From 3bc346869e7cfd27d281935d5c1de7ee67c89b56 Mon Sep 17 00:00:00 2001
From: Clement Escoffier <clement.escoffier@gmail.com>
Date: Mon, 27 Nov 2023 08:27:20 +0100
Subject: [PATCH] Mention how to disable the HTTP port

This is particularly important when mTLS is used.
---
 docs/src/main/asciidoc/http-reference.adoc          |  2 +-
 .../security-authentication-mechanisms.adoc         |  2 ++
 .../vertx/http/runtime/HttpBuildTimeConfig.java     | 13 ++++++++-----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/docs/src/main/asciidoc/http-reference.adoc b/docs/src/main/asciidoc/http-reference.adoc
index 100241d9118799..00b975459a5714 100644
--- a/docs/src/main/asciidoc/http-reference.adoc
+++ b/docs/src/main/asciidoc/http-reference.adoc
@@ -151,7 +151,7 @@ Refer to the xref:./management-interface-reference.adoc[management interface ref
 ====
 
 [[ssl]]
-== Supporting secure connections with SSL
+== Supporting secure connections with TLS/SSL
 
 In order to have Quarkus support secure connections, you must either provide a certificate and associated key file, or supply a keystore.
 
diff --git a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
index 108657ce55dc09..ca88b658a7e486 100644
--- a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
+++ b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
@@ -193,6 +193,7 @@ quarkus.http.ssl.certificate.trust-store-password=the_trust_store_secret
 quarkus.http.ssl.client-auth=required                                      <3>
 quarkus.http.auth.permission.default.paths=/*                              <4>
 quarkus.http.auth.permission.default.policy=authenticated
+quarkus.http.insecure-requests=disabled                                    <5>
 ----
 <1> The keystore where the server's private key is located.
 <2> The truststore from which the trusted certificates are loaded.
@@ -200,6 +201,7 @@ quarkus.http.auth.permission.default.policy=authenticated
 To relax this requirement so that the server accepts requests without a certificate, set the value to `REQUEST`.
 This option is useful when you are also supporting authentication methods other than mTLS.
 <4> Defines a policy where only authenticated users should have access to resources from your application.
+<5> Optionally, disable the plain HTTP protocol, and consequently require all requests to be made over HTTPS.
 
 When the incoming request matches a valid certificate in the truststore, your application can obtain the subject by injecting a `SecurityIdentity` as follows:
 
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/HttpBuildTimeConfig.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/HttpBuildTimeConfig.java
index c1a2819bd3a88e..cb700213cd36a0 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/HttpBuildTimeConfig.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/HttpBuildTimeConfig.java
@@ -28,7 +28,10 @@ public class HttpBuildTimeConfig {
 
     /**
      * Configures the engine to require/request client authentication.
-     * NONE, REQUEST, REQUIRED
+     * {@code NONE, REQUEST, REQUIRED}.
+     * <p>
+     * When set to REQUIRED, it's recommended to also set `quarkus.http.insecure-requests=disabled` to disable the
+     * plain HTTP port.
      */
     @ConfigItem(name = "ssl.client-auth", defaultValue = "NONE")
     public ClientAuth tlsClientAuth;
@@ -43,7 +46,7 @@ public class HttpBuildTimeConfig {
     /**
      * A common root path for non-application endpoints. Various extension-provided endpoints such as metrics, health,
      * and openapi are deployed under this path by default.
-     *
+     * <p>
      * * Relative path (Default, `q`) ->
      * Non-application endpoints will be served from
      * `${quarkus.http.root-path}/${quarkus.http.non-application-root-path}`.
@@ -51,7 +54,7 @@ public class HttpBuildTimeConfig {
      * Non-application endpoints will be served from the specified path.
      * * `${quarkus.http.root-path}` -> Setting this path to the same value as HTTP root path disables
      * this root path. All extension-provided endpoints will be served from `${quarkus.http.root-path}`.
-     *
+     * <p>
      * If the management interface is enabled, the root path for the endpoints exposed on the management interface
      * is configured using the `quarkus.management.root-path` property instead of this property.
      *
@@ -69,7 +72,7 @@ public class HttpBuildTimeConfig {
     /**
      * If enabled then the response body is compressed if the {@code Content-Type} header is set and the value is a compressed
      * media type as configured via {@link #compressMediaTypes}.
-     *
+     * <p>
      * Note that the RESTEasy Reactive and Reactive Routes extensions also make it possible to enable/disable compression
      * declaratively using the annotations {@link io.quarkus.vertx.http.Compressed} and
      * {@link io.quarkus.vertx.http.Uncompressed}.
@@ -79,7 +82,7 @@ public class HttpBuildTimeConfig {
 
     /**
      * When enabled, vert.x will decompress the request's body if it's compressed.
-     *
+     * <p>
      * Note that the compression format (e.g., gzip) must be specified in the Content-Encoding header
      * in the request.
      */