I have a spring boot application in which tomcat is listening on port 8000 over HTTPS. However, when port 8000 is hit with plain http request, the server responds with http 400.
Bad Request
This combination of host and port requires TLS.
Is there a way to prevent this? I don't want server to send any response when http://localhost:8000 is requested. Spring boot and tomcat versions are as below:
sprint-boot v2.0.0.RELEASE
tomcat v8.5.28
Update: application.properties is as below
server.port=8000
server.ssl.enabled=true
server.ssl.key-alias=alias
server.ssl.key-store=classpath:key.jks
server.ssl.key-store-type=JKS
server.ssl.key-store-password=<password>
server.ssl.key-password=<password>
You enabled SSL Just change server.ssl.enabled=true toserver.ssl.enabled=false
Related
I have a standalone spring authorization server at https://auth.foo.com with certificate configured in the spring boot application directly (no Proxy).
I have a client spring boot app using http 8080 behind a K8s Nginx Proxy. The certificate terminates on the proxy and then delivers http upstream to the spring boot app. https://client.foo.com
I have enabled the following in the client application.yaml
server:
port: 8080
forward-headers-strategy: native
tomcat:
use-relative-redirects: true
remoteip:
remote-ip-header: x-forwarded-for
protocol-header: x-forwarded-proto
When navigating to the https://client.foo.com app, the relative redirects work fine, all links redirect to https.
However on successful login via https://auth.foo.com, the auth server redirects to https://client.foo.com/login/oauth2/code/foo-client-oidc?code=XXX then the client responds with a 302 but the Location header is insecure http://client.foo.com
Is there a way to force the redirect to use https in Spring Authorisation Server
Thanks in advance
I've recently migrated a microservices backend to Spring boot v2.6.1 + spring cloud v2021.0.0 (old version was v2.2.1.RELEASE).
Previously, the setup included a discovery server (Eureka), a gateway (Zuul) and various microservices accessible externally via the gateway. All of these were TLS/secure port enabled so all requests (discovery, registration, gateway forwarding etc) required SSL trust store configuration.
Since Zuul is no longer supported in this version, I am switching to Spring cloud gateway, with the following application.properties setup:
server.port = 8080
eureka.instance.securePortEnabled=false
eureka.client.serviceUrl.defaultZone = http://localhost:8761/eureka/
spring.application.name= gateway-service
spring.cloud.gateway.routes[0].id=first-service
spring.cloud.gateway.routes[0].uri=lb://FIRST-SERVICE
spring.cloud.gateway.routes[0].predicates[0].name=Path
spring.cloud.gateway.routes[0].predicates[0].args.pattern=/firstService/**
spring.cloud.gateway.routes[0].filters[0]=StripPrefix=1
security.require-ssl=true
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=password
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=localhost
spring.cloud.gateway.httpclient.ssl.trustedX509Certificates[0]=cert.pem
Without ssl universally disabled, I can access a first service URL via that gateway without issue. With SSL enabled, I can access the first service directly and again no issue:
https://localhost:8100/test
{ "message": "Hello World!" }
However, the gateway is not correctly forwarding the requests either via the correct protocol or with the correct client certificate. I am getting the below error response instead of "Hello World" message:
https://localhost:8080/firstService/test
Bad Request This combination of host and port requires TLS.
(It's worth noting that the Eureka secure port is disabled, and registration/registry fetch is done via HTTP due to issues logged at Error setting custom trust store for Eureka Discovery client by overriding DiscoveryClient.DiscoveryClientOptionalArgs
Ok, this comes down to how the microservices register with Eureka.
Although FIRST-SERVICE was also setup with security.require-ssl=true for direct access it was also necessary to register with Eureka with SSL enabled.
Adding the settings below to application.properties fixed the issue without any changes needed for the gateway configuration:
eureka.client.tls.enabled=true
eureka.client.tls.key-store=file:<path-to-key-store>
eureka.client.tls.key-store-password=<password>
eureka.client.tls.keyStoreType=PKCS12
eureka.client.tls.keyPassword=<password>
eureka.client.tls.trust-store=file:<path-to-trust-store>
eureka.client.tls.trust-store-password=<password>
I have a spring boot web service running on localhost:8000 with an embedded Apache Tomcat.
Frontend is developed using Angular and is running on nginx and port 80. Connection between front- and back-end is established with a REST API endpoint, i.e. /v1/getdata/...
We have a static IP and outside access is OK with this configuration. But after setting a DNS record, i.e. https://x.y.com for the static IP, the spring web server does not return data and ERR_TUNNEL_CONNECTION_FAILED error is occurred in Angular, although the front-end is loaded successfully on port 80.
The only server-side configurations in Spring app is server.port=8000 and CORS configs.
I have set [STATIC-IP]:8000 and https://x.y.com:8000 for the api address in Angular but neither worked. However accessing with static IP is still working.
I think there is a problem with SSL configuration.
Any Ideas?
I am adding the secure port with the non-secure port already opened. I wants to separate the traffic between two and forward to different Spring boot 2 Controllers. Wonder how I can achieve that?
In most solutions I have seen so far, https / SSL is terminated infront of Tomcat or Spring Boot application, so that Tomcat / Spring Controller receives only http requests on port 8080 (for example).
Termination of SSL in front of Tomcat / Spring Boot could be done with a Reverse Proxy or Web Server, like Apache2 or nginx.
Then the communication flow looks like this:
User ==HTTP-80==> Apache2 ==HTTP-8080==> Tomcat/Spring Boot
User ==HTTPS-443==> Apache2 ==HTTP-8080==> Tomcat/Spring Boot
("HTTP-80" means HTTP protocol on port 80. "== ==>" is arrow showing communication flow.)
I already have a tomcat server running in a VM with port as 443 and redirect port as 8443. Can I configure the redirect port for spring boot application also as 8443 and run in same VM? Would I face error like port already in use? If yes, are there any specific port to be used for this purpose? I would not like to try since this is a production environment VM.
By default the https port used is 9393 in springboot.So , in your application if you need it to be 8443 , you need to configure it in the application.properties or application.yml like
application.yml
server:
port: 8443
or
application.properties
server.port=8443
Yes, you will have issues if some other application is using the same https port on the same VM, you will have to find a port that is not used by any other application and assign it for your springboot application. Check in your vm if any other application is already mapped to this port, if not you can use this port without any issues.
Please note that :
If HTTPS is enabled, it will completely replace HTTP as the protocol
over which the REST endpoints and the Data Flow Dashboard interact.
Plain HTTP requests will fail - therefore, make sure that you
configure your Shell accordingly.
Spring doc.