Undocumented JAVA: Web Application: Deploy to the Cloud – Part 4

Introduction

Well, well, well. Part 1, Part 2 and Part 3 are out. We are now hosting our freshly written Java Spring Boot application on Heroku and have moved it to our own domain. If you noticed, the moment we moved the application to our domain HTTPS fell apart, and the application has been running over plain HTTP only. Where did the security that Heroku provided go? How can we get it back? That is all we will be looking at in this part.


Recap of what we did so far

In Part 1 we deployed a newly written web application to Heroku. Here is the request and the response you see.

$ http -v https://hero-boot.herokuapp.com/greeting
GET /greeting HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: hero-boot.herokuapp.com
User-Agent: HTTPie/0.9.2



HTTP/1.1 200 
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Sun, 11 Mar 2018 01:28:53 GMT
Server: Cowboy
Transfer-Encoding: chunked
Via: 1.1 vegur

{
    "content": "Hello, World!", 
    "id": 8
}

Observations on the HTTPie output:
1. The herokuapp.com hostname and the Server: Cowboy header (Cowboy is the HTTP server inside Heroku's router; the Via: 1.1 vegur header is the router's proxy) tell us that we are hitting Heroku directly.
2. Heroku provides HTTPS for the *.herokuapp.com hostname, so the application is secured out of the box. Very thankful to Heroku.

Next in Part 2 we moved it to our domain.


$ curl -v  http://venkatvp.site./greeting\?name=Venkat 
*   Trying 23.21.74.117...
* Connected to venkatvp.site (23.21.74.117) port 80 (#0)
> GET /greeting?name=Venkat HTTP/1.1
> Host: venkatvp.site
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 
< Server: Cowboy
< Connection: keep-alive
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Sun, 11 Mar 2018 20:09:57 GMT
< Via: 1.1 vegur
< 
* Connection #0 to host venkatvp.site left intact
{"id":7,"content":"Hello, Venkat!"}

Observations on the curl output:
1. We lost the HTTPS that Heroku provided: the certificate Heroku serves is for *.herokuapp.com, not for our domain, so venkatvp.site is reachable over plain HTTP only.
2. The Host header is now the host name we chose, not the one Heroku provided.
3. The Server: Cowboy and Via: 1.1 vegur headers show that the service is still being served by Heroku.

In Part 3, we changed our name servers to Cloudflare's and put Cloudflare in front of the service running on Heroku, as a reverse proxy that shields the origin.


$ host -t ns  venkatvp.site.
venkatvp.site name server noah.ns.cloudflare.com.
venkatvp.site name server ali.ns.cloudflare.com.

To make sure the service is proxied via Cloudflare, here is our test.

$ http -v http://venkatvp.site/greeting           
GET /greeting HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: venkatvp.site
User-Agent: HTTPie/0.9.2



HTTP/1.1 200 
CF-RAY: 3f9a6163b7c8832d-ATL
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json;charset=UTF-8
Date: Sun, 11 Mar 2018 01:52:13 GMT
Server: cloudflare
Set-Cookie: __cfduid=d28c6a6d8b5e5d610798be7a4f8c929b11520733133; expires=Mon, 11-Mar-19 01:52:13 GMT; path=/; domain=.venkatvp.site; HttpOnly
Transfer-Encoding: chunked
Via: 1.1 vegur

{
    "content": "Hello, World!", 
    "id": 9
}

The Server: cloudflare response header, together with the CF-RAY request ID and the __cfduid cookie, shows that the response was proxied via Cloudflare. The Via: 1.1 vegur header is still there, so Heroku remains the origin behind the proxy.

Let's Encrypt

Cloudflare provides HTTPS at its edge by default (its Universal SSL certificate), and a few settings on the Crypto page let us enforce stricter HTTPS with some simple steps.

To get this working, we first have to wait until the site shows as Active in Cloudflare on the Overview page. Until then, an HTTPS request fails like this, because the edge has no certificate for our name yet and aborts the TLS handshake:



$ http -v https://venkatvp.site/greeting

http: error: SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)

Wait till you see Status: Active.
Next, when your site is active, check the status of the SSL certificate on the Crypto page.
You want the SSL Status to read Active Certificate.


You have regained your HTTPS. Congratulations! A few things are worth noticing in the curl output that follows. The certificate is Cloudflare's shared Universal SSL certificate (CN sni161039.cloudflaressl.com, a PositiveSSL Multi-Domain certificate issued by COMODO, with our domain among its SANs, which is why curl reports the name as matched), not a certificate issued to venkatvp.site alone. curl also reports "server certificate status verification SKIPPED", meaning no OCSP check was made. And the Via: 1.1 vegur header shows the request still reached Heroku, so this certificate only covers the browser-to-Cloudflare leg; the SSL mode you choose on the Crypto page (Flexible, Full or Full (strict)) decides whether the Cloudflare-to-Heroku leg is encrypted as well.


$ curl -v https://venkatvp.site/greeting 
*   Trying 104.24.96.181...
* Connected to venkatvp.site (104.24.96.181) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
*   server certificate verification OK
*   server certificate status verification SKIPPED
*   common name: sni161039.cloudflaressl.com (matched)
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: EC
*   certificate version: #3
*   subject: OU=Domain Control Validated,OU=PositiveSSL Multi-Domain,CN=sni161039.cloudflaressl.com
*   start date: Sun, 11 Mar 2018 00:00:00 GMT
*   expire date: Mon, 17 Sep 2018 23:59:59 GMT
*   issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO ECC Domain Validation Secure Server CA 2
*   compression: NULL
* ALPN, server accepted to use http/1.1
> GET /greeting HTTP/1.1
> Host: venkatvp.site
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 
< Date: Sun, 11 Mar 2018 02:38:04 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d887d62c4d9247b367d5cded9fe65e0881520735884; expires=Mon, 11-Mar-19 02:38:04 GMT; path=/; domain=.venkatvp.site; HttpOnly
< Via: 1.1 vegur
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 3f9aa48e1fa682fd-ATL
< 
* Connection #0 to host venkatvp.site left intact
{"id":12,"content":"Hello, World!"}

Other Crypto Settings to Guard the Site

Here is what is recommended to keep your site secured.


Doing so will make sure you get the green padlock back in your browser.
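As an added example (not code from the original post), here is a small Python checker that reads captured response headers like the ones in this post and reports whether the site is proxied by Cloudflare, whether the origin is still Heroku, and whether the two Crypto page settings that matter most for "stricter HTTPS" (Always Use HTTPS and HSTS) are in effect. The sample responses are constructed to mirror the captures above; the 301 redirect and the Strict-Transport-Security value are assumptions about what those settings produce once enabled, and the six-month max-age threshold is a choice of mine, not a Cloudflare default.

```python
"""Audit the HTTPS posture of a Cloudflare-fronted site from captured
response headers.  Added example for this post, not the author's code.
The sample responses are constructed to mirror the curl/HTTPie captures in
the post; the 'after' responses are assumptions about what Cloudflare's
"Always Use HTTPS" (301 to https://) and HSTS settings produce."""

import re

# Constructed: the https:// response, shaped like the curl capture in the post.
HTTPS_OK = (
    "HTTP/1.1 200 \r\n"
    "Date: Sun, 11 Mar 2018 02:38:04 GMT\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "Set-Cookie: __cfduid=d887d62c4d9247b367d5cded9fe65e0881520735884; "
    "expires=Mon, 11-Mar-19 02:38:04 GMT; path=/; domain=.venkatvp.site; HttpOnly\r\n"
    "Via: 1.1 vegur\r\n"
    'Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"\r\n'
    "Server: cloudflare\r\n"
    "CF-RAY: 3f9aa48e1fa682fd-ATL\r\n"
    "\r\n"
)

# Constructed: the http:// response as captured in the post (plain HTTP is
# still answered with content, i.e. no redirect to HTTPS yet).
HTTP_BEFORE = (
    "HTTP/1.1 200 \r\n"
    "CF-RAY: 3f9a6163b7c8832d-ATL\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "Server: cloudflare\r\n"
    "Via: 1.1 vegur\r\n"
    "\r\n"
)

# Assumption: what http:// returns once "Always Use HTTPS" is switched on.
HTTP_AFTER = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://venkatvp.site/greeting\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 3f9b0000deadbeef-ATL\r\n"
    "\r\n"
)

# Assumption: the same https response after HSTS is enabled on the Crypto page.
HTTPS_HSTS = HTTPS_OK.replace(
    "Server: cloudflare\r\n",
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    "Server: cloudflare\r\n",
)

SIX_MONTHS = 15552000  # seconds; a common minimum for an effective HSTS policy


def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status_code, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def _first(headers, name):
    return headers.get(name, [None])[0]


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or 0."""
    if not value:
        return 0
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(https_raw, http_raw):
    """Return (findings, advice): a bool per check and the fixes still needed."""
    s_status, s_hdr = parse_response(https_raw)
    p_status, p_hdr = parse_response(http_raw)
    location = _first(p_hdr, "location") or ""
    findings = {
        # Server: cloudflare plus a CF-RAY id means the edge answered, not Heroku.
        "proxied_by_cloudflare": (_first(s_hdr, "server") or "").lower() == "cloudflare"
                                 and "cf-ray" in s_hdr,
        # Via: 1.1 vegur is Heroku's router, so the origin is still Heroku.
        "origin_is_heroku": "vegur" in (_first(s_hdr, "via") or "").lower(),
        "https_ok": s_status == 200,
        # "Always Use HTTPS": plain http must redirect to an https:// URL.
        "http_redirects_to_https": p_status in (301, 302, 307, 308)
                                   and location.lower().startswith("https://"),
        "hsts_ok": hsts_max_age(_first(s_hdr, "strict-transport-security")) >= SIX_MONTHS,
        "expect_ct": "expect-ct" in s_hdr,
    }
    advice = []
    if not findings["proxied_by_cloudflare"]:
        advice.append("Response did not come from Cloudflare's edge; check the proxy (orange cloud) toggle on the DNS record.")
    if not findings["http_redirects_to_https"]:
        advice.append("Plain HTTP still serves content; enable 'Always Use HTTPS' on the Crypto page so http:// is redirected.")
    if not findings["hsts_ok"]:
        advice.append("No (or too short) Strict-Transport-Security header; enable HSTS on the Crypto page with max-age >= 6 months.")
    return findings, advice


if __name__ == "__main__":
    for label, pair in (("as captured", (HTTPS_OK, HTTP_BEFORE)),
                        ("after hardening", (HTTPS_HSTS, HTTP_AFTER))):
        findings, advice = audit(*pair)
        print(label, findings)
        for line in advice:
            print("  -", line)
```

Run against the captures as they appear in this post, the checker confirms the Cloudflare proxy and the Heroku origin but flags two gaps: http:// still returns content instead of a redirect, and there is no HSTS header. To point it at a live site, feed it the head of `curl -si https://yourdomain/` and `curl -si http://yourdomain/` instead of the constructed strings.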


Conclusion

Over the course of this 4 part series we have deployed a simple program to the cloud, moved the application to our own domain, and then secured it using Cloudflare.

Heroku provides free developer trial dynos for 600+ hours, which means you can keep one application running for almost a month for free.

If you wish to do this, the only thing you will have to spend money on is a domain. If you are not particular about the name, you can get a cheap domain for less than $2 and experiment.

Cloudflare manages one domain for free, with basic to moderate features that are sufficient for small companies and startups; these are features that only large enterprises used to be able to afford.

There were days when I had a craving to host my Java based web applications somewhere for learning and experimental dev projects. Every time I looked for hosting I ended up with Linux hosting that was too expensive for development and learning. Advances in the cloud have made enterprise style web application hosting available to developers at absolutely no cost, and that is a very positive thing for the development community, which can now freely experiment and exercise its skills.
