How to disable hostname verification in jetty embedded verion 9.x - jetty-9

Currently I have a Verison 9.3.x Embedded Jetty server working perfectly offering websockets communications through port 8080 and through 8443 for secure communications.
I need to disable the validation of the hostname as well as the certificates but I can not disable it.
I am using the method setTrustAll and setEndpointIdentificationAlgorithm(null) but the hostname verification is still activated.
sslContextFactory.setTrustAll(true);
sslContextFactory.setEndpointIdentificationAlgorithm(null);
How can avoid it?

Are you using the HttpsConfiguration and setting a SecureRequestCustomizer? I was doing that when I ran into this and it drove me crazy until I realized it was my fault. So the SNI stuff is basically duplicated between the SslContextFactory and the SecureRequestCustomizer, you need to set it false in both places.

Related

SSL certificate for Spring boot application with nginx running on the same server

I have server that run docker with Nginx container inside which serve react build files inside, this nginx server have an installed and working SSL certificate on port 80 and 443.
On the same machine I have an JRE that run an Spring boot application that running on port 8801.
I have search for some infomation online related to how to create an SSL certificate for spring boot when port 80 and 443 is in use, or what is the best practice to do it simultaneously with the existance of SSL certificate, And could not find any.
My friend suggest to me that we will use reverse proxy in order to hide: http://example.com:8801 under https://example.com:80/api
What could be the best way to do it?
Thanks!
You would want to terminate the SSL on Nginx and offload that load on the application server (spring boot running tomcat, for eg.).
One reason to take SSL all the way to the app server is when the communication medium between those two needs to be kept secure. But if the app server and the web server are within the DMZ, you can just use the first approach and terminate on the web server. There is a lot of optimization that goes into web servers to handle TLS termination.
Refer to this for already detailed responses and insights.

Make netty server on localhost accesable over internet

I have developed a Jooby-Application which is hosted on a netty server. I can access the application on localhost and tests were fine. Now I want to make the app accessable over internet and dont know what is the best way to reach this goal?
The complete application is hosted on a Windows Server, because it uses Excel. (Read/Write over Apache POI. For macros it has to be Windows) Should I try to connect the running netty-server with IIS or can I just forward the requests from outside to localhost? The last mentioned approach propably is a bad idea regarding security issues.
It works with reverse proxy over IIS. I had to install some features like Application Request Routing and URL Rewrite. Then I can start the jooby application (netty server) as usual on a specific port at localhost and set a reverse proxy to it.
I am not sure why being on a window is necessary, anyways, Netty is just a Java network programming framework, it can run on any platform where Java is installed.
You need to host a server, you can buy a VPS, install windows as OS, install Java, you can run your application as you like.
What I understand is you need to test it, for that you can use any port forwarding service like https://pagekite.net/support/intro/features/ to enable "world access" to localhost

how to port forward an https website

I have recently got an SSL certificate on my website, on the apache server that I am using to host my website. The website says "Secure" and also works fine when I run it over localhost using the laptops ip address 192.168.*.**. But when I try to port forward this website over the port 443, it somehow says unsecure and your connection is not private. Any help here will be appreciated.
It sounds like you are using a self-signed certificate for your https connection. While modern browsers such as chrome give you errors saying the connection is unsecure and perhaps you even see red lines crossing out the https at the beginning of your url, there is no need to worry. If you are getting your page to render with these characteristics all is working, the reason for the errors is because the certificate is signed only for you.
In a real world production scenario you would have to use a third party service for a public capable certificate. However for your own development purposes, as long as the page runs with https there all is working as it is intended to.
For more try reading this article.

Apache forward proxy that handles https

I followed the example in the following SO question to successfully set up an Apache forwarding proxy: Setting up an Apache Proxy with Authentication
It works well, except that when accessing sites via https, it says it cannot find the site. For example, Chrome gives
Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.
And on the server, I do not even see something in the access logs. For my proxy settings, I have configured the same for http and https (i.e. port 80 on my proxy server).
Do you perhaps have an example of how to set up a forward proxy with Apache for https?
It seems the only thing I was missing is that I had not enabled mod_proxy_connect which was achieved with
sudo a2enmod proxy_connect
To quote the mod_proxy_connect documentation page:
This module requires the service of mod_proxy. It provides support for
the CONNECT HTTP method. This method is mainly used to tunnel SSL
requests through proxy servers.
Are you attempting to terminate the SSL or just trying to create a forward proxy without handling any SSL certs? The issue that you are having is because during HTTPS proxying, the browser attempts to create an HTTP tunnel and it seems that your server is not correctly configured to handle tunneling. You can see another example here: Implementing a Simple HTTPS Proxy Application.
Here is another helpful thread on proxying HTTPS traffic with HTTP tunneling: Tunnel over HTTPS.
If you can choose something else other than Apache, I would suggest you use a robust forward proxy such as Squid or TrafficServer that are built to handle this type of setup.

Reverse Proxy on Windows

I have a web server that responds to a number of different sites on port 80. Currently, IIS does the mapping to various sites via host headers, but I'd like to be able to serve other web apps on port 80 hosted in Jetty or Tomcat. IIS prevents that by grabbing all port 80 traffic.
I basically need a reverse proxy to just change the port number to something that another app stack can listen in on. I was looking into nginx but it seems to not be quite ready for prime time on Windows. Eventually I may set up a Linux box specifically for this, but for now I'm interested in a solution which will run all on the same box.
All I really need is something very light which mostly just matches hostname/port and allows rewriting of the port. Does anyone have any suggestions?
If you are running in IIS 7 or above you can use Application Request Routing for that: http://www.iis.net/download/ApplicationRequestRouting
For IIS 5-6, it looks like Apache Tomcat Connector (JK 1.2) is a clean solution. This is an IIS ISAPI filter which allows IIS to act as a reverse proxy for other web servers. It uses Apache JServ Protocol (AJP) to communicate with the app server actually serving requests. Both Tomcat and Jetty implement AJP. URLs are mapped with regex-like config to a particular AJP server instance.
Overview: http://www.iisadmin.co.uk/?p=40&page=3
IIS Config: http://tomcat.apache.org/connectors-doc/reference/iis.html
Mapping Config: http://tomcat.apache.org/connectors-doc/reference/workers.html
This ISAPI plug-in also works with IIS 7.x, but in that case the Application Request Routing (see marked answer) should be considered as it might work better with non-AJP servers.

Resources