Spring-boot Actuator SSL configuration - spring-boot

I'm developing a webapplication with Spring-boot using embedded tomcat.
One of the requirements of this app is 2-way SSL (clientAuth).
Enabling ClientAuth is easy enough however we also like to use spring-boot Actuator for management of the app on a different port without clientAuth.
Is there is a clean way to do this?
(Disabling SSL on the actuator endpoints would also be enough)

According to latest spring docs, you can use
management.server.port=8080
management.server.ssl.enabled=false
in the properties to configure the management ports. see production-ready-management-specific-ssl in the spring boot doc for more options.

Related

Springboot disable Apache Jserv Protocol (AJP) through application.properties

Recently there has been an exploit on Apache Jserv Protocol (AJP) for webapps running in Tomcat.
The quickest way to mitigate that risk is to disable that protocol if not in use. I would like to know how to disable Apache Jserv Protocol (AJP) on Springboot web application through application.properties or any other configurable method. I've looked for it on Springboot documention and other sources but could not find how to do it.
Thanks!

Spring Boot Actuator + Spring Boot Admin - Is there a way to define a custom management url?

Is there a way I can define the port for the management URLs (not the management.server.port) so that spring boot admin can identify the actuator URLs from the spring boot app for monitoring?
I'm running the spring boot app in a docker container and it's externally exposed on a different port using the Kubernetes NodePort.
If you are using service discovery for application lookup you could define the exposed management port in instance metadata. This metadata is used to build up the management URL.
More details documented here:
http://codecentric.github.io/spring-boot-admin/current/#spring-cloud-discovery-support
Handling is done in de.codecentric.boot.admin.server.cloud.discovery.DefaultServiceInstanceConverter
Example for Eureka:
eureka.instance.metadata-map.management.port=[K8S-EXPOSED-PORT]
If you are using Service Discovery, take a look into DefaultServiceInstanceConverter, try specifying the management.port property.
If you are not using Service Discovery, then take a look into de.codecentric.boot.admin.server.domain.values.Registration, you might need to use the builder apis to register your application correctly (try to set managementUrl properly). Note, you will need to do this in your client application (the one which is being monitored).

Spring Boot health checks for non-web apps

After reading up on the Spring Boot Actuator features, specifically the health endpoint, I've found it quite useful for implementing docker container health checks for some of my services.
However some of my services are not webapps, and it seems like overkill to enable HTTP just to allow the container to check the app is up and running. Looking through the options, actuator seems to support HTTP endpoints, JMX, and SSH/Telnet, though that last one apparently requires you to be running a JDK, and is going away in boot 2.0.
Are there any established ways of doing container healthchecks for non-web spring boot apps?

Spring Boot Actuator + Java Melody

I'm using the actuator sub project in my spring boot application. I configured the address and the port of the actuator management functions in the application.properties to separate the monitoring traffic from the production traffic.
management.address=127.0.0.1
management.port=8081
Additionally I want to use java melody and I want to provide the java melody dashboard on the same connection pool as the actuator endpoints. So finally the java melody dashboard should be provided by localhost:8081/monitoring, not(!) by localhost:8080/monitoring.
How can I do that?
You can now use the spring-boot management port (e.g. 8081) for the monitoring page instead of the application http port (e.g. 8080), since javamelody-spring-boot-starter 1.76.
See doc:
https://github.com/javamelody/javamelody/wiki/SpringBootStarter#configuration-in-case-of-management-port

Spring Boot Server using HTTPS, Management Server only HTTP?

Based on an answer from #andy-wilkinson to a past Spring Boot question, it appears that with the exception of a couple parameters (port for example), the management server leverages the same configuration as the regular servlet container.
I would like to configure the main Spring Boot server to use HTTPS (for the application/service it is serving) and to use just HTTP for the actuator endpoints. Has anyone done this? Is this even possible?
-Joshua
It's not possible at the moment. Please open an issue if it's an enhancement that you'd like to see.

Resources