Use SNI with Undertow to add multiple domains under one IP - https

Does Undertow support SNI? In other words, can I run https on multiple domains/certificates on a single IP?

Undertow 1.3 and below do not support SNI. I'm guessing 1.4 won't either.
There is a JIRA feature request for it.

Related

How does Spring Boot http2 handle browser requests that do not support http2 at the same time?

Spring Boot can support http/2 now, but if browser does not support http/2, can browser request server use http1.x+ssl with the same http port? Nginx can automatically downgrade http/2 to http1.x+ssl when browser does not support http/2.
Is this a Spring Boot issue, or a servlet container issue (Tomcat, Jetty, Undertow)?
I tried locally with a Spring Boot application with http/2: browsers that support http/2 can access it successfully, but access from browsers that do not support http/2 got an 'Aborted' http status.
Application information:
Spring Boot Version: 2.1.0.M4
Servlet Container: default, Apache Tomcat/9.0.12
application.properties:
spring.application.name=spring-test
server.port=8443
server.http2.enabled=true
server.ssl.key-store=classpath:testkeystore.jks
server.ssl.key-store-password=test
server.ssl.key-password=test
Browser support http/2: Chrome, version: 66.0.3359.139
Browser does not support http/2: Firefox, version: 30.0
This is more of a container problem - although depending on the concrete problem, Spring Boot might be able to help in the way it's configuring the server.
The core issue with what you're describing is: if a server supports both http/2 and http/1.1, it still has to enforce strict minimal requirements for cipher suites, otherwise attackers could be able to force the clients to downgrade the security and use a broken cipher.
So effectively, the category of HTTP clients you're worried about is getting smaller by the day. Clients that support those modern ciphers also support http/2. For example, in the latest Jetty release, all TLS_RSA ciphers are now excluded by default.
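A way to check the cipher-suite point made in this answer, added here as an example (it is not code from the answer or from Spring Boot). It lists the suites a JVM enables by default that fall short of the HTTP/2 criteria in RFC 7540, section 9.2.2 and Appendix A, approximated by name: ephemeral key exchange plus an AEAD cipher. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class Http2CipherAudit {
    /** True if the suite has ephemeral key exchange and an AEAD cipher, or is a TLS 1.3 suite. */
    static boolean acceptableForHttp2(String suite) {
        // TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no key-exchange part and are all AEAD.
        boolean tls13 = !suite.contains("_WITH_")
                && (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_"));
        // Static RSA/DH/ECDH and anonymous suites do not match these prefixes.
        boolean ephemeral = suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CCM")
                || suite.contains("CHACHA20_POLY1305");
        return tls13 || (ephemeral && aead);
    }

    /** Suites enabled by default in this JVM that an HTTP/2 peer may refuse. */
    static List<String> weakDefaults() throws Exception {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> weak = new ArrayList<>();
        for (String suite : params.getCipherSuites()) {
            // Signalling value for secure renegotiation, not a real cipher suite.
            if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) continue;
            if (!acceptableForHttp2(suite)) weak.add(suite);
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        for (String suite : weakDefaults()) {
            System.out.println("not suitable for HTTP/2: " + suite);
        }
    }
}
```

Any suite it prints (for example a TLS_RSA_ one) is a candidate for exclusion in the container's TLS configuration.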

Spring Boot Server using HTTPS, Management Server only HTTP?

Based on an answer from @andy-wilkinson to a past Spring Boot question, it appears that with the exception of a couple of parameters (port, for example), the management server leverages the same configuration as the regular servlet container.
I would like to configure the main Spring Boot server to use HTTPS (for the application/service it is serving) and to use just HTTP for the actuator endpoints. Has anyone done this? Is this even possible?
-Joshua
It's not possible at the moment. Please open an issue if it's an enhancement that you'd like to see.

Getting Remote Host in jersey 2.4 grizzly http container

I'm using the Jersey 2.4 grizzly2-http container in my application and was wondering whether there is a way to get the Remote Host address inside a Request Filter. I would like to reject all requests that are not coming from a list of allowed remote IPs.
Thanks
Josip
I would recommend using a servlet filter external to Jersey. This will be much more customizable. Tomcat has one natively, but you could always roll your own. This way you can externalize this from your code and make changes in your web.xml without having to rebuild your app.
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter
Here is a more generic one you could use with grizzly
java- using a filter to check remote address

Jelastic or Cloudbees support for websockets

Does anyone know if it's possible to use websockets on Cloudbees or Jelastic? I deployed a Railo project with websockets on port 10126; it works beautifully on my local Tomcat setup, however nothing happens when deployed to both Jelastic and Cloudbees.
At Jelastic we do. That is one of the outcomes of our making Public IPs available. We will be doing a short how-to article coming up on this very topic. You can look out for it on our blog (http://blog.jelastic.com) or our Twitter account (@jelastic).
Cloudbees now supports Websockets.
This is done via a proxy, so it can work with any app via HTTP upgrade.
Simply set:
bees app:proxy:update http_version=1.1
as HTTP 1.1 supports Upgrade to websocket (thus ws and wss will work).
CloudBees now offers support for WebSockets - you just need to use a different endpoint to access your application: http://developer.cloudbees.com/bin/view/RUN/WebSockets
AFAIK, only dotCloud supports websockets for now: http://docs.dotcloud.com/guides/websockets/
OK, in my understanding, Jelastic supports running Websockets in GlassFish and can support Public IPs, while Cloudbees supports running separate JVMs (plain Java apps, no app server) but without Public IPs.
Here are some references:
Cloudbees JVM container

Spring integration. Want to use HTTPS

I'm using Spring Integration - HTTP Adaptor.
Now, I want to make it HTTPS. Please let me know how to implement it.
If you mean on the client (outbound) side, simply use an https://... url.
If you mean on the server (inbound) side, then configure your servlet container to use SSL.
