Matjaz B. Juric edited this page Aug 4, 2017 · 6 revisions

TLS/SSL support

KumuluzEE provides TLS/SSL support (since version 2.4.0). Below you will find a description of the main features, instructions on how to configure TLS/SSL, and a description of all configuration parameters.

NOTE: For microservices, particularly in larger deployments, terminating TLS/SSL inside each microservice is not best practice, because every service then carries its own certificates and cipher policy, which complicates maintenance. We encourage you to offload TLS/SSL termination to a reverse proxy or load balancer (see https://www.nginx.com/blog/nginx-ssl/).

Features

  • Force HTTPS redirect
  • Reverse proxy support
  • HTTP/2 support
  • Custom SSL protocol and ciphers support

Configuration

TLS/SSL is configured using the KumuluzEE built-in configuration framework. This means that the configuration can be defined using system properties, environment variables, config.yaml, config server, etc.

Below is an example TLS/SSL configuration in YAML format that lists all supported configuration parameters:

kumuluzee:
  server:
    # server context path (defaults to /)
    context-path: /test
    # force HTTPS (disabled by default)
    force-https: false
    # minimum server threads (defaults to 5)
    min-threads: 5
    # maximum server threads (defaults to 100)
    max-threads: 100
    http:
      # HTTP port (defaults to 8080)
      port: 9080
      # bind address
      address: 0.0.0.0
      # enable HTTP/2 (disabled by default)
      http2: false
      # enable reverse proxy support (disabled by default)
      proxy-forwarding: true
      # max request header size (defaults to 8192)
      request-header-size: 8192
      # max response header size (defaults to 8192)
      response-header-size: 8192
      # idle timeout in milliseconds (defaults to 3600000)
      idle-timeout: 3600000
      # so linger time in milliseconds (defaults to -1)
      so-linger-time: -1
    https:
      # enable HTTPS
      enabled: true
      # HTTPS port (defaults to 8443)
      port: 9443
      # enable HTTP/2 over HTTPS (disabled by default)
      http2: true
      # absolute path of the keystore file that contains the server certificate/key (defaults to javax.net.ssl.keyStore 
      # system property value)
      keystore-path: /some/path/to/keystore.jks
      # keystore password (defaults to javax.net.ssl.keyStorePassword system property value)
      keystore-password: password
      # certificate/key alias
      key-alias: test
      # certificate/key password
      key-password: password
      # comma separated list of enabled TLS protocol versions (TLSv1.1 is legacy; prefer TLSv1.2 or newer)
      ssl-protocols: TLSv1.1,TLSv1.2
      # comma separated list of enabled cipher suites
      ssl-ciphers: >
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
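The example above enables TLSv1.1 and CBC cipher suites, keeps the plaintext HTTP port reachable (force-https: false), turns on reverse proxy support, and stores the keystore and key passwords in the file. The Python script below is an added example, not code from KumuluzEE or from this page: it parses the kumuluzee.server section of a config.yaml with a small YAML-subset parser (so it needs no PyYAML) and reports those settings, using the page's values as a constructed weak sample next to a constructed hardened counterpart. The function names (parse_config, lint_tls), the severities, the legacy-protocol and weak-suite lists, and the reading of proxy-forwarding as "honour forwarding headers such as X-Forwarded-* from whoever connects" (the usual meaning of reverse proxy support, assumed here for KumuluzEE) are the example's own assumptions.

```python
"""Lint the TLS section of a KumuluzEE config.yaml (added example, not KumuluzEE code)."""
import sys

# Constructed sample mirroring the page's example values.
WEAK_CONFIG = """\
kumuluzee:
  server:
    force-https: false
    http:
      proxy-forwarding: true
    https:
      enabled: true
      keystore-password: password
      key-password: password
      ssl-protocols: TLSv1.1,TLSv1.2
      ssl-ciphers: >
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
"""

# Constructed hardened counterpart: TLS 1.2 only (add TLSv1.3 on a JVM that supports
# it), forward-secret AEAD suites, plaintext redirected, forwarding headers untrusted,
# no secret in the file (pass -Dkumuluzee.server.https.keystore-password=... instead).
HARDENED_CONFIG = """\
kumuluzee:
  server:
    force-https: true
    http:
      proxy-forwarding: false
    https:
      enabled: true
      ssl-protocols: TLSv1.2
      ssl-ciphers: >
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("_CBC_", "_RC4_", "_3DES_", "_NULL_", "_EXPORT", "_anon_")


def parse_config(text):
    """Parse the YAML subset these configs use: nested 'key:' maps, 'key: value'
    scalars, '#' comments and 'key: >' folded blocks. No PyYAML needed."""
    root = {}
    stack, lines, i = [(-1, root)], text.splitlines(), 0
    while i < len(lines):
        raw, i = lines[i], i + 1
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        line = raw.split(" #", 1)[0].rstrip()
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back to the enclosing map
            stack.pop()
        parent = stack[-1][1]
        if value == ">":  # folded block: join the deeper-indented lines with spaces
            parts = []
            while (i < len(lines) and lines[i].strip()
                   and len(lines[i]) - len(lines[i].lstrip()) > indent):
                parts.append(lines[i].strip())
                i += 1
            parent[key] = " ".join(parts)
        elif value == "":  # nested map
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def lint_tls(cfg):
    """Return (severity, message) findings for kumuluzee.server; [] means clean."""
    server = cfg.get("kumuluzee", {}).get("server", {})
    http, https = server.get("http", {}), server.get("https", {})
    if https.get("enabled") != "true":
        return [("HIGH", "https.enabled is not true: the service is plaintext only")]
    findings = []
    if server.get("force-https") != "true":
        findings.append(("MEDIUM", "force-https is off: clients can keep using the plaintext HTTP port"))
    csv = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    for proto in csv(https.get("ssl-protocols", "")):
        if proto in LEGACY_PROTOCOLS:
            findings.append(("HIGH", f"ssl-protocols enables legacy {proto}"))
    for suite in csv(https.get("ssl-ciphers", "")):
        # CBC/RC4/3DES/NULL/export suites, and static-RSA suites with no forward secrecy
        if suite.startswith("TLS_RSA_") or any(m in suite for m in WEAK_SUITE_MARKERS):
            findings.append(("MEDIUM", f"ssl-ciphers includes weak or non-forward-secret {suite}"))
    for key in ("keystore-password", "key-password"):
        if key in https:
            findings.append(("MEDIUM", f"{key} is stored in the config file; pass it as a system property or environment variable"))
    if http.get("proxy-forwarding") == "true":
        findings.append(("INFO", "proxy-forwarding honours forwarding headers from any client; enable it only behind a trusted reverse proxy"))
    return findings


if __name__ == "__main__":  # usage: python lint_kumuluzee_tls.py [config.yaml]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for severity, message in lint_tls(parse_config(source)):
        print(f"[{severity}] {message}")
```

Run without arguments it lints the weak sample and prints eight findings; point it at a real config.yaml to lint that instead. Cipher suite names must be the JSSE names the JVM reports, as in the page's example, and the folded-block parser only handles the `>` form shown on this page.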