Enabling HTTPS in your Codewind Application
09 Dec 2019 - Becca Bau
Why HTTPS?
HTTPS is becoming increasingly common as the internet shifts to an HTTPS-only environment. In an unencrypted HTTP session, data is transferred in clear text, meaning anyone can eavesdrop on your actions over the web. Also, you don’t have any additional verification to ensure you’ve connected to the correct website. You might be on a compromised network that could mine your information by directing you to imposter services. HTTPS, on the other hand, verifies that you have established a secure connection to your intended service by encrypting your sessions and checking certificates.
If you have ever used Codewind (if not, check out codewind.dev!), then you’ll know that our templates generate web services that use HTTP. We want to help you protect the integrity of the applications and services you create with Codewind. To help you keep your applications and services secure, check out these examples to see how you can convert your Codewind applications from HTTP to HTTPS.
Converting an application from HTTP to HTTPS
You can convert Codewind applications from HTTP to HTTPS. These examples feature a Python and a MicroProfile application.
Caution: Use these examples for development but not for production applications. The self-signed certificate and steps in these examples might not comply with the security policy and usage policy of your project.
Converting a Python application from HTTP to HTTPS
- Generate a private key.
openssl genrsa -des3 -out server.key 2048
- Generate a certificate signing request.
openssl req -new -key server.key -out server.csr
- Remove the passphrase from the key.
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
- Generate a self-signed certificate.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- In your Python application app.py file, use the certificate and the key.
app.run(host="0.0.0.0", port=5000, ssl_context=('/tmp/server.crt', '/tmp/server.key'))
- Update your Python application Dockerfile to include the certificate and the key.
# Copy the Certificate and the Key
ADD server.crt /tmp/server.crt
ADD server.key /tmp/server.key
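The key and certificate steps above can also run unattended and be checked before the files are copied into the image. The following is an added example, not part of the original post: the function names `make_dev_cert` and `check_dev_cert` and the `localhost` subject are assumptions, and the key is generated without a passphrase instead of being encrypted and then stripped.

```shell
#!/bin/sh
# Added example; make_dev_cert and check_dev_cert are hypothetical helper names.

# Create server.key, server.csr and server.crt in directory $1 for host name $2.
make_dev_cert() {
    dir=$1
    host=${2:-localhost}   # assumed host name for the certificate subject
    # 2048-bit key written without a passphrase under a tight umask, so no
    # server.key.org copy exists and the key is never world-readable.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    # -subj answers the subject prompts so the step can run unattended.
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Check RSA certificate $1 against key $2.
# Returns 0 if usable, 1 key under 2048 bits, 2 key mismatch, 3 expiring.
check_dev_cert() {
    crt=$1
    key=$2
    bits=$(openssl x509 -in "$crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "key too small: ${bits:-unknown} bits" >&2; return 1; }
    # Compare digests of the public key in the certificate and in the key file.
    # An empty -passin makes an encrypted key fail here instead of prompting.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match, or key is encrypted" >&2; return 2; }
    # -checkend fails if the certificate expires within the given seconds.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "certificate expires within 24 hours" >&2; return 3; }
}
```

Run `make_dev_cert . localhost && check_dev_cert server.crt server.key` in the directory that the Dockerfile copies from.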
Converting a MicroProfile application from HTTP to HTTPS
- Generate a keystore with the Java keytool command.
keytool -genkey -alias <alias> -keystore <path to save keystore.pfx> -storetype PKCS12 -keyalg RSA -storepass <password> -validity 730 -keysize 2048
- Install the Liberty SSL feature in the application server.xml file.
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
- Use the keystore in the Liberty server.xml file by entering the same path and password from when you generated a keystore with the Java keytool command.
<keyStore id="defaultKeyStore" location="/home/default/keystore.pfx" password="<password>" type="PKCS12"/>
- Update your MicroProfile application Dockerfile to include the keystore.
# Copy the Keystore
COPY keystore.pfx /home/default/keystore.pfx
For more information, see Configuring SSL for Liberty profile.
Note: To run the Python and MicroProfile HTTPS application on Kubernetes, update the chart deployment.yaml file to include the scheme: HTTPS value for the livenessProbe and readinessProbe probes.
livenessProbe:
  httpGet:
    path: /
    port: {{ .Values.service.servicePort }}
    scheme: HTTPS
readinessProbe:
  httpGet:
    path: /
    port: {{ .Values.service.servicePort }}
    scheme: HTTPS