SSL certificate for Spring boot application with nginx running on the same server - spring-boot

I have a server that runs Docker with an Nginx container inside, which serves the React build files. This Nginx server has an installed and working SSL certificate on ports 80 and 443.
On the same machine I have a JRE that runs a Spring Boot application on port 8801.
I have searched online for information about how to create an SSL certificate for Spring Boot when ports 80 and 443 are in use, or what the best practice is to do it alongside the existing SSL certificate, and could not find any.
My friend suggested that we use a reverse proxy in order to hide http://example.com:8801 under https://example.com:80/api
What could be the best way to do it?
Thanks!

You would want to terminate the SSL on Nginx and offload that load from the application server (Spring Boot running Tomcat, for example).
One reason to take SSL all the way to the app server is when the communication medium between those two needs to be kept secure. But if the app server and the web server are within the DMZ, you can just use the first approach and terminate on the web server. There is a lot of optimization that goes into web servers to handle TLS termination.
Refer to this for already detailed responses and insights.
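One way to wire this up as the answer describes, given here as an added example that is not part of the original post: nginx terminates TLS on 443, keeps serving the React build from its document root, and proxies everything under /api/ over plain HTTP to the Spring Boot process on port 8801. The hostname example.com, the Let's Encrypt paths, the document root, and the upstream address are assumptions.

```nginx
# Added example configuration (not from the original answer).
# Assumptions: certificate and key under /etc/letsencrypt, React build in
# /usr/share/nginx/html, Spring Boot reachable from nginx at 127.0.0.1:8801
# (this requires the nginx container to run with --network host; with the
# default bridge network use the host's address on docker0 instead).
upstream spring_api {
    server 127.0.0.1:8801;
}

# Port 80 only redirects; no content is served over plain HTTP.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /usr/share/nginx/html;
    index index.html;

    # Static React build; unknown paths fall back to the SPA entry point.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # API traffic goes to the app over HTTP on the same machine. The
    # X-Forwarded-* headers let the app know the client actually used HTTPS.
    location /api/ {
        proxy_pass http://spring_api;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
    }
}
```

Two things to check on the Spring side. First, bind the application to the interface nginx uses (for example `server.address=127.0.0.1` when nginx runs with host networking) and block 8801 at the firewall, so the unencrypted port is not reachable from outside; the app needs no `server.ssl.*` settings at all. Second, set `server.forward-headers-strategy=native` (Spring Boot 2.2 and later) so Tomcat reads the X-Forwarded-Proto and X-Forwarded-For headers above; otherwise `request.isSecure()` is false and any redirect the app builds will point at http://, which the browser then has to bounce back through the 301 on port 80.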

Related

Spring App on GCP - Cloud Run - HTTPS only - This combination of host and port requires TLS

My Spring app uses Let's Encrypt and is HTTPS only. I did not include the HTTP-to-HTTPS redirect thing, as it worked for me in Postman with the https:// format.
When I deployed to Cloud Run and mentioned the custom port (the port specified in Spring)
and tested using the URL from the dashboard
https://..blah..run.app
I am getting this error/message:
Bad Request
This combination of host and port requires TLS.
What configuration is required on Cloud Run to resolve this?
The URL as I see it on the service details page has https://...
EDIT:
If Cloud Run does not need me to take care of SSL, I can remove the application properties entries
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:key/keystore.p12
server.ssl.key-store-password=${lets.secret}
server.ssl.key-alias=someCertAlias
server.ssl.enabled=true
So can I get an answer on whether to remove SSL from Spring?
If Cloud Run always uses HTTP, all my calls use redirectConnector, which seems pointless.
The Cloud Run Service listens on HTTP and HTTPS. Your application running in the container must listen on a port configured with HTTP only.
FYI: For a public facing web server, you should almost always enable HTTP. Otherwise, when a user enters www.example.com in the browser, the user will receive a connect error. This is not always the case, for example with .dev gTLDs, but it is good practice. When a user connects to Cloud Run with the HTTP protocol, Cloud Run will redirect the user to HTTPS and connect to your application using the HTTP protocol.

Use trusted SSL certificate with spring boot in pivotal cloud foundry

I'm new to the topic of SSL certificates and I want to install my purchased SSL certificate so that when users enter my site they won't see the untrusted certificate warning. Here are the steps I did so far:
created a p12 file using keytool
created a CSR file from the file in step 1
uploaded the CSR to my SSL vendor and, after passing their verification of my domain, downloaded the following files: .crt, .ca-bundle, .p7b
I placed all the files (including the file generated by me) in the resources directory and added the following properties:
server.ssl.key-store:classpath:myFile.p12
server.ssl.key-store-password:some_pass
server.ssl.keyStoreType:PKCS12
server.ssl.keyAlias:someAlias
I later ran the following command: keytool -importcert, trying to import the file I got from the SSL vendor into the file I created (.p12).
Then I created my jar and uploaded it to Pivotal Cloud Foundry, but I still see the invalid certificate message.
I don't know if I need to do something on the Pivotal platform or something in the Spring Boot config.
The only way this would work is if you use a TCP route. With standard HTTP routes on Cloud Foundry, the traffic first hits a load balancer & then Gorouter. TLS termination is going to happen there, not at your application. If you use a TCP route, this will load balance at the TCP level and allow your application to perform the TLS termination directly.
That said, you really don't want to do that. The TCP route isn't likely to allow you to pick port 443, because a port can only be assigned to one application. That means only one application using TCP routes can have port 443. Also, in most cases platform operators only allow high-numbered ports for TCP routes, which means no one would be able to pick 443. Long story short, you don't want your users to have to access your site as https://www.example.com:47385, so you don't want a TCP route.
To set this up properly with standard HTTP routes, you are going to need to work with your platform operations team. Together you will need to do the following:
1. Obtain the domain you'd like to use.
2. Obtain a load balancer. This needs to be configured to route traffic to the Gorouters in the foundation. You can skip this and use the existing load balancer, but that has implications[1] for step #6 below.
3. Configure DNS for your domain so that it routes to the load balancer in step #2.
4. Add the domain as a private or shared domain in CF.
5. Map a route to your application using the domain you created in step #3.
6. Add your TLS certificate & key to the load balancer [1].
When you've done all this, traffic to your domain will resolve to the IPs of your load balancers. Your user's browser will make an HTTPS request to the LB, which will terminate TLS (if it's an HTTP/layer-7 LB), and forward along to Gorouter (if there is a TCP/layer-4 LB, then TLS is terminated here), which in turn forwards along to your application (based on the route you mapped).
Your application will need to look at the x-forwarded-for and x-forwarded-proto headers to confirm if the request came in over HTTPS, since it is not terminating TLS directly.
[1] - The implication is with how the certificates get installed. With a separate LB, you add the cert to it and are done. If you are trying to reuse the platform LB, you will need to add the cert to the existing list of certs. In addition, if your platform operations team is using a TCP/layer-4 load balancer then TLS termination does not happen at the LB, it happens at Gorouter. This means you then have to load your TLS cert into the Gorouter, which requires a Bosh deploy and is more work. Modifying the platform LB also runs the risk of an error taking down the foundation. For those reasons and more, adding a separate LB for your app is usually the way to go.

Docker on Windows server and multiple websites listening port 80 and 443

When installing ASP.NET Core apps on a Windows machine, I used to install the websites within IIS; I used the bindings there to route to the correct web application depending on the URL, and I used Let's Encrypt to create the SSL certificates.
Now I want to start shipping my applications using Docker. The samples show how to easily create a dockerized ASP.NET Core project, but that's where most of them end. So in the end I've got an ASP.NET application running in Docker, listening on port 5000.
Are there any suggestions or resources showing how to set it up on a production system?
multiple websites listening on the standard ports 80 and 443 and forwarding to the correct Docker image
SSL certificate handling
Set up nginx as a front end. It is a world-class solution, used by top-traffic sites as a front end for incoming requests.
Among other features it does:
Redirecting based on plenty of rules
SSL management (you can use unencrypted connections behind it)
Load balancing
It is free and available as a Docker image.
So, you expose only nginx outside your Docker network, and make it route all your traffic inside.
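A concrete shape for what this answer proposes, added here as an example that is not part of the original post: one nginx container owns ports 80 and 443 and routes by hostname to two ASP.NET Core containers that are reachable only on the Docker network. Unlike a path-based layout on a single host, the decision here is made on the server_name, and a catch-all block refuses hostnames that are not ours. The service names shop and blog, the hostnames under example.com, and the certificate paths are assumptions.

```nginx
# Added example (not from the original answer). Assumptions: nginx runs as a
# container on the same user-defined Docker network as two ASP.NET Core
# containers whose service names are "shop" and "blog", each listening on
# 5000; Let's Encrypt material is mounted read-only under /etc/letsencrypt.

# Catch-all for hostnames we do not serve. Without a default_server, nginx
# hands such requests to the first server block it finds for that port.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # A certificate is still needed to finish the handshake before 444 applies.
    ssl_certificate     /etc/letsencrypt/live/shop.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shop.example.com/privkey.pem;
    return 444;   # close the connection without sending a response
}

# Plain HTTP for the known hosts only redirects. The ACME path stays
# reachable so Let's Encrypt HTTP-01 renewals keep working.
server {
    listen 80;
    server_name shop.example.com blog.example.com;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/letsencrypt/live/shop.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shop.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Docker's embedded DNS resolves the compose service name "shop".
        proxy_pass http://shop:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name blog.example.com;
    ssl_certificate     /etc/letsencrypt/live/blog.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://blog:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Only the nginx container publishes ports (`-p 80:80 -p 443:443`); the application containers publish nothing, so port 5000 is reachable from the Docker network alone and the unencrypted hop never leaves the host. Because the apps no longer see the TLS connection, enable the forwarded-headers middleware in each ASP.NET Core app (`app.UseForwardedHeaders` with `ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto`) so Kestrel reports the real client address and scheme; without it, redirects and `HttpContext.Request.IsHttps` reflect the internal HTTP hop. One caveat with `proxy_pass http://shop:5000`: nginx resolves the name once at startup, so if a container is recreated with a new address you need to reload nginx or use a `resolver 127.0.0.11` directive with the upstream held in a variable.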
Set up a reverse proxy like nginx; even in IIS you can redirect to the corresponding Docker service on a particular port. You can fan out traffic to the respective ports.
Image: https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/

Using SSL with Tomcat and Spring

I would like to add encrypted connections to my Spring application running on a Tomcat server on a remote host (Amazon EC2 server). I was going to add a Let's Encrypt certificate to my Tomcat, but while searching on the web I read that encrypting my connections could considerably slow down my application. So I was wondering, what would be the best practice to encrypt my application? And does it really slow down my application so much that it would be noticeable? I would really like to implement the best solution, so I am very grateful in advance for suggestions.
The (almost) universal practice is to put a proper high performance web server like nginx or Apache HTTPD in front of your application server acting as a reverse proxy and handling SSL. That way your application server stays on a private network and only a web server is exposed. It’s very easy and you can find many tutorials on how to set it up. Like this one: http://webapp.org.ua/sysadmin/setting-up-nginx-ssl-reverse-proxy-for-tomcat/

Reverse Proxy on Windows

I have a web server that responds to a number of different sites on port 80. Currently, IIS does the mapping to various sites via host headers, but I'd like to be able to serve other web apps on port 80 hosted in Jetty or Tomcat. IIS prevents that by grabbing all port 80 traffic.
I basically need a reverse proxy to just change the port number to something that another app stack can listen in on. I was looking into nginx but it seems to not be quite ready for prime time on Windows. Eventually I may set up a Linux box specifically for this, but for now I'm interested in a solution which will run all on the same box.
All I really need is something very light which mostly just matches hostname/port and allows rewriting of the port. Does anyone have any suggestions?
If you are running in IIS 7 or above you can use Application Request Routing for that: http://www.iis.net/download/ApplicationRequestRouting
For IIS 5-6, it looks like Apache Tomcat Connector (JK 1.2) is a clean solution. This is an IIS ISAPI filter which allows IIS to act as a reverse proxy for other web servers. It uses Apache JServ Protocol (AJP) to communicate with the app server actually serving requests. Both Tomcat and Jetty implement AJP. URLs are mapped with regex-like config to a particular AJP server instance.
Overview: http://www.iisadmin.co.uk/?p=40&page=3
IIS Config: http://tomcat.apache.org/connectors-doc/reference/iis.html
Mapping Config: http://tomcat.apache.org/connectors-doc/reference/workers.html
This ISAPI plug-in also works with IIS 7.x, but in that case the Application Request Routing (see marked answer) should be considered as it might work better with non-AJP servers.
