I have been wrestling with this for a couple of days now. I want to deploy Spring Cloud Data Flow Server for Cloud Foundry to my org's enterprise Pivotal Cloud Foundry instance. My problem is forcing all Data Flow Server web requests to TLS/HTTPS. Here is an example of a configuration I've tried to get this working:

# manifest.yml
---
applications:
- name: gdp-dataflow-server
  buildpack: java_buildpack_offline
  host: dataflow-server
  memory: 2G
  disk_quota: 2G
  instances: 1
  path: spring-cloud-dataflow-server-cloudfoundry-1.2.3.RELEASE.jar
  env:
    SPRING_APPLICATION_NAME: dataflow-server
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_URL: https://api.system.x.x.io
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_ORG: my-org
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_SPACE: my-space
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_DOMAIN: my-domain.io
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_USERNAME: user
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_PASSWORD: pass
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_STREAM_SERVICES: dataflow-mq
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_STREAM_BUILDPACK: java_buildpack_offline
    SPRING_CLOUD_DEPLOYER_CLOUDFOUNDRY_TASK_SERVICES: dataflow-db
    # Literal block scalar: everything indented below is passed verbatim as one JSON document,
    # so the top-level object must be closed with a trailing "}".
    SPRING_APPLICATION_JSON: |
      {
        "server": {
          "use-forward-headers": true,
          "tomcat": {
            "remote-ip-header": "x-forwarded-for",
            "protocol-header": "x-forwarded-proto"
          }
        },
        "management": {
          "context-path": "/management",
          "security": {
            "enabled": true
          }
        },
        "security": {
          "require-ssl": true,
          "basic": {
            "enabled": true,
            "realm": "Data Flow Server"
          },
          "user": {
            "name": "dataflow-admin",
            "password": "nimda-wolfatad"
          }
        }
      }
  # Bound services belong under the application entry, as a YAML list.
  services:
  - dataflow-db
  - dataflow-redis

Despite the security block in SPRING_APPLICATION_JSON, the Data Flow Server's web endpoints are still accessible via insecure HTTP. How can I force all requests to HTTPS? Do I need to customize my own build of the Data Flow Server for Cloud Foundry? I understand that PCF's proxy is terminating SSL/TLS at the load balancer, but configuring the forward headers should induce Spring Security/Tomcat to behave the way I want, should it not? I must be missing something obvious here, because this seems like a common desire that should not be this difficult.

Thank you.

1 Answer

There's nothing out-of-the-box from Spring Boot proper to enable/disable HTTPS and at the same time also intercept and auto-redirect plain HTTP -> HTTPS.

There are several online write-ups on how to write a custom Configuration class that accepts multiple connectors in Spring Boot (see example).

Spring Cloud Data Flow (SCDF) is a simple Spring Boot application, so all this applies to the SCDF-server as well.

That said, if you intend to enforce HTTPS throughout your application interaction, there is a PCF setting [Disable HTTP traffic to HAProxy] that can be applied as a global override in Elastic Runtime - see docs. This applies consistently to all applications and is not specific to Spring Boot or SCDF. Even Python, Node, or other types of apps can be forced to interact via HTTPS with this setting.
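For the in-application route the answer describes, the following is an added example written for this page; it is not code from the question, the answer, or the Spring Cloud Data Flow project. It assumes a Spring Boot 1.5.x server on embedded Tomcat, packaged into a custom build of the Data Flow Server as the answer suggests, with the manifest's server.use-forward-headers and server.tomcat.protocol-header settings in effect (those are what make request.isSecure() reflect Gorouter's x-forwarded-proto header after TLS is terminated at the edge). The package and class names are hypothetical. It is a plain servlet filter rather than a second WebSecurityConfigurerAdapter, because an adapter matching anyRequest() at higher precedence would take over the server's own authentication chain.

```java
// Added example (not from the question, the answer, or the SCDF project).
// Assumes Spring Boot 1.5.x on embedded Tomcat, built into a custom Data Flow Server,
// with server.use-forward-headers=true and server.tomcat.protocol-header=x-forwarded-proto.
package example.dataflow.https; // hypothetical package name

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class RequireHttpsConfig {

    @Bean
    public FilterRegistrationBean requireHttpsFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean(new RequireHttpsFilter());
        registration.addUrlPatterns("/*");
        // Run ahead of Spring Security's filter chain (order -100 by default) so a
        // plaintext request is answered before authentication or any endpoint sees it.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    /**
     * Plain servlet filter, deliberately independent of the server's own
     * WebSecurityConfigurerAdapter so it cannot shadow SCDF's authentication chain.
     */
    static class RequireHttpsFilter extends OncePerRequestFilter {

        private static final long HSTS_MAX_AGE_SECONDS = 31536000L; // one year

        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain)
                throws ServletException, IOException {

            // With use-forward-headers=true, Tomcat's RemoteIpValve derives isSecure()
            // from x-forwarded-proto, but only for requests arriving from an address in
            // server.tomcat.internal-proxies (RFC 1918 ranges and loopback by default).
            // If Gorouter sits outside those ranges every request looks insecure and this
            // filter redirects in a loop; widen internal-proxies rather than trusting the
            // header unconditionally, which would let any client spoof "https".
            if (request.isSecure()) {
                response.setHeader("Strict-Transport-Security",
                        "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
                chain.doFilter(request, response);
                return;
            }

            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
                response.setHeader("Location", httpsUrlFor(request));
                return;
            }

            // A POST/PUT/DELETE over plaintext has already exposed its body (and any
            // Basic credentials); refuse it rather than replaying it over HTTPS.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
        }

        /**
         * Rebuilds the request URL with the https scheme. The port is dropped rather than
         * copied from getServerPort(): on Cloud Foundry the public route is served on 443,
         * while Tomcat reports either the container's $PORT or the proxy-side HTTP port,
         * neither of which is the right target. getServerName() comes from the Host
         * header, which Gorouter only forwards for routes mapped to this app.
         */
        static String httpsUrlFor(HttpServletRequest request) {
            StringBuilder url = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                url.append('?').append(query);
            }
            return url.toString();
        }
    }
}
```

After deploying, a plain http://dataflow-server.my-domain.io/ request should return 301 with an https Location header, and the same request over HTTPS should carry a Strict-Transport-Security header; if the HTTPS request is also redirected, the forwarded-header trust (internal-proxies) is the first thing to check. The platform-wide HAProxy setting the answer mentions remains the stronger control where it is available, since it enforces the policy before traffic reaches any container.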