Hey, I have a normal backend in Spring Boot and it only runs on port 8080 (HTTP). I have this backend in a Docker container where I exposed this port. Every time someone tries to connect via my domain, my Nginx Proxy Manager reroutes the connection with SSL to my backend. Should I continue with this method, or should I rather activate SSL on my Spring Boot backend too?
#Spring Boot SSL
<@&987246964494204979> please have a look, thanks.
Here is an AI assisted attempt to answer your question 🤖. Maybe it helps! In any case, a human is on the way 👍. To continue talking to the AI, you can use </chatgpt:1108714622413963314>.
to my backend, they have to use http://<ip>:8080. Now I want to secure the communication between the client and the backend by using SSL/TLS. How can I achieve this in Spring Boot?
To enable SSL/TLS in your Spring Boot application, you need to follow these steps:
- Generate a self-signed SSL certificate or obtain a valid SSL certificate from a trusted Certificate Authority (CA). You can use tools like OpenSSL to generate a self-signed certificate.
- Place the generated SSL certificate and private key in a keystore file. The keystore file is typically in Java KeyStore (JKS) format.
- Configure your Spring Boot application to use the SSL certificate and private key by adding the following properties to your application.properties or application.yml file:
server.port=8443
server.ssl.key-store-type=JKS
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=your_keystore_password
server.ssl.key-alias=your_certificate_alias
Make sure to replace keystore.jks, your_keystore_password, and your_certificate_alias with appropriate values.
- Restart your Spring Boot application, and it should now be accessible over HTTPS on port 8443.
Note: If you are using Docker, make sure to expose port 8443 in your Dockerfile or when running the container.
Now, clients can connect to your backend using https://<ip>:8443. However, since you are using a self-signed certificate, clients may see warnings about an untrusted certificate. To avoid these warnings, you can obtain a valid SSL certificate from a trusted CA.
Additionally, if you want to redirect all HTTP requests to HTTPS automatically, you can add the following configuration:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Spring Security 5.x style configuration (WebSecurityConfigurerAdapter was
// deprecated in Spring Security 5.7 and removed in 6.x).
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Require a secure channel for every request: a plain HTTP request is
        // answered with a redirect to the same URL over HTTPS.
        http.requiresChannel()
            .anyRequest()
            .requiresSecure();
    }
}
With this configuration, any HTTP request will be automatically redirected to HTTPS.
Remember to secure the keystore file and its password properly, as it contains sensitive information.
It highly depends on what you consider a safe environment; many systems communicate using HTTP internally and some proxy does SSL offloading for them.
The project I am working on right now is running inside OpenShift (Red Hat Kubernetes); internally the pods communicate using HTTP, and SSL is done by OpenShift itself.
Yes, mine does use HTTP internally, but I only expose port 8080 and use Nginx Proxy Manager to secure my connection to this port... Is this dumb?
So the communication between nginx and your application is unsecured; the question is whether you consider the environment it goes through secure.
Inside openshift with limited access -> likely secure
Inside a company network where every computer can run Wireshark and listen in -> not secure
So I should secure it then?
If it is the latter case I would say yes, even if you consider the environment technically internal it can be compromised.
But certificates and keys have expiration dates, so you should have some process for renewing them.
Can't I use the same cert from my Nginx Proxy Manager? It does renew it automatically.
Well yes, but you have to somehow get it into the app configuration
I think I will just generate one which is valid for one year
where can I generate certs?
openssh?
I mean, the thing is, the client has to trust your certificate
So it should be signed by an authority
Nope totally fine
Use nginx and Let's Encrypt w/ certbot
That will be the easiest way to do SSL on your own machine
I'd say to not secure your spring app itself
It adds complications and doesn't buy you much
There are exceptions to that statement, but I don't think you are in one of those cases
So the fact that I opened the HTTP port of my container and then secure every connection to it via Nginx Proxy Manager is fine?
Yes
Because the http port on your container isn't exposed to the wider internet
Basically, set up nginx to do http
Run certbot, and it will move you to https
Then you're golden
I mean I think you could connect if you enter the IP and the port 8080
it only secures it if you use the domain afaik
That is unideal. There is no reason you should be exposing 8080 from your web server
Just 80 and 443
And 8080 can be running locally
But I also can't think of anything horrid that would happen. Just people can get MITM'ed if they go directly to your ip
Which is unlikely
No wait... I mean my backend container is exposed at 8080. And if you use my domain to connect to it, you will end up on my Nginx Proxy Manager, which secures it and redirects to the container.
What is nginx proxy manager
Vs nginx
So I would expect something like an ec2 machine with a public IP that exposes 80 and 443
It’s more light weight afaik…Pretty good if you just use it for stuff like this
THAT'S how it's set up
And then some containers on that machine
Yep
But I would expect nginx and the containers to be on the same machine
(they don't have to be, but I would expect it)
Different container but same machine
Okay so wait
That's dumb
Why does nginx go out to the wider internet
Just to get back to the same machine
Why not localhost:8080
Or 0.0.0.0:8080
Should I change that?
Try it
Ok 1s
If that works, then you don't need to expose 8080 on the public ip
And then it's gucci
Nginx and my backend are in different containers and not in the same network
And if I don't expose 8080... not even localhost could open a connection
Fuckin docker
You can expose 8080 of one container to another container in a docker compose or whatever
But, tbh, it's a lot less of a PITA to just use a platform as a service
Which does SSL for you on a free tier
Like render, railway, heroku, etc
But I would have to buy a new service... That's not nice
Free tier
But whatever
I'll look up how to use compose for this later if I remember
ok thx
I am a deep-learning-based dialogue model that uses natural language processing and artificial intelligence technology to hold conversations.
Sorry, I am GPT-3, an artificial intelligence language model developed by OpenAI. GPT-4 does not exist yet. Is there anything I can help you with?
@crimson plaza
Your question has been closed due to inactivity.
If it was not resolved yet, feel free to just post a message below
to reopen it, or create a new thread.
Note that usually the reason for nobody calling back is that your
question may have been not well asked and hence no one felt confident
enough answering.
When you reopen the thread, try to use your time to improve the quality
of the question by elaborating, providing details, context, all relevant code
snippets, any errors you are getting, concrete examples and perhaps also some
screenshots. Share your attempt, explain the expected results and compare
them to the current results.
Also try to make the information easily accessible by sharing code
or assignment descriptions directly on Discord, not behind a link or
PDF-file; provide some guidance for long code snippets and ensure
the code is well formatted and has syntax highlighting. Kindly read through
https://stackoverflow.com/help/how-to-ask for more.
With enough info, someone knows the answer for sure 👍
?
Did you look it up?
No, I got high and played Baldur's Gate
you get what you pay for, y'know
That sounds amazing
You mean I should link the Nginx Proxy Manager container with my backend container and it should reroute everything to my docker?
yeah so you don't have any extra ports exposed to the wider internet
and you don't hop over the internet to get to your local site
for context, the one site I run that uses a physical machine + nginx is this
A browser interface to the Java compiler to experiment with the language
and i got most of the instructions from the repo I forked from
and in that there is no docker involved, so its a bit simpler