>>>>>>> The "myconfig.xml" file is below (I've already added my certificate
>>>>>>> and key to the Java 8 JSSE):
>>>>>>>
>>>>>>> <?xml version="1.0"?>
>>>>>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>>>>>> "http://www.eclipse.org/jetty/configure.dtd">
>>>>>>>
>>>>>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>>>>>      <Call name="addConnector">
>>>>>>>        <Arg>
>>>>>>>          <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>>> <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>>> <Arg name="factories">
>>>>>>>     <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>>>       <Item>
>>>>>>>         <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>>> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>>>>         </New>
>>>>>>>       </Item>
>>>>>>>     </Array>
>>>>>>> </Arg>
>>>>>>>          </New>
>>>>>>>        </Arg>
>>>>>>>      </Call>
>>>>>>>
>>>>>>> <New id="sslContextFactory"
>>>>>>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>>>>>      <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>>>>>>      <Set name="KeyStorePassword">somepassword</Set>
>>>>>>>      <Set name="KeyManagerPassword">somepassword</Set>
>>>>>>>      <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>>>>>>      <Set name="TrustStorePassword">somepassword</Set>
>>>>>>> </New>
>>>>>>>
>>>>>>> <Call id="sslConnector" name="addConnector">
>>>>>>>      <Arg>
>>>>>>>        <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>>>          <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>>>            <Arg name="factories">
>>>>>>>              <Array
>>>>>>>type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>>>                <Item>
>>>>>>>                  <New
>>>>>>> class="org.eclipse.jetty.server.SslConnectionFactory">
>>>>>>>                    <Arg name="next">http/1.1</Arg>
>>>>>>>                    <Arg name="sslContextFactory"><Ref
>>>>>>> refid="sslContextFactory"/></Arg>
>>>>>>>                  </New>
>>>>>>>                </Item>
>>>>>>>                <Item>
>>>>>>>                  <New
>>>>>>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>>>                    <Arg name="config"><Ref
>>>>>>>refid="tlsHttpConfig"/></Arg>
>>>>>>>                  </New>
>>>>>>>                </Item>
>>>>>>>              </Array>
>>>>>>>            </Arg>
>>>>>>>            <Set name="host"><Property name="jetty.host"/></Set>
>>>>>>>            <Set name="port"><Property name="jetty.tls.port"
>>>>>>> default="8443"
>>>>>>> /></Set>
>>>>>>>            <Set name="idleTimeout">30000</Set>
>>>>>>>            <Set name="host">mysite.com</Set>
>>>>>>>          </New>
>>>>>>>      </Arg>
>>>>>>> </Call>
>>>>>>>
>>>>>>> </Configure>
>>>>>>>
>>>>>>> ===================================
>>>>>>>
>>>>>>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt
>>>>>>><sl...@gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> I can't find any examples of the file that you hand to
>>>>>>>> "--jetty-config"
>>>>>>>>
>>>>>>>> The "official" jetty docs for configuring SSL imply that there are
>>>>>>>>two
>>>>>>>> configuration files,
>>>>>>>>     jetty-ssl-context.xml and  jetty-https.xml.
>>>>>>>>
>>>>>>>>
>>>>>>>>(http://www.eclipse.org/jetty/documentation/current/configuring-ssl.
>>>>>>>>html)
>>>>>>>>
>>>>>>>> The example that you cite:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/j
>>>>>>>>etty-server/src/main/config/etc/jetty-https.xml
>>>>>>>>
>>>>>>>> says that: "This configuration must be used in conjunction with
>>>>>>>> jetty.xml and jetty-ssl.xml"
>>>>>>>>
>>>>>>>> Where do these files go? The Fuseki download does not have any
>>>>>>>>"etc"
>>>>>>>> directory or
>>>>>>>> any xml configuration files at all.
>>>>>>>>
>>>>>>>> So, I tried handing some XML config files to Fuseki using
>>>>>>>> --jetty-config and it gives very little
>>>>>>>> info in the error (see below). Has anyone actually successfully run
>>>>>>>> Fuseki over SSL?
>>>>>>>>
>>>>>>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>>>>>>> ./jetty-https.xml
>>>>>>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>>>>>>> configure server: Unknown configuration type: Call in
>>>>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>>>> java.lang.IllegalStateException: Unknown configuration type: Call
>>>>>>>>in
>>>>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.ja
>>>>>>>>va:198)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:
>>>>>>>>177)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.ja
>>>>>>>>va:264)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuse
>>>>>>>>ki.java:222)
>>>>>>>> at
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFusek
>>>>>>>>i.java:86)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.j
>>>>>>>>ava:335)
>>>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(Fuseki
>>>>>>>>Cmd.java:96)
>>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>>>> org.apache.jena.fuseki.FusekiException: Failed to configure a
>>>>>>>>server
>>>>>>>> using configuration file './jetty-https.xml'
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.ja
>>>>>>>>va:269)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuse
>>>>>>>>ki.java:222)
>>>>>>>> at
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFusek
>>>>>>>>i.java:86)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.j
>>>>>>>>ava:335)
>>>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>>>> at
>>>>>>>>
>>>>>>>>
>>>>>>>>org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(Fuseki
>>>>>>>>Cmd.java:96)
>>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>>>>
>>>>>>>> J
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>>>wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks. So I can still use the "--jetty-config" option with
>>>>>>>>>>Fuseki
>>>>>>>>>> v2.30 ?
>>>>>>>>>>
>>>>>>>>>> J
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Yes, should work to pass in the file.  There was a major jetty
>>>>>>>>>version
>>>>>>>>> change (8 to 9) and what effect that has had on that option is
>>>>>>>>>unclear
>>>>>>>>> to
>>>>>>>>> me. Connector changed Jetty 8->9
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>http://www.eclipse.org/jetty/documentation/current/configuring-ssl.
>>>>>>>>>html
>>>>>>>>>
>>>>>>>>> and their example:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/
>>>>>>>>>jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>>>>
>>>>>>>>> It would be good to add this to the distribution - if you or
>>>>>>>>>anyone
>>>>>>>>> else
>>>>>>>>> has
>>>>>>>>> a working version, I'd be very grateful to get a copy.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>            Andy
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version)
>>>>>>>>>>>>use?
>>>>>>>>>>>>
>>>>>>>>>>>> J
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0
>>>>>>>>>>>/jena-fuseki-2.3.0.pom
>>>>>>>>>>>
>>>>>>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>>>>>>
>>>>>>>>>>>             Andy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne
>>>>>>>>>>>><an...@apache.org>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>>>>>>> setting
>>>>>>>>>>>>> up
>>>>>>>>>>>>> Jetty.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here's one in the examples/ area but as far as I can tell it's
>>>>>>>>>>>>> more
>>>>>>>>>>>>> int
>>>>>>>>>>>>> he
>>>>>>>>>>>>> category of "should work" (it is from Fuseki1 and that was a
>>>>>>>>>>>>> different
>>>>>>>>>>>>> version of Jetty) rather than tested.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>https://github.com/apache/jena/blob/master/jena-fuseki2/example
>>>>>>>>>>>>>s/jetty-fuseki.xml
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>>>>>>
>>>>>>>>>>>>>              Andy
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in
>>>>>>>>>>>>>>Jetty.
>>>>>>>>>>>>>> It
>>>>>>>>>>>>>> only talks to internal machines so there
>>>>>>>>>>>>>> is no need to protect it from external exposure.  So that
>>>>>>>>>>>>>>means
>>>>>>>>>>>>>> that
>>>>>>>>>>>>>> the easiest way is to use the
>>>>>>>>>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any
>>>>>>>>>>>>>> docs
>>>>>>>>>>>>>> on
>>>>>>>>>>>>>> what the options are for that
>>>>>>>>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> J
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful
>>>>>>>>>>>>>>> for several things and while there is nothing that forces a
>>>>>>>>>>>>>>> reverse proxy, the weight of features can mean it's a useful
>>>>>>>>>>>>>>> and flexible thing to put into a production system.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>>>>>>          (manic crawlers, badly written PHP scripts)
>>>>>>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>>>>>>          Java web containers just aren't as good under silly
>>>>>>>>>>>>>>>          load conditions.
>>>>>>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>>>>>>          E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>>>>>>> 4/ Security
>>>>>>>>>>>>>>>          integrate with local systems; rich choice of controls.
>>>>>>>>>>>>>>>          Control who and what can update
>>>>>>>>>>>>>>>          No need to restart for shiro changes.
>>>>>>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>>>>>>> network interface. In an environment like AWS, where port
>>>>>>>>>>>>>>> control is easy, it's trivial to secure the Fuseki server to
>>>>>>>>>>>>>>> only talk to the local reverse proxy by blocking all ports
>>>>>>>>>>>>>>> except (22 and) 80+443.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>               Andy
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I checked more carefully (should have done that before
>>>>>>>>>>>>>>>> replying) and it seems that Fuseki 2 also offers the
>>>>>>>>>>>>>>>> `--jetty-config` flag for using a Jetty configuration that
>>>>>>>>>>>>>>>> supports HTTPS:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g.
>>>>>>>>>>>>>>>>> Tomcat or Jetty) or using the server included with Fuseki and
>>>>>>>>>>>>>>>>> is it Fuseki 1 or 2?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If the former, you will need to supply configuration specific
>>>>>>>>>>>>>>>>> to that container. If the latter and it is Fuseki 1, there is
>>>>>>>>>>>>>>>>> a Stack Overflow answer for it:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>>>>>>>>>> Jetty configuration (Jetty is the servlet container that the
>>>>>>>>>>>>>>>>> Fuseki command uses).
>>>>>>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could
>>>>>>>>>>>>>>>>> use a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Jason

Re: Fuseki over HTTPS?

Posted by Rob Vesse <rv...@dotnetrdf.org>.
I would suggest it is worth turning on DEBUG level logging for Jetty and
reviewing the output carefully.

This is especially true if you are specifying a Jetty configuration where
you are locking down the SSL configuration to disable the older insecure
SSL protocols.

I recently had an issue where on one JVM excluding the older protocols
left only the newer secure protocols whereas on another JVM it removed all
protocols and I needed to explicitly include the newer secure protocols to
get things to work.  This manifested as a very similar error about the SSL
handshake failing.

The other thing to watch out for if you are getting this kind of error and
you are limiting the set of SSL protocols and ciphers is that depending on
your system the libraries and tools installed may be outdated enough to
not support the more recent protocols and ciphers (I ran into an ancient
curl version on some systems that didn't support TLS 1.1 or TLS 1.2).

Rob
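
The failure mode described in the message above, as an added example that is not part of the original message or of Jetty's code: it reads include/exclude protocol lists from a Jetty-style `SslContextFactory` block and resolves them against two JVMs and two clients. The XML, the JVM profiles, the client lists and the selection rule (modelled on Jetty 9's `SslContextFactory`) are assumptions constructed for illustration.

```python
"""Resolve a Jetty-style include/exclude protocol lock-down against a JVM.

Assumed selection rule (modelled on Jetty 9's SslContextFactory): a non-empty
include list is matched against what the JVM supports; an empty one falls
back to what the JVM enables by default; excludes are removed last.
All XML, JVM profiles and client lists below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Protocol names from oldest to newest, used to pick the best common one.
ORDER = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed config: lock-down by exclusion only.
EXCLUDE_ONLY_XML = """
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">/path/to/keystore</Set>
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv2Hello</Item><Item>SSLv3</Item><Item>TLSv1</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Same config with the newer protocols also named explicitly.
INCLUDE_XML = EXCLUDE_ONLY_XML.replace(
    '<Set name="ExcludeProtocols">',
    '<Set name="IncludeProtocols"><Array type="java.lang.String">'
    '<Item>TLSv1.1</Item><Item>TLSv1.2</Item></Array></Set>\n'
    '    <Set name="ExcludeProtocols">')

# Hypothetical JVMs: both support every protocol but enable different defaults.
JVM_A = {"supported": ORDER, "enabled": ORDER}
JVM_B = {"supported": ORDER, "enabled": ["SSLv2Hello", "SSLv3", "TLSv1"]}

OLD_CLIENT = ["SSLv3", "TLSv1"]                  # tool too old for TLS 1.1/1.2
MODERN_CLIENT = ["TLSv1", "TLSv1.1", "TLSv1.2"]


def protocol_lists(config_xml):
    """Return (include, exclude) as set on the SslContextFactory element."""
    lists = {"IncludeProtocols": [], "ExcludeProtocols": []}
    for new in ET.fromstring(config_xml).iter("New"):
        if not new.get("class", "").endswith("SslContextFactory"):
            continue
        for setter in new.findall("Set"):
            if setter.get("name") in lists:
                lists[setter.get("name")] = [
                    item.text.strip() for item in setter.iter("Item") if item.text]
    return lists["IncludeProtocols"], lists["ExcludeProtocols"]


def effective_protocols(config_xml, jvm):
    """Protocols the server would actually offer on the given JVM."""
    include, exclude = protocol_lists(config_xml)
    if include:
        selected = [p for p in jvm["supported"] if p in include]
    else:
        selected = list(jvm["enabled"])
    return [p for p in selected if p not in exclude]


def handshake_outcome(server_protocols, client_protocols):
    """Say whether a client can complete a handshake, and why not if it cannot."""
    if not server_protocols:
        return "fail: server has no protocol enabled"
    common = [p for p in server_protocols if p in client_protocols]
    if not common:
        return "fail: client and server share no protocol"
    return "ok: " + max(common, key=ORDER.index)


if __name__ == "__main__":
    for jvm_name, jvm in (("JVM A", JVM_A), ("JVM B", JVM_B)):
        for label, cfg in (("exclude only", EXCLUDE_ONLY_XML),
                           ("include + exclude", INCLUDE_XML)):
            server = effective_protocols(cfg, jvm)
            print(jvm_name, "/", label, "->", server)
            print("   modern client:", handshake_outcome(server, MODERN_CLIENT))
            print("   old client:   ", handshake_outcome(server, OLD_CLIENT))
```

An empty result from `effective_protocols` is the case where every handshake fails regardless of certificate or client, which is worth ruling out before looking at the keystore.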

On 01/09/2015 10:12, "Andy Seaborne" <an...@apache.org> wrote:

>On 27/08/15 16:56, Jason Levitt wrote:
>> If I remove that line from my config file:
>>
>> <Set name="host">mysite.com</Set>
>>
>> And then run fuseki and try to connect, using openssl, I get:
>>
>> $ openssl s_client -connect mysite.com:8443
>> CONNECTED(00000003)
>> 5546:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_lib.c:185:
>>
>> I have no idea what this means -- probably a certificate mismatch(?).
>
>That could be what's happening - if the handshake is failing, I think it
>means the operation hasn't got near the level of dispatching to the
>index page.
>
>	Andy
>
>>
>> J
>>
>> On Thu, Aug 27, 2015 at 10:46 AM, Andy Seaborne <an...@apache.org> wrote:
>>> On 27/08/15 15:20, Jason Levitt wrote:
>>>>
>>>> Hi Andy,
>>>>
>>>>     Not only is Jetty 9.1 fairly different than Jetty 8, but the
>>>> current version of Jetty, 9.3 is somewhat different
>>>> than 9.1.  I will investigate further.
>>>
>>>
>>> I just tried out 9.3 by flipping the version to 9.3.2.v20150730 and it
>>> seems OK (after 5 mins playing with it....).  So looks like the codebase
>>> can switch if that helps simplify things.
>>>
>>>          Andy
>>>
>>>
>>>
>>>>
>>>> J
>>>>
>>>> On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>
>>>>> Jason - thank you for pushing on with this.  It seems a lot of Jetty
>>>>> has changed Jetty8->Jetty9.1 in this area which is all news to me.
>>>>>
>>>>> On 27/08/15 06:09, Jason Levitt wrote:
>>>>>>
>>>>>>
>>>>>> Making some progress but things still don't work.
>>>>>>
>>>>>> The startup log (edited) looks like this (domain name changed to
>>>>>> mysite.com):
>>>>>
>>>>>
>>>>>
>>>>> This looks like it is because it's asking to run on an address that
>>>>> isn't the local machine for some reason.  It does not look like
>>>>> something on the same port because it is (usually)
>>>>>
>>>>> "java.net.BindException: Address already in use"
>>>>>
>>>>> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>>>>>
>>>>> Your config does not set the host but maybe the IP config is getting
>>>>> in the way. This is EC2 so does the real DNS name resolve to the IP
>>>>> address of a local interface?  Does using "localhost" work (= do
>>>>> something different)?
>>>>>
>>>>> That's the best clue I could find on StackOverflow.  I haven't found
>>>>> a way to get the same error message using plain HTTP on a non-EC2
>>>>> machine though.
>>>>>
>>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed to start server: Cannot assign requested address
>>>>>
>>>>>
>>>>> port=0 looks weird though if you are taking control with the config
>>>>> file that is possible due to the earlier error.
>>>>>
>>>>> What is printed is serverConnector.getPort() and serverConnector is
>>>>> the first/only configured ServerConnector.
>>>>>
>>>>>           Andy
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file = myconfig.xml
>>>>>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0 2015-07-25T17:11:28+0000
>>>>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>>>>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_BASE=/home/ec2-user/fuseki/run
>>>>>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>>>>>> [2015-08-27 03:56:03] Config     INFO  Shiro file: file:///home/ec2-user/fuseki/run/shiro.ini
>>>>>> [2015-08-27 03:56:03] Config     INFO  Template file: templates/config-tdb-dir
>>>>>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>>>>>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}: java.net.BindException: Cannot assign requested address
>>>>>> java.net.BindException: Cannot assign requested address
>>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>>> ....
>>>>>> ....
>>>>>> ....
>>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot assign requested address
>>>>>> java.net.BindException: Cannot assign requested address
>>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>>> ....
>>>>>> ....
>>>>>> ....
>>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed to start server: Cannot assign requested address
>>>>>>
>>>>>>
>>>>>> And I'm running fuseki 2.3.0 with this command:
>>>>>>
>>>>>> nohup ./fuseki-server --port 8443 --update --jetty-config=myconfig.xml --loc=ds /ds
>>>>>>
>>>>>>
>>>>>> The "myconfig.xml" file is below (I've already added my certificate
>>>>>> and key to the Java 8 JSSE):
>>>>>>
>>>>>> <?xml version="1.0"?>
>>>>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
>>>>>>
>>>>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>>>>   <Call name="addConnector">
>>>>>>     <Arg>
>>>>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>>         <Arg name="factories">
>>>>>>           <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>>             <Item>
>>>>>>               <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>>                 <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>>>               </New>
>>>>>>             </Item>
>>>>>>           </Array>
>>>>>>         </Arg>
>>>>>>       </New>
>>>>>>     </Arg>
>>>>>>   </Call>
>>>>>>
>>>>>>   <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>>>>     <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>>>>>     <Set name="KeyStorePassword">somepassword</Set>
>>>>>>     <Set name="KeyManagerPassword">somepassword</Set>
>>>>>>     <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>>>>>     <Set name="TrustStorePassword">somepassword</Set>
>>>>>>   </New>
>>>>>>
>>>>>>   <Call id="sslConnector" name="addConnector">
>>>>>>     <Arg>
>>>>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>>         <Arg name="factories">
>>>>>>           <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>>             <Item>
>>>>>>               <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>>>>>                 <Arg name="next">http/1.1</Arg>
>>>>>>                 <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
>>>>>>               </New>
>>>>>>             </Item>
>>>>>>             <Item>
>>>>>>               <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>>                 <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>>>>>               </New>
>>>>>>             </Item>
>>>>>>           </Array>
>>>>>>         </Arg>
>>>>>>         <Set name="host"><Property name="jetty.host"/></Set>
>>>>>>         <Set name="port"><Property name="jetty.tls.port" default="8443" /></Set>
>>>>>>         <Set name="idleTimeout">30000</Set>
>>>>>>         <Set name="host">mysite.com</Set>
>>>>>>       </New>
>>>>>>     </Arg>
>>>>>>   </Call>
>>>>>>
>>>>>> </Configure>
>>>>>>
>>>>>> ===================================
>>>>>>
>>>>>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com> wrote:
>>>>>>>
>>>>>>> I can't find any examples of the file that you hand to
>>>>>>> "--jetty-config"
>>>>>>>
>>>>>>> The "official" jetty docs for configuring SSL imply that there are
>>>>>>> two configuration files,
>>>>>>>     jetty-ssl-context.xml and  jetty-https.xml.
>>>>>>>
>>>>>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>>>>>
>>>>>>> The example that you cite:
>>>>>>>
>>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>>
>>>>>>> says that: "This configuration must be used in conjunction with
>>>>>>> jetty.xml and jetty-ssl.xml"
>>>>>>>
>>>>>>> Where do these files go? The Fuseki download does not have any
>>>>>>> "etc" directory or any xml configuration files at all.
>>>>>>>
>>>>>>> So, I tried handing some XML config files to Fuseki using
>>>>>>> --jetty-config and it gives very little
>>>>>>> info in the error (see below). Has anyone actually successfully run
>>>>>>> Fuseki over SSL?
>>>>>>>
>>>>>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file = ./jetty-https.xml
>>>>>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to configure server: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>>> java.lang.IllegalStateException: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server using configuration file './jetty-https.xml'
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>>>
>>>>>>> J
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>>
>>>>>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>>>>>
>>>>>>>>> Thanks. So I can still use the "--jetty-config" option with
>>>>>>>>> Fuseki v2.30 ?
>>>>>>>>>
>>>>>>>>> J
>>>>>>>>
>>>>>>>> Yes, should work to pass in the file.  There was a major jetty
>>>>>>>> version change (8 to 9) and what effect that has had on that option
>>>>>>>> is unclear to me. Connector changed Jetty 8->9
>>>>>>>>
>>>>>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>>>>>
>>>>>>>> and their example:
>>>>>>>>
>>>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>>>
>>>>>>>> It would be good to add this to the distribution - if you or
>>>>>>>> anyone else has a working version, I'd be very grateful to get a
>>>>>>>> copy.
>>>>>>>>
>>>>>>>>            Andy
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>>>>>
>>>>>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>>>>>
>>>>>>>>>>> J
>>>>>>>>>>
>>>>>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>>>>>
>>>>>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>>>>>
>>>>>>>>>>             Andy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>>>>>> setting up Jetty.
>>>>>>>>>>>>
>>>>>>>>>>>> Here's one in the examples/ area but as far as I can tell it's
>>>>>>>>>>>> more in the category of "should work" (it is from Fuseki1 and
>>>>>>>>>>>> that was a different version of Jetty) rather than tested.
>>>>>>>>>>>>
>>>>>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>>>>>
>>>>>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>>>>>
>>>>>>>>>>>>              Andy
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty.
>>>>>>>>>>>>> It only talks to internal machines so there is no need to
>>>>>>>>>>>>> protect it from external exposure.  So that means that the
>>>>>>>>>>>>> easiest way is to use the `--jetty-config` flag to set up HTTPS
>>>>>>>>>>>>> to Jetty?  Are there any docs on what the options are for that
>>>>>>>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>>>>>>>
>>>>>>>>>>>>> J
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful
>>>>>>>>>>>>>> for several things and while there is nothing that forces a
>>>>>>>>>>>>>> reverse proxy, the weight of features can mean it's a useful
>>>>>>>>>>>>>> and flexible thing to put into a production system.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>>>>>          (manic crawlers, badly written PHP scripts)
>>>>>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>>>>>          Java web containers just aren't as good under silly
>>>>>>>>>>>>>>          load conditions.
>>>>>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>>>>>          E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>>>>>> 4/ Security
>>>>>>>>>>>>>>          integrate with local systems; rich choice of controls.
>>>>>>>>>>>>>>          Control who and what can update
>>>>>>>>>>>>>>          No need to restart for shiro changes.
>>>>>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>>>>>> network interface. In an environment like AWS, where port
>>>>>>>>>>>>>> control is easy, it's trivial to secure the Fuseki server to
>>>>>>>>>>>>>> only talk to the local reverse proxy by blocking all ports
>>>>>>>>>>>>>> except (22 and) 80+443.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>               Andy
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I checked more carefully (should have done that before
>>>>>>>>>>>>>>> replying) and it seems that Fuseki 2 also offers the
>>>>>>>>>>>>>>> `--jetty-config` flag for using a Jetty configuration that
>>>>>>>>>>>>>>> supports HTTPS:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g.
>>>>>>>>>>>>>>>> Tomcat or Jetty) or using the server included with Fuseki and
>>>>>>>>>>>>>>>> is it Fuseki 1 or 2?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If the former, you will need to supply configuration specific
>>>>>>>>>>>>>>>> to that container. If the latter and it is Fuseki 1, there is
>>>>>>>>>>>>>>>> a Stack Overflow answer for it:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>>>>>>>>> Jetty configuration (Jetty is the servlet container that the
>>>>>>>>>>>>>>>> Fuseki command uses).
>>>>>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could
>>>>>>>>>>>>>>>> use a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jason
>
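
The two bind errors distinguished in the quoted discussion above (`Cannot assign requested address` versus `Address already in use`) can be told apart before the server is started. This is an added example, not part of the thread: `classify_bind` is a hypothetical helper, it is IPv4-only, and 192.0.2.10 is a documentation address standing in for a host name that resolves to an address no local interface owns.

```python
"""Check whether a host:port pair can be bound locally, and if not, why."""
import errno
import socket

ADVICE = {
    "ok": "address is local and the port is free",
    "not-local": "name resolves to an address no local interface owns "
                 "(Java reports 'Cannot assign requested address')",
    "in-use": "another socket already holds the port "
              "(Java reports 'Address already in use')",
    "unresolvable": "host name does not resolve",
}


def classify_bind(host, port):
    """Resolve host and try to bind a TCP socket to it, as a connector would.

    Returns (verdict, ip); verdict is one of the keys of ADVICE.
    """
    try:
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable", None
    ip = info[0][4][0]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((ip, port))
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return "not-local", ip
        if exc.errno == errno.EADDRINUSE:
            return "in-use", ip
        raise  # e.g. EACCES for a privileged port: report it unchanged
    finally:
        probe.close()
    return "ok", ip


def demo():
    """Exercise the three outcomes with constructed, offline inputs."""
    results = {
        "loopback": classify_bind("127.0.0.1", 0),    # port 0: any free port
        "foreign": classify_bind("192.0.2.10", 0),    # TEST-NET-1, not ours
    }
    # Occupy a port ourselves, then probe the same port.
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    try:
        results["occupied"] = classify_bind("127.0.0.1", holder.getsockname()[1])
    finally:
        holder.close()
    return results


if __name__ == "__main__":
    for case, (verdict, ip) in demo().items():
        print(f"{case:9s} {ip}: {verdict} ({ADVICE[verdict]})")
```

Running `classify_bind` with the value given to `<Set name="host">` and the connector port shows which of the two causes applies on the machine in question.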





Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 27/08/15 16:56, Jason Levitt wrote:
> If I remove that line from my config file:
>
> <Set name="host">mysite.com</Set>
>
> And then run fuseki and try to connect, using openssl, I get:
>
> $ openssl s_client -connect mysite.com:8443
> CONNECTED(00000003)
> 5546:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_lib.c:185:
>
> I have no idea what this means -- probably a certificate mismatch(?).

That could be what's happening - if the handshake is failing, I think it 
means the operation hasn't got near the level of dispatching to the 
index page.

	Andy

>
> J
>
> On Thu, Aug 27, 2015 at 10:46 AM, Andy Seaborne <an...@apache.org> wrote:
>> On 27/08/15 15:20, Jason Levitt wrote:
>>>
>>> Hi Andy,
>>>
>>>     Not only is Jetty 9.1 fairly different than Jetty 8, but the current
>>> version of Jetty, 9.3 is somewhat different
>>> than 9.1.  I will investigate further.
>>
>>
>> I just tried out 9.3 by flipping the version to 9.3.2.v20150730 and it seems
>> OK (after 5 mins playing with it....).  So looks like the codebase can
>> switch if that helps simplify things.
>>
>>          Andy
>>
>>
>>
>>>
>>> J
>>>
>>> On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> Jason - thank you for pushing on with this.  It seems a lot of Jetty has
>>>> changed Jetty8->Jetty9.1 in this area which is all news to me.
>>>>
>>>> On 27/08/15 06:09, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Making some progress but things still don't work.
>>>>>
>>>>> The startup log (edited) looks like this (domain name changed to
>>>>> mysite.com):
>>>>
>>>>
>>>>
>>>> This looks like it is because it's asking to run on an address that isn't
>>>> the local machine for some reason.  It does not look like something on the
>>>> same port because it is (usually)
>>>>
>>>> "java.net.BindException: Address already in use"
>>>>
>>>> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>>>>
>>>> Your config does not set the host but maybe the IP config is getting in
>>>> the way. This is EC2 so does the real DNS name resolve to the IP address
>>>> of a local interface?  Does using "localhost" work (= do something
>>>> different)?
>>>>
>>>> That's the best clue I could find on StackOverflow.  I haven't found a
>>>> way to get the same error message using plain HTTP on a non-EC2 machine
>>>> though.
>>>>
>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed to start server: Cannot assign requested address
>>>>
>>>>
>>>> port=0 looks weird though if you are taking control with the config file
>>>> that is possible due to the earlier error.
>>>>
>>>> What is printed is serverConnector.getPort() and serverConnector is the
>>>> first/only configured ServerConnector.
>>>>
>>>>           Andy
>>>>
>>>>
>>>>
>>>>>
>>>>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file = myconfig.xml
>>>>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0 2015-07-25T17:11:28+0000
>>>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>>>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_BASE=/home/ec2-user/fuseki/run
>>>>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>>>>> [2015-08-27 03:56:03] Config     INFO  Shiro file: file:///home/ec2-user/fuseki/run/shiro.ini
>>>>> [2015-08-27 03:56:03] Config     INFO  Template file: templates/config-tdb-dir
>>>>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>>>>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}: java.net.BindException: Cannot assign requested address
>>>>> java.net.BindException: Cannot assign requested address
>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>> ....
>>>>> ....
>>>>> ....
>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot assign requested address
>>>>> java.net.BindException: Cannot assign requested address
>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>> ....
>>>>> ....
>>>>> ....
>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed to start server: Cannot assign requested address
>>>>>
>>>>>
>>>>> And I'm running fuseki 2.3.0 with this command:
>>>>>
>>>>> nohup ./fuseki-server --port 8443 --update --jetty-config=myconfig.xml --loc=ds /ds
>>>>>
>>>>>
>>>>> The "myconfig.xml" file is below (I've already added my certificate
>>>>> and key to the Java 8 JSSE):
>>>>>
>>>>> <?xml version="1.0"?>
>>>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
>>>>>
>>>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>>>   <Call name="addConnector">
>>>>>     <Arg>
>>>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>         <Arg name="factories">
>>>>>           <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>             <Item>
>>>>>               <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>                 <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>>               </New>
>>>>>             </Item>
>>>>>           </Array>
>>>>>         </Arg>
>>>>>       </New>
>>>>>     </Arg>
>>>>>   </Call>
>>>>>
>>>>>   <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>>>     <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>>>>     <Set name="KeyStorePassword">somepassword</Set>
>>>>>     <Set name="KeyManagerPassword">somepassword</Set>
>>>>>     <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>>>>     <Set name="TrustStorePassword">somepassword</Set>
>>>>>   </New>
>>>>>
>>>>>   <Call id="sslConnector" name="addConnector">
>>>>>     <Arg>
>>>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>         <Arg name="factories">
>>>>>           <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>             <Item>
>>>>>               <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>>>>                 <Arg name="next">http/1.1</Arg>
>>>>>                 <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
>>>>>               </New>
>>>>>             </Item>
>>>>>             <Item>
>>>>>               <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>                 <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>>>>               </New>
>>>>>             </Item>
>>>>>           </Array>
>>>>>         </Arg>
>>>>>         <Set name="host"><Property name="jetty.host"/></Set>
>>>>>         <Set name="port"><Property name="jetty.tls.port" default="8443" /></Set>
>>>>>         <Set name="idleTimeout">30000</Set>
>>>>>         <Set name="host">mysite.com</Set>
>>>>>       </New>
>>>>>     </Arg>
>>>>>   </Call>
>>>>>
>>>>> </Configure>
>>>>>
>>>>> ===================================
>>>>>
>>>>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> I can't find any examples of the file that you hand to
>>>>>> "--jetty-config"
>>>>>>
>>>>>> The "official" jetty docs for configuring SSL imply that there are two
>>>>>> configuration files,
>>>>>>     jetty-ssl-context.xml and  jetty-https.xml.
>>>>>>
>>>>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>>>>
>>>>>> The example that you cite:
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>
>>>>>> says that: "This configuration must be used in conjunction with
>>>>>> jetty.xml and jetty-ssl.xml"
>>>>>>
>>>>>> Where do these files go? The Fuseki download does not have any "etc"
>>>>>> directory or
>>>>>> any xml configuration files at all.
>>>>>>
>>>>>> So, I tried handing some XML config files to Fuseki using
>>>>>> --jetty-config and it gives very little
>>>>>> info in the error (see below). Has anyone actually successfully run
>>>>>> Fuseki over SSL?
>>>>>>
>>>>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>>>>> ./jetty-https.xml
>>>>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>>>>> configure server: Unknown configuration type: Call in
>>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>> java.lang.IllegalStateException: Unknown configuration type: Call in
>>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>>>>>> using configuration file './jetty-https.xml'
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>>
>>>>>> J
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki
>>>>>>>> v2.30 ?
>>>>>>>>
>>>>>>>> J
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Yes, should work to pass in the file.  There was a major jetty version
>>>>>>> change (8 to 9) and what effect that has had on that option is unclear
>>>>>>> to
>>>>>>> me. Connector changed Jetty 8->9
>>>>>>>
>>>>>>>
>>>>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>>>>
>>>>>>> and their example:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>>
>>>>>>> It would be good to add this to the distribution - if you or anyone
>>>>>>> else
>>>>>>> has
>>>>>>> a working version, I'd be very grateful to get a copy.
>>>>>>>
>>>>>>>
>>>>>>>            Andy
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>>>>
>>>>>>>>>> J
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>>>>
>>>>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>>>>
>>>>>>>>>             Andy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>>>>> setting up Jetty.
>>>>>>>>>>>
>>>>>>>>>>> Here's one in the examples/ area but as far as I can tell it's
>>>>>>>>>>> more in the category of "should work" (it is from Fuseki1 and that
>>>>>>>>>>> was a different version of Jetty) rather than tested.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>>>>
>>>>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>>>>
>>>>>>>>>>>              Andy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty.
>>>>>>>>>>>> It
>>>>>>>>>>>> only talks to internal machines so there
>>>>>>>>>>>> is no need to protect it from external exposure.  So that means
>>>>>>>>>>>> that
>>>>>>>>>>>> the easiest way is to use the
>>>>>>>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any
>>>>>>>>>>>> docs
>>>>>>>>>>>> on
>>>>>>>>>>>> what the options are for that
>>>>>>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>>>>>>
>>>>>>>>>>>> J
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful
>>>>>>>>>>>>> for several things and while there is nothing that forces a
>>>>>>>>>>>>> reverse proxy, the weight of features can mean it's a useful and
>>>>>>>>>>>>> flexible thing to put into a production system.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>>>>          (manic crawlers, badly written PHP scripts)
>>>>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>>>>          Java web containers just aren't as good under silly load
>>>>>>>>>>>>>          conditions.
>>>>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>>>>          E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>>>>> 4/ Security
>>>>>>>>>>>>>          integrate with local systems; rich choice of controls.
>>>>>>>>>>>>>          Control who and what can update
>>>>>>>>>>>>>          No need to restart for shiro changes.
>>>>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>>>>> network interface. In an environment like AWS, where port control
>>>>>>>>>>>>> is easy, it's trivial to secure the Fuseki server to only talk to
>>>>>>>>>>>>> the local reverse proxy by blocking all ports except (22 and)
>>>>>>>>>>>>> 80+443.
>>>>>>>>>>>>>
>>>>>>>>>>>>>               Andy
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I checked more carefully (should have done that before
>>>>>>>>>>>>>> replying) and it seems that Fuseki 2 also offers the
>>>>>>>>>>>>>> `--jetty-config` flag for using a Jetty configuration that
>>>>>>>>>>>>>> supports HTTPS:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a
>>>>>>>>>>>>>> Jetty XML file
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g.
>>>>>>>>>>>>>>> Tomcat or Jetty) or using the server included with Fuseki and
>>>>>>>>>>>>>>> is it Fuseki 1 or 2?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If the former, you will need to supply configuration specific
>>>>>>>>>>>>>>> to that container. If the latter and it is Fuseki 1, there is a
>>>>>>>>>>>>>>> Stack Overflow answer for it:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>>>>>>>> Jetty configuration (Jetty is the servlet container that the
>>>>>>>>>>>>>>> Fuseki command uses).
>>>>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could
>>>>>>>>>>>>>>> use a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jason
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>
>>
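The check suggested in the quoted reply above (does the configured host resolve to an address on a local interface, or is the port simply taken?), written out as an added example that is not part of the original thread. It uses only Python's standard `socket` module; the function names are this example's own, and the addresses in the demo are constructed (192.0.2.1 comes from the RFC 5737 documentation range).

```python
"""Tell 'address is not on this machine' apart from 'port is already taken'."""
import errno
import socket

# The JVM puts the operating system's error text into BindException, so the
# two messages quoted in the thread correspond to these errno values.
VERDICTS = {
    errno.EADDRNOTAVAIL: "not-local",  # "Cannot assign requested address"
    errno.EADDRINUSE: "in-use",        # "Address already in use"
    errno.EACCES: "no-permission",     # e.g. a port below 1024 without privileges
}


def try_bind(family, sockaddr):
    """Attempt a TCP bind to sockaddr; return 'ok' or a verdict string."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        try:
            sock.bind(sockaddr)
        except OSError as exc:
            return VERDICTS.get(exc.errno, "error-%s" % exc.errno)
    return "ok"


def diagnose(host, port):
    """Resolve host as a server would and test a bind on every address.

    Returns a list of (ip, verdict) pairs, one per distinct resolved address.
    A 'not-local' verdict means the name resolves to an address that no
    interface on this machine owns, so a connector configured with that host
    cannot start; leaving the host unset binds to all local interfaces.
    """
    results = []
    seen = set()
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in seen:
            continue
        seen.add(ip)
        results.append((ip, try_bind(family, sockaddr)))
    return results


if __name__ == "__main__":
    # Constructed inputs: loopback is always local, 192.0.2.1 never is.
    for name in ("127.0.0.1", "192.0.2.1"):
        for ip, verdict in diagnose(name, 8443):
            print("%-12s -> %-12s %s" % (name, ip, verdict))
```

Run it on the server itself with the host name from the connector configuration in place of the constructed addresses.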


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
It seems that there might be some modifications to fuseki's shiro.ini file
that could help things, but I'm just not sure.

J

On Thu, Aug 27, 2015 at 10:56 AM, Jason Levitt <sl...@gmail.com> wrote:
> If I remove that line from my config file:
>
> <Set name="host">mysite.com</Set>
>
> And then run fuseki and try to connect, using openssl, I get:
>
> $ openssl s_client -connect mysite.com:8443
> CONNECTED(00000003)
> 5546:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_lib.c:185:
>
> I have no idea what this means -- probably a certificate mismatch(?).
>
> J
>
> On Thu, Aug 27, 2015 at 10:46 AM, Andy Seaborne <an...@apache.org> wrote:
>> On 27/08/15 15:20, Jason Levitt wrote:
>>>
>>> Hi Andy,
>>>
>>>    Not only is Jetty 9.1 fairly different than Jetty 8, but the current
>>> version of Jetty, 9.3 is somewhat different
>>> than 9.1.  I will investigate further.
>>
>>
>> I just tried out 9.3 by flipping the version to 9.3.2.v20150730 and it seems
>> OK (after 5 mins playing with it....).  So looks like the codebase can
>> switch if that helps simplify things.
>>
>>         Andy
>>
>>
>>
>>>
>>> J
>>>
>>> On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> Jason - thank you for pushing on with this.  It seems a lot of Jetty has
>>>> changed Jetty8->Jetty9.1 in this area which is all news to me.
>>>>
>>>> On 27/08/15 06:09, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Making some progress but things still don't work.
>>>>>
>>>>> The startup log (edited) looks like this (domain name changed to
>>>>> mysite.com):
>>>>
>>>>
>>>>
>>>> This looks like it is because it's asking to run on an address that isn't
>>>> the local machine for some reason.  It does not look like something on the
>>>> same port because it is (usually)
>>>>
>>>> "java.net.BindException: Address already in use"
>>>>
>>>> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>>>>
>>>> Your config does not set the host but maybe the IP config is getting in
>>>> the way. This is EC2 so does the real DNS name resolve to the IP address of a
>>>> local interface?  Does using "localhost" work (= do something different)?
>>>>
>>>> That's the best clue I could find on StackOverflow.  I haven't found a
>>>> way to get the same error message using plain HTTP on a non-EC2 machine
>>>> though.
>>>>
>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>>>> to start server: Cannot assign requested address
>>>>
>>>>
>>>> port=0 looks weird though if you are taking control with the config file
>>>> that is possible due to the earlier error.
>>>>
>>>> What is printed is serverConnector.getPort() and serverConnector is the
>>>> first/only configured ServerConnector.
>>>>
>>>>          Andy
>>>>
>>>>
>>>>
>>>>>
>>>>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file =
>>>>> myconfig.xml
>>>>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0
>>>>> 2015-07-25T17:11:28+0000
>>>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>>>>> [2015-08-27 03:56:03] Config     INFO
>>>>> FUSEKI_BASE=/home/ec2-user/fuseki/run
>>>>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>>>>> [2015-08-27 03:56:03] Config     INFO  Shiro file:
>>>>> file:///home/ec2-user/fuseki/run/shiro.ini
>>>>> [2015-08-27 03:56:03] Config     INFO  Template file:
>>>>> templates/config-tdb-dir
>>>>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>>>>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>>>> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
>>>>> java.net.BindException: Cannot assign requested address
>>>>> java.net.BindException: Cannot assign requested address
>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>> ....
>>>>> ....
>>>>> ....
>>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>>>> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot
>>>>> assign requested address
>>>>> java.net.BindException: Cannot assign requested address
>>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>>> ....
>>>>> ....
>>>>> ....
>>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>>>> to start server: Cannot assign requested address
>>>>>
>>>>>
>>>>> And I'm running fuseki 2.3.0 with this command:
>>>>>
>>>>> nohup ./fuseki-server --port 8443 --update
>>>>> --jetty-config=myconfig.xml --loc=ds /ds
>>>>>
>>>>>
>>>>> The "myconfig.xml" file is below (I've already added my certificate
>>>>> and key to the Java 8 JSSE):
>>>>>
>>>>> <?xml version="1.0"?>
>>>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>>>> "http://www.eclipse.org/jetty/configure.dtd">
>>>>>
>>>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>>>     <Call name="addConnector">
>>>>>       <Arg>
>>>>>         <New class="org.eclipse.jetty.server.ServerConnector">
>>>>> <Arg name="server"><Ref refid="Server" /></Arg>
>>>>> <Arg name="factories">
>>>>>    <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>      <Item>
>>>>>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>>        </New>
>>>>>      </Item>
>>>>>    </Array>
>>>>> </Arg>
>>>>>         </New>
>>>>>       </Arg>
>>>>>     </Call>
>>>>>
>>>>> <New id="sslContextFactory"
>>>>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>>>     <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>>>>     <Set name="KeyStorePassword">somepassword</Set>
>>>>>     <Set name="KeyManagerPassword">somepassword</Set>
>>>>>     <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>>>>     <Set name="TrustStorePassword">somepassword</Set>
>>>>> </New>
>>>>>
>>>>> <Call id="sslConnector" name="addConnector">
>>>>>     <Arg>
>>>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>>>           <Arg name="factories">
>>>>>             <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>>               <Item>
>>>>>                 <New
>>>>> class="org.eclipse.jetty.server.SslConnectionFactory">
>>>>>                   <Arg name="next">http/1.1</Arg>
>>>>>                   <Arg name="sslContextFactory"><Ref
>>>>> refid="sslContextFactory"/></Arg>
>>>>>                 </New>
>>>>>               </Item>
>>>>>               <Item>
>>>>>                 <New
>>>>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>>                   <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>>>>                 </New>
>>>>>               </Item>
>>>>>             </Array>
>>>>>           </Arg>
>>>>>           <Set name="host"><Property name="jetty.host"/></Set>
>>>>>           <Set name="port"><Property name="jetty.tls.port"
>>>>> default="8443"
>>>>> /></Set>
>>>>>           <Set name="idleTimeout">30000</Set>
>>>>>           <Set name="host">mysite.com</Set>
>>>>>         </New>
>>>>>     </Arg>
>>>>> </Call>
>>>>>
>>>>> </Configure>
>>>>>
>>>>> ===================================
>>>>>
>>>>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> I can't find any examples of the file that you hand to
>>>>>> "--jetty-config"
>>>>>>
>>>>>> The "official" jetty docs for configuring SSL imply that there are two
>>>>>> configuration files,
>>>>>>    jetty-ssl-context.xml and  jetty-https.xml.
>>>>>>
>>>>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>>>>
>>>>>> The example that you cite:
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>
>>>>>> says that: "This configuration must be used in conjunction with
>>>>>> jetty.xml and jetty-ssl.xml"
>>>>>>
>>>>>> Where do these files go? The Fuseki download does not have any "etc"
>>>>>> directory or
>>>>>> any xml configuration files at all.
>>>>>>
>>>>>> So, I tried handing some XML config files to Fuseki using
>>>>>> --jetty-config and it gives very little
>>>>>> info in the error (see below). Has anyone actually successfully run
>>>>>> Fuseki over SSL?
>>>>>>
>>>>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>>>>> ./jetty-https.xml
>>>>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>>>>> configure server: Unknown configuration type: Call in
>>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>> java.lang.IllegalStateException: Unknown configuration type: Call in
>>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>>>>>> using configuration file './jetty-https.xml'
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>>
>>>>>> J
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki
>>>>>>>> v2.30 ?
>>>>>>>>
>>>>>>>> J
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Yes, should work to pass in the file.  There was a major jetty version
>>>>>>> change (8 to 9) and what effect that has had on that option is unclear
>>>>>>> to
>>>>>>> me. Connector changed Jetty 8->9
>>>>>>>
>>>>>>>
>>>>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>>>>
>>>>>>> and their example:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>>
>>>>>>> It would be good to add this to the distribution - if you or anyone
>>>>>>> else
>>>>>>> has
>>>>>>> a working version, I'd be very grateful to get a copy.
>>>>>>>
>>>>>>>
>>>>>>>           Andy
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>>>>
>>>>>>>>>> J
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>>>>
>>>>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>>>>
>>>>>>>>>            Andy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>>>>> setting up Jetty.
>>>>>>>>>>>
>>>>>>>>>>> Here's one in the examples/ area but as far as I can tell it's
>>>>>>>>>>> more in the category of "should work" (it is from Fuseki1 and that
>>>>>>>>>>> was a different version of Jetty) rather than tested.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>>>>
>>>>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>>>>
>>>>>>>>>>>             Andy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty.
>>>>>>>>>>>> It
>>>>>>>>>>>> only talks to internal machines so there
>>>>>>>>>>>> is no need to protect it from external exposure.  So that means
>>>>>>>>>>>> that
>>>>>>>>>>>> the easiest way is to use the
>>>>>>>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any
>>>>>>>>>>>> docs
>>>>>>>>>>>> on
>>>>>>>>>>>> what the options are for that
>>>>>>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>>>>>>
>>>>>>>>>>>> J
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful
>>>>>>>>>>>>> for several things and while there is nothing that forces a
>>>>>>>>>>>>> reverse proxy, the weight of features can mean it's a useful and
>>>>>>>>>>>>> flexible thing to put into a production system.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>>>>         (manic crawlers, badly written PHP scripts)
>>>>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>>>>         Java web containers just aren't as good under silly load
>>>>>>>>>>>>>         conditions.
>>>>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>>>>         E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>>>>> 4/ Security
>>>>>>>>>>>>>         integrate with local systems; rich choice of controls.
>>>>>>>>>>>>>         Control who and what can update
>>>>>>>>>>>>>         No need to restart for shiro changes.
>>>>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>>>>> network interface. In an environment like AWS, where port control
>>>>>>>>>>>>> is easy, it's trivial to secure the Fuseki server to only talk to
>>>>>>>>>>>>> the local reverse proxy by blocking all ports except (22 and)
>>>>>>>>>>>>> 80+443.
>>>>>>>>>>>>>
>>>>>>>>>>>>>              Andy
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I checked more carefully (should have done that before
>>>>>>>>>>>>>> replying) and it seems that Fuseki 2 also offers the
>>>>>>>>>>>>>> `--jetty-config` flag for using a Jetty configuration that
>>>>>>>>>>>>>> supports HTTPS:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a
>>>>>>>>>>>>>> Jetty XML file
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g.
>>>>>>>>>>>>>>> Tomcat or Jetty) or using the server included with Fuseki and
>>>>>>>>>>>>>>> is it Fuseki 1 or 2?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If the former, you will need to supply configuration specific
>>>>>>>>>>>>>>> to that container. If the latter and it is Fuseki 1, there is a
>>>>>>>>>>>>>>> Stack Overflow answer for it:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>>>>>>>> Jetty configuration (Jetty is the servlet container that the
>>>>>>>>>>>>>>> Fuseki command uses).
>>>>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could
>>>>>>>>>>>>>>> use a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jason
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>
>>

Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
If I remove that line from my config file:

<Set name="host">mysite.com</Set>

And then run fuseki and try to connect, using openssl, I get:

$ openssl s_client -connect mysite.com:8443
CONNECTED(00000003)
5546:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_lib.c:185:

I have no idea what this means -- probably a certificate mismatch(?).

J

On Thu, Aug 27, 2015 at 10:46 AM, Andy Seaborne <an...@apache.org> wrote:
> On 27/08/15 15:20, Jason Levitt wrote:
>>
>> Hi Andy,
>>
>>    Not only is Jetty 9.1 fairly different than Jetty 8, but the current
>> version of Jetty, 9.3 is somewhat different
>> than 9.1.  I will investigate further.
>
>
> I just tried out 9.3 by flipping the version to 9.3.2.v20150730 and it seems
> OK (after 5 mins playing with it....).  So looks like the codebase can
> switch if that helps simplify things.
>
>         Andy
>
>
>
>>
>> J
>>
>> On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
>>>
>>> Jason - thank you for pushing on with this.  It seems a lot of Jetty has
>>> changed Jetty8->Jetty9.1 in this area which is all news to me.
>>>
>>> On 27/08/15 06:09, Jason Levitt wrote:
>>>>
>>>>
>>>> Making some progress but things still don't work.
>>>>
>>>> The startup log (edited) looks like this (domain name changed to
>>>> mysite.com):
>>>
>>>
>>>
>>> This looks like it is because it's asking to run on an address that isn't
>>> the local machine for some reason.  It does not look like something on the
>>> same port because it is (usually)
>>>
>>> "java.net.BindException: Address already in use"
>>>
>>> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>>>
>>> Your config does not set the host but maybe the IP config is getting in
>>> the way. This is EC2 so does the real DNS name resolve to the IP address of
>>> a local interface?  Does using "localhost" work (= do something different)?
>>>
>>> That's the best clue I could find on StackOverflow.  I haven't found a
>>> way to get the same error message using plain HTTP on a non-EC2 machine
>>> though.
>>>
>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>>> to start server: Cannot assign requested address
>>>
>>>
>>> port=0 looks weird though if you are taking control with the config file
>>> that is possible due to the earlier error.
>>>
>>> What is printed is serverConnector.getPort() and serverConnector is the
>>> first/only configured ServerConnector.
>>>
>>>          Andy
>>>
>>>
>>>
>>>>
>>>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file =
>>>> myconfig.xml
>>>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0
>>>> 2015-07-25T17:11:28+0000
>>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>>>> [2015-08-27 03:56:03] Config     INFO
>>>> FUSEKI_BASE=/home/ec2-user/fuseki/run
>>>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>>>> [2015-08-27 03:56:03] Config     INFO  Shiro file:
>>>> file:///home/ec2-user/fuseki/run/shiro.ini
>>>> [2015-08-27 03:56:03] Config     INFO  Template file:
>>>> templates/config-tdb-dir
>>>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>>>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>>> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
>>>> java.net.BindException: Cannot assign requested address
>>>> java.net.BindException: Cannot assign requested address
>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>> ....
>>>> ....
>>>> ....
>>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>>> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot
>>>> assign requested address
>>>> java.net.BindException: Cannot assign requested address
>>>> at sun.nio.ch.Net.bind0(Native Method)
>>>> at sun.nio.ch.Net.bind(Net.java:433)
>>>> at sun.nio.ch.Net.bind(Net.java:425)
>>>> ....
>>>> ....
>>>> ....
>>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>>> to start server: Cannot assign requested address
>>>>
>>>>
>>>> And I'm running fuseki 2.3.0 with this command:
>>>>
>>>> nohup ./fuseki-server --port 8443 --update
>>>> --jetty-config=myconfig.xml --loc=ds /ds
>>>>
>>>>
>>>> The "myconfig.xml" file is below (I've already added my certificate
>>>> and key to the Java 8 JSSE):
>>>>
>>>> <?xml version="1.0"?>
>>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>>> "http://www.eclipse.org/jetty/configure.dtd">
>>>>
>>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>>     <Call name="addConnector">
>>>>       <Arg>
>>>>         <New class="org.eclipse.jetty.server.ServerConnector">
>>>> <Arg name="server"><Ref refid="Server" /></Arg>
>>>> <Arg name="factories">
>>>>    <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>      <Item>
>>>>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>>        </New>
>>>>      </Item>
>>>>    </Array>
>>>> </Arg>
>>>>         </New>
>>>>       </Arg>
>>>>     </Call>
>>>>
>>>> <New id="sslContextFactory"
>>>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>>     <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>>>     <Set name="KeyStorePassword">somepassword</Set>
>>>>     <Set name="KeyManagerPassword">somepassword</Set>
>>>>     <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>>>     <Set name="TrustStorePassword">somepassword</Set>
>>>> </New>
>>>>
>>>> <Call id="sslConnector" name="addConnector">
>>>>     <Arg>
>>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>>           <Arg name="factories">
>>>>             <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>>               <Item>
>>>>                 <New
>>>> class="org.eclipse.jetty.server.SslConnectionFactory">
>>>>                   <Arg name="next">http/1.1</Arg>
>>>>                   <Arg name="sslContextFactory"><Ref
>>>> refid="sslContextFactory"/></Arg>
>>>>                 </New>
>>>>               </Item>
>>>>               <Item>
>>>>                 <New
>>>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>>                   <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>>>                 </New>
>>>>               </Item>
>>>>             </Array>
>>>>           </Arg>
>>>>           <Set name="host"><Property name="jetty.host"/></Set>
>>>>           <Set name="port"><Property name="jetty.tls.port"
>>>> default="8443"
>>>> /></Set>
>>>>           <Set name="idleTimeout">30000</Set>
>>>>           <Set name="host">mysite.com</Set>
>>>>         </New>
>>>>     </Arg>
>>>> </Call>
>>>>
>>>> </Configure>
>>>>
>>>> ===================================
>>>>
>>>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com>
>>>> wrote:
>>>>>
>>>>>
>>>>> I can't find any examples of the file that you hand to
>>>>> "--jetty-config"
>>>>>
>>>>> The "official" jetty docs for configuring SSL imply that there are two
>>>>> configuration files,
>>>>>    jetty-ssl-context.xml and  jetty-https.xml.
>>>>>
>>>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>>>
>>>>> The example that you cite:
>>>>>
>>>>>
>>>>>
>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>
>>>>> says that: "This configuration must be used in conjunction with
>>>>> jetty.xml and jetty-ssl.xml"
>>>>>
>>>>> Where do these files go? The Fuseki download does not have any "etc"
>>>>> directory or
>>>>> any xml configuration files at all.
>>>>>
>>>>> So, I tried handing some XML config files to Fuseki using
>>>>> --jetty-config and it gives very little
>>>>> info in the error (see below). Has anyone actually successfully run
>>>>> Fuseki over SSL?
>>>>>
>>>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>>>> ./jetty-https.xml
>>>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>>>> configure server: Unknown configuration type: Call in
>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>> java.lang.IllegalStateException: Unknown configuration type: Call in
>>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>>> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>>>> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>>>>> using configuration file './jetty-https.xml'
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>>
>>>>> J
>>>>>
>>>>>
>>>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>
>>>>>>
>>>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki
>>>>>>> v2.30 ?
>>>>>>>
>>>>>>> J
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Yes, should work to pass in the file.  There was a major jetty version
>>>>>> change (8 to 9) and what effect that has had on that option is unclear
>>>>>> to me. Connector changed Jetty 8->9
>>>>>>
>>>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>>>
>>>>>> and their example:
>>>>>>
>>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>>
>>>>>> It would be good to add this to the distribution - if you or anyone
>>>>>> else has a working version, I'd be very grateful to get a copy.
>>>>>>
>>>>>>
>>>>>>           Andy
>>>>>>
>>>>>>>
>>>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>>>
>>>>>>>>> J
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>>>
>>>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>>>
>>>>>>>>            Andy
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>>>> setting up Jetty.
>>>>>>>>>>
>>>>>>>>>> Here's one in the examples/ area but as far as I can tell it's
>>>>>>>>>> more in the category of "should work" (it is from Fuseki1 and that
>>>>>>>>>> was a different version of Jetty) rather than tested.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>>>
>>>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>>>
>>>>>>>>>>             Andy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty.
>>>>>>>>>>> It only talks to internal machines so there is no need to protect
>>>>>>>>>>> it from external exposure.  So that means that the easiest way is
>>>>>>>>>>> to use the `--jetty-config` flag to set up HTTPS to Jetty?  Are
>>>>>>>>>>> there any docs on what the options are for that config file (e.g.
>>>>>>>>>>> what goes into the config file)?
>>>>>>>>>>>
>>>>>>>>>>> J
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful
>>>>>>>>>>>> for several things and while there is nothing that forces a
>>>>>>>>>>>> reverse proxy, the weight of features can mean it's a useful and
>>>>>>>>>>>> flexible thing to put into a production system.
>>>>>>>>>>>>
>>>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>>>         (manic crawlers, badly written PHP scripts)
>>>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>>>         Java web containers just aren't as good under silly load
>>>>>>>>>>>>         conditions.
>>>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>>>         E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>>>> 4/ Security
>>>>>>>>>>>>         integrate with local systems; rich choice of controls.
>>>>>>>>>>>>         Control who and what can update
>>>>>>>>>>>>         No need to restart for shiro changes.
>>>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>>>
>>>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>>>> network interface. In an environment like AWS, where port control
>>>>>>>>>>>> is easy, it's trivial to secure the Fuseki server to only talk to
>>>>>>>>>>>> the local reverse proxy by blocking all ports except (22 and)
>>>>>>>>>>>> 80+443.
>>>>>>>>>>>>
>>>>>>>>>>>>              Andy
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I checked more carefully (should have done that before
>>>>>>>>>>>>> replying) and it seems that Fuseki 2 also offers the
>>>>>>>>>>>>> `--jetty-config` flag for using a Jetty configuration that
>>>>>>>>>>>>> supports HTTPS:
>>>>>>>>>>>>>
>>>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>>>>
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g.
>>>>>>>>>>>>>> Tomcat or Jetty) or using the server included with Fuseki and
>>>>>>>>>>>>>> is it Fuseki 1 or 2?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If the former, you will need to supply configuration specific
>>>>>>>>>>>>>> to that container. If the latter and it is Fuseki 1, there is
>>>>>>>>>>>>>> a Stack Overflow answer for it:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>>>>>>> Jetty configuration (Jetty is the servlet container that the
>>>>>>>>>>>>>> Fuseki command uses).
>>>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could
>>>>>>>>>>>>>> use a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jason
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>
>
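
Added example (not part of the original thread, and not Fuseki or Jetty code): a pre-flight check that reads the host and port a Jetty XML config gives each ServerConnector and attempts the same bind, separating "Cannot assign requested address" (the host does not map to a local interface) from "Address already in use". The function names are hypothetical, the sample config is constructed, and 192.0.2.10 (a documentation-range address) stands in for a name that resolves to a non-local address.

```python
"""Pre-flight check for the address a Jetty ServerConnector will bind to."""
import errno
import socket
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the connector settings that matter here.
# It keeps the two <Set name="host"> lines seen in the quoted myconfig.xml.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Set name="host"><Property name="jetty.host"/></Set>
        <Set name="port"><Property name="jetty.tls.port" default="8443"/></Set>
        <Set name="host">192.0.2.10</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

CONNECTOR = "org.eclipse.jetty.server.ServerConnector"


def _set_value(set_elem, props):
    """Value of a <Set>: a <Property> looked up in props, or literal text."""
    prop = set_elem.find("Property")
    if prop is not None:
        return props.get(prop.get("name"), prop.get("default"))
    text = (set_elem.text or "").strip()
    return text or None


def connector_binds(config_xml, props=None):
    """Return [(host, port)] for each ServerConnector; a later <Set> wins."""
    props = props or {}
    binds = []
    for new in ET.fromstring(config_xml).iter("New"):
        if new.get("class") != CONNECTOR:
            continue
        values = {"host": None, "port": None}
        for setter in new.findall("Set"):
            if setter.get("name") in values:
                values[setter.get("name")] = _set_value(setter, props)
        port = int(values["port"]) if values["port"] else 0
        binds.append((values["host"], port))
    return binds


def classify_bind(host, port):
    """Attempt the bind on this machine and name the failure mode."""
    try:
        # host=None with AI_PASSIVE yields the wildcard address (all interfaces).
        infos = socket.getaddrinfo(host, port, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM,
                                   flags=socket.AI_PASSIVE)
    except socket.gaierror:
        return "unresolvable"
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as probe:
        try:
            probe.bind(sockaddr)
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                # Java reports this as "Cannot assign requested address".
                return "not-a-local-address"
            if exc.errno == errno.EADDRINUSE:
                # Java reports this as "Address already in use".
                return "port-in-use"
            return "other: " + errno.errorcode.get(exc.errno, str(exc.errno))
    return "ok"


def check_config(config_xml, props=None):
    """Return [(host, port, verdict)] for every connector in the config."""
    return [(host, port, classify_bind(host, port))
            for host, port in connector_binds(config_xml, props)]


if __name__ == "__main__":
    for host, port, verdict in check_config(SAMPLE_CONFIG):
        print(f"{host or '*'}:{port} -> {verdict}")
```

Run it on the server itself, since the verdict depends on that machine's interfaces and on what is already listening there.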

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 27/08/15 15:20, Jason Levitt wrote:
> Hi Andy,
>
>    Not only is Jetty 9.1 fairly different than Jetty 8, but the current
> version of Jetty, 9.3 is somewhat different
> than 9.1.  I will investigate further.

I just tried out 9.3 by flipping the version to 9.3.2.v20150730 and it
seems OK (after 5 mins playing with it....).  So looks like the codebase
can switch if that helps simplify things.

	Andy


>
> J
>
> On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
>> Jason - thank you for pushing on with this.  It seems a lot of Jetty has
>> changed Jetty8->Jetty9.1 in this area which is all news to me.
>>
>> On 27/08/15 06:09, Jason Levitt wrote:
>>>
>>> Making some progress but things still don't work.
>>>
>>> The startup log (edited) looks like this (domain name changed to
>>> mysite.com):
>>
>>
>> This looks like it is because it's asking to run on an address that isn't the
>> local machine for some reason.  It does not look like something on the same
>> port because it is (usually)
>>
>> "java.net.BindException: Address already in use"
>>
>> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>>
>> Your config does not set the host but maybe the IP config is getting in the
>> way. This is EC2 so does the real DNS name resolve to the IP address of a
>> local interface?  Does using "localhost" work (= do something different)?
>>
>> That's the best clue I could find on StackOverflow.  I haven't found a way
>> to get the same error message using plain HTTP on a non-EC2 machine though.
>>
>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>> to start server: Cannot assign requested address
>>
>> port=0 looks weird though if you are taking control with the config file
>> that is possible due to the earlier error.
>>
>> What is printed is serverConnector.getPort() and serverConnector is the
>> first/only configured ServerConnector.
>>
>>          Andy
>>
>>
>>
>>>
>>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file =
>>> myconfig.xml
>>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0
>>> 2015-07-25T17:11:28+0000
>>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>>> [2015-08-27 03:56:03] Config     INFO
>>> FUSEKI_BASE=/home/ec2-user/fuseki/run
>>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>>> [2015-08-27 03:56:03] Config     INFO  Shiro file:
>>> file:///home/ec2-user/fuseki/run/shiro.ini
>>> [2015-08-27 03:56:03] Config     INFO  Template file:
>>> templates/config-tdb-dir
>>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
>>> java.net.BindException: Cannot assign requested address
>>> java.net.BindException: Cannot assign requested address
>>> at sun.nio.ch.Net.bind0(Native Method)
>>> at sun.nio.ch.Net.bind(Net.java:433)
>>> at sun.nio.ch.Net.bind(Net.java:425)
>>> ....
>>> ....
>>> ....
>>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>>> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot
>>> assign requested address
>>> java.net.BindException: Cannot assign requested address
>>> at sun.nio.ch.Net.bind0(Native Method)
>>> at sun.nio.ch.Net.bind(Net.java:433)
>>> at sun.nio.ch.Net.bind(Net.java:425)
>>> ....
>>> ....
>>> ....
>>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>>> to start server: Cannot assign requested address
>>>
>>>
>>> And I'm running fuseki 2.3.0 with this command:
>>>
>>> nohup ./fuseki-server --port 8443 --update
>>> --jetty-config=myconfig.xml --loc=ds /ds
>>>
>>>
>>> The "myconfig.xml" file is below (I've already added my certificate
>>> and key to the Java 8 JSSE):
>>>
>>> <?xml version="1.0"?>
>>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>> "http://www.eclipse.org/jetty/configure.dtd">
>>>
>>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>>     <Call name="addConnector">
>>>       <Arg>
>>>         <New class="org.eclipse.jetty.server.ServerConnector">
>>> <Arg name="server"><Ref refid="Server" /></Arg>
>>> <Arg name="factories">
>>>    <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>      <Item>
>>>        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>>> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>>        </New>
>>>      </Item>
>>>    </Array>
>>> </Arg>
>>>         </New>
>>>       </Arg>
>>>     </Call>
>>>
>>> <New id="sslContextFactory"
>>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>>     <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>>     <Set name="KeyStorePassword">somepassword</Set>
>>>     <Set name="KeyManagerPassword">somepassword</Set>
>>>     <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>>     <Set name="TrustStorePassword">somepassword</Set>
>>> </New>
>>>
>>> <Call id="sslConnector" name="addConnector">
>>>     <Arg>
>>>       <New class="org.eclipse.jetty.server.ServerConnector">
>>>         <Arg name="server"><Ref refid="Server" /></Arg>
>>>           <Arg name="factories">
>>>             <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>>               <Item>
>>>                 <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>>                   <Arg name="next">http/1.1</Arg>
>>>                   <Arg name="sslContextFactory"><Ref
>>> refid="sslContextFactory"/></Arg>
>>>                 </New>
>>>               </Item>
>>>               <Item>
>>>                 <New
>>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>>                   <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>>                 </New>
>>>               </Item>
>>>             </Array>
>>>           </Arg>
>>>           <Set name="host"><Property name="jetty.host"/></Set>
>>>           <Set name="port"><Property name="jetty.tls.port" default="8443"
>>> /></Set>
>>>           <Set name="idleTimeout">30000</Set>
>>>           <Set name="host">mysite.com</Set>
>>>         </New>
>>>     </Arg>
>>> </Call>
>>>
>>> </Configure>
>>>
>>> ===================================
>>>
>>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com>
>>> wrote:
>>>>
>>>> I can't find any examples of the file that you hand to  "--jetty-config"
>>>>
>>>> The "official" jetty docs for configuring SSL imply that there are two
>>>> configuration files,
>>>>    jetty-ssl-context.xml and  jetty-https.xml.
>>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>>
>>>> The example that you cite:
>>>>
>>>>
>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>
>>>> says that: "This configuration must be used in conjunction with
>>>> jetty.xml and jetty-ssl.xml"
>>>>
>>>> Where do these files go? The Fuseki download does not have any "etc"
>>>> directory or
>>>> any xml configuration files at all.
>>>>
>>>> So, I tried handing some XML config files to Fuseki using
>>>> --jetty-config and it gives very little
>>>> info in the error (see below). Has anyone actually successfully run
>>>> Fuseki over SSL?
>>>>
>>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>>> ./jetty-https.xml
>>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>>> configure server: Unknown configuration type: Call in
>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>> java.lang.IllegalStateException: Unknown configuration type: Call in
>>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>>> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>>> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>>>> using configuration file './jetty-https.xml'
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>>
>>>> J
>>>>
>>>>
>>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>
>>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>>
>>>>>>
>>>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki
>>>>>> v2.30 ?
>>>>>>
>>>>>> J
>>>>>
>>>>>
>>>>>
>>>>> Yes, should work to pass in the file.  There was a major jetty version
>>>>> change (8 to 9) and what effect that has had on that option is unclear
>>>>> to me. Connector changed Jetty 8->9
>>>>>
>>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>>
>>>>> and their example:
>>>>>
>>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>>
>>>>> It would be good to add this to the distribution - if you or anyone else
>>>>> has a working version, I'd be very grateful to get a copy.
>>>>>
>>>>>
>>>>>           Andy
>>>>>
>>>>>>
>>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>>
>>>>>>>> J
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>>
>>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>>
>>>>>>>            Andy
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>>> setting up Jetty.
>>>>>>>>>
>>>>>>>>> Here's one in the examples/ area but as far as I can tell it's more
>>>>>>>>> in the category of "should work" (it is from Fuseki1 and that was a
>>>>>>>>> different version of Jetty) rather than tested.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>>
>>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>>
>>>>>>>>>             Andy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>>>>>> only talks to internal machines so there is no need to protect it
>>>>>>>>>> from external exposure.  So that means that the easiest way is to
>>>>>>>>>> use the `--jetty-config` flag to set up HTTPS to Jetty?  Are there
>>>>>>>>>> any docs on what the options are for that config file (e.g. what
>>>>>>>>>> goes into the config file)?
>>>>>>>>>>
>>>>>>>>>> J
>>>>>>>>>>
>>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>>>>>> several things and while there is nothing that forces a reverse
>>>>>>>>>>> proxy, the weight of features can mean it's a useful and flexible
>>>>>>>>>>> thing to put into a production system.
>>>>>>>>>>>
>>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>>         (manic crawlers, badly written PHP scripts)
>>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>>         Java web containers just aren't as good under silly load
>>>>>>>>>>>         conditions.
>>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>>         E.g don't need /dataset/query - can be any URL you like.
>>>>>>>>>>> 4/ Security
>>>>>>>>>>>         integrate with local systems; rich choice of controls.
>>>>>>>>>>>         Control who and what can update
>>>>>>>>>>>         No need to restart for shiro changes.
>>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>>
>>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>>> network interface. In an environment like AWS, where port control
>>>>>>>>>>> is easy, it's trivial to secure the Fuseki server to only talk to
>>>>>>>>>>> the local reverse proxy by blocking all ports except (22 and)
>>>>>>>>>>> 80+443.
>>>>>>>>>>>
>>>>>>>>>>>              Andy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I checked more carefully (should have done that before replying)
>>>>>>>>>>>> and it seems that Fuseki 2 also offers the `--jetty-config` flag
>>>>>>>>>>>> for using a Jetty configuration that supports HTTPS:
>>>>>>>>>>>>
>>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>>>
>>>>>>>>>>>> ---
>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>
>>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>>>>>>> or Jetty) or using the server included with Fuseki and is it Fuseki
>>>>>>>>>>>>> 1 or 2?
>>>>>>>>>>>>>
>>>>>>>>>>>>> If the former, you will need to supply configuration specific to
>>>>>>>>>>>>> that container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>>>>>>> Overflow answer for it:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>>
>>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki
>>>>>>>>>>>>> command uses).
>>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could use
>>>>>>>>>>>>> a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jason
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Hi Andy,

  Not only is Jetty 9.1 fairly different than Jetty 8, but the current
version of Jetty, 9.3 is somewhat different
than 9.1.  I will investigate further.

J

On Thu, Aug 27, 2015 at 6:42 AM, Andy Seaborne <an...@apache.org> wrote:
> Jason - thank you for pushing on with this.  It seems a lot of Jetty has
> changed Jetty8->Jetty9.1 in this area which is all news to me.
>
> On 27/08/15 06:09, Jason Levitt wrote:
>>
>> Making some progress but things still don't work.
>>
>> The startup log (edited) looks like this (domain name changed to
>> mysite.com):
>
>
> This looks like it is because it's asking to run on an address that isn't the
> local machine for some reason.  It does not look like something on the same
> port because it is (usually)
>
> "java.net.BindException: Address already in use"
>
> but it might be worth checking.  On Linux, "sudo lsof -i:8443"
>
> Your config does not set the host but maybe the IP config is getting in the
> way. This is EC2 so does the real DNS name resolve to the IP address of a
> local interface?  Does using "localhost" work (= do something different)?
>
> That's the best clue I could find on StackOverflow.  I haven't found a way
> to get the same error message using plain HTTP on a non-EC2 machine though.
>
>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>> to start server: Cannot assign requested address
>
> port=0 looks weird though if you are taking control with the config file
> that is possible due to the earlier error.
>
> What is printed is serverConnector.getPort() and serverConnector is the
> first/only configured ServerConnector.
>
>         Andy
>
>
>
>>
>> [2015-08-27 03:56:03] Server     INFO  Jetty server config file =
>> myconfig.xml
>> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0
>> 2015-07-25T17:11:28+0000
>> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
>> [2015-08-27 03:56:03] Config     INFO
>> FUSEKI_BASE=/home/ec2-user/fuseki/run
>> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
>> [2015-08-27 03:56:03] Config     INFO  Shiro file:
>> file:///home/ec2-user/fuseki/run/shiro.ini
>> [2015-08-27 03:56:03] Config     INFO  Template file:
>> templates/config-tdb-dir
>> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
>> [2015-08-27 03:56:03] Config     INFO  Register: /ds
>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
>> java.net.BindException: Cannot assign requested address
>> java.net.BindException: Cannot assign requested address
>> at sun.nio.ch.Net.bind0(Native Method)
>> at sun.nio.ch.Net.bind(Net.java:433)
>> at sun.nio.ch.Net.bind(Net.java:425)
>> ....
>> ....
>> ....
>> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
>> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot
>> assign requested address
>> java.net.BindException: Cannot assign requested address
>> at sun.nio.ch.Net.bind0(Native Method)
>> at sun.nio.ch.Net.bind(Net.java:433)
>> at sun.nio.ch.Net.bind(Net.java:425)
>> ....
>> ....
>> ....
>> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
>> to start server: Cannot assign requested address
>>
>>
>> And I'm running fuseki 2.3.0 with this command:
>>
>> nohup ./fuseki-server --port 8443 --update
>> --jetty-config=myconfig.xml --loc=ds /ds
>>
>>
>> The "myconfig.xml" file is below (I've already added my certificate
>> and key to the Java 8 JSSE):
>>
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure.dtd">
>>
>> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>>    <Call name="addConnector">
>>      <Arg>
>>        <New class="org.eclipse.jetty.server.ServerConnector">
>> <Arg name="server"><Ref refid="Server" /></Arg>
>> <Arg name="factories">
>>   <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>     <Item>
>>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>>       </New>
>>     </Item>
>>   </Array>
>> </Arg>
>>        </New>
>>      </Arg>
>>    </Call>
>>
>> <New id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>    <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>>    <Set name="KeyStorePassword">somepassword</Set>
>>    <Set name="KeyManagerPassword">somepassword</Set>
>>    <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>>    <Set name="TrustStorePassword">somepassword</Set>
>> </New>
>>
>> <Call id="sslConnector" name="addConnector">
>>    <Arg>
>>      <New class="org.eclipse.jetty.server.ServerConnector">
>>        <Arg name="server"><Ref refid="Server" /></Arg>
>>          <Arg name="factories">
>>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>>              <Item>
>>                <New class="org.eclipse.jetty.server.SslConnectionFactory">
>>                  <Arg name="next">http/1.1</Arg>
>>                  <Arg name="sslContextFactory"><Ref
>> refid="sslContextFactory"/></Arg>
>>                </New>
>>              </Item>
>>              <Item>
>>                <New
>> class="org.eclipse.jetty.server.HttpConnectionFactory">
>>                  <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>>                </New>
>>              </Item>
>>            </Array>
>>          </Arg>
>>          <Set name="host"><Property name="jetty.host"/></Set>
>>          <Set name="port"><Property name="jetty.tls.port" default="8443"
>> /></Set>
>>          <Set name="idleTimeout">30000</Set>
>>          <Set name="host">mysite.com</Set>
>>        </New>
>>    </Arg>
>> </Call>
>>
>> </Configure>
>>
>> ===================================
>>
>> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com>
>> wrote:
>>>
>>> I can't find any examples of the file that you hand to  "--jetty-config"
>>>
>>> The "official" jetty docs for configuring SSL imply that there are two
>>> configuration files,
>>>   jetty-ssl-context.xml and  jetty-https.xml.
>>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>>
>>> The example that you cite:
>>>
>>>
>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>
>>> says that: "This configuration must be used in conjunction with
>>> jetty.xml and jetty-ssl.xml"
>>>
>>> Where do these files go? The Fuseki download does not have any "etc"
>>> directory or
>>> any xml configuration files at all.
>>>
>>> So, I tried handing some XML config files to Fuseki using
>>> --jetty-config and it gives very little
>>> info in the error (see below). Has anyone actually successfully run
>>> Fuseki over SSL?
>>>
>>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>>> ./jetty-https.xml
>>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>>> configure server: Unknown configuration type: Call in
>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>> java.lang.IllegalStateException: Unknown configuration type: Call in
>>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>>> at
>>> org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>>> at
>>> org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>>> using configuration file './jetty-https.xml'
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>>> at
>>> org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>>> at
>>> org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>>
>>> J
>>>
>>>
>>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki
>>>>> v2.30 ?
>>>>>
>>>>> J
>>>>
>>>>
>>>>
>>>> Yes, should work to pass in the file.  There was a major jetty version
>>>> change (8 to 9) and what effect that has had on that option is unclear
>>>> to me. Connector changed Jetty 8->9
>>>>
>>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>>
>>>> and their example:
>>>>
>>>>
>>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>>
>>>> It would be good to add this to the distribution - if you or anyone else
>>>> has a working version, I'd be very grateful to get a copy.
>>>>
>>>>
>>>>          Andy
>>>>
>>>>>
>>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>
>>>>>>
>>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>>
>>>>>>> J
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>>
>>>>>> ==> Jetty 9.1.1.v20140108
>>>>>>
>>>>>>           Andy
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> The Jetty documentation is the best place to go for details of
>>>>>>>> setting up Jetty.
>>>>>>>>
>>>>>>>> Here's one in the examples/ area but as far as I can tell it's more
>>>>>>>> in the category of "should work" (it is from Fuseki1 and that was a
>>>>>>>> different version of Jetty) rather than tested.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>>
>>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>>
>>>>>>>>            Andy
>>>>>>>>
>>>>>>>>
>>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>>>>> only talks to internal machines so there is no need to protect it
>>>>>>>>> from external exposure.  So that means that the easiest way is to
>>>>>>>>> use the `--jetty-config` flag to setup HTTPS to Jetty?  Are there any
>>>>>>>>> docs on what the options are for that config file (e.g. what goes
>>>>>>>>> into the config file)?
>>>>>>>>>
>>>>>>>>> J
>>>>>>>>>
>>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>>>>> several things and while there is nothing that forces a reverse proxy,
>>>>>>>>>> the weight of features can mean it's a useful and flexible thing to
>>>>>>>>>> put into a production system.
>>>>>>>>>>
>>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>>        (manic crawlers, badly written PHP scripts)
>>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>>        Java web containers just aren't as good under silly load conditions.
>>>>>>>>>> 3/ URL rewrite
>>>>>>>>>>        E.g. don't need /dataset/query - can be any URL you like.
>>>>>>>>>> 4/ Security
>>>>>>>>>>        integrate with local systems; rich choice of controls.
>>>>>>>>>>        Control who and what can update
>>>>>>>>>>        No need to restart for shiro changes.
>>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>>
>>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>>> network interface. In an environment like AWS, where port control is
>>>>>>>>>> easy, it's trivial to secure the Fuseki server to only talk to the
>>>>>>>>>> local reverse proxy by blocking all ports except (22 and) 80+443.
>>>>>>>>>>
>>>>>>>>>>             Andy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I checked more carefully (should have done that before replying)
>>>>>>>>>>> and it seems that Fuseki 2 also offers the `--jetty-config` flag for
>>>>>>>>>>> using a Jetty configuration that supports HTTPS:
>>>>>>>>>>>
>>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>> A. Soroka
>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>
>>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>>>>>> or Jetty) or using the server included with Fuseki and is it Fuseki
>>>>>>>>>>>> 1 or 2?
>>>>>>>>>>>>
>>>>>>>>>>>> If the former, you will need to supply configuration specific to
>>>>>>>>>>>> that container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>>>>>> Overflow answer for it:
>>>>>>>>>>>>
>>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>>
>>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki
>>>>>>>>>>>> command uses).
>>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could use
>>>>>>>>>>>> a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>>
>>>>>>>>>>>> ---
>>>>>>>>>>>> A. Soroka
>>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>>
>>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt
>>>>>>>>>>>> <sl...@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jason
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
Jason - thank you for pushing on with this.  It seems a lot of Jetty has 
changed Jetty8->Jetty9.1 in this area which is all news to me.

On 27/08/15 06:09, Jason Levitt wrote:
> Making some progress but things still don't work.
>
> The startup log (edited) looks like this (domain name changed to mysite.com):

This looks like it is because it's asking to run on an address that isn't
the local machine for some reason.  It does not look like something on 
the same port because it is (usually)

"java.net.BindException: Address already in use"

but it might be worth checking.  On Linux, "sudo lsof -i:8443"

Your config does not set the host but maybe the IP config is getting in 
the way. This is EC2 so does the real DNS name resolve to the IP address 
of a local interface?  Does using "localhost" work (= do something 
different)?

That's the best clue I could find on StackOverflow.  I haven't found a 
way to get the same error message using plain HTTP on a non-EC2 machine
though.

 > [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
 > to start server: Cannot assign requested address

port=0 looks weird though if you are taking control with the config file 
that is possible due to the earlier error.

What is printed is serverConnector.getPort() and serverConnector is the 
first/only configured ServerConnector.

	Andy


>
> [2015-08-27 03:56:03] Server     INFO  Jetty server config file = myconfig.xml
> [2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0 2015-07-25T17:11:28+0000
> [2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
> [2015-08-27 03:56:03] Config     INFO  FUSEKI_BASE=/home/ec2-user/fuseki/run
> [2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
> [2015-08-27 03:56:03] Config     INFO  Shiro file:
> file:///home/ec2-user/fuseki/run/shiro.ini
> [2015-08-27 03:56:03] Config     INFO  Template file: templates/config-tdb-dir
> [2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
> [2015-08-27 03:56:03] Config     INFO  Register: /ds
> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
> ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}:
> java.net.BindException: Cannot assign requested address
> java.net.BindException: Cannot assign requested address
> at sun.nio.ch.Net.bind0(Native Method)
> at sun.nio.ch.Net.bind(Net.java:433)
> at sun.nio.ch.Net.bind(Net.java:425)
> ....
> ....
> ....
> [2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED
> org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot
> assign requested address
> java.net.BindException: Cannot assign requested address
> at sun.nio.ch.Net.bind0(Native Method)
> at sun.nio.ch.Net.bind(Net.java:433)
> at sun.nio.ch.Net.bind(Net.java:425)
> ....
> ....
> ....
> [2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed
> to start server: Cannot assign requested address
>
>
> And I'm running fuseki 2.3.0 with this command:
>
> nohup ./fuseki-server --port 8443 --update
> --jetty-config=myconfig.xml --loc=ds /ds
>
>
> The "myconfig.xml" file is below (I've already added my certificate
> and key to the Java 8 JSSE):
>
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure.dtd">
>
> <Configure id="Server" class="org.eclipse.jetty.server.Server">
>    <Call name="addConnector">
>      <Arg>
>        <New class="org.eclipse.jetty.server.ServerConnector">
> <Arg name="server"><Ref refid="Server" /></Arg>
> <Arg name="factories">
>   <Array type="org.eclipse.jetty.server.ConnectionFactory">
>     <Item>
>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
> <Arg name="config"><Ref refid="httpConfig" /></Arg>
>       </New>
>     </Item>
>   </Array>
> </Arg>
>        </New>
>      </Arg>
>    </Call>
>
> <New id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>    <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
>    <Set name="KeyStorePassword">somepassword</Set>
>    <Set name="KeyManagerPassword">somepassword</Set>
>    <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
>    <Set name="TrustStorePassword">somepassword</Set>
> </New>
>
> <Call id="sslConnector" name="addConnector">
>    <Arg>
>      <New class="org.eclipse.jetty.server.ServerConnector">
>        <Arg name="server"><Ref refid="Server" /></Arg>
>          <Arg name="factories">
>            <Array type="org.eclipse.jetty.server.ConnectionFactory">
>              <Item>
>                <New class="org.eclipse.jetty.server.SslConnectionFactory">
>                  <Arg name="next">http/1.1</Arg>
>                  <Arg name="sslContextFactory"><Ref
> refid="sslContextFactory"/></Arg>
>                </New>
>              </Item>
>              <Item>
>                <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>                  <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
>                </New>
>              </Item>
>            </Array>
>          </Arg>
>          <Set name="host"><Property name="jetty.host"/></Set>
>          <Set name="port"><Property name="jetty.tls.port" default="8443" /></Set>
>          <Set name="idleTimeout">30000</Set>
>          <Set name="host">mysite.com</Set>
>        </New>
>    </Arg>
> </Call>
>
> </Configure>
>
> ===================================
>
> On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com> wrote:
>> I can't find any examples of the file that you hand to  "--jetty-config"
>>
>> The "official" jetty docs for configuring SSL imply that there are two
>> configuration files,
>>   jetty-ssl-context.xml and  jetty-https.xml.
>> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>>
>> The example that you cite:
>>
>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>
>> says that: "This configuration must be used in conjunction with
>> jetty.xml and jetty-ssl.xml"
>>
>> Where do these files go? The Fuseki download does not have any "etc"
>> directory or
>> any xml configuration files at all.
>>
>> So, I tried handing some XML config files to Fuseki using
>> --jetty-config and it gives very little
>> info in the error (see below). Has anyone actually successfully run
>> Fuseki over SSL?
>>
>> [2015-08-25 22:13:34] Server     INFO  Jetty server config file =
>> ./jetty-https.xml
>> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to
>> configure server: Unknown configuration type: Call in
>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>> java.lang.IllegalStateException: Unknown configuration type: Call in
>> org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
>> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
>> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>> org.apache.jena.fuseki.FusekiException: Failed to configure a server
>> using configuration file './jetty-https.xml'
>> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
>> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
>> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
>> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
>> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
>> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>>
>> J
>>
>>
>> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>> On 20/08/15 22:37, Jason Levitt wrote:
>>>>
>>>> Thanks. So I can still use the "--jetty-config" option with Fuseki v2.30 ?
>>>>
>>>> J
>>>
>>>
>>> Yes, should work to pass in the file.  There was a major jetty version
>>> change (8 to 9) and what effect that has had on that option is unclear to
>>> me. Connector changed Jetty 8->9
>>>
>>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>>
>>> and their example:
>>>
>>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>>
>>> It would be good to add this to the distribution - if you or anyone else has
>>> a working version, I'd be very grateful to get a copy.
>>>
>>>
>>>          Andy
>>>
>>>>
>>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>
>>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>>
>>>>>>
>>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>>
>>>>>> J
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>>
>>>>> ==> Jetty 9.1.1.v20140108
>>>>>
>>>>>           Andy
>>>>>
>>>>>
>>>>>>
>>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>>
>>>>>>>
>>>>>>> The Jetty documentation is the best place to go for details of setting
>>>>>>> up Jetty.
>>>>>>>
>>>>>>> Here's one in the examples/ area but as far as I can tell it's more
>>>>>>> in the category of "should work" (it is from Fuseki1 and that was a
>>>>>>> different version of Jetty) rather than tested.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>>
>>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>>
>>>>>>>            Andy
>>>>>>>
>>>>>>>
>>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>>>> only talks to internal machines so there
>>>>>>>> is no need to protect it from external exposure.  So that means that
>>>>>>>> the easiest way is to use the
>>>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>>>>>>> what the options are for that
>>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>>
>>>>>>>> J
>>>>>>>>
>>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>>>> several things and while there is nothing that forces a reverse proxy,
>>>>>>>>> the weight of features can mean it's a useful and flexible thing to
>>>>>>>>> put into a production system.
>>>>>>>>>
>>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>>        (manic crawlers, badly written PHP scripts)
>>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>>        Java web containers just aren't as good under silly load conditions.
>>>>>>>>> 3/ URL rewrite
>>>>>>>>>        E.g. don't need /dataset/query - can be any URL you like.
>>>>>>>>> 4/ Security
>>>>>>>>>        integrate with local systems; rich choice of controls.
>>>>>>>>>        Control who and what can update
>>>>>>>>>        No need to restart for shiro changes.
>>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>>
>>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>>> network interface. In an environment like AWS, where port control is
>>>>>>>>> easy, it's trivial to secure the Fuseki server to only talk to the
>>>>>>>>> local reverse proxy by blocking all ports except (22 and) 80+443.
>>>>>>>>>
>>>>>>>>>             Andy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I checked more carefully (should have done that before replying) and
>>>>>>>>>> it seems that Fuseki 2 also offers the `--jetty-config` flag for using
>>>>>>>>>> a Jetty configuration that supports HTTPS:
>>>>>>>>>>
>>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> A. Soroka
>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>
>>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>>
>>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>>>>> or Jetty) or using the server included with Fuseki and is it Fuseki 1
>>>>>>>>>>> or 2?
>>>>>>>>>>>
>>>>>>>>>>> If the former, you will need to supply configuration specific to
>>>>>>>>>>> that container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>>>>> Overflow answer for it:
>>>>>>>>>>>
>>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>>
>>>>>>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki
>>>>>>>>>>> command uses).
>>>>>>>>>>> For Fuseki 2, I think it is still under development? You could use
>>>>>>>>>>> a reverse proxy in front of Fuseki, in that case.
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>> A. Soroka
>>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>>
>>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>>
>>>>>>>>>>>> Jason
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Making some progress but things still don't work.

The startup log (edited) looks like this (domain name changed to mysite.com):

[2015-08-27 03:56:03] Server     INFO  Jetty server config file = myconfig.xml
[2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0 2015-07-25T17:11:28+0000
[2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
[2015-08-27 03:56:03] Config     INFO  FUSEKI_BASE=/home/ec2-user/fuseki/run
[2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
[2015-08-27 03:56:03] Config     INFO  Shiro file: file:///home/ec2-user/fuseki/run/shiro.ini
[2015-08-27 03:56:03] Config     INFO  Template file: templates/config-tdb-dir
[2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
[2015-08-27 03:56:03] Config     INFO  Register: /ds
[2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}: java.net.BindException: Cannot assign requested address
java.net.BindException: Cannot assign requested address
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
....
....
....
[2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot assign requested address
java.net.BindException: Cannot assign requested address
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
....
....
....
[2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed to start server: Cannot assign requested address


And I'm running fuseki 2.3.0 with this command:

nohup ./fuseki-server --port 8443 --update --jetty-config=myconfig.xml --loc=ds /ds


The "myconfig.xml" file is below (I've already added my certificate
and key to the Java 8 JSSE):

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
      </New>
    </Arg>
  </Call>

  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
    <Set name="KeyStorePassword">somepassword</Set>
    <Set name="KeyManagerPassword">somepassword</Set>
    <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
    <Set name="TrustStorePassword">somepassword</Set>
  </New>

  <Call id="sslConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.host"/></Set>
        <Set name="port"><Property name="jetty.tls.port" default="8443" /></Set>
        <Set name="idleTimeout">30000</Set>
        <Set name="host">mysite.com</Set>
      </New>
    </Arg>
  </Call>

</Configure>

===================================

On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <sl...@gmail.com> wrote:
> I can't find any examples of the file that you hand to  "--jetty-config"
>
> The "official" jetty docs for configuring SSL imply that there are two
> configuration files,
>  jetty-ssl-context.xml and  jetty-https.xml.
> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>
> The example that you cite:
>
> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>
> says that: "This configuration must be used in conjunction with
> jetty.xml and jetty-ssl.xml"
>
> Where do these files go? The Fuseki download does not have any "etc"
> directory or
> any xml configuration files at all.
>
> So, I tried handing some XML config files to Fuseki using
> --jetty-config and it gives very little
> info in the error (see below). Has anyone actually successfully run
> Fuseki over SSL?
>
> [2015-08-25 22:13:34] Server     INFO  Jetty server config file = ./jetty-https.xml
> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to configure server: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
> java.lang.IllegalStateException: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
> org.apache.jena.fuseki.FusekiException: Failed to configure a server using configuration file './jetty-https.xml'
> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>
> J
>
>
> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
>> On 20/08/15 22:37, Jason Levitt wrote:
>>>
>>> Thanks. So I can still use the "--jetty-config" option with Fuseki v2.30 ?
>>>
>>> J
>>
>>
>> Yes, should work to pass in the file.  There was a major jetty version
>> change (8 to 9) and what effect that has had on that option is unclear to
>> me. Connector changed Jetty 8->9
>>
>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>
>> and their example:
>>
>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>
>> It would be good to add this to the distribution - if you or anyone else has
>> a working version, I'd be very grateful to get a copy.
>>
>>
>>         Andy
>>
>>>
>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>
>>>>> J
>>>>
>>>>
>>>>
>>>>
>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>
>>>> ==> Jetty 9.1.1.v20140108
>>>>
>>>>          Andy
>>>>
>>>>
>>>>>
>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>
>>>>>>
>>>>>> The Jetty documentation is the best place to go for details of setting
>>>>>> up
>>>>>> Jetty.
>>>>>>
>>>>>> Here's one in the examples/ area but as far as I can tell it's more in
>>>>>> the
>>>>>> category of "should work" (it is from Fuseki1 and that was a different
>>>>>> version of Jetty) rather than tested.
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>
>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>
>>>>>>           Andy
>>>>>>
>>>>>>
>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>>> only talks to internal machines so there
>>>>>>> is no need to protect it from external exposure.  So that means that
>>>>>>> the easiest way is to use the
>>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>>>>>> what the options are for that
>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>
>>>>>>> J
>>>>>>>
>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>>> several
>>>>>>>> things and while there is nothing that forces a reverse proxy, the
>>>>>>>> weight
>>>>>>>> of
>>>>>>>> features can mean it's a useful and flexible thing to put into a
>>>>>>>> production
>>>>>>>> system.
>>>>>>>>
>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>       (manic crawlers, badly written PHP scripts)
>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>       Java web containers just aren't as good under silly load
>>>>>>>> conditions.
>>>>>>>> 3/ URL rewrite
>>>>>>>>       E.g don't need /dataset/query - can be any URL you like.
>>>>>>>> 4/ Security
>>>>>>>>       integrate with local systems; rich choice of controls.
>>>>>>>>       Control who and what can update
>>>>>>>>       No need to restart for shiro changes.
>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>
>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>> network
>>>>>>>> interface. In an environment like AWS, where port control is easy,
>>>>>>>> it's
>>>>>>>> trivial to secure the Fuseki server to only talk to the local reverse
>>>>>>>> proxy
>>>>>>>> by blocking all ports except (22 and) 80+443.
>>>>>>>>
>>>>>>>>            Andy
>>>>>>>>
>>>>>>>>
>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I checked more carefully (should have done that before replying) and
>>>>>>>>> it
>>>>>>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using
>>>>>>>>> a
>>>>>>>>> Jetty
>>>>>>>>> configuration that supports HTTPS:
>>>>>>>>>
>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty
>>>>>>>>> XML
>>>>>>>>> file
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>> A. Soroka
>>>>>>>>> The University of Virginia Library
>>>>>>>>>
>>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>>
>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>>>> or
>>>>>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1
>>>>>>>>>> or
>>>>>>>>>> 2?
>>>>>>>>>>
>>>>>>>>>> If the former, you will need to supply configuration specific to
>>>>>>>>>> that
>>>>>>>>>> container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>>>> Overflow
>>>>>>>>>> answer for it:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>
>>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>>> Jetty
>>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki
>>>>>>>>>> command
>>>>>>>>>> uses).
>>>>>>>>>> For Fuseki 2, I think it is still under development? You could use
>>>>>>>>>> a
>>>>>>>>>> reverse
>>>>>>>>>> proxy in front of Fuseki, in that case.
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> A. Soroka
>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>
>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>
>>>>>>>>>>> Jason
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>
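
The startup log in this message fails on `mysite.com:8443` with "Cannot assign requested address", and the posted config sets `host` twice on the SSL connector. The following is an added example, not part of the original post and not Fuseki or Jetty code: it reads a Jetty XML config, works out which `host` value each `ServerConnector` ends up with, and tests whether that address can be bound on the local machine. The function names are hypothetical, and `192.0.2.1` is a documentation address used here as a constructed stand-in for a hostname that resolves to an address not assigned to any local interface.

```python
import errno
import socket
import xml.etree.ElementTree as ET

# Constructed sample: the SSL connector from the post, reduced to its <Set>
# lines. {host} is filled in by the caller; the rest is as posted.
SAMPLE_CONFIG = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call id="sslConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Set name="host"><Property name="jetty.host"/></Set>
        <Set name="port"><Property name="jetty.tls.port" default="8443"/></Set>
        <Set name="idleTimeout">30000</Set>
        <Set name="host">{host}</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""


def effective_set(connector, name, props):
    """Value left in place after every <Set name=...> child has been applied.

    Jetty applies <Set> elements in document order, so the last one wins.
    A <Property> child is looked up in `props`, falling back to its default.
    """
    value = None
    for node in connector.findall("Set"):
        if node.get("name") != name:
            continue
        prop = node.find("Property")
        if prop is not None:
            value = props.get(prop.get("name"), prop.get("default"))
        else:
            value = (node.text or "").strip() or None
    return value


def bind_check(host):
    """Try to bind a TCP socket to each address `host` resolves to.

    Port 0 lets the kernel pick a free port, so only the address is tested.
    Returns a list of (address, errno_name_or_None).
    """
    if host is None:
        # No host set: the connector listens on all interfaces.
        return [("0.0.0.0", None)]
    try:
        infos = socket.getaddrinfo(host, 0, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(host, "UNRESOLVABLE")]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.bind(sockaddr)
            results.append((sockaddr[0], None))
        except OSError as exc:
            # EADDRNOTAVAIL is what Java reports as
            # "BindException: Cannot assign requested address".
            name = errno.errorcode.get(exc.errno, str(exc.errno))
            results.append((sockaddr[0], name))
    return results


def lint_connectors(xml_text, props=None):
    """Report host, port and bindability for every ServerConnector."""
    props = props or {}
    findings = []
    for new in ET.fromstring(xml_text).iter("New"):
        if not new.get("class", "").endswith(".ServerConnector"):
            continue
        host_sets = [s for s in new.findall("Set") if s.get("name") == "host"]
        host = effective_set(new, "host", props)
        checks = bind_check(host)
        findings.append({
            "host": host,
            "port": effective_set(new, "port", props),
            "duplicate_host": len(host_sets) > 1,
            "checks": checks,
            "bindable": all(err is None for _addr, err in checks),
        })
    return findings


if __name__ == "__main__":
    for host in ("192.0.2.1", "127.0.0.1"):
        for finding in lint_connectors(SAMPLE_CONFIG.format(host=host)):
            print(host, finding)
```

Run on the server itself against the real config file; a hostname that resolves to an address the instance does not hold locally shows up as `EADDRNOTAVAIL`.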

Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
I can't find any examples of the file that you hand to  "--jetty-config"

The "official" jetty docs for configuring SSL imply that there are two
configuration files,
 jetty-ssl-context.xml and  jetty-https.xml.
(http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)

The example that you cite:

http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml

says that: "This configuration must be used in conjunction with
jetty.xml and jetty-ssl.xml"

Where do these files go? The Fuseki download does not have any "etc"
directory or
any xml configuration files at all.

So, I tried handing some XML config files to Fuseki using
--jetty-config and it gives very little
info in the error (see below). Has anyone actually successfully run
Fuseki over SSL?

[2015-08-25 22:13:34] Server     INFO  Jetty server config file = ./jetty-https.xml
[2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to configure server: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
java.lang.IllegalStateException: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
org.apache.jena.fuseki.FusekiException: Failed to configure a server using configuration file './jetty-https.xml'
at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)

J


On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <an...@apache.org> wrote:
> On 20/08/15 22:37, Jason Levitt wrote:
>>
>> Thanks. So I can still use the "--jetty-config" option with Fuseki v2.30 ?
>>
>> J
>
>
> Yes, should work to pass in the file.  There was a major jetty version
> change (8 to 9) and what effect that has had on that option is unclear to
> me. Connector changed Jetty 8->9
>
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>
> and their example:
>
> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>
> It would be good to add this to the distribution - if you or anyone else has
> a working version, I'd be very grateful to get a copy.
>
>
>         Andy
>
>>
>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>>>
>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>
>>>>
>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>
>>>> J
>>>
>>>
>>>
>>>
>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>
>>> ==> Jetty 9.1.1.v20140108
>>>
>>>          Andy
>>>
>>>
>>>>
>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>>
>>>>>
>>>>> The Jetty documentation is the best place to go for details of setting
>>>>> up
>>>>> Jetty.
>>>>>
>>>>> Here's one in the examples/ area but as far as I can tell it's more in
>>>>> the
>>>>> category of "should work" (it is from Fuseki1 and that was a different
>>>>> version of Jetty) rather than tested.
>>>>>
>>>>>
>>>>>
>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>
>>>>> If you, or anyone else, has a better example - please send it.
>>>>>
>>>>>           Andy
>>>>>
>>>>>
>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>> only talks to internal machines so there
>>>>>> is no need to protect it from external exposure.  So that means that
>>>>>> the easiest way is to use the
>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>>>>> what the options are for that
>>>>>> config file (e.g. what goes into the config file)?
>>>>>>
>>>>>> J
>>>>>>
>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>> several
>>>>>>> things and while there is nothing that forces a reverse proxy, the
>>>>>>> weight
>>>>>>> of
>>>>>>> features can mean it's a useful and flexible thing to put into a
>>>>>>> production
>>>>>>> system.
>>>>>>>
>>>>>>> 1/ Blocking undesirable clients
>>>>>>>       (manic crawlers, badly written PHP scripts)
>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>       Java web containers just aren't as good under silly load
>>>>>>> conditions.
>>>>>>> 3/ URL rewrite
>>>>>>>       E.g don't need /dataset/query - can be any URL you like.
>>>>>>> 4/ Security
>>>>>>>       integrate with local systems; rich choice of controls.
>>>>>>>       Control who and what can update
>>>>>>>       No need to restart for shiro changes.
>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>
>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>> network
>>>>>>> interface. In an environment like AWS, where port control is easy,
>>>>>>> it's
>>>>>>> trivial to secure the Fuseki server to only talk to the local reverse
>>>>>>> proxy
>>>>>>> by blocking all ports except (22 and) 80+443.
>>>>>>>
>>>>>>>            Andy
>>>>>>>
>>>>>>>
>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I checked more carefully (should have done that before replying) and
>>>>>>>> it
>>>>>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using
>>>>>>>> a
>>>>>>>> Jetty
>>>>>>>> configuration that supports HTTPS:
>>>>>>>>
>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty
>>>>>>>> XML
>>>>>>>> file
>>>>>>>>
>>>>>>>> ---
>>>>>>>> A. Soroka
>>>>>>>> The University of Virginia Library
>>>>>>>>
>>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>>
>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>>> or
>>>>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1
>>>>>>>>> or
>>>>>>>>> 2?
>>>>>>>>>
>>>>>>>>> If the former, you will need to supply configuration specific to
>>>>>>>>> that
>>>>>>>>> container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>>> Overflow
>>>>>>>>> answer for it:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>
>>>>>>>>> but the links seem to be dead. The idea is to supply your own
>>>>>>>>> Jetty
>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki
>>>>>>>>> command
>>>>>>>>> uses).
>>>>>>>>> For Fuseki 2, I think it is still under development? You could use
>>>>>>>>> a
>>>>>>>>> reverse
>>>>>>>>> proxy in front of Fuseki, in that case.
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>> A. Soroka
>>>>>>>>> The University of Virginia Library
>>>>>>>>>
>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>
>>>>>>>>>> Jason
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 20/08/15 22:37, Jason Levitt wrote:
> Thanks. So I can still use the "--jetty-config" option with Fuseki v2.30 ?
>
> J

Yes, should work to pass in the file.  There was a major jetty version 
change (8 to 9) and what effect that has had on that option is unclear 
to me. Connector changed Jetty 8->9

http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

and their example:

http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml

It would be good to add this to the distribution - if you or anyone else 
has a working version, I'd be very grateful to get a copy.

	Andy

>
> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
>> On 20/08/15 21:24, Jason Levitt wrote:
>>>
>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>
>>> J
>>
>>
>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>
>> ==> Jetty 9.1.1.v20140108
>>
>>          Andy
>>
>>
>>>
>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> The Jetty documentation is the best place to go for details of setting up
>>>> Jetty.
>>>>
>>>> Here's one in the examples/ area but as far as I can tell it's more in
>>>> the
>>>> category of "should work" (it is from Fuseki1 and that was a different
>>>> version of Jetty) rather than tested.
>>>>
>>>>
>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>
>>>> If you, or anyone else, has a better example - please send it.
>>>>
>>>>           Andy
>>>>
>>>>
>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>> only talks to internal machines so there
>>>>> is no need to protect it from external exposure.  So that means that
>>>>> the easiest way is to use the
>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>>>> what the options are for that
>>>>> config file (e.g. what goes into the config file)?
>>>>>
>>>>> J
>>>>>
>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>>
>>>>>>
>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>> several
>>>>>> things and while there is nothing that forces a reverse proxy, the
>>>>>> weight
>>>>>> of
>>>>>> features can mean it's a useful and flexible thing to put into a
>>>>>> production
>>>>>> system.
>>>>>>
>>>>>> 1/ Blocking undesirable clients
>>>>>>       (manic crawlers, badly written PHP scripts)
>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>       Java web containers just aren't as good under silly load
>>>>>> conditions.
>>>>>> 3/ URL rewrite
>>>>>>       E.g don't need /dataset/query - can be any URL you like.
>>>>>> 4/ Security
>>>>>>       integrate with local systems; rich choice of controls.
>>>>>>       Control who and what can update
>>>>>>       No need to restart for shiro changes.
>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>
>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>> network
>>>>>> interface. In an environment like AWS, where port control is easy,
>>>>>> it's
>>>>>> trivial to secure the Fuseki server to only talk to the local reverse
>>>>>> proxy
>>>>>> by blocking all ports except (22 and) 80+443.
>>>>>>
>>>>>>            Andy
>>>>>>
>>>>>>
>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I checked more carefully (should have done that before replying) and
>>>>>>> it
>>>>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using a
>>>>>>> Jetty
>>>>>>> configuration that supports HTTPS:
>>>>>>>
>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty
>>>>>>> XML
>>>>>>> file
>>>>>>>
>>>>>>> ---
>>>>>>> A. Soroka
>>>>>>> The University of Virginia Library
>>>>>>>
>>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>>
>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>> or
>>>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or
>>>>>>>> 2?
>>>>>>>>
>>>>>>>> If the former, you will need to supply configuration specific to that
>>>>>>>> container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>> Overflow
>>>>>>>> answer for it:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>
>>>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>>>> configuration (Jetty is the servlet container that the Fuseki command
>>>>>>>> uses).
>>>>>>>> For Fuseki 2, I think it is still under development? You could use a
>>>>>>>> reverse
>>>>>>>> proxy in front of Fuseki, in that case.
>>>>>>>>
>>>>>>>> ---
>>>>>>>> A. Soroka
>>>>>>>> The University of Virginia Library
>>>>>>>>
>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>> any guidelines online to setting up
>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>
>>>>>>>>> Jason
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Thanks. So I can still use the "--jetty-config" option with Fuseki v2.30 ?

J

On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <an...@apache.org> wrote:
> On 20/08/15 21:24, Jason Levitt wrote:
>>
>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>
>> J
>
>
> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>
> ==> Jetty 9.1.1.v20140108
>
>         Andy
>
>
>>
>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>>>
>>> The Jetty documentation is the best place to go for details of setting up
>>> Jetty.
>>>
>>> Here's one in the examples/ area but as far as I can tell it's more in
>>> the
>>> category of "should work" (it is from Fuseki1 and that was a different
>>> version of Jetty) rather than tested.
>>>
>>>
>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>
>>> If you, or anyone else, has a better example - please send it.
>>>
>>>          Andy
>>>
>>>
>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>
>>>>
>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>> only talks to internal machines so there
>>>> is no need to protect it from external exposure.  So that means that
>>>> the easiest way is to use the
>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>>> what the options are for that
>>>> config file (e.g. what goes into the config file)?
>>>>
>>>> J
>>>>
>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>>
>>>>>
>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>> several
>>>>> things and while there is nothing that forces a reverse proxy, the
>>>>> weight
>>>>> of
>>>>> features can mean it's a useful and flexible thing to put into a
>>>>> production
>>>>> system.
>>>>>
>>>>> 1/ Blocking undesirable clients
>>>>>      (manic crawlers, badly written PHP scripts)
>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>      Java web containers just aren't as good under silly load
>>>>> conditions.
>>>>> 3/ URL rewrite
>>>>>      E.g don't need /dataset/query - can be any URL you like.
>>>>> 4/ Security
>>>>>      integrate with local systems; rich choice of controls.
>>>>>      Control who and what can update
>>>>>      No need to restart for shiro changes.
>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>
>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>> network
>>>>> interface. In an environment like AWS, where port control is easy,
>>>>> it's
>>>>> trivial to secure the Fuseki server to only talk to the local reverse
>>>>> proxy
>>>>> by blocking all ports except (22 and) 80+443.
>>>>>
>>>>>           Andy
>>>>>
>>>>>
>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> I checked more carefully (should have done that before replying) and
>>>>>> it
>>>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using a
>>>>>> Jetty
>>>>>> configuration that supports HTTPS:
>>>>>>
>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty
>>>>>> XML
>>>>>> file
>>>>>>
>>>>>> ---
>>>>>> A. Soroka
>>>>>> The University of Virginia Library
>>>>>>
>>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>>> <aj...@email.virginia.edu> wrote:
>>>>>>
>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>> or
>>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or
>>>>>>> 2?
>>>>>>>
>>>>>>> If the former, you will need to supply configuration specific to that
>>>>>>> container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>> Overflow
>>>>>>> answer for it:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>
>>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>>> configuration (Jetty is the servlet container that the Fuseki command
>>>>>>> uses).
>>>>>>> For Fuseki 2, I think it is still under development? You could use a
>>>>>>> reverse
>>>>>>> proxy in front of Fuseki, in that case.
>>>>>>>
>>>>>>> ---
>>>>>>> A. Soroka
>>>>>>> The University of Virginia Library
>>>>>>>
>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>> any guidelines online to setting up
>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>
>>>>>>>> Jason
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 20/08/15 21:24, Jason Levitt wrote:
> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>
> J

http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom

==> Jetty 9.1.1.v20140108

	Andy

>
> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
>> The Jetty documentation is the best place to go for details of setting up
>> Jetty.
>>
>> Here's one in the examples/ area but as far as I can tell it's more in the
>> category of "should work" (it is from Fuseki1 and that was a different
>> version of Jetty) rather than tested.
>>
>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>
>> If you, or anyone else, has a better example - please send it.
>>
>>          Andy
>>
>>
>> On 20/08/15 02:54, Jason Levitt wrote:
>>>
>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>> only talks to internal machines so there
>>> is no need to protect it from external exposure.  So that means that
>>> the easiest way is to use the
>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>> what the options are for that
>>> config file (e.g. what goes into the config file)?
>>>
>>> J
>>>
>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> Right.  In a production environment, a reverse proxy is useful for
>>>> several
>>>> things and while there is nothing that forces a reverse proxy, the weight
>>>> of
>>>> features can mean it's a useful and flexible thing to put into a
>>>> production
>>>> system.
>>>>
>>>> 1/ Blocking undesirable clients
>>>>      (manic crawlers, badly written PHP scripts)
>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>      Java web containers just aren't as good under silly load conditions.
>>>> 3/ URL rewrite
>>>>      E.g don't need /dataset/query - can be any URL you like.
>>>> 4/ Security
>>>>      integrate with local systems; rich choice of controls.
>>>>      Control who and what can update
>>>>      No need to restart for shiro changes.
>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>> 6/ https (can be expensive so a C-implementation can help)
>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>> 8/ Lots of Q&A on stackoverflow!
>>>>
>>>> Fuseki has "--localhost" to only talk to the machine's localhost network
>>>> interface. In an environment like AWS, where port control is easy, it's
>>>> trivial to secure the Fuseki server to only talk to the local reverse
>>>> proxy
>>>> by blocking all ports except (22 and) 80+443.
>>>>
>>>>           Andy
>>>>
>>>>
>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>
>>>>>
>>>>> I checked more carefully (should have done that before replying) and it
>>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using a
>>>>> Jetty
>>>>> configuration that supports HTTPS:
>>>>>
>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML
>>>>> file
>>>>>
>>>>> ---
>>>>> A. Soroka
>>>>> The University of Virginia Library
>>>>>
>>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>>> <aj...@email.virginia.edu> wrote:
>>>>>
>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or
>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or
>>>>>> 2?
>>>>>>
>>>>>> If the former, you will need to supply configuration specific to that
>>>>>> container. If the latter and it is Fuseki 1, there is a Stack Overflow
>>>>>> answer for it:
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>
>>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>>> configuration (Jetty is the servlet container that the Fuseki command
>>>>>> uses).
>>>>>> For Fuseki 2, I think it is still under development? You could use a
>>>>>> reverse
>>>>>> proxy in front of Fuseki, in that case.
>>>>>>
>>>>>> ---
>>>>>> A. Soroka
>>>>>> The University of Virginia Library
>>>>>>
>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>> any guidelines online to setting up
>>>>>>> Fuseki for HTTPS access?
>>>>>>>
>>>>>>> Jason
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Which version of Jetty does Fuseki 2.30 (the latest version) use?

J

On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <an...@apache.org> wrote:
> The Jetty documentation is the best place to go for details of setting up
> Jetty.
>
> Here's one in the examples/ area but as far as I can tell it's more in the
> category of "should work" (it is from Fuseki1 and that was a different
> version of Jetty) rather than tested.
>
> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>
> If you, or anyone else, has a better example - please send it.
>
>         Andy
>
>
> On 20/08/15 02:54, Jason Levitt wrote:
>>
>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>> only talks to internal machines so there
>> is no need to protect it from external exposure.  So that means that
>> the easiest way is to use the
>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>> what the options are for that
>> config file (e.g. what goes into the config file)?
>>
>> J
>>
>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>>>
>>> Right.  In a production environment, a reverse proxy is useful for
>>> several
>>> things and while there is nothing that forces a reverse proxy, the weight
>>> of
>>> features can mean it's a useful and flexible thing to put into a
>>> production
>>> system.
>>>
>>> 1/ Blocking undesirable clients
>>>     (manic crawlers, badly written PHP scripts)
>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>     Java web containers just aren't as good under silly load conditions.
>>> 3/ URL rewrite
>>>     E.g don't need /dataset/query - can be any URL you like.
>>> 4/ Security
>>>     integrate with local systems; rich choice of controls.
>>>     Control who and what can update
>>>     No need to restart for shiro changes.
>>> 5/ Rate control (e.g. no more than N queries at a time)
>>> 6/ https (can be expensive so a C-implementation can help)
>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>> 8/ Lots of Q&A on stackoverflow!
>>>
>>> Fuseki has "--localhost" to only talk to the machine's localhost network
>>> interface. In an environment like AWS, where port control is easy, it's
>>> trivial to secure the Fuseki server to only talk to the local reverse
>>> proxy
>>> by blocking all ports except (22 and) 80+443.
>>>
>>>          Andy
>>>
>>>
>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>
>>>>
>>>> I checked more carefully (should have done that before replying) and it
>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using a
>>>> Jetty
>>>> configuration that supports HTTPS:
>>>>
>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML
>>>> file
>>>>
>>>> ---
>>>> A. Soroka
>>>> The University of Virginia Library
>>>>
>>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>>> <aj...@email.virginia.edu> wrote:
>>>>
>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or
>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or
>>>>> 2?
>>>>>
>>>>> If the former, you will need to supply configuration specific to that
>>>>> container. If the latter and it is Fuseki 1, there is a Stack Overflow
>>>>> answer for it:
>>>>>
>>>>>
>>>>>
>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>
>>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>>> configuration (Jetty is the servlet container that the Fuseki command
>>>>> uses).
>>>>> For Fuseki 2, I think it is still under development? You could use a
>>>>> reverse
>>>>> proxy in front of Fuseki, in that case.
>>>>>
>>>>> ---
>>>>> A. Soroka
>>>>> The University of Virginia Library
>>>>>
>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>> any guidelines online to setting up
>>>>>> Fuseki for HTTPS access?
>>>>>>
>>>>>> Jason
>>>>>
>>>>>
>>>>>
>>>>
>>>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
The Jetty documentation is the best place to go for details of setting 
up Jetty.

Here's one in the examples/ area but as far as I can tell it's more in
the category of "should work" (it is from Fuseki1 and that was a
different version of Jetty) rather than tested.

https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml

If you, or anyone else, has a better example - please send it.

	Andy

On 20/08/15 02:54, Jason Levitt wrote:
> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
> only talks to internal machines so there
> is no need to protect it from external exposure.  So that means that
> the easiest way is to use the
> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
> what the options are for that
> config file (e.g. what goes into the config file)?
>
> J
>
> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
>> Right.  In a production environment, a reverse proxy is useful for several
>> things and while there is nothing that forces a reverse proxy, the weight of
>> features can mean it's a useful and flexible thing to put into a production
>> system.
>>
>> 1/ Blocking undesirable clients
>>     (manic crawlers, badly written PHP scripts)
>> 2/ more robust to DOS attacks (and accidental attacks)
>>     Java web containers just aren't as good under silly load conditions.
>> 3/ URL rewrite
>>     E.g don't need /dataset/query - can be any URL you like.
>> 4/ Security
>>     integrate with local systems; rich choice of controls.
>>     Control who and what can update
>>     No need to restart for shiro changes.
>> 5/ Rate control (e.g. no more than N queries at a time)
>> 6/ https (can be expensive so a C-implementation can help)
>> 7/ Lots of add-ons and mods for all sorts of tasks.
>> 8/ Lots of Q&A on stackoverflow!
>>
>> Fuseki has "--localhost" to only talk to the machine's localhost network
>> interface. In an environment like AWS, where port control is easy, it's
>> trivial to secure the Fuseki server to only talk to the local reverse proxy
>> by blocking all ports except (22 and) 80+443.
>>
>>          Andy
>>
>>
>> On 18/08/15 20:21, A. Soroka wrote:
>>>
>>> I checked more carefully (should have done that before replying) and it
>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using a Jetty
>>> configuration that supports HTTPS:
>>>
>>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML
>>> file
>>>
>>> ---
>>> A. Soroka
>>> The University of Virginia Library
>>>
>>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>>> <aj...@email.virginia.edu> wrote:
>>>
>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or
>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or 2?
>>>>
>>>> If the former, you will need to supply configuration specific to that
>>>> container. If the latter and it is Fuseki 1, there is a Stack Overflow
>>>> answer for it:
>>>>
>>>>
>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>
>>>> but the links seem to be dead. The idea is to supply your own Jetty
>>>> configuration (Jetty is the servlet container that the Fuseki command uses).
>>>> For Fuseki 2, I think it is still under development? You could use a reverse
>>>> proxy in front of Fuseki, in that case.
>>>>
>>>> ---
>>>> A. Soroka
>>>> The University of Virginia Library
>>>>
>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com> wrote:
>>>>
>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>> any guidelines online to setting up
>>>>> Fuseki for HTTPS access?
>>>>>
>>>>> Jason
>>>>
>>>>
>>>
>>


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
We're in an AWS environment using Fuseki 2 with built-in Jetty. It
only talks to internal machines so there
is no need to protect it from external exposure.  So that means that
the easiest way is to use the
`--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
what the options are for that
config file (e.g. what goes into the config file)?

J

On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <an...@apache.org> wrote:
> Right.  In a production environment, a reverse proxy is useful for several
> things and while there is nothing that forces a reverse proxy, the weight of
> features can mean it's a useful and flexible thing to put into a production
> system.
>
> 1/ Blocking undesirable clients
>    (manic crawlers, badly written PHP scripts)
> 2/ more robust to DOS attacks (and accidental attacks)
>    Java web containers just aren't as good under silly load conditions.
> 3/ URL rewrite
>    E.g don't need /dataset/query - can be any URL you like.
> 4/ Security
>    integrate with local systems; rich choice of controls.
>    Control who and what can update
>    No need to restart for shiro changes.
> 5/ Rate control (e.g. no more than N queries at a time)
> 6/ https (can be expensive so a C-implementation can help)
> 7/ Lots of add-ons and mods for all sorts of tasks.
> 8/ Lots of Q&A on stackoverflow!
>
> Fuseki has "--localhost" to only talk to the machine's localhost network
> interface. In an environment like AWS, where port control is easy, it's
> trivial to secure the Fuseki server to only talk to the local reverse proxy
> by blocking all ports except (22 and) 80+443.
>
>         Andy
>
>
> On 18/08/15 20:21, A. Soroka wrote:
>>
>> I checked more carefully (should have done that before replying) and it
>> seems that Fuseki 2 also offers the `--jetty-config` flag for using a Jetty
>> configuration that supports HTTPS:
>>
>> --jetty-config=FILE    Set up the server (not services) with a Jetty XML
>> file
>>
>> ---
>> A. Soroka
>> The University of Virginia Library
>>
>> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu
>> <aj...@email.virginia.edu> wrote:
>>
>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or
>>> Jetty) or using the server included with Fuseki and is it Fuseki 1 or 2?
>>>
>>> If the former, you will need to supply configuration specific to that
>>> container. If the latter and it is Fuseki 1, there is a Stack Overflow
>>> answer for it:
>>>
>>>
>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>
>>> but the links seem to be dead. The idea is to supply your own Jetty
>>> configuration (Jetty is the servlet container that the Fuseki command uses).
>>> For Fuseki 2, I think it is still under development? You could use a reverse
>>> proxy in front of Fuseki, in that case.
>>>
>>> ---
>>> A. Soroka
>>> The University of Virginia Library
>>>
>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com> wrote:
>>>
>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>> any guidelines online to setting up
>>>> Fuseki for HTTPS access?
>>>>
>>>> Jason
>>>
>>>
>>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
Right.  In a production environment, a reverse proxy is useful for 
several things and while there is nothing that forces a reverse proxy,
the weight of features can mean it's a useful and flexible thing to put 
into a production system.

1/ Blocking undesirable clients
    (manic crawlers, badly written PHP scripts)
2/ more robust to DOS attacks (and accidental attacks)
    Java web containers just aren't as good under silly load conditions.
3/ URL rewrite
    E.g don't need /dataset/query - can be any URL you like.
4/ Security
    integrate with local systems; rich choice of controls.
    Control who and what can update
    No need to restart for shiro changes.
5/ Rate control (e.g. no more than N queries at a time)
6/ https (can be expensive so a C-implementation can help)
7/ Lots of add-ons and mods for all sorts of tasks.
8/ Lots of Q&A on stackoverflow!

Fuseki has "--localhost" to only talk to the machine's localhost network 
interface. In an environment like AWS, where port control is easy,
it's trivial to secure the Fuseki server to only talk to the local 
reverse proxy by blocking all ports except (22 and) 80+443.

	Andy

On 18/08/15 20:21, A. Soroka wrote:
> I checked more carefully (should have done that before replying) and it seems that Fuseki 2 also offers the `--jetty-config` flag for using a Jetty configuration that supports HTTPS:
>
> --jetty-config=FILE    Set up the server (not services) with a Jetty XML file
>
> ---
> A. Soroka
> The University of Virginia Library
>
> On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu <aj...@email.virginia.edu> wrote:
>
>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or Jetty) or using the server included with Fuseki and is it Fuseki 1 or 2?
>>
>> If the former, you will need to supply configuration specific to that container. If the latter and it is Fuseki 1, there is a Stack Overflow answer for it:
>>
>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>
>> but the links seem to be dead. The idea is to supply your own Jetty configuration (Jetty is the servlet container that the Fuseki command uses). For Fuseki 2, I think it is still under development? You could use a reverse proxy in front of Fuseki, in that case.
>>
>> ---
>> A. Soroka
>> The University of Virginia Library
>>
>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com> wrote:
>>
>>> Sorry if this is a FAQ, but I'm wondering if there are
>>> any guidelines online to setting up
>>> Fuseki for HTTPS access?
>>>
>>> Jason
>>
>


Re: Fuseki over HTTPS?

Posted by "A. Soroka" <aj...@virginia.edu>.
I checked more carefully (should have done that before replying) and it seems that Fuseki 2 also offers the `--jetty-config` flag for using a Jetty configuration that supports HTTPS:

--jetty-config=FILE    Set up the server (not services) with a Jetty XML file

---
A. Soroka
The University of Virginia Library

On Aug 18, 2015, at 10:34 AM, ajs6f@virginia.edu <aj...@email.virginia.edu> wrote:

> Are you deploying Fuseki to your own servlet container (e.g. Tomcat or Jetty) or using the server included with Fuseki and is it Fuseki 1 or 2?
> 
> If the former, you will need to supply configuration specific to that container. If the latter and it is Fuseki 1, there is a Stack Overflow answer for it:
> 
> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
> 
> but the links seem to be dead. The idea is to supply your own Jetty configuration (Jetty is the servlet container that the Fuseki command uses). For Fuseki 2, I think it is still under development? You could use a reverse proxy in front of Fuseki, in that case.
> 
> ---
> A. Soroka
> The University of Virginia Library
> 
> On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com> wrote:
> 
>> Sorry if this is a FAQ, but I'm wondering if there are
>> any guidelines online to setting up
>> Fuseki for HTTPS access?
>> 
>> Jason
> 


Re: Fuseki over HTTPS?

Posted by "ajs6f@virginia.edu" <aj...@virginia.edu>.
Are you deploying Fuseki to your own servlet container (e.g. Tomcat or Jetty) or using the server included with Fuseki and is it Fuseki 1 or 2?

If the former, you will need to supply configuration specific to that container. If the latter and it is Fuseki 1, there is a Stack Overflow answer for it:

https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server

but the links seem to be dead. The idea is to supply your own Jetty configuration (Jetty is the servlet container that the Fuseki command uses). For Fuseki 2, I think it is still under development? You could use a reverse proxy in front of Fuseki, in that case.

---
A. Soroka
The University of Virginia Library

On Aug 17, 2015, at 7:07 PM, Jason Levitt <sl...@gmail.com> wrote:

> Sorry if this is a FAQ, but I'm wondering if there are
> any guidelines online to setting up
> Fuseki for HTTPS access?
> 
> Jason


Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 14/09/15 03:32, Jason Levitt wrote:
> Ok. So there's no way to just do an official 2.3.1 release of Fuseki
> with the Jetty upgrade?

Jena is open source.  It's not open source if you can't make 
modifications and derived works.

You can:

+ Take the last release, switch the Jetty versions, build.
+ Clone from git, build.

Open source at Apache is produced by the community.  Most people are not 
paid to work on it (you work for a commercial company).

In the Jena project, we try to run with the master branch passing all 
the tests and being fit for release.

The Jena release process

   https://cwiki.apache.org/confluence/display/JENA/Release+Process

does not have any extra testing steps on top of development.


	Andy

> Cheers,
>
> J
>
> On Sun, Sep 13, 2015 at 11:22 AM, Andy Seaborne <an...@apache.org> wrote:
>> s/Netty/Jetty/ :-)
>>
>> Generally, releases are every 3 to 6 months depending on someone stepping
>> forward to do them.  Jena 3.0.0 was end of July.
>>
>>          Andy
>>
>>
>> On 12/09/15 04:54, Jason Levitt wrote:
>>>
>>> Andy,
>>>
>>>      When do you officially plan to release Fuseki 2.3.1 with Netty
>>> updated?
>>>
>>> Cheers,
>>>
>>> J
>>>
>>> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>
>>>> After exchanging intact XML files offlist, Jason and I managed to get a
>>>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>>>> updates to Jetty 9.3.3:
>>>>
>>>> This should be taken as an example, not the definitive setup.
>>>>
>>>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>>>
>>>> Improvements and verification very welcome.
>>>>
>>>>           Andy
>>
>>


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Ok. So there's no way to just do an official 2.3.1 release of Fuseki
with the Jetty upgrade?

Cheers,

J

On Sun, Sep 13, 2015 at 11:22 AM, Andy Seaborne <an...@apache.org> wrote:
> s/Netty/Jetty/ :-)
>
> Generally, releases are every 3 to 6 months depending on someone stepping
> forward to do them.  Jena 3.0.0 was end of July.
>
>         Andy
>
>
> On 12/09/15 04:54, Jason Levitt wrote:
>>
>> Andy,
>>
>>     When do you officially plan to release Fuseki 2.3.1 with Netty
>> updated?
>>
>> Cheers,
>>
>> J
>>
>> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>>>
>>> After exchanging intact XML files offlist, Jason and I managed to get a
>>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>>> updates to Jetty 9.3.3:
>>>
>>> This should be taken as an example, not the definitive setup.
>>>
>>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>>
>>> Improvements and verification very welcome.
>>>
>>>          Andy
>
>

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
s/Netty/Jetty/ :-)

Generally, releases are every 3 to 6 months depending on someone 
stepping forward to do them.  Jena 3.0.0 was end of July.

	Andy

On 12/09/15 04:54, Jason Levitt wrote:
> Andy,
>
>     When do you officially plan to release Fuseki 2.3.1 with Netty updated?
>
> Cheers,
>
> J
>
> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>> After exchanging intact XML files offlist, Jason and I managed to get a
>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>> updates to Jetty 9.3.3:
>>
>> This should be taken as an example, not the definitive setup.
>>
>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>
>> Improvements and verification very welcome.
>>
>>          Andy


Re: Fuseki over HTTPS?

Posted by Rob Vesse <rv...@dotnetrdf.org>.
The JVM manages its own key store and certificate chains separately from
those managed by your browser(s) and/or OS

Thus you may need to obtain the root certificates for your CA (which
should be readily available) and add them to the JVM key store

Digicert's appear to be available at
https://www.digicert.com/digicert-root-certificates.htm

Rob

On 14/09/2015 16:04, "Jason Levitt" <sl...@gmail.com> wrote:

>It's a Digicert wildcard certificate that's paid for, valid, and
>actively used for several
>domains (e.g.  xxxx.mysite.com, yyyy.mysite.com, etc..).  As I pointed
>out, the latest
>versions of Chrome and Firefox show the certificate as perfectly valid
>when I
>browse to the fuseki admin app at  https://fuseki.mysite.com:8443
>
>So, maybe the question is: what's the difference between a web browser
>client and
>a Java 8 client trying to connect over SSL?  Does a Java 8 client
>require some special
>configuration to connect over SSL?
>
>J
>
>---------- Forwarded message ----------
>From: Rob Vesse <rv...@dotnetrdf.org>
>Date: Mon, Sep 14, 2015 at 3:47 AM
>Subject: Re: Fuseki over HTTPS?
>To: users@jena.apache.org
>
>
>Basically the certificate is not trusted, most likely because you created
>a self signed certificate
>
>I have a repo at https://bitbucket.org/rvesse/java-ssl-helper/overview
>which has some useful scripts for configuring the JVM keystore on *nix/OS
>X based systems
>
>Rob
>
>On 13/09/2015 17:19, "Andy Seaborne" <an...@apache.org> wrote:
>
>>
>>On 12/09/15 05:23, Jason Levitt wrote:
>>> As I mentioned, I have Fuseki running using SSL with a valid
>>>certificate.
>>>
>>> However, when I try to access the site remotely, using the Jena libs,
>>> I get the exception below.
>>
>>http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find
>>
>>https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification
>>
>>?
>>
>>       Andy
>>>
>>> Firefox shows that the endpoint (via the admin app) is a valid
>>> Digicert certificate.
>>>
>>> Is there something missing in the Jena API handshake?
>>>
>>> org.apache.jena.atlas.web.HttpException:
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find valid certification path to requested target
>>> at org.apache.jena.riot.web.HttpOp.exec(HttpOp.java:1125)
>>> at org.apache.jena.riot.web.HttpOp.execHttpHead(HttpOp.java:1039)
>>> at org.apache.jena.web.DatasetGraphAccessorHTTP.doHead(DatasetGraphAccessorHTTP.java:156)
>>> at org.apache.jena.web.DatasetGraphAccessorHTTP.httpHead(DatasetGraphAccessorHTTP.java:150)
>>> at org.apache.jena.web.DatasetAdapter.containsModel(DatasetAdapter.java:56)
>>> ...
>>> ...
>>> ....
>>> ...
>>> ...
>>>
>>>
>>> On Fri, Sep 11, 2015 at 10:54 PM, Jason Levitt <sl...@gmail.com>
>>>wrote:
>>>> Andy,
>>>>
>>>>     When do you officially plan to release Fuseki 2.3.1 with Netty
>>>>updated?
>>>>
>>>> Cheers,
>>>>
>>>> J
>>>>
>>>> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>>>>> After exchanging intact XML files offlist, Jason and I managed to get
>>>>>a
>>>>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after
>>>>>the
>>>>> updates to Jetty 9.3.3:
>>>>>
>>>>> This should be taken as an example, not the definitive setup.
>>>>>
>>>>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>>>>
>>>>> Improvements and verification very welcome.
>>>>>
>>>>>          Andy
>>
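
The question in this exchange (why a browser accepts the certificate while a Java client fails with "PKIX path building failed") can be checked directly from the client JVM. The probe below is an added example, not code from the thread or from the Jena project: it records the chain the server presents and compares it with the CA subjects in that JVM's default trust store. The class name `TrustCheck` and its host/port arguments are assumptions for illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical diagnostic (name and CLI are assumptions): java TrustCheck <host> <port> */
public class TrustCheck {

    /** Records the chain the server presents, then lets the JVM's own trust manager decide. */
    static final class Recording implements X509TrustManager {
        private final X509TrustManager jvmDefault;
        X509Certificate[] presented = new X509Certificate[0];

        Recording(X509TrustManager jvmDefault) { this.jvmDefault = jvmDefault; }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain.clone();
            jvmDefault.checkServerTrusted(chain, authType); // still rejects untrusted chains
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            jvmDefault.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
    }

    /** The trust manager this JVM uses when the application configures nothing itself. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = javax.net.ssl.trustStore, else jssecacerts/cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Explains a failure by comparing the presented chain with the JVM's CA subjects. */
    static String diagnose(X509Certificate[] chain, Set<X500Principal> anchors) {
        if (chain.length == 0) return "no certificate chain was received (failure before validation)";
        X509Certificate top = chain[chain.length - 1]; // leaf comes first, so this is the highest cert sent
        boolean selfIssued = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        // Subject-name match only: a quick indicator, not a full signature check.
        if (anchors.contains(top.getIssuerX500Principal()))
            return "issuer of the top certificate is known to this JVM; look at expiry or revocation instead";
        if (chain.length == 1 && selfIssued)
            return "server certificate is self-signed and not in this JVM's trust store";
        if (selfIssued)
            return "chain ends in a root CA that this JVM's trust store does not contain";
        return "issuer of the top certificate is not in this JVM's trust store: "
             + "the root is missing there, or the server does not send an intermediate";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustCheck <host> <port>");
            return;
        }
        X509TrustManager jvmDefault = defaultTrustManager();
        Recording recording = new Recording(jvmDefault);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);

        boolean trusted = false;
        // Path building only: this probe does not verify the hostname.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            trusted = true;
        } catch (SSLException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }

        Set<X500Principal> anchors = new HashSet<>();
        for (X509Certificate ca : jvmDefault.getAcceptedIssuers()) {
            anchors.add(ca.getSubjectX500Principal());
        }
        System.out.println("java.home = " + System.getProperty("java.home")
                + ", CA subjects trusted by this JVM: " + anchors.size());
        for (int i = 0; i < recording.presented.length; i++) {
            X509Certificate c = recording.presented[i];
            System.out.println("[" + i + "] subject=" + c.getSubjectX500Principal().getName()
                    + "\n    issuer =" + c.getIssuerX500Principal().getName()
                    + "\n    expires=" + c.getNotAfter());
        }
        System.out.println(trusted ? "Result: this JVM trusts the presented chain."
                                   : "Result: " + diagnose(recording.presented, anchors));
    }
}
```

Run it with the same JVM (and the same `javax.net.ssl.trustStore` setting, if any) as the failing Jena client, since each Java installation carries its own trust store. If the result names a missing root, that CA certificate can be imported with `keytool -importcert` as described above.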





Fwd: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
It's a Digicert wildcard certificate that's paid for, valid, and
actively used for several
domains (e.g.  xxxx.mysite.com, yyyy.mysite.com, etc..).  As I pointed
out, the latest
versions of Chrome and Firefox show the certificate as perfectly valid when I
browse to the fuseki admin app at  https://fuseki.mysite.com:8443

So, maybe the question is: what's the difference between a web browser
client and
a Java 8 client trying to connect over SSL?  Does a Java 8 client
require some special
configuration to connect over SSL?

J

---------- Forwarded message ----------
From: Rob Vesse <rv...@dotnetrdf.org>
Date: Mon, Sep 14, 2015 at 3:47 AM
Subject: Re: Fuseki over HTTPS?
To: users@jena.apache.org


Basically the certificate is not trusted, most likely because you created
a self signed certificate

I have a repo at https://bitbucket.org/rvesse/java-ssl-helper/overview
which has some useful scripts for configuring the JVM keystore on *nix/OS
X based systems

Rob

On 13/09/2015 17:19, "Andy Seaborne" <an...@apache.org> wrote:

>
>On 12/09/15 05:23, Jason Levitt wrote:
>> As I mentioned, I have Fuseki running using SSL with a valid
>>certificate.
>>
>> However, when I try to access the site remotely, using the Jena libs,
>> I get the exception below.
>
>http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find
>
>https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification
>
>?
>
>       Andy
>>
>> Firefox shows that the endpoint (via the admin app) is a valid
>> Digicert certificate.
>>
>> Is there something missing in the Jena API handshake?
>>
>> org.apache.jena.atlas.web.HttpException:
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>> at org.apache.jena.riot.web.HttpOp.exec(HttpOp.java:1125)
>> at org.apache.jena.riot.web.HttpOp.execHttpHead(HttpOp.java:1039)
>> at org.apache.jena.web.DatasetGraphAccessorHTTP.doHead(DatasetGraphAccessorHTTP.java:156)
>> at org.apache.jena.web.DatasetGraphAccessorHTTP.httpHead(DatasetGraphAccessorHTTP.java:150)
>> at org.apache.jena.web.DatasetAdapter.containsModel(DatasetAdapter.java:56)
>> ...
>> ...
>> ....
>> ...
>> ...
>>
>>
>> On Fri, Sep 11, 2015 at 10:54 PM, Jason Levitt <sl...@gmail.com>
>>wrote:
>>> Andy,
>>>
>>>     When do you officially plan to release Fuseki 2.3.1 with Netty
>>>updated?
>>>
>>> Cheers,
>>>
>>> J
>>>
>>> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>>>> After exchanging intact XML files offlist, Jason and I managed to get
>>>>a
>>>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after
>>>>the
>>>> updates to Jetty 9.3.3:
>>>>
>>>> This should be taken as an example, not the definitive setup.
>>>>
>>>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>>>
>>>> Improvements and verification very welcome.
>>>>
>>>>          Andy
>

Re: Fuseki over HTTPS?

Posted by Rob Vesse <rv...@dotnetrdf.org>.
Basically the certificate is not trusted, most likely because you created
a self signed certificate

I have a repo at https://bitbucket.org/rvesse/java-ssl-helper/overview
which has some useful scripts for configuring the JVM keystore on *nix/OS
X based systems

Rob

On 13/09/2015 17:19, "Andy Seaborne" <an...@apache.org> wrote:

>
>On 12/09/15 05:23, Jason Levitt wrote:
>> As I mentioned, I have Fuseki running using SSL with a valid certificate.
>>
>> However, when I try to access the site remotely, using the Jena libs,
>> I get the exception below.
>
>http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find
>
>https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification
>
>?
>
>	Andy
>>
>> Firefox shows that the endpoint (via the admin app) is a valid
>> Digicert certificate.
>>
>> Is there something missing in the Jena API handshake?
>>
>> org.apache.jena.atlas.web.HttpException:
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>> at org.apache.jena.riot.web.HttpOp.exec(HttpOp.java:1125)
>> at org.apache.jena.riot.web.HttpOp.execHttpHead(HttpOp.java:1039)
>> at org.apache.jena.web.DatasetGraphAccessorHTTP.doHead(DatasetGraphAccessorHTTP.java:156)
>> at org.apache.jena.web.DatasetGraphAccessorHTTP.httpHead(DatasetGraphAccessorHTTP.java:150)
>> at org.apache.jena.web.DatasetAdapter.containsModel(DatasetAdapter.java:56)
>> ...
>> ...
>> ....
>> ...
>> ...
>>
>>
>> On Fri, Sep 11, 2015 at 10:54 PM, Jason Levitt <sl...@gmail.com> wrote:
>>> Andy,
>>>
>>>     When do you officially plan to release Fuseki 2.3.1 with Netty updated?
>>>
>>> Cheers,
>>>
>>> J
>>>
>>> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>>>> After exchanging intact XML files offlist, Jason and I managed to get a
>>>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>>>> updates to Jetty 9.3.3:
>>>>
>>>> This should be taken as an example, not the definitive setup.
>>>>
>>>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>>>
>>>> Improvements and verification very welcome.
>>>>
>>>>          Andy
>
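
The "PKIX path building failed" error in this thread can be narrowed down by looking at the certificate chain the server actually sends and asking the JVM's own trust store about it. The following is an added example, not code from the thread or from Jena; the class name ChainCheck and the default host fuseki.example.org are placeholders, and port 8443 is assumed as the HTTPS port.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added diagnostic, not code from the thread. Host and port defaults are placeholders.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "fuseki.example.org";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        // Trust anchors this JVM uses by default (cacerts, or -Djavax.net.ssl.trustStore).
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jvm = (X509TrustManager) tmf.getTrustManagers()[0];

        // Record the chain the server sends, then delegate: validation is not weakened.
        final X509Certificate[][] sent = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jvm.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                sent[0] = c;
                jvm.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        String verdict = "chain accepted by this JVM (hostname not checked here)";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLException e) {
            verdict = "REJECTED: " + e.getMessage();
        }
        if (sent[0] == null) { System.out.println("no chain received; " + verdict); return; }
        for (int i = 0; i < sent[0].length; i++) {
            System.out.println("[" + i + "] subject: " + sent[0][i].getSubjectX500Principal());
            System.out.println("    issuer:  " + sent[0][i].getIssuerX500Principal());
        }
        X509Certificate top = sent[0][sent[0].length - 1];
        boolean selfIssued = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        System.out.println(sent[0].length + " certificate(s) sent; last one self-issued: " + selfIssued);
        System.out.println(verdict);
    }
}
```

A single self-issued certificate is the self-signed case; a lone leaf whose issuer is an intermediate CA means the server is not sending its intermediates, which a browser may tolerate and the JVM does not. A complete chain that is still rejected points at the trust store of the JVM running the client.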





Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 12/09/15 05:23, Jason Levitt wrote:
> As I mentioned, I have Fuseki running using SSL with a valid certificate.
>
> However, when I try to access the site remotely, using the Jena libs,
> I get the exception below.

http://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find

https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification

?

	Andy
>
> Firefox shows that the endpoint (via the admin app) is a valid
> Digicert certificate.
>
> Is there something missing in the Jena API handshake?
>
> org.apache.jena.atlas.web.HttpException:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at org.apache.jena.riot.web.HttpOp.exec(HttpOp.java:1125)
> at org.apache.jena.riot.web.HttpOp.execHttpHead(HttpOp.java:1039)
> at org.apache.jena.web.DatasetGraphAccessorHTTP.doHead(DatasetGraphAccessorHTTP.java:156)
> at org.apache.jena.web.DatasetGraphAccessorHTTP.httpHead(DatasetGraphAccessorHTTP.java:150)
> at org.apache.jena.web.DatasetAdapter.containsModel(DatasetAdapter.java:56)
> ...
> ...
> ....
> ...
> ...
>
>
> On Fri, Sep 11, 2015 at 10:54 PM, Jason Levitt <sl...@gmail.com> wrote:
>> Andy,
>>
>>     When do you officially plan to release Fuseki 2.3.1 with Netty updated?
>>
>> Cheers,
>>
>> J
>>
>> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>>> After exchanging intact XML files offlist, Jason and I managed to get a
>>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>>> updates to Jetty 9.3.3:
>>>
>>> This should be taken as an example, not the definitive setup.
>>>
>>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>>
>>> Improvements and verification very welcome.
>>>
>>>          Andy


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
As I mentioned, I have Fuseki running using SSL with a valid certificate.

However, when I try to access the site remotely, using the Jena libs,
I get the exception below.

Firefox shows that the endpoint (via the admin app) is a valid
Digicert certificate.

Is there something missing in the Jena API handshake?

org.apache.jena.atlas.web.HttpException:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at org.apache.jena.riot.web.HttpOp.exec(HttpOp.java:1125)
at org.apache.jena.riot.web.HttpOp.execHttpHead(HttpOp.java:1039)
at org.apache.jena.web.DatasetGraphAccessorHTTP.doHead(DatasetGraphAccessorHTTP.java:156)
at org.apache.jena.web.DatasetGraphAccessorHTTP.httpHead(DatasetGraphAccessorHTTP.java:150)
at org.apache.jena.web.DatasetAdapter.containsModel(DatasetAdapter.java:56)
...
...
....
...
...


On Fri, Sep 11, 2015 at 10:54 PM, Jason Levitt <sl...@gmail.com> wrote:
> Andy,
>
>    When do you officially plan to release Fuseki 2.3.1 with Netty updated?
>
> Cheers,
>
> J
>
> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>> After exchanging intact XML files offlist, Jason and I managed to get a
>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>> updates to Jetty 9.3.3:
>>
>> This should be taken as an example, not the definitive setup.
>>
>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>
>> Improvements and verification very welcome.
>>
>>         Andy

Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Andy,

   When do you officially plan to release Fuseki 2.3.1 with Netty updated?

Cheers,

J

On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
> After exchanging intact XML files offlist, Jason and I managed to get a
> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
> updates to Jetty 9.3.3:
>
> This should be taken as an example, not the definitive setup.
>
> https://gist.github.com/afs/63a80512cdc55caf77d0
>
> Improvements and verification very welcome.
>
>         Andy

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
On 09/09/15 23:38, Jason Levitt wrote:
> Does the client that's sending queries to Fuseki have to do anything
> special to enable SSL (other than specifying the HTTPS endpoint)?

Don't think so.

	Andy

>
> J
>
> On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
>> After exchanging intact XML files offlist, Jason and I managed to get a
>> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
>> updates to Jetty 9.3.3:
>>
>> This should be taken as an example, not the definitive setup.
>>
>> https://gist.github.com/afs/63a80512cdc55caf77d0
>>
>> Improvements and verification very welcome.
>>
>>          Andy


Re: Fuseki over HTTPS?

Posted by Jason Levitt <sl...@gmail.com>.
Does the client that's sending queries to Fuseki have to do anything
special to enable SSL (other than specifying the HTTPS endpoint)?

J

On Sat, Sep 5, 2015 at 3:12 PM, Andy Seaborne <an...@apache.org> wrote:
> After exchanging intact XML files offlist, Jason and I managed to get a
> working Jetty configuration for HTTP+HTTPS to work with Fuseki after the
> updates to Jetty 9.3.3:
>
> This should be taken as an example, not the definitive setup.
>
> https://gist.github.com/afs/63a80512cdc55caf77d0
>
> Improvements and verification very welcome.
>
>         Andy

Re: Fuseki over HTTPS?

Posted by Andy Seaborne <an...@apache.org>.
After exchanging intact XML files offlist, Jason and I managed to get a 
working Jetty configuration for HTTP+HTTPS to work with Fuseki after the 
updates to Jetty 9.3.3:

This should be taken as an example, not the definitive setup.

https://gist.github.com/afs/63a80512cdc55caf77d0

Improvements and verification very welcome.

	Andy