First of all, I do realize that some people managed to do what I am trying to, but I couldn't find any documentation describing how to enable SSL across all Spring Cloud Netflix components. I have a fairly simple system consisting of Eureka and Zuul servers and a few Spring Boot components (I am not using Ribbon and Hystrix yet). All my components' main classes are annotated with:
@SpringBootApplication
@EnableDiscoveryClient
@EnableElasticsearchRepositories(repositoryFactoryBeanClass = RestElasticsearchRepositoryFactoryBean.class)
Eureka server's application.yml
server:
  port: 8761
  ssl:
    enabled: true
    key-store: classpath:keystore.jks
    key-store-password: password
    key-password: password
eureka:
  instance:
    hostname: localhost
    securePort: ${server.port}
    securePortEnabled: true
    nonSecurePortEnabled: false
    secureVirtualHostName: ${spring.application.name}
    homePageUrl: https://${eureka.instance.hostname}:${server.port}/
    statusPageUrl: https://${eureka.instance.hostname}:${server.port}/admin/info
    metadataMap:
      hostname: ${eureka.instance.hostname}
      securePort: ${server.port}
  client:
    registerWithEureka: false
    fetchRegistry: false
  server:
    waitTimeInMsWhenSyncEmpty: 0
Zuul's application.yml:
info:
  component: Zuul Server
spring:
  application:
    name: zuul
server:
  port: 8765
  ssl:
    enabled: true
    key-store: classpath:keystore.jks
    key-store-password: password
    key-password: password
eureka:
  client:
    enabled: true
  instance:
    securePort: ${server.port}
    securePortEnabled: true
    nonSecurePortEnabled: false
    homePageUrl: https://${eureka.instance.hostname}:${server.port}/
zuul:
  routes:
    discovery-service: /distribmgt/discovery/**
    telemetry-service: /distribmgt/telemetry/**
One of the components' application.yml. It is not really important, since the problems start as soon as I start Zuul: it fails.
server:
  port: 0
  ssl:
    enabled: true
    key-store: classpath:keystore.jks
    key-store-password: password
    key-password: password
endpoints:
  restart:
    enabled: true
  shutdown:
    enabled: true
  health:
    sensitive: false
eureka:
  instance:
    leaseRenewalIntervalInSeconds: 10
    securePort: ${server.port}
    securePortEnabled: true
    nonSecurePortEnabled: false
    metadataMap:
      instanceId: ${vcap.application.instance_id:${spring.application.name}:${spring.application.instance_id:${server.port}}}
  client:
    region: default
    registryFetchIntervalSeconds: 5
    securePortEnabled: true
    availabilityZones:
      default: ${APPLICATION_DOMAIN:${DOMAIN:defaultZone}}
The Eureka server starts normally, but as soon as I start Zuul I am getting the following error:
2015-07-24 11:21:39.511 ERROR 7180 --- [ main] com.netflix.discovery.DiscoveryClient : Can't get a response from http://localhost:8761/eureka/apps/
Can't contact any eureka nodes - possibly a security group issue?
com.sun.jersey.api.client.ClientHandlerException: org.apache.http.NoHttpResponseException: localhost:8761 failed to respond
The cause of the problem seems to be this: "localhost:8761 failed to respond". It seems that the components are still trying to talk to Eureka via HTTP and not HTTPS. I am fairly certain that something is misconfigured, but I have no idea what.
Comment From: mkaberman
I solved the Zuul and my services startup problem by adding
client:
  serviceUrl:
    defaultZone: https://localhost:8761/eureka/
to their application.yml. Now both Zuul and my services start up with no problems and I see them registered with Eureka. I am still having a problem with Zuul not forwarding clients' https URLs, but I think it is a different issue.
Comment From: Hwatu
Well, thx
Comment From: amnonkhen
@mkaberman did you ever manage to solve the forwarding over https problem? I am experiencing the same thing and am stuck for a few days.
Comment From: medmes
Hey @amnonkhen, I don't know if you have already solved your issue, but I think you must let Zuul forward all HTTP requests to HTTPS by customizing the HttpClient (the default HTTP client used by Zuul) over your RestTemplate. If you are actually using OkHttp as the default HTTP client, I think it's not widely different from the following pseudo-code:
import javax.net.ssl.SSLContext;

import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;

@Bean
public RestTemplate restTemplate(RestTemplateBuilder builder) throws Exception {
    // a local variable cannot carry an access modifier, so "private" is dropped
    String allPassword = "some-pasword";
    SSLContext sslContext = SSLContextBuilder
            .create()
            // client certificate and key presented to the servers (mutual TLS)
            .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"), allPassword.toCharArray(), allPassword.toCharArray())
            // CA certificates the client trusts when checking the servers
            .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
            .build();
    HttpClient client = HttpClients.custom()
            .setSSLContext(sslContext)
            .build();
    return builder
            .requestFactory(new HttpComponentsClientHttpRequestFactory(client))
            .build();
}
Hopefully will be helpful ;)
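As an added example (not code from this issue, and not Spring Cloud Netflix's own), the following configuration does what the snippet above sketches, but with the trust decision made explicit: the client presents the certificate from the keystore, trusts only the CAs in the truststore, and keeps hostname verification on. It assumes Apache HttpClient 4.4 or later, that the truststore is configured through Spring Boot's server.ssl.trust-store and server.ssl.trust-store-password properties next to the server.ssl.key-store values already used in this thread, and a hypothetical package name; the bean names are likewise the example's own.

```java
package com.example.tls; // hypothetical package name for this example

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class MutualTlsClientConfig {

    // Reuse the server.ssl.* values from application.yml so the client presents the
    // same identity the server does. The trust-store properties are assumed to be set;
    // key-password falls back to key-store-password as in the YAML in this thread.
    @Value("${server.ssl.key-store}") private Resource keyStore;
    @Value("${server.ssl.key-store-password}") private String keyStorePassword;
    @Value("${server.ssl.key-password:${server.ssl.key-store-password}}") private String keyPassword;
    @Value("${server.ssl.trust-store}") private Resource trustStore;
    @Value("${server.ssl.trust-store-password}") private String trustStorePassword;

    private static KeyStore loadJks(Resource resource, String password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = resource.getInputStream()) {
            store.load(in, password.toCharArray());
        }
        return store;
    }

    @Bean
    public SSLContext clientSslContext() throws Exception {
        // Key material: the certificate and private key this service presents as a client.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStore, keyStorePassword), keyPassword.toCharArray());
        // Trust material: only the CAs in the explicit truststore, never a trust-all manager.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStore, trustStorePassword));
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    @Bean
    public CloseableHttpClient tlsHttpClient(SSLContext clientSslContext) {
        // Hostname verification stays on: the server certificate must match the host in
        // the URL (localhost in this thread); otherwise any certificate signed by the
        // trusted CA would be accepted for any service.
        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                clientSslContext, new String[] {"TLSv1.2"}, null, new DefaultHostnameVerifier());
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", sslSocketFactory)
                .build();
        // Once a connection manager is supplied, its registry (not HttpClientBuilder.setSSLContext)
        // decides which socket factory serves https, so the registry is built explicitly here.
        return HttpClients.custom()
                .setConnectionManager(new PoolingHttpClientConnectionManager(registry))
                .build();
    }

    @Bean
    public RestTemplate restTemplate(CloseableHttpClient tlsHttpClient) {
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(tlsHttpClient));
    }
}
```

Two points follow from the design. First, this RestTemplate is only used by code that injects it; Zuul's routing filters build their own Apache client, so a RestTemplate bean alone does not change which certificates Zuul trusts when it proxies a route. A client that simply uses the JVM default SSLContext picks up the same keystore and truststore when they are supplied through the standard javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties, which is the version-independent way to cover such clients. Second, with the explicit truststore a handshake against a service whose certificate was not issued by a trusted CA fails with a certificate error; that failure is the intended outcome, and replacing the trust manager with a trust-all one to make it go away removes the only check that distinguishes a real service from an impostor.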
Comment From: amnonkhen
Thanks, Mohammed. I tried doing just that; however, I could not find how to configure the SSL context of the actual RestTemplate. Maybe Zuul has its own bean instance? Need to investigate this further.
On Fri, 27 Jul 2018 at 1:28 Mohammed MESAOUDI notifications@github.com wrote:
Comment From: medmes
@amnonkhen which instance are you talking about? Could you please share your stack trace with us?
Comment From: bsushant-athena
Is there a way to set isSecure = false and still serve service requests via https?