
So basically, I have made a RESTful API using ServiceTalk from Apple (Netty implementation) and Jersey and it works. Only through http though. I have seen that when I was making my React web page make a POST request through http, it would complain about CORS (which I'm still trying to fix) and that the browser (at least Brave) would not allow the request to be made because it was http and my web page was running on https using a Let's Encrypt cert. How do I fix this issue? Do I need to add SSL with Netty? If so, how can I do that with a certificate that's going to be changing every once in a while?

I also have NGINX set up with Let's Encrypt and enabled the auto-renew certificate setting from the setup wizard for NGINX + Let's Encrypt. If I can somehow make NGINX run the HTTPS request as a proxy to the Netty server on http, then I think it would also be a better solution. I know this is a common practice with NodeJS Express + NGINX.

Norman Maurer
Fern

1 Answer


You are right, if you already have NGINX that serves your static content (html/css/js) it will be better to configure it as a proxy for a ServiceTalk backend service. That will let you keep SSL/TLS configuration in one place (NGINX config file only) and you will be able to use its auto-renew certificate feature. For an example of how you can configure NGINX as an SSL/TLS proxy for a backend service, see here: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

However, in this case, your connection between NGINX and ServiceTalk will not be encrypted. In some environments, it might be inappropriate according to security policies and requirements. If this is your case, you also need to configure SSL/TLS for ServiceTalk using the HttpServerBuilder.secure() method that returns HttpServerSecurityConfigurator. Here is an example of a secure ServiceTalk server.

To avoid CORS, keep using NGINX as a proxy even when ServiceTalk is also configured with SSL/TLS connections. If there is a requirement to avoid an additional proxy on the way between a browser and backend service, target ServiceTalk directly. But NGINX gives additional features, like load balancing between multiple backend instances.

To get the best SSL performance in ServiceTalk/Netty we recommend using the OpenSSL provider instead of the built-in JDK provider. For more information, see the Performance / netty-tcnative OpenSSL engine documentation section.

Note: ServiceTalk does not auto-renew SSL/TLS certificates. You will need to restart the server when the certificate expires.

Idel Pivnitskiy
  • I can't seem to get this to work. I have gotten the upstream settings in NGINX, however my REST API isn't supposed and is failing to handle the HTTPS requests NGINX is proxying. Am I missing something I am not understanding? Oh and the OpenSSL engine seems to apply only to the client usage of ServiceTalk, no? My client is on React JavaScript using the library axios. – Fern Nov 19 '19 at 23:15
  • It's hard to say what is missing without knowing details of your nginx configuration. Try to look for other examples, like this one: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins But in this article they map everything to the backend. You will need to map one path as a backend proxy (for example `location /api`) and another path as static content (for example `location /static`). See https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/ – Idel Pivnitskiy Nov 20 '19 at 18:20
  • > OpenSSL engine seems to apply only to the client usage of ServiceTalk, no? No, the SSL provider could be configured for both client and server. Classpath requirements are the same. You may skip builder configuration, because if no specific SSL provider is set, it will pick OpenSSL when it is available in your classpath. See this example: https://github.com/apple/servicetalk/blob/56e0dd753060fd4f0b7e43ab9bf4e77906b608e1/servicetalk-examples/http/http2/build.gradle#L28-L32 – Idel Pivnitskiy Nov 20 '19 at 18:22
  • NGINX Config isn't working. I'm getting a 500 Internal error. The config: https://pastebin.com/Vp8M2sGP The error: https://pastebin.com/MJDM079u Java REST API has no errors or logs. – Fern Nov 20 '19 at 21:51
  • It looks like you have some misconfiguration in your nginx config. Try to simplify it by removing `upstream` section and `server` section for `backend.site.com`. You can do `proxy_pass http://localhost:3000` directly from your `site.com` server. This example is simpler: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins – Idel Pivnitskiy Nov 21 '19 at 07:57
  • 1
    Not only were all of this true, I had to add a / at the end the location like https://stackoverflow.com/a/38773464/9816000 mentioned. – Fern Nov 21 '19 at 23:57
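The setup the answer and comments converge on (NGINX terminating TLS with the Let's Encrypt certificates, `location /api` proxied to the plain-HTTP backend, static files served by NGINX, trailing slash on the location) written out as one added example config; it is not part of the original answer. The hostname `site.com`, the certbot certificate paths, the web root and the backend port 3000 are assumptions taken from or chosen to match the comments.

```nginx
# Added example (not from the original answer): NGINX terminates TLS and
# proxies /api/ to a plain-HTTP ServiceTalk backend on localhost:3000.
# Hostname, certificate paths, web root and backend port are assumptions.

# Redirect plain HTTP to HTTPS so the browser never calls the API over
# cleartext (which is what triggered the mixed-content block).
server {
    listen 80;
    server_name site.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name site.com;

    # Certificates managed by certbot; its renewal reloads NGINX, so the Java
    # backend never has to see the certificate files or be restarted for them.
    ssl_certificate     /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Static React build, served directly by NGINX.
    root  /var/www/site.com/build;
    index index.html;

    location / {
        try_files $uri /index.html;
    }

    # REST API on the same origin as the page, so the browser sends no CORS
    # preflight and no mixed-content rule applies. The trailing slashes
    # matter: "/api/foo" is forwarded to the backend as "/foo"; with a
    # proxy_pass that has no URI part, the "/api" prefix would be passed
    # through unchanged to the backend.
    location /api/ {
        proxy_pass         http://127.0.0.1:3000/;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

The hop from NGINX to the backend is still cleartext on the loopback interface, which is the trade-off the answer's second paragraph describes.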