
SSL in management URL

Open MichiBaum opened this issue 8 months ago • 5 comments

Spring Boot Admin Server information

  • Version: Spring Boot (spring-boot-dependencies): 3.4.5; Spring Cloud (spring-cloud-dependencies): 2024.0.1; Spring Admin (spring-boot-admin-dependencies): 3.4.5

  • Webflux or Servlet application: servlet application

Client information

  • Spring Boot versions: Spring Boot (spring-boot-dependencies): 3.4.5; Spring Cloud (spring-cloud-dependencies): 2024.0.1; Spring Admin (spring-boot-admin-dependencies): 3.4.5

  • Used discovery mechanism: eureka

  • Webflux or Servlet application: servlet application

Description

Hi Everyone

I got a Gateway (Eureka) and a Spring Boot Admin Server running in a Docker Network.

Now I got my Gateway (Server Properties) configured with ssl and listening on Port 443 but my Actuator endpoints (configured with management) are without ssl and listening on Port 80.

Gateway config:

server:
  port: 443
  ssl:
    enabled: true
    bundle: server
....
management:
  server:
    port: 80
    ssl:
      enabled: false

The spring boot admin client creates the management url correctly (takes port 80) but it does not apply ssl.enabled=false.

In the Admin Server Journal I see my gateway registration with the following:

{
    "registration": {
        "name": "GATEWAY-SERVICE",
        "managementUrl": "https://172.18.0.16:80/actuator",
        "healthUrl": "https://172.18.0.16:80/actuator/health",
        "serviceUrl": "https://172.18.0.16:443",
        "source": "discovery",
        "metadata": {
            "prometheus.path": "/actuator/prometheus",
            "management.port": "80"
        }
    }
}

managementUrl & healthUrl should not be with https. I think I could override the Url with spring.boot.client.management-url as a quick fix.

If you need more information please ask. Thx

MichiBaum avatar May 21 '25 07:05 MichiBaum

Ssl ssl = (management.getSsl() != null) ? management.getSsl() : server.getSsl();
return UriComponentsBuilder.newInstance()
	.scheme(getScheme(ssl))
	.host(getManagementHost())
	.port(getLocalManagementPort())
	.path(getManagementContextPath())
	.toUriString();

MichiBaum avatar May 21 '25 07:05 MichiBaum

There was something why it was implemented that way but I think it should not be this way. If server and management are different it should not use the same ssl config by default. Nowadays the developer can create a bundle and use the same bundle if he wants the same ssl configuration for server and management.

Keep in mind that this change would be breaking. If this change is applied it should be applied in servlet & reactive.

MichiBaum avatar May 21 '25 08:05 MichiBaum

de.codecentric.boot.admin.client.registration.DefaultApplicationFactory#getScheme can handle null values

MichiBaum avatar May 21 '25 08:05 MichiBaum
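The scheme selection discussed in the comments above, modelled as an added example (not part of the thread and not the project's code). `Ssl` is a stand-in record, `getScheme` is assumed to return https only for a non-null, enabled `Ssl`, and `proposedScheme` is a hypothetical helper that reads "server and management are different" as "different ports".

```java
public class ManagementSchemeDemo {

    // Stand-in for Spring Boot's Ssl properties; only the flag the scheme depends on.
    record Ssl(boolean enabled) {}

    // Assumption: https only for a non-null, enabled Ssl (null means "not configured").
    static String scheme(Ssl ssl) {
        return (ssl != null && ssl.enabled()) ? "https" : "http";
    }

    // Selection quoted in the thread: an unset management Ssl inherits the server's.
    static String quotedScheme(Ssl server, Ssl management) {
        Ssl ssl = (management != null) ? management : server;
        return scheme(ssl);
    }

    // Rule proposed in the thread (hypothetical helper): inherit the server's Ssl
    // only when management shares the server's port, i.e. the same connector.
    static String proposedScheme(Ssl server, int serverPort, Ssl management, int managementPort) {
        Ssl ssl = (management != null || managementPort != serverPort) ? management : server;
        return scheme(ssl);
    }

    static String url(String scheme, String host, int port) {
        return scheme + "://" + host + ":" + port + "/actuator";
    }

    public static void main(String[] args) {
        Ssl serverTls = new Ssl(true);
        String host = "gateway.example"; // constructed host name

        // management.server.ssl not bound; server on 443 with TLS, management on 80
        System.out.println("quoted,   ssl unset:    " + url(quotedScheme(serverTls, null), host, 80));
        System.out.println("proposed, ssl unset:    " + url(proposedScheme(serverTls, 443, null, 80), host, 80));

        // management.server.ssl.enabled=false bound explicitly
        Ssl off = new Ssl(false);
        System.out.println("quoted,   ssl disabled: " + url(quotedScheme(serverTls, off), host, 80));

        // Same port: both rules keep the server's TLS setting
        System.out.println("quoted,   same port:    " + url(quotedScheme(serverTls, null), host, 443));
        System.out.println("proposed, same port:    " + url(proposedScheme(serverTls, 443, null, 443), host, 443));
    }
}
```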

Indeed this seems wrong.

@erikpetzold @SteKoe any thoughts?

Also in my environment with version 3.5.5 I'll have an application having the server with TLS but the management part exposed on another port without TLS. I wonder if this won't work for me as well.

cdprete avatar Sep 27 '25 10:09 cdprete

> Indeed this seems wrong.
>
> @erikpetzold @SteKoe any thoughts?
>
> Also in my environment with version 3.5.5 I'll have an application having the server with TLS but the management part exposed on another port without TLS. I wonder if this won't work for me as well.

It somehow works for me with 3.5.5.

cdprete avatar Oct 02 '25 07:10 cdprete