I'm developing app for GAE. Currently GAE dev server doesn't support https, so I managed to create a HTTPS proxy using nginx. The problem is that I also have a third party service that uses my app, but only can make requests using HTTPS, i.e. it can make request https://localhost, but won't proceed http://localhost. Inside my app I use the library of the service that internally uses req.getRequestURL() from HttpServletRequest. So, the request: Request (to https: //localhost) -> nginx proxy -> Request (to http: //localhost) -> dev GAE server. And req.getRequestURL() returns "http: //localhost" which doesn't match that in the request field (it's a special field in the request specified by the protocol of the service) and the library throws exception. What can I do?
My nginx config:
server {
listen 443 ssl; # The ssl directive tells NGINX to decrypt
# the traffic
server_name localhost;
ssl_certificate ls.crt; # This is the certificate file
ssl_certificate_key ls.key; # This is the private key file
location / {
proxy_pass http://localhost:8080;
}
}
Related
I'm using Retrofit2 (that uses OkHttpClient) to make REST requests to the server.
I'm using TLSv1.3 protocol.
How can I enable and configure SNI (Server Name Indication) for my client?
It's enabled automatically using the hostname in the URL.
I actually have a hosting service who has a subdomain, that subdomain function is to redirect to my local server where I have my services, for example:
My domain: example.com
Subdomain: guaymas.example.com // His function is to redirect to my server (firewall)
Redirect to a port : guaymas.example.com:8080 // where I have my services
And through a port I have a web service, in order to make the data transfer more secure I wanted to implement a SSL certificate but because of my configuration I’ḿ not able to generate the certificate with letś encrypt (because buying one is not an option), I can’t verify with http or dns method, Is there any other method that I can use to generate the SSL certificate?
PD: I'm using GlassFish and Soap web services on JAVA, those are running on Linux Server and my distro is deepin
Thanks a lot
I'm running a Tomcat webserver on http port 8080. In front I have an Apache that handles https ssl connections.
How can I know if the client made a request using http:// or https://? Because the following shows http always, because the Apache internally sends only http:8080 requests to the Tomcat of course. So the initial scheme requested is lost here.
HttpServletRequest req;
req.getRequestURL().toString(); // always shows http://....
Apache should add following request headers as explained in mod_proxy docs:
X-Forwarded-For - The IP address of the client.
X-Forwarded-Host - The original host requested by the client in the Host HTTP request header.
X-Forwarded-Server - The hostname of the proxy server.
Additionally X-Forwaded-Proto with the original protocol can be added as explained in this example:
<VirtualHost *:443>
<strong>RequestHeader set X-Forwarded-Proto "https"</strong>
I need to use HTTPs in my Spring boot application so I added config files for Elastic Beanstalk (Java 8 running on 64bit Amazon Linux/2.7.1). Here is the config for HTTPS server:
server {
listen 443 default ssl;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:6080;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
The config seems to apply, but when I make a request using HTTPs the app throws this exception:
2018-06-17 09:40:55.245 INFO 29898 --- [nio-6080-exec-3] o.apache.coyote.http11.Http11Processor:
Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:426) ~[tomcat-embed-core-8.5.27.jar!/:8.5.27]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687) ~[tomcat-embed-core-8.5.27.jar!/:8.5.27]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_171]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]
I guess the problem is that the server listens for HTTPs requests but my app expects HTTP request but I am not really sure. What should I do?
#Configuration
#EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().permitAll()
.and().csrf()
.disable();
}
}
yes this problem occur because of HTTPs Request hit from client side. So solution is to
Configuring Your Elastic Beanstalk Environment's Load Balancer to Terminate HTTPS
To update your AWS Elastic Beanstalk environment to use HTTPS, you need to configure an HTTPS listener for the load balancer in your environment. Two types of load balancer support an HTTPS listener: Classic Load Balancer and Application Load Balancer.
You can use either the Elastic Beanstalk console or a configuration file to configure a secure listener and assign the certificate.
Note
Single-instance environments don't have a load balancer and don't support HTTPS termination at the load balancer.
Configuring a Secure Listener Using the Elastic Beanstalk Console
Configuring a Secure Listener Using a Configuration File
You can configure a secure listener on your load balancer with one of the following configuration files.
Example .ebextensions/securelistener-clb.config
Use this example when your environment has a Classic Load Balancer. The example uses options in the aws:elb:listener namespace to configure an HTTPS listener on port 443 with the specified certificate, and to forward the decrypted traffic to the instances in your environment on port 80.
option_settings:
aws:elb:listener:443:
SSLCertificateId: arn:aws:acm:us-east-2:1234567890123:certificate/####################################
ListenerProtocol: HTTPS
InstancePort: 80
Replace the highlighted text with the ARN of your certificate. The certificate can be one that you created or uploaded in AWS Certificate Manager (ACM) (preferred), or one that you uploaded to IAM with the AWS CLI.
For more information about Classic Load Balancer configuration options, see Classic Load Balancer Configuration Namespaces.
Example .ebextensions/securelistener-alb.config
Use this example when your environment has an Application Load Balancer. The example uses options in the aws:elbv2:listener namespace to configure an HTTPS listener on port 443 with the specified certificate. The listener routes traffic to the default process.
option_settings:
aws:elbv2:listener:443:
Protocol: HTTPS
SSLCertificateArns: arn:aws:acm:us-east-2:1234567890123:certificate/####################################
Configuring a Security Group
If you configure your load balancer to forward traffic to an instance port other than port 80, you must add a rule to your security group that allows inbound traffic over the instance port from your load balancer. If you create your environment in a custom VPC, Elastic Beanstalk adds this rule for you.
You add this rule by adding a Resources key to a configuration file in the .ebextensions directory for your application.
The following example configuration file adds an ingress rule to the AWSEBSecurityGroup security group, which allows traffic on port 1000 from the load balancer's security group.
Example .ebextensions/sg-ingressfromlb.config
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 1000
FromPort: 1000
SourceSecurityGroupName: {"Fn::GetAtt" : ["AWSEBLoadBalancer" , "SourceSecurityGroup.GroupName"]}
Hope this will help you. Or refer: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
I'm working with tomcat with a front load balancer. The load balancer take my requests in HTTPS and forward them to tomcat over HTTP. So my tomcat has no SSL configuration and it's working fine so.
My problem is that I've got a response wrapper that does encode redirect some URLs, all my URLs are relative and when I encode redirect my URLs the resulting redirect URL is in HTTP. I'd like it to be HTTPS. I believe this is because tomcat is not in HTTPS, is it possible to enforce HTTPS when doing encode redirect without configuring tomcat with a SSL connector ?
Configure Tomcat to use the RemoteIPValve. This will take the headers that AWS ELB uses to communication the original TLS connection information to the back-end server and wire it into the request object.
This will get you the proper redirect protocol plus you'll also get the original client's IP address when you ask for it, instead of the IP address of the proxy (which is pretty much useless).