Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to config PlayFramework2 to support SSL?

I've read How to configure playframework server to support ssl and I also tried to follow http://www.playframework.org/documentation/1.1.1/releasenotes-1.1#https but it doesn't work for me

many thanks~

I read the doc for Play1 because I can't find any more updated information for Play2 about https.

in application.conf, I added these lines:

https.port=9443
certificate.key.file=conf/host.key
certificate.file=conf/host.cert

I type run in the play console, and try to access the server at https://localhost:9443 the browser timed out without anything logged in the console output

like image 281
Chris Avatar asked May 25 '12 03:05

Chris


People also ask

Can I add SSL to localhost?

Steps to followDevelop a server using Node. js that is being served up using a localhost SSL certificate. Configure the Firefox web browser and the Postman API client to allow certificates that we have signed as the CA. Access the localhost with HTTPS securely from the browser or API client.

What is SSL config?

Secure Sockets Layer (SSL) configurations contain the attributes that you need to control the behavior of client and server SSL endpoints. You create SSL configurations with unique names within specific management scopes on the inbound and outbound tree in the configuration topology.


1 Answers

It won't work with the approach you are taking. You are mistaking release notes of 1.x branch with 2.x branch.

in 1.x branch, it is possible. Release notes are sufficient, and they worked for me.

For 2.1+ branch, please refer to @Christina's comment. Support has been added in 2.1 and the discussion thread provides details.

Quoting James Roper's response

In dev mode, it's very easy, just:

JAVA_OPTS=-Dhttps.port=9443 play run

Play will generate a private key and self signed certificate, which obviously your browser will balk at with a big red warning. It will reuse that generated self signed certificate for each subsequent run of Play, so you should only get the browser error once. Obviously this self signed certificate is probably not what you want in production. Also important to note is that the self signed certificate generation will only work on JVMs that use the sun security libraries (eg Oracle and OpenJDK, but most notably not IBM J9). On JVMs that don't use these, you will get a NoClassDefFoundError when it tries to generate the certificate.

In prod (and this config also applies to dev) you configure it much the same way that you configure SSL ordinarily in Java, via system properties. Here's a summary:

https.port - The port that should be used

https.keyStore - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

https.keyStoreType - The key store type, defaults to "JKS"

https.keyStorePassword - The password, defaults to ""

https.keyStoreAlgorithm - The key store algorithm, defaults to the platforms default algorithm

https.trustStore - This feature hasn't been fully implemented, currently it will always use the JDKs trust store for verifying client side certificates (which you can of course configure yourself) whether you supply a value for this or not, unless you specify "noCA", in which case, it will use a trust store that trusts all certificates with no validation or verification, which is useful for if using webid client side certificate verification.

For 2.0 branch, you have to put another server infront of play i.e either apache/nginx/other which listens on https and forwards the request to play in http.

Instructions to setup a frontend server are available at http://www.playframework.org/documentation/2.0.1/HTTPServer

So run your play server on a port. Have apache forward request from domain.com to 127.0.0.1:9443.

Sample apache config

    <VirtualHost *:443>

  ServerAdmin webmaster@localhost
  ServerName example.com
  ServerAlias *.example.com

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  ProxyPreserveHost On
#  ProxyPass  /excluded !
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/


  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on

  #   A self-signed (snakeoil) certificate can be created by installing
  #   the ssl-cert package. See
  #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
  #   If both key and certificate are stored in the same file, only the
  #   SSLCertificateFile directive is needed.
  SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>

  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Hope it helps.

like image 178
Nasir Avatar answered Sep 22 '22 20:09

Nasir