Implement SSL Using Docker in Maven

Introduction

SSL (Secure Socket Layer) is an encryption-based internet security protocol for ensuring the data privacy, authentication and data integrity. It is widely used in the world of internet but it’s use in securing web over https is point of attraction. But in modern days we use TLS (Transport Layer Security) whom you can call successor of SSL.

In this article we are going to implement SSL for a maven project but you can implement it into other projects as well by following the same process and little different configuration according to your needs. We can implement SSL via Docker or configuring certificate in maven configuration but here I will walk you through the first approach.

If you wish to configure SSL certificate using maven configuration properties please visit here for more details.

Certificates

Before going into practicals you will need to know about certificates.

We will talk about 2 types of signed certificates:

1. CA Signed Certificate: These certificates are issued by a verified Certificate Authority. You can get these by providing all your business information and domain name.
2. Self Signed Certificate: These certificates can be generated without any third party authorization and you can generate it using OpenSSL CLI tool. It is free to use CLI tool to generate certificates.

So now you know what types of certificates are there and how you can get it to get your work done.

In this blog we will use self signed certificates.

Pre-requisites

1. Java 8 or higher
2. Spring boot
3. OpenSSL
4. Docker compose

Let’s skip to the Good part 😉

Implementation

• Create Kickstart Project

Create a maven project using start.spring.io  (If you are using any other language then create a kickstart project for you).

• Create Certificate

We need to create a self signed certificate or you will receive CA signed certificate from your certificate provider. 

It’s time to create a brand new certificate branded(signed) by yourself.

If you already have a private key then you can use below command to create a certificate:

We have now finished creating the keys and certificates. but where should we save them so we may use them in our projects?

Our certificate and key will be kept in a directory called cert that will be created in the root directory of our project.

Voilla!

We have created the certificate but that’s not all !!! Ruko Jara… Sabar Karo !!!

Now we need to configure Nginx server in docker environment to use this certificate.

• Create Nginx.conf file in your project’s root folder and copy below content in it:

  events { worker_connections 2048; # set the maximum number of simultaneous connections } http { server { listen 80; server_name localhost; location / { proxy_pass http://localhost:80; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } server { listen 443 ssl; server_name localhost; ssl_certificate /etc/nginx/cert/server.crt; ssl_certificate_key /etc/nginx/cert/server.key; location / { proxy_pass http://app:80; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # enable websocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } }

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

  events {     worker_connections 2048;  # set the maximum number of simultaneous connections }   http {   server {     listen 80;     server_name localhost;       location / {       proxy_pass http://localhost:80;       proxy_set_header Host $host;       proxy_set_header X-Real-IP $remote_addr;       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;     }   }     server {     listen 443 ssl;     server_name localhost;       ssl_certificate /etc/nginx/cert/server.crt;     ssl_certificate_key /etc/nginx/cert/server.key;       location / {       proxy_pass http://app:80;       proxy_set_header Host $host;       proxy_set_header X-Real-IP $remote_addr;       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;         # enable websocket support       proxy_http_version 1.1;       proxy_set_header Upgrade $http_upgrade;       proxy_set_header Connection "upgrade";     }   } }

• The events block sets the maximum number of simultaneous connections that can be handled by the Nginx worker processes.
• The http block contains two server blocks that define the virtual hosts that Nginx will listen on.
• The first server block listens on port 80 for incoming HTTP requests and sets the server_name to localhost. The location / block defines the proxy pass configuration for requests that match the root location. It passes the incoming request to http://localhost:80, sets the Host, X-Real-IP, and X-Forwarded-For headers, and forwards the request to the backend application.
• The second server block listens on port 443 for incoming HTTPS requests and sets the server_name to localhost. The ssl_certificate and ssl_certificate_key directives specify the SSL certificate and key files for this virtual host. The location / block is similar to the first server block, but it passes the incoming request to the Docker container named app using the proxy_pass directive. It also sets the Host, X-Real-IP, and X-Forwarded-For headers, and enables support for websockets by setting the Upgrade and Connection headers.

• Now we will write a docker-compose.yml file for creating containers of spring boot application and one for Nginx server.

This file defines two services, app and nginx, and a volume named cert. Here’s a breakdown of the configuration:

• The version field specifies the version of the Docker Compose file format being used.
• The services field contains two service definitions:
• The app service builds a Docker image using the Dockerfile in the current directory (context: .), and exposes port 8080 for incoming requests. It also sets environment variables for the database connection details.
• The nginx service uses the nginx image from Docker Hub, and exposes ports 80 and 443 for incoming HTTP and HTTPS requests. It also mounts the nginx.conf and cert directories as volumes inside the container. The depends_on field specifies that this service depends on the app service, which means that the app will start before nginx.

The volumes field defines a named volume named cert. This volume can be shared between containers, and will be created automatically by Docker when the Compose file is run.

That’s all??

Wait! Wait! Kaha ja rahe ho… Ruko!!! Picture abhi baki hai !

Here if you noticed we are using a Dockerfile that we didn’t create yet. So let’s create a Dockerfile in your project root directory (Same as docker-compose.yml and Nginx.conf) to build a docker image.

Create Dockerfile

This Dockerfile will compile your maven project and create a Jar file and then will run it using java -jar app.jar command.

That’s It and you are all set to fire 🔥. 

You can find the complete project here. replace certificate and key with your own in cert directory.

Don’t Forget to practically implement and leave the feedback or queries.