Spring Boot Server using HTTPS, Management Server only HTTP? - spring-boot

Based on an answer from #andy-wilkinson to a past Spring Boot question, it appears that with the exception of a couple parameters (port for example), the management server leverages the same configuration as the regular servlet container.
I would like to configure the main Spring Boot server to use HTTPS (for the application/service it is serving) and to use just HTTP for the actuator endpoints. Has anyone done this? Is this even possible?
-Joshua

It's not possible at the moment. Please open an issue if it's an enhancement that you'd like to see.

Related

consume spring boot rest services from private network

I want to consume the spring boot rest services deployed behind a firewall. Need a solution for the above scenario. Thank you.
To access a Rest API behind a firewall you need to open the default HTTP ports in that firewall(80 for HTTP and 443).
That has nothing to do with the technology that you are using to implement the Rest API.
Please provide more details about your question if this is not enough answer for you...

Recommended/Alternative ways of starting a Spring Boot app if config server is down?

Was wondering the recommended way of starting a spring boot app if the Spring cloud config server is temporarily down or unavailable. What would be the approach? I know of the retry configurations, but I am wondering if there is a way to have a 'replica' config server and use that as a failover (or something along those lines).
Sure, why not?
After all, spring-cloud-config server exposes rest API and all the interaction with spring boot microservices is done over HTTP.
From this point of view, you can scale out the spring cloud config server by providing more than one instance of it all are up-and-running and mapping them to one virtual IP.
If you're running in some kind of orchestrated environment (like kubernetes) it is a very easy thing to do.

How to implement 1-way SSL in Spring Boot

I am building a middle tier which will consume information from multiple downstream systems. The ask is to talk to them over 1 way SSL. I looked up samples but this concept is a bit if a mystery to me. Please help.
The question is too vague IMHO, I'll try to provide general insights
The answer may vary depending on the actual requirements in your organization security department and your actual spring boot configuration.
Spring Boot is a Java framework that usually allows the deployment architecture with an embedded tomcat, jetty or undertow servers that serve Http endpoints exposed by Spring MVC or without an embedded server at all (usually for legacy deployments)
If you in a "legacy" mode (build a WAR) - then HTTPs configuration should be done on the actual server and not in spring boot application.
If you use an embedded server, then the actual technical solution can actually depend on the server you use underneath, at least to some extent.
Indeed like Steffen Ullrich has stated in the comment section, there are many examples of doing this.
For example, take a look at This one
If you want to redirect HTTP requests to HTTPs you should configure your server to do so, and this solution is Tomcat specific.
Another thing to consider is whether you want to use SSL at the level of spring boot at all. Maybe you're running under the gateway / some kind of proxy. In this case, it can make sense to use https for accessing the proxy from outside, but from a proxy to java application you could use HTTP.
I know I'm just speculating about this solution, I've just decided to mention it because in my experience there are many organizations that work like this.
In addition, since spring boot is used for microservice development, the chances are that you have many spring boot artifacts that somehow "talk" to each other, so maybe running HTTPs between them is redundant.

Spring cloud config client without Eureka, Ribbon and spring boot

I have spring web application (not spring boot) running in AWS. I am trying to create centralized configuration server. How to refresh the spring-cloud-client after the changing the properties? As per tutorial
Actuator endpoint by sending an empty HTTP POST to the client’s refresh endpoint, http://localhost:8080/refresh, and then confirm it worked by reviewing the http://localhost:8080/message endpoint.
But my aws Ec2 instances are behind the loadbalancer so i can't invoke the client url. I didn't understand the netflix Eureka and Ribbon much but it seems like adding another level of load balancer in the client side. I don't like this approach. Just to change a property i don't want to make the existing project unnecessarily complex. Is there any other way? or Am I misunderstood Eureka/Ribbon usage?
I have looked at the spring-cloud-config-client-without-spring-boot, spring-cloud-config-client-without-auto-configuration none of them have answer. First thread was answered in 2015. Wondering is there any update?
To get the configuration properties from a config server. You can do a http request. Example:
From the documentation we can see:
/{application}/{profile}[/{label}]
/{application}-{profile}.yml <- example
/{label}/{application}-{profile}.yml
/{application}-{profile}.properties
/{label}/{application}-{profile}.properties
So if you would do a request to http://localhost:8080/applicationName-activeProfile.yml you would receive the properties in .yml format for the application with that name and active profile. Spring boot config clients would automatically provide these values but you will have to provide em manually.
You don't need Eureka/Ribbon for this to work, it's a separate component.
More info: http://cloud.spring.io/spring-cloud-static/spring-cloud.html#_spring_cloud_config
Maybe you could even use spring-cloud-config but I'm not sure what extra configuration is needed without spring-boot.
https://cloud.spring.io/spring-cloud-config/

Spring-boot Actuator SSL configuration

I'm developing a webapplication with Spring-boot using embedded tomcat.
One of the requirements of this app is 2-way SSL (clientAuth).
Enabling ClientAuth is easy enough however we also like to use spring-boot Actuator for management of the app on a different port without clientAuth.
Is there is a clean way to do this?
(Disabling SSL on the actuator endpoints would also be enough)
According to latest spring docs, you can use
management.server.port=8080
management.server.ssl.enabled=false
in the properties to configure the management ports. see production-ready-management-specific-ssl in the spring boot doc for more options.

Resources