Configuring a spring application to use https behind an ELB

I have a couple of sites that run on AWS and take advantage of Elastic Load Balancers to handle proxying to servers in a private VPC as well handling https security. While CloudFront distributions can be configured to upgrade requests to https if they come in as HTTP, I haven’t found a way to configure ELB connections to do the same. What I wanted is for the ELB to listen on both port 80 and 443 and if a connection comes in on 80, then to redirect to the same request on 443. This way if a user just enters the URL into their browser, they’ll automatically be upgraded to https even if they didn’t remember to specify it.

It’s fairly simple to accomplish this with an Interceptor. Create a class that will handle the redirects.

 

@Component
public class SecurityInterceptor extends HandlerInterceptorAdapter {
  
  private static Logger logger = LoggerFactory.getLogger(SecurityInterceptor.class);
  
  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
    String proto = request.getHeader("X-Forwarded-Proto");
    if (!Strings.isNullOrEmpty(proto)) {
      logger.debug("Found proto: {}", proto);
      if ("http".equalsIgnoreCase(proto)) {
        StringBuffer redirectString = createRedirect(request);
        logger.debug("Redirecting to {}", redirectString);
        response.sendRedirect(redirectString.toString());
        return false;
      }
    }
    logger.debug("No proto header found");
    return true;
  }
  
  private StringBuffer createRedirect(HttpServletRequest request) throws IOException {
    StringBuffer result = request.getRequestURL();
    result.insert(4, "s");
    
    String queryString = request.getQueryString();
    if (!Strings.isNullOrEmpty(queryString)) {
      result.append("?");
      result.append(queryString);
    }
    
    return result;
  }
  
}

Since encryption is handled by the ELB and all traffic arrives at the server as HTTP we have to rely on the x-forwarded headers to know if we should redirect the request back to a secure page.

Then I have a config class to load the Interceptor.

@Configuration
public class WebMVCConfig extends WebMvcConfigurerAdapter {
  
  @Autowired
  private SecurityInterceptor securityInterceptor;

  @Override
  public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(securityInterceptor);
  }
}

This Interceptor is specific to the x-forwarded headers that ELBs will send to the backend instance.

 

Hiring for culture fit can have unintended consequences

An interesting post on “culture fit.” I’ve been catching up on the SAASTR podcasts, and a lot of the interviewees sound like they’re falling into this trap. I agree with Matt’s assertion that by trying to hire people that you would want to hang out with, you will end up hiring a lot of people that look like you. Instead, you should focus on culture agnostic characteristics:

  • Are they kind and empathetic?
  • Do they care about their work?
  • Do they have good communication skills?
  • Do they have good self-management skills?

Finally, also look for “Do they bring a valuable new perspective?”

Terminal hack to make logging into a cluster easier

I’ve been looking for a way to make it simpler to quickly login to all nodes of a cluster from a mac terminal. Discovered a small npm module that helped me do it called ttab. With this npm module I can then write a bash script:

#!/bin/bash

TYPE=$1

rs6 () {
ttab -w ssh bryan@example1.com
ttab ssh bryan@example2.com
ttab ssh bryan@example3.com
ttab ssh bryan@example4.com
ttab ssh bryan@example5.com
ttab ssh bryan@example6.com
}

if [ “rs6” = $TYPE ]
then
rs6
fi

This will open one new terminal window with 6 tabs all logged into the different servers.