Spring Cloud Gateway Proxy Host issue - proxy

I am running Spring Cloud Gateway with Spring Boot version 2.5.8 and Spring Cloud version 2020.0.5.
I am trying to configure Spring Cloud Gateway to validate JWT access tokens using Spring Security, and thus the gateway needs to connect to the OAuth2 Authorization Server external to my company's network. As per company standard, I am using a proxy host to connect to the external Authorization Server, and I have set the http.proxy* and https.proxy* environment variables, i.e.
-Dhttp.proxyHost=my-proxy.com -Dhttp.proxyPort=3328 -Dhttps.proxyHost=my-proxy.com -Dhttps.proxyPort=3328 -Dhttp.proxySet=true -Dhttps.proxySet=true
as well as the properties in application.yml, i.e.
spring:
  cloud:
    httpclient:
      proxy:
        host: my-proxy.com
        port: 3328
But I am getting a timeout error when connecting to the external Authorization Server. The proxy host and port are correct and are working for other Spring Boot projects using Spring MVC. I saw this question/answer:
spring-boot app as spring-cloud-gateway has to use a proxy: JVM arguments not used NOR spring.cloud.gateway.httpclient.proxy.****
But my entries in application.yml are not working. I would appreciate it if someone could provide some advice on resolving the issue.
Thanks
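As an added illustration (not code from the question or an accepted answer), this configuration gives the gateway's JWT validation its own proxy-aware WebClient: the spring.cloud.gateway.httpclient.proxy.* properties only configure the HttpClient used to forward routed requests, and Reactor Netty does not honour the http(s).proxy* system properties unless told to, so the JWK Set fetch behind the token check never sees the proxy. It assumes Spring Boot 2.5 / Spring Security 5.5 on WebFlux; the proxy host and port are taken from the question, while the issuer and JWK Set URI are placeholders.

```java
// Added example: route the JWK Set fetch used for JWT validation through the
// corporate proxy. my-proxy.com:3328 comes from the question; the issuer and
// JWK Set URI below are placeholders to be replaced with the real values.
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
public class ProxiedJwtDecoderConfig {

    private static final String ISSUER = "https://auth.example.com";                      // placeholder
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";           // placeholder

    // Defining this bean replaces the auto-configured decoder, which would use a
    // plain WebClient.create() and therefore connect directly (and time out).
    @Bean
    ReactiveJwtDecoder jwtDecoder() {
        HttpClient proxied = HttpClient.create()
                .proxy(p -> p.type(ProxyProvider.Proxy.HTTP).host("my-proxy.com").port(3328));
        WebClient webClient = WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(proxied))
                .build();
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(JWK_SET_URI)
                .webClient(webClient)
                .build();
        // Keep the default timestamp checks and additionally pin the expected issuer,
        // so a token signed by another tenant's key set is rejected.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }

    // Every route requires a valid bearer token validated by the decoder above.
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder decoder) {
        http.authorizeExchange(ex -> ex.anyExchange().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtDecoder(decoder)));
        return http.build();
    }
}
```

The routing HttpClient still needs spring.cloud.gateway.httpclient.proxy.* (note the gateway segment in the key) if the routed upstreams are also behind the proxy; this bean only covers the token validation path.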

Related

Spring cloud gateway does not forward HTTPS correctly

I've recently migrated a microservices backend to Spring boot v2.6.1 + spring cloud v2021.0.0 (old version was v2.2.1.RELEASE).
Previously, the setup included a discovery server (Eureka), a gateway (Zuul) and various microservices accessible externally via the gateway. All of these were TLS/secure port enabled so all requests (discovery, registration, gateway forwarding etc) required SSL trust store configuration.
Since Zuul is no longer supported in this version, I am switching to Spring cloud gateway, with the following application.properties setup:
server.port = 8080
eureka.instance.securePortEnabled=false
eureka.client.serviceUrl.defaultZone = http://localhost:8761/eureka/
spring.application.name= gateway-service
spring.cloud.gateway.routes[0].id=first-service
spring.cloud.gateway.routes[0].uri=lb://FIRST-SERVICE
spring.cloud.gateway.routes[0].predicates[0].name=Path
spring.cloud.gateway.routes[0].predicates[0].args.pattern=/firstService/**
spring.cloud.gateway.routes[0].filters[0]=StripPrefix=1
security.require-ssl=true
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=password
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=localhost
spring.cloud.gateway.httpclient.ssl.trustedX509Certificates[0]=cert.pem
With SSL universally disabled, I can access a first-service URL via that gateway without issue. With SSL enabled, I can access the first service directly, and again no issue:
https://localhost:8100/test
{ "message": "Hello World!" }
However, the gateway is not correctly forwarding the requests either via the correct protocol or with the correct client certificate. I am getting the below error response instead of "Hello World" message:
https://localhost:8080/firstService/test
Bad Request This combination of host and port requires TLS.
(It's worth noting that the Eureka secure port is disabled, and registration/registry fetch is done via HTTP due to issues logged at Error setting custom trust store for Eureka Discovery client by overriding DiscoveryClient.DiscoveryClientOptionalArgs.)
Ok, this comes down to how the microservices register with Eureka.
Although FIRST-SERVICE was also set up with security.require-ssl=true for direct access, it was also necessary to register with Eureka with SSL enabled.
Adding the settings below to application.properties fixed the issue without any changes needed for the gateway configuration:
eureka.client.tls.enabled=true
eureka.client.tls.key-store=file:<path-to-key-store>
eureka.client.tls.key-store-password=<password>
eureka.client.tls.keyStoreType=PKCS12
eureka.client.tls.keyPassword=<password>
eureka.client.tls.trust-store=file:<path-to-trust-store>
eureka.client.tls.trust-store-password=<password>

spring cloud config discovery enabled with basic authentication

I am using a Spring Cloud Config server with the following eureka and basic security configuration.
The client gets the config server uri correctly through eureka, however cannot access to the properties data because basic authentication is not working on the client side.
I would appreciate some help to understand how to fix this situation.
The Spring Cloud Config server is the following:
eureka.client.serviceUrl.defaultZone=http://localhost:8010/eureka
eureka.instance.hostname=localhost
eureka.instance.non-secure-port-enabled=false
eureka.instance.secure-port-enabled=true
eureka.instance.statusPageUrl=https://${eureka.hostname}:${server.port}/actuator/info
eureka.instance.healthCheckUrl=https://${eureka.hostname}:${server.port}/health
eureka.instance.homePageUrl=https://${eureka.hostname}:${server.port}/
spring.security.user.name=admin
spring.security.user.password=pass
The client configuration is the following:
eureka.client.serviceUrl.defaultZone=http://localhost:8010/eureka
eureka.instance.hostname=localhost
eureka.instance.instance-id=${spring.application.name}:${spring.application.instance_id:${random.value}}
eureka.instance.non-secure-port-enabled=false
eureka.instance.secure-port-enabled=true
eureka.instance.statusPageUrl=https://${eureka.hostname}:${server.port}/actuator/info
eureka.instance.healthCheckUrl=https://${eureka.hostname}:${server.port}/health
eureka.instance.homePageUrl=https://${eureka.hostname}:${server.port}/
spring.cloud.config.discovery.enabled=true
spring.cloud.config.discovery.service-id=trm-config-server
spring.cloud.config.username=admin
spring.cloud.config.password=pass
spring.cloud.config.name=users-ws

Do Eureka server and Feign Client for spring microservices integration work without internet in production environment?

What are the production environment requirements for this method of integration? Does Spring Cloud work in a WAN defined by a client/company?
There is no requirement for an outside internet connection for eureka, feign or any of the spring cloud projects.

Spring boot admin not showing secured endpoints of spring boot client

Installed Spring Boot Admin and server.
All client endpoints are visible in Spring Boot Admin, but after adding the security dependency in the client, the secured endpoints are not visible in Admin.
Provided credentials of admin and client in application.yaml of the client.
Had the same problem. Firstly, you need to share user and password from admin-client, this can be configured in yml file:
spring.boot.admin.client:
  url: http://localhost:8080
  instance:
    metadata:
      user.name: ${spring.security.user.name}
      user.password: ${spring.security.user.password}
Also, you need to enable HTTP Basic in the security config, because the SBA server then uses this metadata to make HTTP calls.
source: https://codecentric.github.io/spring-boot-admin/2.2.3/#_securing_client_actuator_endpoints
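An added example of the second half of that answer (not the answer's own code): the client-side Spring Security configuration that protects the actuator endpoints with HTTP Basic, so the SBA server can authenticate with the user.name / user.password it received through the instance metadata. It assumes Spring Boot 2.4+ with Spring Security 5.4+ (SecurityFilterChain bean style) and that the credentials come from the spring.security.user.* properties referenced in the metadata above.

```java
// Added example: Basic-auth protection for the actuator endpoints on the
// monitored client. Assumes the in-memory user from spring.security.user.*.
package example;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Ordered before the application's own chain so only actuator requests
    // are matched here; everything else keeps its existing protection.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests(auth -> auth
                // health and info are what SBA polls most; keep them open if the
                // deployment already restricts who can reach the instance.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // every other endpoint (env, loggers, heapdump, ...) needs credentials
                .anyRequest().authenticated())
            // SBA sends the metadata credentials as an Authorization: Basic header
            .httpBasic()
            .and()
            // SBA's POST calls (for example changing log levels) carry no CSRF token
            .csrf().disable()
            // no session cookies for a machine client
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return http.build();
    }
}
```

Because the client hands its actuator password to the SBA server in registration metadata, register over HTTPS so that exchange is not readable in transit.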

How to register non Spring Boot MicroService in Eureka discovery server

I have recently installed a microservice infrastructure based on Spring Boot + Spring Cloud.
My Spring Boot microservices register in my Eureka server, and Zuul automatically redirects requests to them.
I have a Drupal content manager that exposes content through a REST interface, and I'd like it to take part in the discovery rave party. How can I have my Drupal register itself in the Eureka server so Zuul redirects the corresponding calls to it?
As an ugly workaround, I wonder if I can have automatic discovery and routing running in Zuul while manually configuring some REST paths to be redirected to the Drupal server? (Using zuul.routes... property files)
I found that I can add manual zuul routes in bootstrap.yaml
I have tried adding it in the application yaml property files in configuration server but for some reason they are ignored when the Eureka discovery server is working.
Anyway, bootstrap.yaml works. Example:
zuul:
  routes:
    mta_api:
      path: /mta_api/**
      url: http://my-non-springboot-rest-service.com/
      stripPrefix: false
You could add a sidecar to your non-Spring-Boot application. This would allow Eureka support.
Source (dead): http://cloud.spring.io/spring-cloud-static/Edgware.SR4/single/spring-cloud.html#_polyglot_support_with_sidecar
Current: https://cloud.spring.io/spring-cloud-static/Dalston.SR5/multi/multi__polyglot_support_with_sidecar.html