如何解决使用SSL在Heroku上运行SpringBoot
尝试在具有自签名证书和SSL的Heroku上运行SpringBoot。 这是我的application.yaml:
server:
ssl:
key-store-type: PKCS12
key-store: classpath:server-dev.p12
key-store-password: changeit
key-password: changeit
key-alias: server-dev
trust-store: classpath:root_CA-truststore.jks
trust-store-password: changeit
trust-store-type: JKS
client-auth: need
enabled: true
# forward-headers-strategy: tried native / framework,didn't help
use-forward-headers: true
这是我的SecurityConfig
@EnableWebSecurity
@Component
@RequiredArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final X509PrincipalExtractorWithCertificateValidation x509PrincipalExtractorWithCertificateValidation;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requiresChannel()
.requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
.requiresSecure()
.and()
.authorizeRequests()
.antMatchers("/private/api/v1/security/test")
.authenticated()
.and()
.x509()
.x509PrincipalExtractor(x509PrincipalExtractorWithCertificateValidation)
.userDetailsService(userDetailsService())
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.authorizeRequests()
.antMatchers("/**").permitAll()
.and()
.csrf()
.disable();
}
}
无论我做什么,所有请求都会得到400
这是卷曲日志:
curl -kvI https://my-server.herokuapp.com/swagger-ui.html#/
* Trying 34.246.118.170...
* TCP_NODELAY set
* Connected to my-server.herokuapp.com (XXX.XXX.XXX.XXX) port 443 (#0)
* ALPN,offering h2
* ALPN,offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT),TLS handshake,Client hello (1):
* TLSv1.2 (IN),Server hello (2):
* TLSv1.2 (IN),Certificate (11):
* TLSv1.2 (IN),Server key exchange (12):
* TLSv1.2 (IN),Server finished (14):
* TLSv1.2 (OUT),Client key exchange (16):
* TLSv1.2 (OUT),TLS change cipher,Client hello (1):
* TLSv1.2 (OUT),Finished (20):
* TLSv1.2 (IN),Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN,server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Heroku,Inc.; CN=*.herokuapp.com
* start date: Jun 15 00:00:00 2020 GMT
* expire date: Jul 7 12:00:00 2021 GMT
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
> HEAD /swagger-ui.html HTTP/1.1
> Host: my-server.herokuapp.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 400
HTTP/1.1 400
< Server: Cowboy
Server: Cowboy
< Date: Tue,18 Aug 2020 23:13:58 GMT
Date: Tue,18 Aug 2020 23:13:58 GMT
< Connection: keep-alive
Connection: keep-alive
< Content-Type: text/plain;charset=UTF-8
Content-Type: text/plain;charset=UTF-8
< Via: 1.1 vegur
Via: 1.1 vegur
<
* Connection #0 to host my-server.herokuapp.com left intact
我该怎么办?
UPD 我已经为SpringBoot嵌入式tomcat启用了调试功能
2020-08-19T00:21:58.085035+00:00 app[web.1]: 00:21:58.084 [https-jsse-nio-30633-Acceptor] DEBUG o.a.tomcat.util.threads.LimitLatch - Counting up[https-jsse-nio-30633-Acceptor] latch=1
2020-08-19T00:21:58.085334+00:00 app[web.1]: 00:21:58.085 [https-jsse-nio-30633-exec-9] DEBUG o.a.tomcat.util.net.NioEndpoint - Error during SSL handshake
2020-08-19T00:21:58.085336+00:00 app[web.1]: java.io.IOException: Found an plain text HTTP request on what should be an encrypted TLS connection
2020-08-19T00:21:58.085337+00:00 app[web.1]: at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:322)
2
Heroku出于某种原因发送HTTP通信。...
解决方法
我遇到了和你完全一样的问题。我还想通过使用 Spring Boot 来设置 MTLS。
不幸的是,Heroku 不支持 MTLS,因为从路由器到后端 dynos 的连接是纯 HTTP 请求。这有点悲惨,但似乎您需要找到不同的解决方案。
在此处查看 Heroku 帮助部分的官方答案:
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。