[Solved] change SSL port

Posted: Tue Nov 14, 2017 4:48 pm
by eparamo
Hi there,

It seems to me that when SSL is enabled the port is changed to 443. Is there any way to change the port?

I tried configuring -Dserver.port but it does not work with SSL...

Here is my config:

-Dserver.ssl.key-store=/opt/unimus/unimus.keystore.p12
-Dserver.ssl.keyStoreType=PKCS12
-Dserver.ssl.keyAlias=unimus
-Dserver.ssl.key-store-password=XXX
-Dserver.port=8085


Thanks!
Eduardo

Re: change SSL port

Posted: Tue Nov 14, 2017 4:56 pm
by Tomas
server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.

For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.

Re: change SSL port

Posted: Wed Nov 15, 2017 4:33 pm
by eparamo
Hi Tomas, you're right. There was a problem with my config and now it's working properly.

Thank you!
Eduardo

Re: change SSL port

Posted: Mon Nov 20, 2017 9:18 pm
by sterlingarcher
Tomas wrote:
Tue Nov 14, 2017 4:56 pm
server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.

For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.
Nginx Example:

server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;

    # TLS is terminated here; the backend is reached over plain HTTP.
    location / {
        proxy_pass http://172.16.1.100:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Would that be what you are referencing? If so, Unimus would still be accessible via the direct IP/port. Is the Nginx/Apache reverse proxy suggested for cleanliness and ease of access or is there another reason for terminating the HTTPS connection through a handler?

Re: change SSL port

Posted: Mon Nov 20, 2017 9:39 pm
by Tomas
sterlingarcher wrote:
Mon Nov 20, 2017 9:18 pm
Tomas wrote:
Tue Nov 14, 2017 4:56 pm
server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.

For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.
Nginx Example:

server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;

    # TLS is terminated here; the backend is reached over plain HTTP.
    location / {
        proxy_pass http://172.16.1.100:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Would that be what you are referencing? If so, Unimus would still be accessible via the direct IP/port. Is the Nginx/Apache reverse proxy suggested for cleanliness and ease of access or is there another reason for terminating the HTTPS connection through a handler?
Yes, that's exactly what I'm referencing :)

As for why:
1) easier certificate management than in embedded Tomcat (which is what Unimus uses)
2) much easier to use services like LetsEncrypt
3) Apache or nginx are much better optimized for HTTPS handling than embedded Tomcat (which is what Unimus uses)

It's also considered best practice in the industry to not allow direct connection to back-end services like this, and only allow connection through the reverse proxy, where complex security, filtering, and access limitation mechanisms can be implemented.

For example, you can easily select supported HTTPS ciphers, or filter by client agent, etc.
In embedded Tomcat (which, as mentioned, Unimus uses), this is possible, but quite hard :(
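As an added example (not code from this thread or from the Unimus project), here is a hardened version of the nginx configuration quoted above, showing the points Tomas lists: TLS protocol and cipher selection done in nginx rather than in embedded Tomcat, Let's Encrypt certificate paths, and source-network access limitation in front of the backend. The hostname, the backend address 127.0.0.1:8085, the certificate paths and the allowed management network are all assumptions.

```nginx
# Added example, not from the Unimus project or the thread above.
# Assumes Unimus listens on plain HTTP at 127.0.0.1:8085 on the same host
# as nginx; certificate paths and the 10.10.0.0/16 range are placeholders.

# Redirect plain HTTP to HTTPS so nothing is ever sent in clear text.
server {
    listen 80;
    server_name unimus.mycompany.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;

    # Certificate and key as issued by Let's Encrypt (placeholder paths).
    ssl_certificate     /etc/letsencrypt/live/unimus.mycompany.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unimus.mycompany.tld/privkey.pem;

    # Protocol and cipher selection lives here, not in embedded Tomcat.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:unimus_ssl:10m;
    ssl_session_timeout 1d;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Access limitation: only the management network (assumed range)
        # may reach the Unimus UI through the proxy.
        allow 10.10.0.0/16;
        deny all;

        proxy_pass http://127.0.0.1:8085;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the backend know the original client connection was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

nginx alone does not stop the direct IP/port access sterlingarcher asked about: the backend port also has to be bound to loopback or firewalled so that only the proxy can reach it.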