Using Spring Boot 2.2.2 and Cloud Hoxton, I have a Cloud Gateway with Eureka and a number of WebFlux instances running behind the Gateway and discoverable via Eureka. In HTTP mode everything works OK.
When re-configuring both the Gateway and WebFlux instances to SSL, the routing from the Gateway to the WebFlux instances is still working OK. However, micro-services are still being sent as HTTP, not HTTPS. I assume that this is the case since the micro-service is failing with io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record.
My Gateway has the following configuration (edit: corrected SSL config below):
server:
  port: 443
  ssl:
    enabled: true
    key-store: …
    key-store-password: …
    trust-store: …
    trust-store-password: …

eureka:
  client:
    service-url:
      defaultZone: …
  instance:
    securePortEnabled: true
    nonSecurePortEnabled: false
    leaseRenewalIntervalInSeconds: 5

spring:   # parent key of spring.cloud.gateway.*, restored here from the flattened listing
  cloud:
    gateway:
      httpclient:
        ssl:
          useInsecureTrustManager: true
      routes:
        - id: route1
          predicates:
            - Path=/SECURITY/**
          uri: lb://SECURITY
          filters:
            - RewritePath=/SECURITY/(?<myPath>.*), /$\{myPath}
            - TokenRelay=
            - RemoveRequestHeader=Cookie
Edit: The command lines for both the Gateway and the micro-service also have -Djavax.net.ssl properties for keyStore, trustStore and their relevant passwords.
The micro-service is running on the same server with the same certificates and with the same server.ssl and eureka configuration (albeit with a different spring.application.name).
URL calls to the Gateway redirect correctly. However, the code below, which resides in the Gateway, causes an HTTP instead of an HTTPS call.
// LoadBalancedWebClientBuilder.java
import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class LoadBalancedWebClientBuilder {

    // @LoadBalanced makes the builder resolve lb://<service-id> URIs through
    // the service registry (Eureka here) before each request is sent
    @LoadBalanced
    @Bean
    WebClient.Builder loadBalanced() {
        return WebClient.builder();
    }
}

// MyRestController.java
import java.time.Duration;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;

import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

@RestController
public class MyRestController {

    @Autowired
    WebClient.Builder loadBalanced;

    // DrsApplication and ActuatorStatus are the application's own model classes
    @GetMapping(value = "/applicationStatus", produces = MediaType.TEXT_EVENT_STREAM_VALUE)
    public Flux<DrsApplication> getApplicationActuator() {
        WebClient webClient = loadBalanced.build();
        return webClient
                .get()
                // lb:// scheme: host and scheme are substituted from the registered instance
                .uri("lb://SECURITY/drs/application")
                .retrieve()
                .bodyToFlux(DrsApplication.class)
                .filter(p -> p.isActive())
                .flatMap(drsApplication ->
                        webClient
                                .get()
                                .uri("lb://" + drsApplication.getName() + "/actuator/health")
                                .retrieve()
                                .bodyToMono(ActuatorStatus.class)
                                // an unreachable instance is reported as DOWN instead of failing the stream
                                .onErrorReturn(new ActuatorStatus("DOWN"))
                                .map(as -> {
                                    drsApplication.setStatus(as.getStatus());
                                    return drsApplication;
                                })
                                // re-poll the health endpoint every 4 seconds
                                .repeatWhen(interval -> Flux.interval(Duration.ofSeconds(4)))
                                .onErrorResume(e -> Mono.empty())
                );
    }
}
So far everything has been upgraded from HTTP to SSL, just by configuration. I was assuming that because the WebClient call is using lb it would automatically follow suit and adopt SSL.
Is my assumption correct or do I need to modify my code or configuration?
You are not obliged to set server.forwardHeadersStrategy=NATIVE in your Eureka server. In my case I set eureka.instance.securePortEnabled=true in the target microservice only, and in the gateway I set lb:// and spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates=cert.pem.
It's not secure to use spring.cloud.gateway.httpclient.ssl.use-insecure-trust-manager=true in production. This link can help you learn more about the gateway and SSL: https://cloud.spring.io/spring-cloud-gateway/reference/html/#tls-and-ssl
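The two configuration files the answer describes, written out as an added example (not the asker's or the answerer's own files): the gateway trusts only the back end's certificate instead of any certificate, and the target micro-service registers its HTTPS port with Eureka so that lb://SECURITY resolves to https://host:port. All file paths, the port 8443 and the environment variable names are placeholders.

```yaml
# Added example. Two YAML documents: the gateway first, then the SECURITY micro-service.
# Paths, ports and environment variable names are placeholders.

# --- gateway: application.yml ---
server:
  port: 443
  ssl:
    enabled: true
    key-store: /path/to/gateway-keystore.p12            # placeholder
    key-store-password: ${GATEWAY_KEYSTORE_PASSWORD}    # placeholder

spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          # Weak setting (the one in the question): every back-end certificate is accepted,
          # so a host impersonating the micro-service would not be detected.
          # use-insecure-trust-manager: true
          #
          # Corrected setting: only the listed PEM certificate(s) are trusted.
          trusted-x509-certificates:
            - /path/to/cert.pem                         # placeholder
      routes:
        - id: route1
          uri: lb://SECURITY
          predicates:
            - Path=/SECURITY/**

---
# --- target micro-service (spring.application.name: SECURITY): application.yml ---
spring:
  application:
    name: SECURITY

server:
  port: 8443                                            # placeholder HTTPS port
  ssl:
    enabled: true
    key-store: /path/to/security-keystore.p12           # placeholder
    key-store-password: ${SECURITY_KEYSTORE_PASSWORD}   # placeholder

eureka:
  client:
    service-url:
      defaultZone: https://eureka.example.internal/eureka/   # placeholder
  instance:
    # Advertise the instance as secure: load-balanced clients then build
    # https://<host>:<secure-port> for lb://SECURITY instead of http://
    securePortEnabled: true
    nonSecurePortEnabled: false
    secure-port: ${server.port}
```

The gateway's httpclient.ssl settings apply to the gateway's own route HttpClient; with the second document in place, the scheme chosen for lb:// URIs follows from what the target instance registers in Eureka, which is the behaviour the answer relies on.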