Zuul proxy and ssl - spring-boot

I have a Spring Boot project that is set up as a zuul proxy that is functioning as an API gateway for my rest services. I am now having problems with https, which makes sense because I haven't configured https yet. One solution is to run nginx on port 443 and then forward all requests to the zuul proxy; however, that is extra overhead. So that is no solution.
Do I have to configure the zuul proxy to use the certificates or do I have to configure all the individual rest services?
What does the zuul proxy do with incoming requests? Does it forward the request or create a new one?

Possible duplicate. If this answer helps you, someone please mark this question as a duplicate; otherwise let me know what the difference is: Error when Zuul routing to a HTTPS url

Related

Spring boot Oauth2 SSO with Zuul proxy and multiple clients (native, mobile, web)

I'm currently working on a project that uses Zuul to proxy requests to both API endpoints as well as client resources. There is an angular app that is being served from the same endpoint as the Zuul proxy as outlined in this guide. I have the need for additional clients, specifically a desktop application.
I'm not sure I understand how Zuul proxy handles requests and I think there are several paths to get to where I want to go, I'm just not sure what the correct one is.
Here is what I have surmised thus far:
Option 1: Extract the Zuul proxy and SSO capabilities to its own server. Then create a new UI server which is behind the gateway server. Follow this up with creating a new client application server which handles the authentication of the desktop client.
Option 2: Extract the Zuul proxy and SSO capabilities to its own server. Serve the current angular app from its own server NOT behind the proxy and change the authorization flow to something different (implicit). Alter Zuul proxy and SSO configuration to ignore requests that already have a bearer token in the header.
If I go with option 2 then I don't understand how to register with the Zuul gateway client that I already am providing the authorization header with my requests so all it should be doing then is proxying my requests to the correct microservices.
Final Questions:
Which option is the most optimal one?
If an access token is already acquired (directly from the auth server using implicit flow) then how does Zuul need to be configured to not try and acquire the access token using the jsessionid?

Unable to access a resource behind 2 zuul proxy with spring cloud oauth2

I'm working in a microservices architecture where my ui services are backed by zuul-gui and backend services are backed by a zuul-service proxy (both with the Spring Cloud OAuth2 @EnableOAuth2Sso annotation).
My problem is that I'm unable to access backend services after authenticating to the gui service with the oauth authorization server. It seems that zuul-gui (the first gui proxy) is not relaying the token to zuul-service!!??
Am I wrong in using @EnableOAuth2Sso in both zuul proxies? Why is the token not relayed between zuul-gui and zuul-service?
Thanks in advance for your help.
I finally found a solution to my issue. The idea is to not secure the second zuul proxy (zuul-service) and to set zuul.sensitive-headers to empty in order to tell zuul-service not to strip request headers and cookies for the backend service.
Hope it'll help someone else! I struggled and wasted a lot of time with this issue!
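The header handling behind that fix, as an added example that is not part of the original post: Zuul's documented default for zuul.sensitiveHeaders is Cookie,Set-Cookie,Authorization, and the list can be set globally or per route. The route names, service id and external host below are hypothetical.

```properties
# application.properties of the inner proxy (zuul-service in the post).
# Added example; route names, service id and host are hypothetical.

# Default when the key is absent: these headers are stripped before the
# request is sent downstream, so the backend never sees the session
# cookie or the bearer token.
# zuul.sensitiveHeaders=Cookie,Set-Cookie,Authorization

# Global form of the fix from the post: an empty list. Every route,
# including any route to a host outside the system, then receives the
# caller's Cookie and Authorization headers.
# zuul.sensitiveHeaders=

# Narrower form: keep the global default and clear the list only on the
# route that leads to a backend service that needs the token.
zuul.routes.orders.path=/orders/**
zuul.routes.orders.serviceId=orders
zuul.routes.orders.sensitiveHeaders=

# A route to an external host keeps the default, so cookies and tokens
# are removed before the request leaves the system.
zuul.routes.partner.path=/partner/**
zuul.routes.partner.url=https://partner.example
```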

routing differences through zuul proxy with eureka

I have two machines (with the same application) registered to the eureka server.
All requests to these services go through the zuul proxy.
The application.properties of my backend services is:
spring.application.name=core
The application.properties of my zuul proxy is:
zuul.sensitiveHeaders=Set-Cookie
zuul.routes.address.path=/to-address/**
zuul.routes.address.url=http://localhost:8888
zuul.routes.service.path=/by-service/**
zuul.routes.service.url=CORE
I have two questions:
All three requests below are working, which one should I use?
What is the difference with upper case and lower case?
http://localhost:9090/api/by-service/customer/1
http://localhost:9090/api/core/customer/1
http://localhost:9090/api/CORE/customer/1
When I call the service in the following way:
http://localhost:9090/api/to-address/customer/1
I noticed that a new session is being created by my core server, which forces my user to log in again. Any idea why?
As you can see it's the same method (same filter, same application...) with just a routing difference.
You need to use req.getRequestedSessionId() instead of req.getSession().getId().

When to configure zuul routes

I am new to spring cloud and going through some examples and material available online to make myself comfortable. However, while reading about ZUUL, some sites configured the routes in ZUUL's application.yml and some other sites mentioned that the requests will be forwarded to the respective microservice and there is no need to explicitly configure the routes. I was a bit confused. For example, in the scenario below, what is the approach: to configure routes or to let zuul route automatically?
Let's say I have a few micro services running and all of them along with ZUUL are registered to Eureka.
I have a front end which is running on a different port on the same server and needs to interact with the above micro services.
I also have a few other applications (running entirely on different servers) which need to interact with the above micro services for fetching the data.
TIA..
Did you use Zuul (which knows the microservices' addresses through Eureka) to forward requests between your micro-services? If that's the case, you are using the Server-Side Load Balancing pattern.
If you use a discovery service (Eureka in your case), I think the best approach is to use the Client-Side load balancing pattern for all inter-service requests (inside your system). (You can use Ribbon or RestTemplate for that.)
You can use Zuul as a unified front door to your system, which allows a browser, mobile app or other user interface to consume services from multiple hosts without managing cross-origin resource sharing (CORS) and authentication for each one.
For example: a client (mobile app) requests all picture comments. The client doesn't need to know the Comments-service address. Only the proxy address is needed and Zuul will forward the request to the right service. You can do this in application.yml/.properties by
zuul.routes.comments.path=/comments/**
zuul.routes.comments.service-id=comments
The request will be GET www.myproxy.mycompany.com/comments. Don't forget that the service name in your application.yml/.properties is very important (spring.application.name). It's the service-id in Zuul routes (which is the same identifier in Eureka).
For some reason, your system needs to request external services (as you mentioned in the 3rd note). In this case, your external services are not a discovery client, so Zuul can't look up the service-id from Eureka. You use routes as
zuul.routes.currencyprovider.path=/currencies/**
zuul.routes.currencyprovider.url=https://currencies.net/
With this route, all /currencies/** requests from your services THROUGH Zuul will be done.
With this approach you have one door for all your system. This is the API Gateway pattern.
Sometimes your system needs to aggregate multiple results from different services to respond to a client request. You can do this in the proxy (Zuul in your case).
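A configuration for the explicit-versus-automatic choice asked about above, added here and not part of the original answer: with Eureka in use, Zuul also proxies every registered service under its service id unless zuul.ignoredServices excludes it. The two routes reuse the answer's names; everything else is standard Zuul configuration.

```properties
# Gateway application.properties (added example).

# Without this line every service registered in Eureka is reachable
# through the gateway at /<service-id>/**, including services that were
# only meant for internal calls. '*' turns automatic routes off, so
# only the routes listed below are exposed.
zuul.ignoredServices=*

# Explicit route to a service discovered through Eureka. The service-id
# must equal that service's spring.application.name.
zuul.routes.comments.path=/comments/**
zuul.routes.comments.serviceId=comments

# Explicit route to an external host that is not a discovery client.
zuul.routes.currencyprovider.path=/currencies/**
zuul.routes.currencyprovider.url=https://currencies.net/
```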

Zuul proxy is not working with utf-8 urls

I have a spring cloud app with Zuul proxy. My zuul proxy doesn't work with UTF-8 urls. How should I configure it?
This will work in my microservice, without proxy.
http://localhost:8080/rest/item/гандан_тикет
However, when it's behind a proxy
http://localhost:9000/core/rest/item/гандан_тикет
the гандан_тикет will come as ??????_????? into the microservice.
