I deployed a webserver on AWS Beanstalk. The log file shows there are quite some HTTP requests to URLs that do not exist on my webserver. Those requests cause Spring Boot to forward the requests to /error, for which I have a controller to process.
Those URLs are
/hedwig.cgi
/system.ini
/upgrade_handle.php
/board.cgi
/shell
/azenv.php
Does it mean someone is trying to attack my website? How can I configure Spring Boot or Beanstalk to match those URLs and drop the request so that they do not reach to my controller handling /error?
Related
I am trying to connect from my javascript front to the REST API of my camunda orchestration which is deployed as part of a spring boot application.
the called url is :
GET http://localhost:8081/oms-orchestrator-ms/api/engine/engine/default/history/process-instance
i get an 401 error for non authenticated queries which is normal
First question : is it the right way to query the Engine Rest API for process definition/ instances and history?
In order to make it work , i add the JSESSIONID cookie as header to my requests,
how can i use the basic auth to query the orchestrator api instead of using the cookie?
Thanks for your Help
the /api path is part of the cockpits REST backend which is secured by the same rules as the cockpit webapp.
You can additionally deploy the rest api (camunda-bpm-spring-boot-starter-rest if you are using spring boot). This will add an almost identical REST api for the engine under the path /rest. This one is open by default and can be secured manually if required (and advised for prod environments).
We are using Spring Boot v2.0.4 + Spring Cloud (Finchley release).
We have deployed Zuul, Auth Server, Eureka, and Config Server, each in their own separate applications / processes. We have half a dozen of our own services deployed. We are using OAuth2 authentication for all services. We are using the embedded undertow container for all apps.
When Zuul uses the embedded Undertow container, we can not log in- the login page is redisplayed even though the credentials are correct. When Zuul is switched to use the embedded Tomcat container, everything works correctly- logging in brings the user to the correct page. (All other apps use Undertow in both cases.)
When we debug the requests coming through Zuul for Tomcat vs Undertow, we see that the SPRING_SECURITY_CONTEXT session attribute is being set for Tomcat but is not being set for Undertow. I assume this means that the user will be redirected back to the login page, which is why we are seeing that behavior.
We know that it is an issue with Zuul + Tomcat vs. Undertow, since the configuration of all other apps remains exactly the same.
Any ideas? We are really scratching our heads over this one.
It turned out this was caused by JSESSIONID cookie name conflict between Zuul and Auth Server. Because Tomcat container has different handling than Wildfly for multiple Set-Cookies of the same name (which is in violation of RFC6265), we are only seeing it now.
I should have mentioned that we configured auth server to be behind the Zuul proxy, hence the multiple JSESSIONID cookies.
We fixed this for now by renaming the JSESSIONID cookie name on all back-end servers. We will investigate the best way to do this for production deployment going forward, perhaps by using Spring Session. Any suggestions welcome.
I have deployed a Spring Boot application via Elastic Beanstalk. I'm using a load balancer, so this is the flow (as far as I understand):
Internet/Browser request ---HTTPS---> Load Balancer ---HTTP---> Spring Boot App Server
So essentially, the SSL terminates at the load balancer and the app server just deals with plain old HTTP.
But in the case of a HTTP request from the browser, I would like the load balancer to automatically redirect to HTTPS.
There are several questions about this issue:
Spring Boot with Embedded Tomcat behind AWS ELB - HTTPS redirect
How to redirect automatically to https with Spring Boot
Spring Boot redirect HTTP to HTTPS
But none of the answers to these questions make sense to me. Perhaps I'm misunderstanding, but all the answers basically make the Spring Boot app only server HTTPS request (for example when using http.requiresChannel().anyRequest().requiresSecure()).
However, this goes against the flow because I'm perfectly fine with the SSL terminating at the load balancer and the Spring Boot app server just dealing with HTTP. So if I require SSL at the spring boot level, then I'll need to do an end-to-end SSL connection, which isn't really required for my application.
I have also used the following properties, which don't seem to help either:
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
With the help of this article, I was finally able to figure out how to do this for a Spring Boot app in an ELB environment.
I had to create a conf file in src/main/webapp/.ebextensions/nginx/conf.d. I just called it myconf.conf.
In myconf.conf, I put this code in:
server {
listen 80;
server_name www.my-site.com;
if ($http_x_forwarded_proto != "https") {
rewrite ^(.*)$ https://$server_name$REQUEST_URI permanent;
}
}
Also, make sure that both HTTP and HTTPS listeners are open for the load balancer.
Additionally, my spring boot app only opens up HTTP since the load balancer already terminates SSL.
AWS Load balancer cannot handle redirection. You may do it via your server or by using cloudfront distributions.
We are currently developing a microservice application using Spring Boot 1.4 and Keycloak 2.5.0 (configured as openid-connect service) using the Keycloak Spring Adapter (not the Spring Boot adapter).
All of our microservices are put behind a load balancer and an additional reverse proxy as the application will be hosted on an existing domain behind a context root (so the root of our application is http://foo.bar/foobar/ and the rest services are http://foo.bar/foobar/rest/).
We are facing a couple of problems with Keycloak in this given scenario:
Keycloak forward to /sso/login if a sign-in is needed. This is in our case unwanted behaviour because http://foo.bar/sso/login will not exist. I have found a way to change the forward but there is no way to make Keycloak listen to the same url; we end up with a 404 in this case.
After signing in, Keycloak redirects back to the /sso/login url with the correct tokens, but if this is not the same server, the request fails and it redirects us to http://foo.bar/. Since every microservice exposes /sso/login, this can be in fact a completely different server.
If keycloak is hosted on the same domain, we end up in a redirect loop. We would also like to have Keycloak hosted on the same domain and on the context root http://foo.bar/foobar/auth/ .
We've already tried using the "token-store": "cookie" but this did not resolve the problem.
Is there a way to resolve these problems or is Keycloak maybe not the correct solution for our use-case ?
Update 05/05/2017:
Move my answer from here to an answer
We are now up and running with Keycloak so I'll briefly explain what we did. The front-end of our application runs Angular2 and we created a custom login page in the Angular application itself (so it's not a theme for Keycloak) which will directly query the Keycloak API for an OAuth2 Bearer token. The front-end will send this token on each request in the Authorization header (as per the OAuth standards).
On the service side we have configured keycloak as a bearer-only solution (bearer-only: true in the keycloak.json), this way the application just returns a 401 or a 403 instead of forwarding to the login page.
Using this configuration the user will never see anything from the /sso/login page and there is also no redirect issue anymore.
TLDR; the use-case I described was also not realistic, calling a REST URL and then forwarding to a login page is kind of bad stuff :)
I have a Zuul reverse proxy in front of my spring boot microservices, used as an API gateway.
Can the Zuul spring boot app be used to deliver static content, IE client code that calls the API gateway? I dont want to host this in a microservices or have another VM to manage for hosting content
I tried having a static folder in resources folder, but cant figure out how to map this in the application.yml responsible for routing. I dont want to route it to a NGnix or apache server, but use the embedded Tomcat of Zuul Spring boot app.
What would be the route to put in the route config, or what is the best approach for this.
Thank you
You don't have to map it in the routes config. Whatever you put in the resources/static folder will be served, as long nothing else is mapped on the same path.