Develop Reference

GCP GKE SMTP port 465 connection reset

I've got a Spring Boot Java application that sends emails via SMTP port 465 (non-gmail email). My configuration:
spring:
mail:
host: ssl0.ovh.net
port: 465
username: mailer#external.pl
password: mailerPassword
Locally everything works fine. When I deploy it on GCP Kubernetes cluster I've got a connection reset exception. I've read that GCP recommends some external paid providers but for my solution it's too much of a complication. Additionally I know that port 25 is disabled on GCP -> I've got port 465.
I've tried to simply add a firewall egress rule to enable traffic on every port for my VPC but it also didn't help.
What am I missing? Can anybody help my solve this puzzle?
Additional info:
My Java application is served as a simple deployment in k8s. It is exposed through LoadBalancer service on port 80.
Making a curl from given managed pod works - I receive a correct 2xx responses from various sites.

It turned out that my config map port changed from 456 to 465 but I forgot to restart the app. It works like a charm without any NAT configuration or firewall rules. Thanks for your support.

How to route HTTPS traffic through ELB to a EC2 container running a Java JHipster webApp

I have a JHipster monolithic application (Angular + Java SpringBoot + Tomcat container, everything together) deployed successfully in a EC2. I could set the security groups in order to enable 8443 incoming requests to the Public DNS and I am able to access it from any browser.
After that, I've requested a public certificate from Amazon for a domain I've already acquired with Route53.
So the idea was to use 443 instead of 8443, and the real domain (instead the Public DNS provided by AWS), so in effect I've created a ELB (all in the same VPC, security group and hosted zone). This ELB is listening in 443 and has a redirect to 8443 as default action.
But.. ERR_CONNECTION_REFUSED is what the browser shows..
It is important to mention that since AWS does not allow us to download the certificate (at least I don't see any option for that in the console) in the JDK of the EC2 where the app runs I've installed a custom certificate (generated with keytools) in order to apply it in Tomcat to listening the already mentioned 8443 port.
I also tried running in 8080 instead of 8443 (and of course updating the security groups) but no change..
Could you give me a clue about what I'm missing? So far the unique way I see is to create a new EC2 with a NGINX to act as a reverse proxy (with a rewrite policy maybe) behind the ELB, but I prefer to avoid additional complexity unless absolutely needed.
Additional data:
Tomcat server configuration:
server:
port: 8443
server.ssl.key-store: keystore.p12
server.ssl.key-store-password: thePassword
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: theKeyAlias
Security group inbound rules:
Custom TCP 8443 with 172.31.0.0/16 (the same range of the ELB)
HTTPS TCP 443 with 0.0.0.0/0 and ::/0
Also the AWS Certificate is enabled and already issued (CNAME record set was created in Route53)
**UPDATE 1 - 04 February 2019 22:21 (GMT-3) **
Guys, I finally decided to have a NGINX behind the ELB. Also I've realized that communication between NGINX and App Server could be HTTP, therefore my app is gonna listen in port 8080, simplifying a bit the scheme. I've realized also that I need only one certificate in order to have the "browser padlock" and encrypted all traffic between clients and ELB, so no matter if it is not possible to download it (it is not needed to install also in NGINX nor App. Server).

At the Apache level you should add a listener on port 443 which would proxy pass the requests on port 8443. This will make sure that all incoming requests on port 443 of the domain will be passed to the application running on port 8443 of the server
listen 443;
location /{
proxy_pass http://127.0.0.1:8443;
}

Finally issue RESOLVED I could make work fine the NGINX and also I had to change another things:
I've passed from an Application Load Balancer to a Classic Load Balancer. The final scheme is like I've explained in the UPDATE of this topic, I mean:
User connects via HTTP or HTTPS through Classic LB and then it goes to EC2 NGINX listening on port 80.
Then from NGINX to WebApp I've used a proxy_pass in this way:
location / {
proxy_pass http://172.x.y.z:8080;
}
And finally an HTTP forward in NGINX to use HTTPS exclusively:
proxy_set_header X-Forwarded-Proto $scheme;
if ( $http_x_forwarded_proto != 'https' )
{
return 301 https://$host$request_uri;
}
Lijo Abraham, your answer helped me to have a clear direction and this post shows the exactly solution applied (thats why I will green tick this post).
Many thanks and regards.
**UPDATE 1 - 10 February 2019 17:21 (GMT-3) ** Finally I've remade all again using Application ELB this time instead of Classic ELB (the latter deprecated) and everything works as expected, don't know why in the beginning ELB Classic didn't work (probably some error in security groups rules configuration or something kind of that).

How to make Spring Boot application accessible by external IP address of the server?

I'm a newbie to Spring Boot. I have a REST API application written in Spring Boot. When I execute my Spring Boot JAR, everything is okay and I can access the REST API with the localhost address instead of the actual one:
http://localhost:8083/articles
But when I try to access the REST API by my external IP address, I can't do it:
http://100.90.80.70:8083/articles
netstat -antu command in the Linux terminal gives me the following output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 :::8083 :::* LISTEN
As I understand, my app is accessible only in localhost, because it hasn't a foreign address.
My application.properties file has only this line:
server.port=8083
Also, when I try to add a server.address line to application.properties like that:
server.address=100.90.80.70
server.port=8083
I have the following Exception: Caused by: java.net.BindException: Cannot assign requested address.
So my question is: how to make Spring Boot application accessible by external IP address of the server? Thank you.

As #Mark said, the problem is in the firewall. I have opened 8083 port in the firewall settings and now I can access my REST API app by the external IP address:
http://100.90.80.70:8083/articles
Linux command to check firewall status:
sudo ufw status verbose
Open 8083 port for remote access by TCP protocol:
sudo ufw allow 8083/tcp
More settings here: https://www.cyberciti.biz/faq/how-to-open-firewall-port-on-ubuntu-linux-12-04-14-04-lts/

I fixed the same by configuring port forwarding on my router, to allow traffic from public ip

In my OpenStack environment, after much debugging, the solution was to create a new Security Group Rule, which looks like this:
Security Group Rule.
Note that my Spring Boot application was deployed on port 8080.
I also noticed that on ubuntu18 the firewall is disabled by default. It did not cause any problems.

Securing Neo4J with TLS through bolt protocol

Neo4J server configuration allows to set up a server-side policy to secure both HTTPS and BOLT connections.
In my installation I secured the BOLT connection by setting up a policy with PEM public and private key and settings:
dbms.connector.bolt.enabled=true
dbms.connector.bolt.tls_level=REQUIRED
bolt.ssl_policy=my_policy
dbms.ssl.policy.my_policy..base_directory=...
...
The set up works with a browser client. When I connect to the server through HTTPS, I am able to log in using ":server connect" command and use Neo4J browser with my server.
What I cannot do is figure out how other client can connect to Neo4J with secure BOLT protocol. Specifically, I tried connecting from cypher-shell and from a Java client (using Java Driver v 1.6). When TLS for BOLT is disabled, both connect without a hitch. Enabling TLS causes bad_certificate error in both clients.
I tried starting both cypher-shell and my Java client by passing JVM properties pointing to my trust store and key store
(-Djavax.net.ssl.keyStore=...
-Djavax.net.ssl.keyStorePassword=...
-Djavax.net.ssl.trustStore=...
-Djavax.net.ssl.trustStorePassword=...)
These properties have no effect on either Neo4J client. I am getting a bad_certificate exception.
I tried enabling SSL debugging (-Djavax.net.debug=ssl,handshake). Calling the Java client or cypher-shell with keystore and truststore parameters has no effect on the SSL debug output.
How do I connect to the server with TLS for BOLT enabled from cypher-shell or a Java client?
Thank you.

WebSocket not working with HAProxy in tcp mode

Consider this HAProxy configuration here:
global
chroot /var/lib/haproxy
user haproxy
group haproxy
defaults
timeout connect 10s
timeout client 50s
timeout server 50s
frontend fe_https_tomcat
mode tcp
bind *:443 ssl crt /path/cert.pem alpn h2,http/1.1
default_backend be_tomcat
backend be_tomcat
mode tcp
server localhost localhost:8081 check
The issue I have is that WebSocket do not seem to get through. My guess was that in tcp mode everything would pass through. Looks like it doesn't ... :-)
The server responds with an error 403 when the WebSocket connection is getting established.
Note that with the following http-mode setup, the WebSocket just works:
frontend fe_http_8080
mode http
bind *:8080
default_backend be_tomcat_8080
backend be_tomcat_8080
mode http
server localhost localhost:8081 check
Note that I need tcp-mode to have http/2 working.

The issue was not related to HAProxy at the end, but to the WebSocket setup in Spring.
This fixed it:
-registry.addHandler(webSocketHandler, "/ws");
+registry.addHandler(webSocketHandler, "/ws").setAllowedOrigins("*");