SSL/TLS Lagom


David Patrick

Jul 13, 2017, 9:32:49 AM
to Lagom Framework Users
Does Lagom support SSL/TLS connections? My customer requires them for nearly all networking interactions. I also need to be able to support mutual authentication (users sending me their certs). In Play, this was pretty easy to setup. But a project I made with the "LagomPlay" SBT Plugin seems to be ignoring these settings.

Thanks,
   David Patrick

David Patrick

Jul 14, 2017, 2:23:32 PM
to Lagom Framework Users
It looks like LagomReloadableDevServerStart.scala has a method called "mainDevOnlyHttpsMode" (in master). Though I am not seeing how to use it.... The other method, "mainDevHttpMode" gets used by Reloader.scala; but it never uses mainDevOnlyHttpsMode.

Anyone have any ideas on how to have SSL/TLS only services?

Thanks,
   David Patrick

David Patrick

Jul 19, 2017, 11:36:07 AM
to Lagom Framework Users
So, what about for production? Is there a way to disable HTTP for Lagom Services in production? Hosting only HTTPS?

Thanks,
   David Patrick

David Patrick

Jul 19, 2017, 2:33:45 PM
to Lagom Framework Users
Alright.... So, it seems as though these settings work, when using sbt-native-packager and "stage" to run a Lagom Service locally. I'm pretty sure it'll also work when archiving the project and deploying it that way somewhere else.

play.server.http.port = "disabled"
play.server.https.port = "9443"
play.server.https.keyStore.type = "JKS"
play.server.https.keyStore.path = ${KS_PATH}
play.server.https.keyStore.password = ${KS_PASS}
play.server.https.trustStore.type = "JKS"
play.server.https.trustStore.path = ${TS_PATH}
play.server.https.trustStore.password = ${TS_PASS}
play.http.sslengineprovider = "utils.MySSLEngineProvider"

This worked using:

with ConfigurationServiceLocatorComponents

I doubt it'll work with ConductR this way.... I'll have to test that next.

Thanks.
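
As an added example (not David's code, and not part of Lagom or Play), here is what a class answering to play.http.sslengineprovider = "utils.MySSLEngineProvider" can look like on Play 2.6, which Lagom 1.4 runs on. It loads the key and trust stores from the same play.server.https.* keys listed above and requires a client certificate on every handshake, which is the mutual-authentication piece David asked about. The class name is the one from David's configuration and the play.server.api.SSLEngineProvider trait with its ApplicationProvider constructor argument is Play's documented extension point; the rest (reading the stores through ConfigFactory, the protocol filter) is assumed. Note that once a custom provider is configured, Play no longer loads the key store itself, so the provider has to.

```scala
// Added example, not code from the thread: a custom SSLEngineProvider for Play 2.6 / Lagom 1.4
// that enforces mutual TLS. Wired in with
//   play.http.sslengineprovider = "utils.MySSLEngineProvider"
// Assumption: the store settings are the play.server.https.* keys David listed.
package utils

import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.{KeyManagerFactory, SSLContext, SSLEngine, TrustManagerFactory}

import com.typesafe.config.ConfigFactory
import play.core.ApplicationProvider
import play.server.api.SSLEngineProvider

class MySSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {

  private val config = ConfigFactory.load()

  // Loads "<prefix>.type/.path/.password" into a KeyStore; password returned for the KeyManager.
  private def loadStore(prefix: String): (KeyStore, Array[Char]) = {
    val store = KeyStore.getInstance(config.getString(s"$prefix.type"))
    val password = config.getString(s"$prefix.password").toCharArray
    val in = new FileInputStream(config.getString(s"$prefix.path"))
    try store.load(in, password) finally in.close()
    (store, password)
  }

  // Built once: the server identity comes from the key store, the CAs whose client
  // certificates are accepted come from the trust store.
  private val sslContext: SSLContext = {
    val (keyStore, keyPassword) = loadStore("play.server.https.keyStore")
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(keyStore, keyPassword)

    val (trustStore, _) = loadStore("play.server.https.trustStore")
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(trustStore)

    val ctx = SSLContext.getInstance("TLS")
    ctx.init(kmf.getKeyManagers, tmf.getTrustManagers, null)
    ctx
  }

  override def createSSLEngine(): SSLEngine = {
    val engine = sslContext.createSSLEngine()
    engine.setUseClientMode(false)
    // Mutual TLS: the handshake fails unless the client presents a certificate that
    // chains to a CA in the trust store. setWantClientAuth(true) would make it optional
    // and leave the decision to the application.
    engine.setNeedClientAuth(true)
    // Only negotiate the protocol versions the running JVM supports from this allow-list.
    engine.setEnabledProtocols(engine.getSupportedProtocols.filter(Set("TLSv1.2", "TLSv1.3")))
    engine
  }
}
```

Two practical points: with setNeedClientAuth(true) every caller, including load-balancer health checks, must hold a certificate issued by a trusted CA, so either give those callers certificates or switch to setWantClientAuth(true) and enforce the check in the application; and the dev-mode runner never goes through this provider, so it only takes effect from stage/dist or a deployed bundle, which matches what David observed.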

David Patrick

Jul 19, 2017, 3:45:22 PM
to Lagom Framework Users
Looking at the ConductR documentation, I'm guessing that most people just let HAProxy do all the SSL/TLS heavy-lifting for them?

That's going to make the 2-way SSL (mutual authentication) harder on me in development.... Then figuring out how to do things differently in staging/prod....

I think I can make do though....

I don't suppose enhancements to SSL/TLS support are on the Roadmap?

Tim Moore

Jul 27, 2017, 6:57:19 PM
to David Patrick, Lagom Framework Users
Hi David,

Thanks for your investigation, and I apologize for not responding sooner.

It sounds like you found most of your answers, but I'll add some clarifications:
  • Lagom does have some support for TLS connections, mostly by virtue of being built on top of other technologies that support it, but support is currently incomplete and undocumented
  • One known limitation, as you discovered, is that the development mode does not support HTTPS
  • Another is that the WebSocket client used for making streaming service calls does not support outgoing TLS ("wss" URLs) but the WebSocket server does support it, so if you are only using non-Lagom clients such as web browsers, that might be useful.
  • As far as I know, most Lagom users are indeed securing things at the network perimeter and terminating TLS in HAProxy or some other load balancer
  • I believe it is possible to get ConductR to use https endpoints for services, but it might require overriding some of the bundle configuration that is automatically generated by sbt-conductr. I don't believe there's straightforward, step-by-step documentation at this time. You can find an overview of the sbt-conductr options available in the readme at https://github.com/typesafehub/sbt-conductr
Internal, mutual TLS is something we are very interested in supporting and documenting fully in the future and have begun investigating and planning. I can't promise you a timeline at this point, but it is definitely on the road map.

In the meantime, if you're willing to keep digging around under the hood, I think it should be possible to accomplish what you need, and I would be very interested to hear how it goes. Please keep asking questions and I'll try to be more responsive in the future.

Cheers,
Tim Moore

--
You received this message because you are subscribed to the Google Groups "Lagom Framework Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lagom-framework+unsubscribe@googlegroups.com.
To post to this group, send email to lagom-framework@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lagom-framework/b0024f0c-483a-4ad4-aa46-23b106cb5a8e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Tim Moore
Senior Engineer, Lagom, Lightbend, Inc.

Jimbo

Nov 17, 2017, 1:03:24 PM
to Lagom Framework Users
Tim,

Can I just add a bit of weight to David's request. My client has a full authorisation extension built for PLAY that uses Mutual TLS to get the subject DN for the client X509 cert. It then uses that to validate their access to resources either by group or by a white list. I'm looking at Lagom as a great way of building well scoped microservices, but I'll need to apply the same approach to all its components including the data storage. Any documentation you can provide on securing each of the parts would be really helpful.

Cheers 

Jimbo 

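An added example, not Jimbo's client's extension and not part of the thread, of the approach Jimbo describes on the Play side: a Play 2.6 ActionBuilder that reads the certificate chain Play exposes as request.clientCertificateChain after a mutual-TLS handshake, takes the subject DN of the leaf certificate, and lets the call through only if that DN is on an allow list or its OU attribute names an allowed group. The names ClientCertAuth and ClientCertAction and the allow-list values are constructed placeholders; the ActionBuilderImpl, RequestHeader.clientCertificateChain and X500Principal/LdapName APIs are real.

```scala
// Added example, not code from the thread: authorise a Play 2.6 request by the
// subject DN of the client certificate presented during the mutual-TLS handshake.
// ClientCertAuth / ClientCertAction and the policy values below are constructed.
package utils

import javax.naming.ldap.LdapName
import javax.security.auth.x500.X500Principal
import scala.collection.JavaConverters._
import scala.concurrent.{ExecutionContext, Future}

import play.api.mvc._

object ClientCertAuth {
  // Constructed policy: exact DNs that are always allowed, and OU values treated as "groups".
  val allowedDns: Set[String] = Set("CN=billing-service,OU=Payments,O=Example Corp")
  val allowedGroups: Set[String] = Set("Platform")

  // Parse the RFC 2253 form of the DN into attribute type -> value (last value wins
  // for a repeated type, which is fine for an allow-list check on OU).
  def attributes(principal: X500Principal): Map[String, String] =
    new LdapName(principal.getName(X500Principal.RFC2253)).getRdns.asScala
      .map(rdn => rdn.getType.toUpperCase -> rdn.getValue.toString)
      .toMap

  // Compare the canonical RFC 2253 string, never a display string, so attribute
  // ordering or escaping differences cannot produce a false match or mismatch.
  def isAuthorised(principal: X500Principal): Boolean = {
    val dn = principal.getName(X500Principal.RFC2253)
    allowedDns.contains(dn) || attributes(principal).get("OU").exists(allowedGroups.contains)
  }
}

// Wraps an action so that only requests carrying an authorised client certificate reach it.
class ClientCertAction(parser: BodyParser[AnyContent])(implicit ec: ExecutionContext)
    extends ActionBuilderImpl(parser) {

  override def invokeBlock[A](request: Request[A], block: Request[A] => Future[Result]): Future[Result] = {
    // Populated only when the SSLEngine asked for client auth (need or want); the
    // first element is the leaf certificate the peer authenticated with.
    val leaf = request.clientCertificateChain.flatMap(_.headOption)
    leaf match {
      case Some(cert) if ClientCertAuth.isAuthorised(cert.getSubjectX500Principal) =>
        block(request)
      case Some(_) =>
        Future.successful(Results.Forbidden("client certificate not authorised"))
      case None =>
        Future.successful(Results.Unauthorized("client certificate required"))
    }
  }
}
```

Because the TLS layer has already verified the chain against the trust store, this filter only has to decide what the authenticated identity may do; it deliberately does not re-validate the certificate itself. Lagom's own RequestHeader carries no certificate accessor, so this applies to Play controllers mounted in the service rather than to ServiceCall handlers, and if TLS is terminated in HAProxy as Tim describes, the DN has to be forwarded in a header the proxy sets and the application trusts only from that proxy.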

dave.d...@closedloop.ai

Jan 12, 2018, 2:22:25 PM
to Lagom Framework Users
I took a look at this and did a first version of an akka-http client, which I put up a Gist for.  See:  https://stackoverflow.com/questions/48232680/can-you-use-ssl-tls-for-websockets-in-lagom

It's got some issues, but is working well for my needs.

Dave

yani...@gmail.com

Aug 6, 2018, 10:20:56 AM
to Lagom Framework Users [deprecated]
Hi,

I'm developing client-server application using ReactJs and Lagom.

I tried to change my application to work with https requests with no success and I encountered this old discussion. 
Is it now possible to configure Lagom to work with SSL/TLS connections?

p.s. - I also tried to create a workaround using play and akka, but again I failed to find a solution.

Thanks for the help,
Yaniv.

On Friday, January 12, 2018 at 21:22:25 UTC+2, dave.d...@closedloop.ai wrote: