I am trying to set up: gRPC client --> GCP external LB with HTTPS --> GKE with a pod running the gRPC server.
The external LB uses a google managed certificate.
The documentation states:
If you are using HTTPS or HTTP/2 from the load balancer to the backends, you must install SSL certificates on each VM instance. To install SSL certificates on a VM instance, use the instructions in your application documentation. These certificates can be self-signed.
So I developed the gRPC server with a self-signed certificate.
My question is: how can the backend service (part of the LB) call the gRPC server without the server.crt, i.e. the public key of the certificate used in the gRPC server?
Is there a way to pass this server.crt to the backend service?
I don't see how to fulfill the documentation requirement.
Please help :)
Related
I have a server that runs Docker with an Nginx container inside, which serves React build files; this Nginx server has an installed and working SSL certificate on ports 80 and 443.
On the same machine I have a JRE that runs a Spring Boot application on port 8801.
I have searched for some information online about how to create an SSL certificate for Spring Boot when ports 80 and 443 are in use, or what the best practice is to do it alongside the existing SSL certificate, and could not find any.
My friend suggested that we use a reverse proxy in order to hide http://example.com:8801 under https://example.com:80/api.
What could be the best way to do it?
Thanks!
You would want to terminate the SSL on Nginx and offload that load from the application server (Spring Boot running Tomcat, for example).
One reason to take SSL all the way to the app server is when the communication medium between those two needs to be kept secure. But if the app server and the web server are within the DMZ, you can just use the first approach and terminate on the web server. There is a lot of optimization that goes into web servers to handle TLS termination.
Refer to this for already detailed responses and insights.
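The setup the answer describes (TLS terminated on Nginx, the Spring Boot app reached over plain HTTP behind the /api path), as an added example that is not part of the question or the answer; the certificate and build-output paths are assumptions:

```nginx
# Added example: Nginx terminates TLS for example.com and proxies /api to the
# Spring Boot app on port 8801 over plain HTTP. Paths are assumptions.
server {
    listen 80;
    server_name example.com;
    # Send every plain-HTTP request to HTTPS so the API is never used in cleartext
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # assumed path of existing cert
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # assumed path of its key
    ssl_protocols       TLSv1.2 TLSv1.3;

    # React build files served directly by Nginx
    root  /usr/share/nginx/html;   # assumed location of the build output
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    # https://example.com/api/<x>  ->  http://127.0.0.1:8801/<x>
    # The trailing slash on proxy_pass strips the /api/ prefix before forwarding.
    location /api/ {
        proxy_pass http://127.0.0.1:8801/;
        proxy_http_version 1.1;
        # Let the app know the original host and that the client used HTTPS
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because Nginx runs in a container and the JRE on the host, 127.0.0.1 inside the container is not the host; point proxy_pass at the host's address (or run the container with host networking) and bind the Spring Boot app to the loopback or Docker interface only, so port 8801 is not reachable in cleartext from outside.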
I deployed one web application to EB. I used Route 53 to redirect two domains to my application. On the EB environment, it seems it only allows me to add one certificate to port 443 for my load balancer. Let's say my users only use my domain names to access my web application. How should I go about creating and adding SSL certificate(s) to secure the connections from those two domains to my application?
Yes, you can add them. In the EB console, you can add only one SSL cert. To add other ones, you have to do it directly in the EC2 console on your load balancer.
The load balancer used by your EB env supports multiple certificates. So you can add extra SSL certificates to your HTTPS listener.
Helpful information is below:
How do I add multiple SSL certificates to the Application Load Balancer in my Elastic Beanstalk environment?
How can I add certificates for multiple domains to an ELB using AWS Certificate Manager?
Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI
Elastic Beanstalk Add more than one ssl certificate
Alternatively, you can register multiple domains under one certificate.
In the EC2 console, you have an option (marked below) to modify the SSL certificates for your HTTPS listener:
Using Fabric 2 stateless services with Kestrel 3.1
I have a problem exposing an HTTPS endpoint. A primary certificate is defined on the cluster (Security section). This certificate (primary) is accessible to the nodes (i.e. via X509Store find operations on the thumbprint or subject) automatically by Service Fabric. When configuring Kestrel for a particular endpoint, the certificate is used by the UseHttps method on any IPv6 address (i.e. IPv6Any). In the Application Manifest, access to the certificate's private key is granted (see article) with an endpoint policy. Here is example code on gist. The cluster's load balancer exposes the 443 HTTPS endpoint via the 8443 port (similar to the setup in this tutorial).
Despite the above configuration, when navigating to the application the response is that the web page is either down or has been moved, plus an ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error.
The service according to the logging sent to Insights starts fine using the primary certificate:
Hosting environment: Production
...
Now listening on: https://[::]:443
Anybody else get a similar setup working?
Turns out I had set the protocol to HTTP2 rather than HTTP1.
Is it possible to generate certificates via Citadel for HTTPS services? In my case, I would like to use the Elastic ECK operator to spawn a new Elasticsearch cluster + Kibana, but I don't want to use the self-signed CA (since I'd have to push that CA certificate file to all and every service that wants to connect to the ES API); rather I'd like to use another self-signed certificate authority; the one and the same that Istio uses.
My hope is that if we get around to adding Vault to the cluster + cert-manager, I can easily create new certificates with that and all HTTPS usage INSIDE the cluster.
How can I (or can I), generate TLS certificates with Istio somehow? I have SDS installed in the cluster.
This question is not about:
How to generate public certificates
cert-manager
How to turn off TLS in Elasticsearch's HTTP endpoint
I have a Spring Boot application that I want to deploy on Google Compute Engine or Kubernetes, and I want to expose it through HTTPS instead of HTTP.
I want to do this because I have an Angular frontend that is deployed on Google App Engine and it needs to access the API through HTTPS instead of HTTP.
The API is accessible through port 8080 and it works if I use HTTP. How can I expose the API through HTTPS? Can I use a load balancer with HTTPS to redirect all incoming traffic to HTTP?
Well, I think the SSL certificate is the key for both (GCE and KE). You must set a certificate for each option.
On Kubernetes Engine you could deploy the application with a Load Balancer and install an SSL certificate on it. Then you have to modify your ingress configuration to use the SSL certificate. Of course this process is too long to explain here, but you can find the details here [1], and details about Load Balancer ingress configuration here [2].
For GCE you will need to set an SSL certificate on the instance or use a Load Balancer. Take a look at this GCP documentation that explains it [3].
[1] https://estl.tech/configuring-https-to-a-web-service-on-google-kubernetes-engine-2d71849520d
[2] https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer#remarks
[3] https://cloud.google.com/solutions/connecting-securely#https-and-ssl