I hope this isn't a duplicate question. I set up a simple Java server based on Grizzly in GCP. It is an HTTP server servicing requests on 8080. I have not been able to set up an HTTPS server (and I tried...) and the server (which responds publicly to postman, curl, etc.) cannot receive any requests from my public website, since the website is on HTTPS. So when sending a request, this error obviously appears:
index.html was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint. This request has been blocked; the content must be served over HTTPS.
A (very...) naive attempt to just send a request to my endpoint using a link which has https and 443 results in:
failed to receive handshake, SSL/TLS connection failed
So my question is: if I am unable to define an HTTPS server (due to my own limitations), is there a way to configure a middle VM which will receive the client request on 443, send it to my actual server on 8080, then relay the response back?
CodePudding user response:
The Cloud Load Balancing service within GCP is precisely dedicated to acting as an intermediary.
To configure a Load Balancer specifically for your use case in Cloud Shell you can follow these steps:
- Configure the default zone.
gcloud config set compute/zone <your-vm-zone>
- Create an Unmanaged Instance Group.
gcloud compute instance-groups unmanaged create ig-us-c1
- Add your VM to the previously created Instance Group.
gcloud compute instance-groups unmanaged add-instances ig-us-c1 --instances=<your-instance-name>
- Create an external IP for the Load Balancer.
gcloud compute addresses create <ip-name> \
--ip-version=IPV4 \
--network-tier=PREMIUM \
--global
- Create a health check.
gcloud compute health-checks create http http-basic-check \
--port 80
- Create a backend service.
gcloud compute backend-services create web-backend-service \
--load-balancing-scheme=EXTERNAL \
--protocol=HTTP \
--port-name=http \
--health-checks=http-basic-check \
--global
- Add the instance group as the backend to the backend service.
gcloud compute backend-services add-backend web-backend-service \
--instance-group=ig-us-c1 \
--instance-group-zone=<your-vm-zone> \
--global
- Create a URL map to route the incoming requests to the default backend service.
gcloud compute url-maps create web-map-https \
--default-service web-backend-service
- Create a target HTTPS proxy to route requests to your URL map.
gcloud compute target-https-proxies create https-lb-proxy \
--url-map=web-map-https \
--ssl-certificates=www-ssl-cert
Note: The SSL certificates can be self-managed or Google-managed; for testing purposes you can take a look at this document describing the usage of self-managed SSL certificates.
- Create a global forwarding rule to route incoming requests to the proxy.
gcloud compute forwarding-rules create https-content-rule \
--load-balancing-scheme=EXTERNAL \
--network-tier=PREMIUM \
--address=<ip-name> \
--global \
--target-https-proxy=https-lb-proxy \
--ports=443
- Create a DNS zone and record pointing to the Load Balancer external IP address.
gcloud beta dns managed-zones create example-zone --description="" --dns-name="example.com." --visibility="private" --networks="default"
gcloud beta dns record-sets transaction start --zone="example-zone"
gcloud beta dns record-sets transaction add <lb-public-ip-address> --name="*.example.com." --ttl="300" --type="A" --zone="example-zone"
gcloud beta dns record-sets transaction execute --zone="example-zone"
You can test using the command: curl https://<hostname.example.com>
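The steps above as one script, added here as an example and not part of the answer. It follows the answer's resource names but differs in two places that matter for a Grizzly server on 8080: the instance group gets a named port `http:8080` (otherwise `--port-name=http` on the backend service has nothing to resolve to) and the health check probes 8080 rather than 80. It also adds a firewall rule that admits TCP/8080 only from Google's published load-balancer and health-check source ranges (130.211.0.0/22 and 35.191.0.0/16), because after TLS is terminated at the load balancer the leg to the VM is plaintext HTTP and the VM should not be reachable on that port from the internet directly. The zone, VM name and network are placeholders (assumptions) set through environment variables; `www-ssl-cert` is the certificate resource named in the answer. With `DRY_RUN=1` (the default) the script only prints the `gcloud` commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not the answer's own commands): provisions a global external
# HTTPS load balancer in front of one VM that serves plain HTTP on 8080.
# FIX  - named port http:8080 on the instance group, so --port-name=http works.
# FIX  - health check probes 8080, the port Grizzly actually listens on.
# ADDED- firewall rule limiting TCP/8080 to Google LB / health-check ranges.
# DRY_RUN=1 (default) prints the gcloud commands instead of executing them.

set -eu

DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-us-central1-a}"          # ASSUMPTION: placeholder zone
VM_NAME="${VM_NAME:-grizzly-vm}"       # ASSUMPTION: placeholder VM name
NETWORK="${NETWORK:-default}"          # ASSUMPTION: default VPC network
BACKEND_PORT="${BACKEND_PORT:-8080}"   # the Grizzly HTTP port from the question
CERT_NAME="${CERT_NAME:-www-ssl-cert}" # certificate resource named in the answer
IG="ig-us-c1"
IP_NAME="lb-ip"
HC="http-basic-check"
BE="web-backend-service"
URLMAP="web-map-https"
PROXY="https-lb-proxy"
RULE="https-content-rule"

# Google-published source ranges for external HTTP(S) LB proxies and health checks.
LB_RANGES="130.211.0.0/22,35.191.0.0/16"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

create_backend() {
  run gcloud compute instance-groups unmanaged create "$IG" --zone "$ZONE"
  run gcloud compute instance-groups unmanaged add-instances "$IG" \
      --zone "$ZONE" --instances "$VM_NAME"
  # FIX: map the named port used by the backend service to the real app port.
  run gcloud compute instance-groups unmanaged set-named-ports "$IG" \
      --zone "$ZONE" --named-ports "http:$BACKEND_PORT"
  # FIX: probe the port the server actually listens on.
  run gcloud compute health-checks create http "$HC" \
      --port "$BACKEND_PORT" --request-path /
  run gcloud compute backend-services create "$BE" \
      --load-balancing-scheme EXTERNAL --protocol HTTP --port-name http \
      --health-checks "$HC" --global
  run gcloud compute backend-services add-backend "$BE" \
      --instance-group "$IG" --instance-group-zone "$ZONE" --global
}

create_frontend() {
  run gcloud compute addresses create "$IP_NAME" --ip-version IPV4 \
      --network-tier PREMIUM --global
  run gcloud compute url-maps create "$URLMAP" --default-service "$BE" --global
  run gcloud compute target-https-proxies create "$PROXY" \
      --url-map "$URLMAP" --ssl-certificates "$CERT_NAME"
  run gcloud compute forwarding-rules create "$RULE" \
      --load-balancing-scheme EXTERNAL --network-tier PREMIUM \
      --address "$IP_NAME" --global --target-https-proxy "$PROXY" --ports 443
}

lock_down_backend() {
  # Only the LB proxies and health checkers may reach the plaintext port.
  run gcloud compute firewall-rules create allow-lb-to-backend \
      --network "$NETWORK" --direction INGRESS --action allow \
      --rules "tcp:$BACKEND_PORT" --source-ranges "$LB_RANGES"
}

main() {
  create_backend
  create_frontend
  lock_down_backend
}

main
```

Run it once as-is to review the plan, then with `DRY_RUN=0` to apply it; the external address shows up with `gcloud compute addresses describe lb-ip --global`. Two caveats: a Cloud DNS zone created with `--visibility="private"`, as in the answer's last step, only resolves inside the VPC, so the public website needs a public zone or an A record at whatever DNS already serves the site; and because the load balancer speaks plain HTTP to the VM, the server should treat the `X-Forwarded-Proto` and `X-Forwarded-For` headers set by the load balancer, not the socket's own transport, as the source of truth when it logs or decides anything based on the client connection.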
