My Spring app uses lets encrypt and is https only. I did not include http to https thing, as it worked for me in postman with https:// format
When I deployed to Cloud Run, and mentioned the custom port (the port specified in spring)
and tested using URL from dashboard
https://..blah..run.app
I am getting error/message
Bad Request
This combination of host and port requires TLS.
What configuration is required on Cloud Run to resolve this?
The url as I see on service details page has htpps://...
EDIT:
If Cloudrun does not need me to take case of SSL, I can remove the application properties entries
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:key/keystore.p12
server.ssl.key-store-password=${lets.secret}
server.ssl.key-alias=someCertAlias
server.ssl.enabled=true
So Can I get an answer on whether to remove SSL from spring?
If cloudrun always uses http, all my calls use redirectConnector, which seems pointless
The Cloud Run Service listens on HTTP and HTTPS. Your application running in the container must listen on a port configured with HTTP only.
FYI: For a public facing web server, you should almost always enable HTTP. Otherwise, when a user enters www.example.com in the browser, the user will receive a connect error. This not always the case, for example .dev gTLDs, but is good practice. When a user connects to Cloud Run with the HTTP protocol, Cloud Run will redirect the user to HTTPS and connect to your application using the HTTP protocol.
Related
I have server that run docker with Nginx container inside which serve react build files inside, this nginx server have an installed and working SSL certificate on port 80 and 443.
On the same machine I have an JRE that run an Spring boot application that running on port 8801.
I have search for some infomation online related to how to create an SSL certificate for spring boot when port 80 and 443 is in use, or what is the best practice to do it simultaneously with the existance of SSL certificate, And could not find any.
My friend suggest to me that we will use reverse proxy in order to hide: http://example.com:8801 under https://example.com:80/api
What could be the best way to do it?
Thanks!
You would want to terminate the SSL on Nginx and offload that load on the application server (spring boot running tomcat, for eg.).
One reason to take SSL all the way to the app server is when the communication medium between those two needs to be kept secure. But if the app server and the web server are within the DMZ, you can just use the first approach and terminate on the web server. There is a lot of optimization that goes into web servers to handle TLS termination.
Refer to this for already detailed responses and insights.
We have a web application that is required to run on HTTPS. We started to use a third party control that uses Websockets to connect to a windows service that will be running on the user computer. This page states that websockets should not be used in a mixed content environment. Is this security consideration still applies in this case (the websocket connection is not trying to connect to the same server that handled the https request)? If so, why would a websockets to a localhost would need to be secured? Isn't this just added complexity for no reason?
We have a setup with Spring Cloud Gateway running with consul service discovery and proxying requests to services in a cluster.
When one of these services responds with a Location: / header this gets rewritten on the way out thru the gateway.
The problem is that the gateway seems to add the service local hostname and port as found in Consul. This url is of course not available (or desirable) for the client.
I have verified thet the upstream server sends:
Location: /
(Generated by the "redirect: /" Spring MCV shorthand)
But when it reached the end client is rewritten to:
Location: https://10.0.0.10:34567/
(https://10.0.0.10:34567/ being the upstream location of the service in consul)
If is of course incorrect.
My problem is that I can't find any documentation on how to configure this and no indication of what classes are used (to debug) so I just don't know where to start looking for the fix.
The desired behaviour is of course to just leave the redirect unchanged.
In this particular case we use a host based routing setup:
.route("app", r -> r.host("app.**").uri("lb://app"))
Any help or hint appreciated.
I already tried to create a proxy server on heroku using java, python and nodejs but for some reason I can't.
I can only use port 80 so I would need to use the proxy as appname.herokuapp.com:80 but I get the response as "app doesn't exist".
Is this possible or not? Is there any alternative for what I want to do?
The Heroku routing layer routes your http requests based on the Host header it finds in the HTTP request from your client. And if you have your own endpoint, it at least validates that the Host header content is one of your apps' domains.
If you look at this answer you see that the Host header contains the name of the server you are trying to reach through the proxy server, not the proxy itself.
So there is no way you can run a http proxy server on heroku.
I followed the example in the following SO question to successfully set up an Apache forwarding proxy: Setting up an Apache Proxy with Authentication
It works well, except that when accessing sites via https, it says it cannot find the site. For example, Chrome gives
Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.
And on the server, I do not even see something in the access logs. For my proxy settings, I have configured the same for http and https (i.e. port 80 on my proxy server).
Do you perhaps have an example of how to set up a forward proxy with Apache for https?
It seems the only thing I was missing is that I had not enabled mod_proxy_connect which was achieved with
sudo a2enmod proxy_connect
To quote the mod_proxy_connect documentation page:
This module requires the service of mod_proxy. It provides support for
the CONNECT HTTP method. This method is mainly used to tunnel SSL
requests through proxy servers.
Are you attempting to terminate the SSL or just trying to create a forward proxy without handling any SSL certs? The issue that you are having is because during HTTPS proxying, the browser attempts to create an HTTP tunnel and it seems that your server is not correctly configured to handle tunneling. You can see another example here: Implementing a Simple HTTPS Proxy Application.
Here is another helpful thread on proxying HTTPS traffic with HTTP tunneling: Tunnel over HTTPS.
If you can choose something else other than Apache, I would suggest you use a robust forward proxy such as Squid or TrafficServer that are built to handle this type of setup.