Openshift DIY Dropwizard with HTTPS - openshift

I got my Dropwizard application running in an Openshift DIY Cartridge.
The application uses HTTPS and binds to port 8080. I can access the application with curl from within an SSH connection via rhc ssh appname.
What do I have to configure so that I can access my Dropwizard application via the appname-username.rhcloud.com domain?
I always get a 502 Proxy Error: Error reading from remote server.
Any suggestion is greatly appreciated.
tmy

In OpenShift your application is deployed behind a proxy server, and this proxy server can only communicate with your application using HTTP.
The OpenShift proxy server allows you to use both HTTP and HTTPS connections, and to communicate which type of connection was used the proxy server adds X-Forwarded headers to the request to your application.
To configure Dropwizard, you will need to configure the HTTP connector on port 8080, the default, and set useForwardedHeaders to true, also the default. See http://dropwizard.io/manual/configuration.html#http for more information.
At this point Dropwizard is aware of whether an HTTP or HTTPS connection was used. The thing I did not find is how to make content "confidential" so that the Jetty container inside Dropwizard redirects the client to the HTTPS connector served by the OpenShift proxy server when the client tries to connect to your application using HTTP.
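The mechanism the answer describes (plain HTTP to the application on 8080, the original scheme carried in X-Forwarded-Proto, and a redirect when that scheme was HTTP) is independent of the framework. The following is an added example, not code from the original answer or from Dropwizard, written in JavaScript to match the Node.js used elsewhere on this page. It shows the part that matters for security: the forwarded headers are only honoured when the TCP peer is the proxy, because anyone who can reach port 8080 directly can set X-Forwarded-Proto themselves. The proxy addresses (loopback), the rhcloud.com hostname and the request shape are assumptions.

```javascript
'use strict';
// Added example, not part of the original answer: the forwarded-header logic
// an app behind the OpenShift proxy depends on, written out so the trust rule
// is explicit. The app itself only ever sees plain HTTP on port 8080; the
// scheme the client used arrives in X-Forwarded-Proto. Anyone who can reach
// port 8080 directly can set that header too, so it is honoured only when the
// TCP peer is the proxy.

// Assumption: the proxy connects from the same host as the application.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
// Assumption: the public hostnames the app is served under. Redirects are only
// issued to these, so a spoofed Host header cannot turn the redirect into a
// jump to an attacker-controlled site.
const ALLOWED_HOSTS = new Set(['appname-username.rhcloud.com']);

// `req` is a minimal request shape: remoteAddress (TCP peer), encrypted (true
// only if the app's own listener is TLS), headers keyed by lowercase name, and
// url (path plus query string).
function effectiveScheme(req, trusted = TRUSTED_PROXIES) {
  const own = req.encrypted ? 'https' : 'http';
  if (!trusted.has(req.remoteAddress)) return own; // untrusted peer: ignore X-Forwarded-*
  const xfp = req.headers['x-forwarded-proto'];
  if (!xfp) return own;
  // Chained proxies append values; the first one is the scheme the client used.
  const first = xfp.split(',')[0].trim().toLowerCase();
  return first === 'https' ? 'https' : 'http';
}

// Returns null when the request already arrived over HTTPS at the proxy, a
// 301 to the same resource over HTTPS when it arrived over HTTP, or a 400 when
// no acceptable Host is available to build the redirect from.
function confidentialRedirect(req, trusted = TRUSTED_PROXIES, hosts = ALLOWED_HOSTS) {
  if (effectiveScheme(req, trusted) === 'https') return null;
  // X-Forwarded-Host is trusted on the same terms as X-Forwarded-Proto.
  const host = (trusted.has(req.remoteAddress) && req.headers['x-forwarded-host'])
    || req.headers['host'];
  if (!host || !hosts.has(host.toLowerCase())) return { status: 400, location: null };
  return { status: 301, location: `https://${host}${req.url || '/'}` };
}
```

A request that reaches the app from the proxy with X-Forwarded-Proto: https is served; the same request with http gets a 301 to the https URL; a request from any other peer is treated as plain HTTP no matter what headers it carries.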

Related

How to control Spring Boot Admin Server spring cloud kubernetes based service discovery to use HTTP instead of HTTPS

I have Spring Boot Admin server deployed in OpenShift with the help of the fabric8 Maven plugin.
I also have several applications deployed in OpenShift.
Spring Boot Admin server (SBAS) uses Spring Cloud Kubernetes discovery to discover services (applications) registered / running in the namespace / cluster, which is automatic client discovery.
SBAS discovered them as expected, which is fine, but some applications shown / registered in SBAS use http and some use https to check the health, as shown below.
I have no idea why SBAS uses http for some apps and https for other apps to check the health.
Since SBAS uses https and port 8443, it shows those applications as offline, but those applications are exposed on http 8080 only.
I have compared the applications' code and OpenShift configurations but I don't see any difference, and I don't know how to fix this issue.
I am new to all of the above concepts; could someone help me?
I didn't find a solution for this issue, but I did a workaround which helped me.
Since I am using only one port, 8080, I have deleted the other ports such as 8443 and 8778 via the OpenShift yml as shown below. But if you have to expose more ports this won't help.

What is CORS in npm, can putty be used for development of a web application?

I am working/learning on web application that has following dependencies:
Express.js + Node.js
MySQL
Angular 4
PM2 (Process manager)
Libs used on the backend:
express
body-parser
jsonwebtoken
bcrypt-nodejs
socketio-jwt
async.js
request
deep-diff
socket.io
cors
mysql
Libs used for the front end
angular2-jwt
socket.io-client
angular-2-dropdown-multiselect
angular2-tree-component
I wanted to know in detail about the usage of CORS and PuTTY for the development of this app.
CORS, or Cross-Origin Resource Sharing, is a specification that exists for security reasons:
Your browser won't allow you to make HTTP requests to another domain unless your server app returns specific headers (they start with Access-Control-Allow).
The npm cors module allows you to add those header fields in an easier way: app.use(cors())
PuTTY is an SSH client; it permits you to connect to a remote server using the SSH protocol (usually you use it to configure your server or run your app on your server). The server needs to host an SSH server like OpenSSH (native on Linux).
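To make the Access-Control-Allow headers the answer mentions concrete, here is an added example (not code from the original answer, and not the cors module's own implementation) that computes those headers by hand for a given request. It lets you compare what app.use(cors()) does by default (answer every origin with *) with an explicit origin allowlist, and shows why allowing credentials for every origin is the combination to avoid. The allowed origins, the request shape and the policy object are constructed for the example.

```javascript
'use strict';
// Added example, not code from the original answer: the Access-Control-Allow-*
// headers computed by hand, so the effect of app.use(cors()) (which answers
// every origin with "*") can be compared with an explicit origin allowlist.
// The origins below are constructed for the example.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:4200']);

// `req` is a minimal request shape: method and headers keyed by lowercase name.
// `policy.origins` is either '*' (any origin, what cors() does by default) or a
// Set of allowed origins; `policy.credentials` says whether cookies or an
// Authorization header may be sent cross-origin. Returns the headers to add.
function corsHeaders(req, policy) {
  const origin = req.headers['origin'];
  const out = {};
  if (!origin) return out; // same-origin or non-browser client: nothing to add

  const anyOrigin = policy.origins === '*';
  if (!anyOrigin && !policy.origins.has(origin)) {
    return out; // not allowed: no ACAO header, so the browser blocks the response
  }
  if (anyOrigin && !policy.credentials) {
    out['Access-Control-Allow-Origin'] = '*';
  } else {
    // Browsers reject "*" when credentials are allowed, so the origin must be
    // echoed back. With origins === '*' this echoes ANY origin together with
    // credentials, meaning every site on the web may make authenticated calls
    // to this API; that is the configuration to avoid.
    out['Access-Control-Allow-Origin'] = origin;
    out['Vary'] = 'Origin'; // the response differs per origin; caches must key on it
  }
  if (policy.credentials) out['Access-Control-Allow-Credentials'] = 'true';

  // Preflight: the browser asks permission before a non-simple request.
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    const methods = policy.methods || ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE'];
    out['Access-Control-Allow-Methods'] = methods.join(',');
    const wanted = req.headers['access-control-request-headers'];
    if (wanted) out['Access-Control-Allow-Headers'] = wanted; // echo the request, as cors() does
    out['Access-Control-Max-Age'] = String(policy.maxAge == null ? 600 : policy.maxAge);
  }
  return out;
}
```

With the jsonwebtoken / angular2-jwt setup in the question the token normally travels in an Authorization header rather than a cookie, so an allowlist without credentials is usually enough; if you do set credentials, the allowlist is what keeps other sites from riding on the user's session.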

How to make ELB pass protocol to node.js process (Elastic Beanstalk)

I have ELB balancing TCP traffic to my Node.js processes. When ELB is balancing TCP connections it does not send the X-Forwarded-Proto header like it does with http connections. But I still need to know if the connection is using SSL/TLS so I can respond with a redirect from my Node process if it is not a secure connection.
Is there a way to make ELB send this header when balancing TCP connections?
Thanks
You can configure Proxy Protocol for your ELB to get connection-related information. In the case of HTTP the ELB adds headers carrying the client information; in the case of TCP, however, AWS ELB simply passes through the headers from the client without any modification, which causes the back-end server to lose client connection information, as is happening in your case.
To enable Proxy Protocol for your ELB, you will have to do it via the API; there is currently no way to do it via the UI.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html
The above doc is a step-by-step guide on how to do this. I don't want to paste the same here as that information might change over time.
EDIT:
As it turns out, Amazon implements Version 1 of the Proxy Protocol only, which does not give away SSL information. It does however give the port number which was requested by the client, and a process can be developed stating something like "if the request was over port 443 then it was SSL". I don't like it as it is indirect, requires hardcoding and coordination between devops and developers... but it seems to be the only way for now... let's hope AWS ELB starts supporting Version 2 of the Proxy Protocol, which does have SSL info, soon.

Configuring nginx as a tcp proxy for ejabberd

I am trying to configure nginx as a tcp proxy for ejabberd.
The nginx configuration for tcp proxying is as shown below
    stream {
        upstream ejabberd-servers {
            server ejabberd:5222;
        }
        server {
            listen 5222;
            proxy_pass ejabberd-servers;
        }
    }
Here ejabberd is the ejabberd server's node name, since this is done in a Docker environment.
When I connect to nginx using the Smack client library, I get the error SOCKS5 socket fail.
When I try connecting using SOCKS4, I get Server's response VN 60.
The reason I am trying to do so is because I do not want to expose ejabberd directly to the Internet. I need to have a proxy to load balance connections and also prevent DDoS attacks.
Setting up ejabberd for the Internet is nicely explained here: how to open ejabberd server to public.
Has anybody done so successfully?

Howto install the api gateway client certificate into Elastic beanstalk

I have a scalable application on Elastic Beanstalk running on Tomcat. I read that in front of Tomcat there is an Apache server acting as a reverse proxy. I guess I have to install the client certificate on Apache and configure it to accept only requests encrypted by this certificate, but I have no idea how to do that.
Can you help me?
After much research I found a solution. Given how difficult it was to discover, I want to share my experience with you.
My platform on Elastic Beanstalk is Tomcat 8 with a load balancer.
To use the client certificate (at the time of writing) you have to terminate HTTPS on the instance:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html
then
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-tomcat.html
I used this configuration to use both client and server certificates (it seems that it doesn't work with only the client certificate):
    # Server side: the instance terminates HTTPS itself (see the two links above)
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/server.crt"
    SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
    SSLCertificateChainFile "/etc/pki/tls/certs/GandiStandardSSLCA2.pem"
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    # Client side: every request must present a certificate that verifies
    # (within one step in the chain) against the file named below, which is
    # the client certificate downloaded from API Gateway
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile "/etc/pki/tls/certs/client.crt"
And one last thing: API Gateway doesn't work with a self-signed certificate (thanks to Client certificates with AWS API Gateway), so you have to buy one from a CA.
    SSLCACertificateFile "/etc/pki/tls/certs/client.crt"
This is where you should point to the client-side certificate provided by API Gateway.
You might have to configure the ELB's listener for vanilla TCP on the same port instead of HTTPS. Basically TCP pass-through at your ELB: your instance needs to handle the SSL in order to authorize the requests which presented a valid client certificate.