Undocumented JAVA: Web Application: Deploy to the Cloud – Part 4

-

Introduction

Well, well, well. Part 1, Part 2 and Part 3 are out. Now we are hosting our freshly written Java Spring Boot application on Heroku Cloud. Then Move it our our Domain and now if you have noticed when we moved the application to our domain HTTPS fell apart and we are now only running the application on HTTP only. Where did the security that heroku provided go? How can we get it back? This is all that we will be seeing in this part.


Recap of what we did so far

In Part 1 we deployed a newly written web application to Heroku. Here is what you see in the response.

$ http -v https://hero-boot.herokuapp.com/greeting
GET /greeting HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: hero-boot.herokuapp.com
User-Agent: HTTPie/0.9.2



HTTP/1.1 200 
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Sun, 11 Mar 2018 01:28:53 GMT
Server: Cowboy
Transfer-Encoding: chunked
Via: 1.1 vegur

{
    "content": "Hello, World!", 
    "id": 8
}

Observations on the Httpie output:
1. The common name on the hostname and Server value Cowboy in the HTTP response header tells us that we are hitting Heroku cloud directly.
2.  Heroku provides HTTPS service to secure our application. Very thankful to Heroku.

Next in Part 2 we moved it to our domain.


$ curl -v  http://venkatvp.site./greeting\?name=Venkat 
*   Trying 23.21.74.117...
* Connected to venkatvp.site (23.21.74.117) port 80 (#0)
> GET /greeting?name=Venkat HTTP/1.1
> Host: venkatvp.site
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 
< Server: Cowboy
< Connection: keep-alive
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Sun, 11 Mar 2018 20:09:57 GMT
< Via: 1.1 vegur
< 
* Connection #0 to host venkatvp.site left intact
{"id":7,"content":"Hello, Venkat!"}

Observations on the curl output:
1. We lost the HTTPS service provided by Heroku and service is only HTTP.
2. Host got changed to the host name that we choose and not what Heroku provided.
3. The service that is running on the server is still provided by Heroku.

In Part 3, we changed our name server to Cloudflare and made Cloudflare be our shield to our service running on Heroku.


$ host -t ns  venkatvp.site.
venkatvp.site name server noah.ns.cloudflare.com.
venkatvp.site name server ali.ns.cloudflare.com.

To make sure the service is proxied via Cloudflare here is our test.

$ http -v http://venkatvp.site/greeting           
GET /greeting HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: venkatvp.site
User-Agent: HTTPie/0.9.2



HTTP/1.1 200 
CF-RAY: 3f9a6163b7c8832d-ATL
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json;charset=UTF-8
Date: Sun, 11 Mar 2018 01:52:13 GMT
Server: cloudflare
Set-Cookie: __cfduid=d28c6a6d8b5e5d610798be7a4f8c929b11520733133; expires=Mon, 11-Mar-19 01:52:13 GMT; path=/; domain=.venkatvp.site; HttpOnly
Transfer-Encoding: chunked
Via: 1.1 vegur

{
    "content": "Hello, World!", 
    "id": 9
}

the HTTP response header has the server name as cloudflare. Thus, we are certain that the response is proxied via cloudflare.

Lets Encrypt

Cloudflare provides HTTPS service by default and we can tweak it to enforce stricter HTTPS with some simple steps.

To enable this feature, we will have to wait till the site is active via cloudflare on the Overview Page.



$ http -v https://venkatvp.site/greeting

http: error: SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)

Wait till you see the Status: Active.
Next, when your site is active, then check the status on the SSL certificate on the Crypto Page.
Then we will have to see SSL Status as Active Certificate.


You have regained your HTTPS. Congratulations!


$ curl -v https://venkatvp.site/greeting 
*   Trying 104.24.96.181...
* Connected to venkatvp.site (104.24.96.181) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
*   server certificate verification OK
*   server certificate status verification SKIPPED
*   common name: sni161039.cloudflaressl.com (matched)
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: EC
*   certificate version: #3
*   subject: OU=Domain Control Validated,OU=PositiveSSL Multi-Domain,CN=sni161039.cloudflaressl.com
*   start date: Sun, 11 Mar 2018 00:00:00 GMT
*   expire date: Mon, 17 Sep 2018 23:59:59 GMT
*   issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO ECC Domain Validation Secure Server CA 2
*   compression: NULL
* ALPN, server accepted to use http/1.1
> GET /greeting HTTP/1.1
> Host: venkatvp.site
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 
< Date: Sun, 11 Mar 2018 02:38:04 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d887d62c4d9247b367d5cded9fe65e0881520735884; expires=Mon, 11-Mar-19 02:38:04 GMT; path=/; domain=.venkatvp.site; HttpOnly
< Via: 1.1 vegur
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 3f9aa48e1fa682fd-ATL
< 
* Connection #0 to host venkatvp.site left intact
{"id":12,"content":"Hello, World!"}

Other Crypto Settings to Guard the site

Here is what is recommended to keep your site secured.


Doing so will make sure you get the Green back on your browser.

 

Conclusion

All through the journey of this 4 Part Series we have successfully deployed a simple program to Cloud and transfered the application to our domain and then secured them using Cloudflare.

Heroku provides free developer trial Dynos for 600+ hours and that means you may virtually keep one application running for almost a month for free.

If you wish to do this the only place you will have to spend is buying a domain. If you are not particular about the name of the domain, you can get a cheap domain for less than $2 and experiment.

Cloudfalre, provides one domain management for free. Which means from basic to moderate features that is sufficient for small companies and startups can benefit from these features that only large Enterprise were only able to do.

There was days I used to have a craving to host my Java based web application somewhere for learning and experiment Dev projects. Every time, I looked for hosting I got into Linux hosting that were very expensive for me to spend on development and learning stuff. With the advancement in the cloud has enabled enterprise style web application can be provided to developers for absolute no cost and this is a very positive vibe for the development community to be able to freely experiment and exercise their skills.

Comments

Post a Comment

Popular posts from this blog

Java SSL/TLS Testing Tool: Cipher Suite

-
Image
Recently I was reading about the TLS/SSL and Ciphers. I was also interested to read about the Ciphers that are provided out of the box with JDK. This looked to me like this is something we take it for granted and do not do our due diligence when talking about the Ciphers. We often times leave those topic to our organization's network and security team. From my experience, it is a topic that all the developers leave it to the Sr. Developers and then the Sr. Developers pass it on to the Management. Guess what? It is not a sweet topic to discussion. To break this kind of symptom, I have choose to make it simple and want everyone to understand the complexity and importance of knowing this. Lets get started Before we wet our hands here is some basic information that you will require to know, Word Meaning Protocol A defined set of rules and regulations that determine how data is transmitted in telecommunications and computer networking SSL
Read more

PWA: Building and publishing a PWA in 15ish minutes using Angular 5 and Service Worker

-
Image
Introduction Here is an express start to your first PWA with service workers and a 100% score from lighthouse. I have taken it as a challenge to be able to present it to you so that you may be able to put your first pwa "hello world" app in 15ish minutes. What is PWA? Progressive web apps (PWAs) take traditional web sites/applications — with all of the advantages the web brings — and add a number of features that give them many of the user experience advantages of native apps. This set of docs tells you all you need to know. - Source: https://developer.mozilla.org/en-US/Apps/Progressive If the above definition sounds interesting, then this is to get you kickstarted with PWA using Angular 5 and inspire you to build more PWAs. End of this post you should be able to build, host and publish a PWA and get motivated to read more about it. Ever since I read about PWAs It has intrested me like crazy. Before, you get excited about PWA, please look into the supported brow
Read more

Yarn and Angular-CLI

-
Background I have been thinking of a faster package management tool ever since I started using NPM (Node Package Manager). Please don’t mistake me having anything against NPM. I still love this package manager and I very much love the rich command-line that it came with. When it was created, it was really the leader and because of this NPM the whole JS world has seen a revolution. NPM surly was the spark to the revolution in the JS (Java Script) world. To make it clear for everyone why we needed a new package manager is because of the following challenges that we had with NPM, 1.      The Nested dependencies that was sometimes going in infinity loops. At times, it was impossible to delete files on the PC as the paths were too nested. 2.      Everything on the world had to depend on only one registry. https://www.npmjs.com/ 3.      Single threaded installation. The installation of the dependencies are single threaded. 4.      You are always expected to be online even i
Read more