Hi there,
It seems to me that when SSL is enabled the port is changed to 443. Is there any way to change the port?
I tried configuring Dserver.port but it does not work with SSL...
Here is my config:
-Dserver.ssl.key-store=/opt/unimus/unimus.keystore.p12
-Dserver.ssl.keyStoreType=PKCS12
-Dserver.ssl.keyAlias=unimus
-Dserver.ssl.key-store-password=XXX
-Dserver.port=8085
Thanks!
Eduardo
[Solved] change SSL port
server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.
For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.
Tomas wrote: ↑Tue Nov 14, 2017 4:56 pm
server.port should control the port whether in HTTP or HTTPS mode.
With your config, Unimus should only work with HTTPS on 8085 and HTTP should not work at all.
For production deploys, we recommend placing an Apache or Nginx reverse proxy that terminates the HTTPS in front of Unimus.
Nginx Example:
server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;
    location / {
        proxy_pass http://172.16.1.100:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
sterlingarcher wrote: ↑Mon Nov 20, 2017 9:18 pm
Nginx Example:
server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;
    location / {
        proxy_pass http://172.16.1.100:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Would that be what you are referencing? If so, Unimus would still be accessible via the direct IP/port. Is the Nginx/Apache reverse proxy suggested for cleanliness and ease of access or is there another reason for terminating the HTTPS connection through a handler?
Yes, that's exactly what I'm referencing.
As for why:
1) easier certificate management than in embedded Tomcat (which is what Unimus uses)
2) much easier to use services like LetsEncrypt
3) Apache or nginx are much better optimized for HTTPS handling than embedded Tomcat (which is what Unimus uses)
It's also considered best practice in the industry to not allow direct connection to back-end services like this, and to only allow connection through the reverse proxy, where complex security, filtering, and access limitation mechanisms can be implemented.
For example, you can easily select supported HTTPS ciphers, or filter by client agent, etc.
In embedded Tomcat (which, as mentioned, Unimus uses), this is possible, but quite hard.
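The points listed in the reply above (certificates handled on the proxy, cipher selection, client-agent filtering, access limitation), sketched as one Nginx configuration. This is an added example, not posted by anyone in the thread; the certificate paths (certbot's default layout), the allowed network and the user-agent pattern are constructed placeholders, and the backend address is the one from the Nginx example earlier in the thread.

```nginx
# Added example. Paths, networks and patterns below are placeholders.

# Send plain HTTP to the HTTPS listener.
server {
    listen 80;
    server_name unimus.mycompany.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name unimus.mycompany.tld;

    # Certificate lives on the proxy, not in the Tomcat keystore
    # (assumed certbot layout).
    ssl_certificate     /etc/letsencrypt/live/unimus.mycompany.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unimus.mycompany.tld/privkey.pem;

    # Protocol and cipher selection.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Access limitation: only a constructed management network may connect.
    allow 10.20.0.0/24;
    deny all;

    # Client-agent filter: constructed pattern, adjust to local policy.
    if ($http_user_agent ~* "(curl|wget|python-requests)") {
        return 403;
    }

    location / {
        # Backend address taken from the example earlier in the thread;
        # assumes Unimus serves plain HTTP there.
        proxy_pass http://172.16.1.100:8005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

`nginx -t` validates the file before a reload. The proxy alone does not close the direct IP/port path raised in the question: the backend port also needs a host firewall rule that accepts connections only from the proxy's address.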