[Solved] change SSL port

Unimus support forum
eparamo
Posts: 8
Joined: Fri Nov 03, 2017 7:03 pm

Tue Nov 14, 2017 4:48 pm

Hi there,

It seems to me that when SSL is enabled the port is changed to 443. Is there any way to change the port?

I tried configuring Dserver.port but it does not work with SSL...

Here is my config:

-Dserver.ssl.key-store=/opt/unimus/unimus.keystore.p12
-Dserver.ssl.keyStoreType=PKCS12
-Dserver.ssl.keyAlias=unimus
-Dserver.ssl.key-store-password=XXX
-Dserver.port=8085


Thanks!
Eduardo
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Tue Nov 14, 2017 4:56 pm

server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.

For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.
eparamo
Posts: 8
Joined: Fri Nov 03, 2017 7:03 pm

Wed Nov 15, 2017 4:33 pm

Hi Tomas, you're right. There was a problem with my config and now it's working properly.

Thank you!
Eduardo
sterlingarcher
Posts: 4
Joined: Wed Oct 18, 2017 2:55 pm

Mon Nov 20, 2017 9:18 pm

Tomas wrote:
Tue Nov 14, 2017 4:56 pm
server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.

For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.
Nginx Example:


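server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;

    # Certificate and key for the proxy (placeholder paths, not in the original post)
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # Forward the decrypted traffic to the Unimus back end over plain HTTP
        proxy_pass http://172.16.1.100:8005;
        # Pass the original host name and client address to the back end
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}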
Would that be what you are referencing? If so, Unimus would still be accessible via the direct IP/port. Is the Nginx/Apache reverse proxy suggested for cleanliness and ease of access or is there another reason for terminating the HTTPS connection through a handler?
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Nov 20, 2017 9:39 pm

sterlingarcher wrote:
Mon Nov 20, 2017 9:18 pm
Would that be what you are referencing? If so, Unimus would still be accessible via the direct IP/port. Is the Nginx/Apache reverse proxy suggested for cleanliness and ease of access or is there another reason for terminating the HTTPS connection through a handler?
Yes, that's exactly what I'm referencing :)

As for why:
1) easier certificate management than in embedded Tomcat (which is what Unimus uses)
2) much easier to use services like LetsEncrypt
3) Apache or nginx are much better optimized for HTTPS handling than embedded Tomcat (which is what Unimus uses)

It's also considered best practice in the industry to not allow direct connection to back-end services like this, only allow connection through the reverse proxy, where complex security, filtering, and access limitation mechanisms can be implemented.

For example, you can easily select supported HTTPS ciphers, or filter by client agent, etc.
In embedded Tomcat (which, as mentioned, Unimus uses), this is possible, but quite hard :(
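
An added example, not part of the thread and not Unimus project configuration: the Nginx snippet posted above, extended with the controls Tomas lists (protocol and cipher selection, a client-agent filter, source-address limits). The host name and back-end address are the ones from the thread; the certificate paths, the 10.0.0.0/8 management range, the empty User-Agent rule and the `server.address` note are assumptions.

```nginx
# Goes inside the http { } context of nginx.conf.

# Plain HTTP is only ever redirected to HTTPS.
server {
    listen 80;
    server_name unimus.mycompany.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;

    # Placeholder paths; point these at your own certificate and key.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    # Protocol and cipher selection happens here, not in the embedded Tomcat.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Access limitation: only the management network may connect
    # (10.0.0.0/8 is a constructed example range).
    allow 10.0.0.0/8;
    deny all;

    # Client-agent filter (assumed policy): refuse requests without a User-Agent.
    if ($http_user_agent = "") {
        return 403;
    }

    location / {
        # Back end from the thread. If nginx runs on the same host, proxy to
        # 127.0.0.1 instead and bind the application to loopback, e.g. with
        # -Dserver.address=127.0.0.1 (standard Spring Boot property; that
        # Unimus honours it the way it honours server.port is an assumption).
        proxy_pass http://172.16.1.100:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The proxy alone does not close the direct IP/port path raised in the thread: the back-end port also has to be limited to the proxy's address at the host firewall, or bound to loopback as noted in the comment. Check the file with `nginx -t` before reloading.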