Heroku:使用https tomcat服务器和证书固定的Spring Boot Gradle应用程序
[英]Heroku: Spring Boot Gradle app with https tomcat server and certificate pinning
问题描述
I have a Spring Boot java app that uses a self-signed certificate to communicate with the android front-end. 
我有一个Spring Boot java应用程序,它使用自签名证书与android前端进行通信。
I use a tomcat server as my container for the app: 我使用tomcat服务器作为应用程序的容器:
compile 'org.springframework.boot:spring-boot-starter-tomcat'
Now, I have enabled https / ssl: 现在,我启用了https / ssl:
TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
tomcat.addConnectorCustomizers(connector -> {
connector.setPort(Integer.parseInt(serverPort));
connector.setSecure(true);
connector.setScheme("https");
I have to enable SSL as I want my android frontend to communicate to my server securely. 我必须启用SSL,因为我希望我的android前端安全地与我的服务器通信。 I use the technique called certificate pinning which means I add the same self-signed certificate to both my server and my android app. 我使用称为证书锁定的技术,这意味着我将相同的自签名证书添加到我的服务器和我的Android应用程序。 For any http communications between the two, the communication will be encrypted with the keys of the same certificate and hence the server and android app will be able to understand one another. 对于两者之间的任何http通信,通信将使用相同证书的密钥加密,因此服务器和Android应用程序将能够彼此理解。
When I load it into Heroku, I get errors each time I try to call the server: 当我将它加载到Heroku时,每次尝试调用服务器时都会出错:
2015-12-11T20:04:32.424629+00:00 heroku[router]: at=error code=H13 desc="Connection closed without response" method=GET path="/getfood?postid=566348364a918a12046ce96f" host=app.herokuapp.com request_id=bf975c13-69f3-45f5-9e04-ca6817b6c410 fwd="197.89.172.181" dyno=web.1 connect=0ms service=4ms status=503 bytes=0
According to this blog by Julie: http://juliekrueger.com/blog/ 根据朱莉的这篇博客: http : //juliekrueger.com/blog/
As a side note, Heroku apps are https enabled by default.
I can fix the error by just removing the ssl / https from my tomcat server, but as I mentioned, I want to use the certificate pinning technique for secure communications. 我可以通过从我的tomcat服务器中删除ssl / https来修复错误,但正如我所提到的,我想使用证书锁定技术进行安全通信。
I was thinking whether it was possible to disable the SSL on heroku side but keep my tomcat server SSL active but I already contacted Heroku and they told me that disabling the piggyback SSL that comes standard with their service is not possible. 我在想是否可以在heroku端禁用SSL,但保持我的tomcat服务器SSL处于活动状态,但我已经联系了Heroku,他们告诉我,禁用其服务标准的搭载SSL是不可能的。
I also looked at the paid alternative here called SSL Endpoint but it seems only userful for custom domains. 我还看了一下名为SSL Endpoint的付费替代方案,但它似乎只对自定义域有用。 Since all endpoints are coded within my android app and is not visible to the user, it makes no sense for me to use a custom domain. 由于所有端点都在我的Android应用程序中编码并且对用户不可见,因此使用自定义域对我没有意义。 Furthermore, I don't think it will solve my problem as its sole objective seems to be to create the custom domain: 此外,我认为它不会解决我的问题,因为它的唯一目标似乎是创建自定义域:
SSL Endpoint is only useful for custom domains.
I googled for a few days now and cannot seem to come up with a solution. 我用谷歌搜索了几天,似乎无法找到解决方案。 Disabling ssl on my tomcat side would not be acceptable in my mind as it poses too much risks. 在我的tomcat一侧禁用ssl在我看来是不可接受的,因为它带来了太大的风险。 I would even consider other services (Azure etc) if this would solve my problem. 如果这可以解决我的问题,我甚至会考虑其他服务(Azure等)。
Any ideas on how I can solve this? 关于如何解决这个问题的任何想法?
1 个解决方案
解决方案1
3 已采纳 2015-12-15 18:35:49
With Heroku, in order to use your own custom SSL, you need to use a custom domain and the SSL Endpoint addon, it will probably won't make sense for your case, but it is the only way to use your own certificate. 使用Heroku,为了使用您自己的自定义SSL,您需要使用自定义域和SSL端点插件,它可能对您的案例没有意义,但它是使用您自己的证书的唯一方法。
And I haven't tried all the providers out there, but with the ones I tried, the scenario is exactly the same, it is possible to use custom SSL cert only if you are using a custom domain. 我没有尝试过那里的所有提供商,但是对于我尝试过的提供商,情况完全相同,只有在使用自定义域时才可以使用自定义SSL证书。
Although, browsing google a bit, found this blog post where it ilustrates how to use an intermediate DNS service to comunicate with Heroku. 虽然,稍微浏览谷歌,发现这篇博客文章说明如何使用中间DNS服务与Heroku通信。 In the communication between the DNS service and Heroku, the provided heroku SSL cert is used, but from the client to the DNS service a different certificate is used, so it might be of some help. 在DNS服务和Heroku之间的通信中,使用了提供的heroku SSL证书,但是从客户端到DNS服务使用了不同的证书,因此它可能会有所帮助。
Update : A possible solution would be to use Amazon Web Services, where the deal is that you rent VM's and you are allowed to setup your own environment, meaning that you can install your own tomcat and use your own custom SSL. 更新 :可能的解决方案是使用Amazon Web Services,其中交易是您租用VM并且您可以设置自己的环境,这意味着您可以安装自己的tomcat并使用自己的自定义SSL。
Update 2 : Also there is CloudFront with AWS, where you can use your own certificates explained here 更新2 :还有支持AWS的CloudFront,您可以在此处使用自己的证书
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.