HTTPS for Java App


Maaz
 

Hello,

We have CF 197 deployed in our environment (without HA Proxy). I am trying to push a standalone Spring boot JAR (with embedded tomcat). The app starts properly but I can't access it via https.

I have these settings for my spring boot app
server:
tomcat:
remote_ip_header: x-forwarded-for
protocol_header: x-forwarded-proto

Also
Within the app I have configured the tomcat to accept SSL connection using this sample
https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-tomcat-multi-connectors/src/main/java/sample/tomcat/multiconnector/SampleTomcatTwoConnectorsApplication.java

Can someone please point out what I am missing in order to get Https working for my app.
Do I need to enable something within the CF deployment ?

Thanks
Maaz


Daniel Mikusa
 

On Mon, Jul 13, 2015 at 7:01 PM, Khan, Maaz <Maaz.Khan(a)emc.com> wrote:

Hello,



We have CF 197 deployed in our environment (without HA Proxy).
Do you have a different load balancer then?


I am trying to push a standalone Spring boot JAR (with embedded tomcat).
The app starts properly but I can’t access it via https.



I have these settings for my spring boot app

server:

tomcat:

remote_ip_header: x-forwarded-for

protocol_header: x-forwarded-proto



Also

Within the app I have configured the tomcat to accept SSL connection using
this sample


https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-tomcat-multi-connectors/src/main/java/sample/tomcat/multiconnector/SampleTomcatTwoConnectorsApplication.java



Can someone please point out what I am missing in order to get Https
working for my app.
Usually this is not necessary. Your app would just need to listen on the
port assigned to it (i.e. via PORT env variable) and it would listen for
incoming HTTP traffic.


Do I need to enable something within the CF deployment ?
Usually what happens is that HTTPS traffic is terminated at your load
balancer (that's why I asked if you had one above). The load balancer will
then send a request to the go router which in turn directs the HTTP traffic
to your app.

Ex: Browser -> HTTPS -> LB -> HTTP -> GoRouter -> HTTP -> Your App

You can tell if the traffic came from the user's browser via HTTPS by
looking at the x-forwarded-proto header.

Dan




Thanks

Maaz



_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Maaz
 

Hi Dan,

Thanks for the comments.
I understand how HTTPS flow works for CF with Load balancer like F5 (i.e HTTPS -> LB -> HTTP -> GoRouter -> HTTP -> Your App)

I read here (https://johnpfield.wordpress.com/2014/09/10/configuring-ssltls-for-cloud-foundry/) that we can use HAProxy to enable HTTPS across the deployment.
Now since in our deployment we are using CF without HAProxy, I was wondering if something can be done from the Gorouter point of view to forward Https requests.

Thanks
Maaz

From: cf-dev-bounces(a)lists.cloudfoundry.org [mailto:cf-dev-bounces(a)lists.cloudfoundry.org] On Behalf Of Daniel Mikusa
Sent: Tuesday, July 14, 2015 4:29 AM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: Re: [cf-dev] HTTPS for Java App

On Mon, Jul 13, 2015 at 7:01 PM, Khan, Maaz <Maaz.Khan(a)emc.com<mailto:Maaz.Khan(a)emc.com>> wrote:
Hello,

We have CF 197 deployed in our environment (without HA Proxy).

Do you have a different load balancer then?

I am trying to push a standalone Spring boot JAR (with embedded tomcat). The app starts properly but I can’t access it via https.

I have these settings for my spring boot app
server:
tomcat:
remote_ip_header: x-forwarded-for
protocol_header: x-forwarded-proto

Also
Within the app I have configured the tomcat to accept SSL connection using this sample
https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-tomcat-multi-connectors/src/main/java/sample/tomcat/multiconnector/SampleTomcatTwoConnectorsApplication.java

Can someone please point out what I am missing in order to get Https working for my app.

Usually this is not necessary. Your app would just need to listen on the port assigned to it (i.e. via PORT env variable) and it would listen for incoming HTTP traffic.

Do I need to enable something within the CF deployment ?

Usually what happens is that HTTPS traffic is terminated at your load balancer (that's why I asked if you had one above). The load balancer will then send a request to the go router which in turn directs the HTTP traffic to your app.

Ex: Browser -> HTTPS -> LB -> HTTP -> GoRouter -> HTTP -> Your App

You can tell if the traffic came from the user's browser via HTTPS by looking at the x-forwarded-proto header.

Dan


Thanks
Maaz


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Christopher Piraino <cpiraino@...>
 

Hi Maaz,

We recently added the ability for the GoRouter to terminate SSL/TLS
with a manifest
change
<https://github.com/cloudfoundry/cf-release/blob/14d119a69428bdc4b56ee44023606a2c77bf9459/jobs/gorouter/spec#L43>.
We
still recommend that a load balancer sit in front of the deployment in
order to be able to scale horizontally.

Let me know if you have any questions!

Best,
Chris

On Tue, Jul 14, 2015 at 12:19 PM, Khan, Maaz <Maaz.Khan(a)emc.com> wrote:

Hi Dan,



Thanks for the comments.

I understand how HTTPS flow works for CF with Load balancer like F5 (i.e HTTPS
-> LB -> HTTP -> GoRouter -> HTTP -> Your App)



I read here (
https://johnpfield.wordpress.com/2014/09/10/configuring-ssltls-for-cloud-foundry/)
that we can use HAProxy to enable HTTPS across the deployment.

Now since in our deployment we are using CF without HAProxy, I was
wondering if something can be done from the Gorouter point of view to
forward Https requests.



Thanks

Maaz



*From:* cf-dev-bounces(a)lists.cloudfoundry.org [mailto:
cf-dev-bounces(a)lists.cloudfoundry.org] *On Behalf Of *Daniel Mikusa
*Sent:* Tuesday, July 14, 2015 4:29 AM
*To:* Discussions about Cloud Foundry projects and the system overall.
*Subject:* Re: [cf-dev] HTTPS for Java App



On Mon, Jul 13, 2015 at 7:01 PM, Khan, Maaz <Maaz.Khan(a)emc.com> wrote:

Hello,



We have CF 197 deployed in our environment (without HA Proxy).



Do you have a different load balancer then?



I am trying to push a standalone Spring boot JAR (with embedded tomcat).
The app starts properly but I can’t access it via https.



I have these settings for my spring boot app

server:

tomcat:

remote_ip_header: x-forwarded-for

protocol_header: x-forwarded-proto



Also

Within the app I have configured the tomcat to accept SSL connection using
this sample


https://github.com/spring-projects/spring-boot/blob/master/spring-boot-samples/spring-boot-sample-tomcat-multi-connectors/src/main/java/sample/tomcat/multiconnector/SampleTomcatTwoConnectorsApplication.java



Can someone please point out what I am missing in order to get Https
working for my app.



Usually this is not necessary. Your app would just need to listen on the
port assigned to it (i.e. via PORT env variable) and it would listen for
incoming HTTP traffic.



Do I need to enable something within the CF deployment ?



Usually what happens is that HTTPS traffic is terminated at your load
balancer (that's why I asked if you had one above). The load balancer will
then send a request to the go router which in turn directs the HTTP traffic
to your app.



Ex: Browser -> HTTPS -> LB -> HTTP -> GoRouter -> HTTP -> Your App



You can tell if the traffic came from the user's browser via HTTPS by
looking at the x-forwarded-proto header.



Dan





Thanks

Maaz




_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev



_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev