Securing eclipse-microprofile metrics and health endpoints - quarkus

I am using Quarkus to build a REST API.
I have enabled the MicroProfile Health endpoints following https://quarkus.io/guides/microprofile-health
I would like to know how to secure or reduce the visibility of the <IP>:8080/health endpoints so that they won't be visible to external users.

You can then use the below configuration:

    quarkus.http.auth.permission.public.paths=/health/*,/metrics/*,/openapi/*
    quarkus.http.auth.permission.public.policy=authenticated

If your security is not enabled, then please check this guide.
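An added example, not from the original answer, that goes one step beyond the configuration above: rather than letting any authenticated identity read the management paths, it binds them to a named policy that requires a constructed `ops` role, and backs that role with Quarkus's embedded properties-file identity store for local testing (the `quarkus-elytron-security-properties-file` extension, user name `monitor`, and the password placeholder are assumptions).

```properties
# Added example, not from the original answer. Assumes the
# quarkus-elytron-security-properties-file extension is on the classpath.

# Named policy: only identities carrying the (constructed) "ops" role pass.
quarkus.http.auth.policy.ops-only.roles-allowed=ops

# Bind the management paths to that policy instead of the built-in
# "authenticated" policy, which admits any logged-in user.
quarkus.http.auth.permission.management.paths=/health/*,/metrics/*,/openapi/*
quarkus.http.auth.permission.management.policy=ops-only

# Paths that match no permission keep the default (open) behaviour,
# so the REST API itself is unaffected by this rule.

# HTTP Basic auth against the embedded identity store; for local testing only,
# a real deployment would point at a proper identity provider instead.
quarkus.http.auth.basic=true
quarkus.security.users.embedded.enabled=true
quarkus.security.users.embedded.plain-text=true
quarkus.security.users.embedded.users.monitor=CHANGE_ME_PLACEHOLDER
quarkus.security.users.embedded.roles.monitor=ops
```

With this in place an unauthenticated request to /health is answered with 401, while the `monitor` credentials (role `ops`) get the normal health response; a valid user without that role is refused with 403.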

Related

How do I get the Spring Api Gateway to check Service Registry more often?

My services work through the Spring Api Gateway, if some service is turned off and then turned on, the Gateway "loses" it.
(Release 2021.0.x, aka Jubilee / Spring Boot 2.6.x, 2.7.x, starting with 2021.0.3)
How can 'Spring Api Gateway' be forced to frequently look into the Eureka Server registry, or can clients be forced to register with Spring Api Gateway or somehow inform it?
Otherwise, you have to restart the 'Spring Api Gateway'.
The solution would be to reduce the registry fetch interval property as suggested here for a similar question.

    # value is a plain number of seconds; the property does not accept a unit suffix
    eureka.client.registry-fetch-interval-seconds=30

Micrometer Rest API

I have a non-Boot Spring application with Micrometer integrated. Right now we are pushing these metrics to the logging file using LoggingRegistry.
We want to enhance this project to expose these metrics in the REST API (we cannot use Actuator, as turning on auto-configuration is causing issues in our non-Boot application). Is there any way to expose these metrics, which are automatically provided by Micrometer, in the REST API?
Any example will be appreciated.
You can add PrometheusMeterRegistry, it is for this use case, see the docs: https://micrometer.io/docs/registry/prometheus
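An added example, not from the original answer, of what that looks like in a non-Boot Spring MVC application: the `PrometheusMeterRegistry` is joined with the existing `LoggingMeterRegistry` in a composite so metrics keep going to the log, and a plain `@RestController` serves the Prometheus text format from `registry.scrape()`. The class names and the `/metrics` path are assumptions; the Micrometer and `simpleclient_common` API calls are real.

```java
import io.micrometer.core.instrument.MeterRegistry;
import io.micrometer.core.instrument.composite.CompositeMeterRegistry;
import io.micrometer.core.instrument.logging.LoggingMeterRegistry;
import io.micrometer.prometheus.PrometheusConfig;
import io.micrometer.prometheus.PrometheusMeterRegistry;
import io.prometheus.client.exporter.common.TextFormat;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not from the original answer; wired with plain Spring
// (no Boot, no Actuator), so nothing here depends on auto-configuration.
@Configuration
public class MetricsConfig {

    // Holds the Prometheus-formatted samples that the endpoint below serves.
    @Bean
    public PrometheusMeterRegistry prometheusRegistry() {
        return new PrometheusMeterRegistry(PrometheusConfig.DEFAULT);
    }

    // The registry application code injects: every meter registered on the
    // composite is mirrored to both the log and the Prometheus registry.
    @Bean
    @Primary
    public MeterRegistry meterRegistry(PrometheusMeterRegistry prometheus) {
        CompositeMeterRegistry composite = new CompositeMeterRegistry();
        composite.add(new LoggingMeterRegistry()); // keeps the existing log output
        composite.add(prometheus);
        return composite;
    }
}

// Plain MVC endpoint in place of Actuator's /actuator/prometheus.
@RestController
class MetricsEndpoint {
    private final PrometheusMeterRegistry registry;

    MetricsEndpoint(PrometheusMeterRegistry registry) {
        this.registry = registry;
    }

    // CONTENT_TYPE_004 is the text/plain; version=0.0.4 type Prometheus expects.
    @GetMapping(value = "/metrics", produces = TextFormat.CONTENT_TYPE_004)
    public String scrape() {
        return registry.scrape();
    }
}
```

Like the Quarkus health paths in the main question, this endpoint exposes internal operational data, so it belongs behind the same authentication as the rest of the API rather than open to anonymous callers.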

securing spring boot app with mTLS - running on Swisscom App Cloud

I have a Spring Boot app deployed to Swisscom App Cloud that should be secured with mTLS.
Obviously there's spring security... Specific to Swisscom App Cloud I read about securing traffic on https://docs.developer.swisscom.com/adminguide/securing-traffic.html.
It is unclear to me how the two play together...
If I enable mTLS via spring security, would that work as is or would I need additional configuration for the Swisscom App Cloud? (I came across HTTP routing which mentions passing client certificates for mTLS https://docs.developer.swisscom.com/concepts/http-routing.html)
Is the configuration of mTLS on Swisscom App Cloud a replacement for what I would otherwise enable with spring security or would I still need to configure something within my application?
Securing traffic mentions deployment manifest and BOSH manifest, is the latter (and maybe additional) configuration needed to enable mTLS on Swisscom App Cloud (i.e. would I need to have access to configs besides the deployment manifest) ?
Update
My use case is that I have a REST API that will be consumed by a client outside of Swisscom App Cloud. It was decided that it shall be secured using mTLS.
The admin guide you're referring to is meant for platform operators (i.e. Swisscom), so it's not a resource that can be leveraged by end users.
What is your use case? If it's only a security requirement to check off a list, be aware that the platform itself will be using mTLS internally soon, so the whole path up until the app container is secured. That might be enough for your auditor.
If you really need to validate client certificates by yourself, CF's way of doing so is leveraging X-Forwarded-Client-Cert (https://docs.cloudfoundry.org/concepts/http-routing.html#-forward-client-certificate-to-applications).
However, we've currently not enabled this (there was no need for it up until now), but we can do so.
Update:
According to this explanation, insertion of X-Forwarded-Client-Cert is actually done transparently by the platform. So if you add the client application's certificate to the server application's truststore, it will verify the client certificate.
Update 2:
As you can see in the discussions below, it looks like there is currently conceptually no easy way to allow apps to do proper mTLS using X-Forwarded-Client-Cert. The only option currently is using tcp routes, which is something you can request with your Appcloud support team.

Spring cloud gateway route with multiple instances and sticky session

I'm pretty much new to spring cloud gateway. I have configured routing with two different apps with 'path'. Now, I need some help/docs on
1. How to route to different instance of an app from spring cloud gateway?
2. How to enable sticky session?
My apps are not using Spring Boot/Eureka. I do see that I can use lb://service-name if I'm using any discovery client (unfortunately that is not my case).
Thanks in advance.
IMHO:
How to route to different instance of an app from spring cloud gateway?
Routing to different instances is the basic job of what Spring Cloud Gateway is doing. Spring Cloud Gateway implements the pattern named client-side routing along with the ease of service discovery. So if you are not using any discovery server, or your apps are not registered with any discovery server, you lose the dynamic discovery and routing feature, BUT you can still specify your server list (refer to Netflix Ribbon). Until then you can think about your routing strategy.
How to enable sticky session?
I suppose that's one requirement of your routing strategy: implement sticky sessions because you are not using a shared session store. According to my limited knowledge of Spring Cloud Gateway, sticky sessions do not seem to be supported out of the box. But it could be customized with a Filter; see the shipped LoadBalancerClientFilter for reference.
Good luck!

Basic authentication required while accessing hazelcast rest api

I am trying to use the Hazelcast REST API (Hazelcast version 3.9.1) to gather caching information. I am exposing a REST endpoint in my application (e.g. http://localhost:8080/cache/info) through which the caching information will get collected (using the Hazelcast REST API, e.g. /cache/localinfo), but every time I hit the endpoint it pops up an "Authentication Required" dialog, and entering the same credentials which I used to set the group config name and password doesn't work.
I am wondering how to first disable authentication (if possible).
If not, what credentials is it looking for? Shouldn't they be the same as what is used to set up the group config name and password while configuring Hazelcast? e.g.

    Config config = new Config();
    config.getGroupConfig().setName("hazel-instance");
    config.getGroupConfig().setPassword("password");
Hazelcast doesn't offer the possibility to secure the REST API by using credentials. Hazelcast is not designed to be open to the public internet. If you want to have it for internal authentication, we recommend putting nginx in front of the Hazelcast REST API and using a proxy mechanism.
Anyhow, the REST API is considered a legacy API for situations where the programming language doesn't have a native client. The REST API doesn't know about the internal partitioning and therefore will not offer the best possible performance.
