Enable HTTPS Endpoint for Service Fabric Application

 

In this post, I would like to share how to host a website in secure mode (HTTPS) in Service Fabric.

Assume that I have a ReactJs application running on Service Fabric with an HTTP endpoint as below.

Now, let’s secure this site with SSL and run it on an HTTPS endpoint with the following steps.

I. Generate SSL Certificate.

Generate an SSL certificate just for development purposes. If you want to host the application on PRD, you should request the certificates from your company CA provider.

For the localhost Service Fabric, I’m using the commands below to generate a certificate with OpenSSL.

  • Create a private key.

  • Create the certificate.

  • Convert the certificate to PFX.

  • Import the PFX file.
    Open mmc.exe and import the PFX file into the Personal store of Local Computer.

If you don’t have OpenSSL, download it here.

II. Enable HTTPS for Service Fabric Application

To enable HTTPS for the Service Fabric application, we need to add some settings and variables to the configuration files. The steps below show how to set them up.

1. Add the parameter.

Add a new parameter named CertThumbprint, whose value is the thumbprint of the certificate, to Local1Node.xml and Local5Node.xml.

We may have different certificates for different environments, so we can push the thumbprint value from the Continuous Delivery system.

2. Update the ApplicationManifest.xml

Add a CertThumbprint parameter under the Parameters section and an EndpointCertificate named HttpsCert under the Certificates section as below.

3. Update the Policies for the HTTPS endpoint

In the same ApplicationManifest, add the EndpointBindingPolicy config below for ReactJs under the ServiceManifestImport section. Its CertificateRef refers to the EndpointCertificate name added above, and its EndpointRef is a new service endpoint for HTTPS that will be added later.

4. Update ServiceManifest.xml of ReactJs app.

Open ServiceManifest.xml of ReactJs and update the endpoint as below.

The Endpoint name and CertificateRef must be the same as the EndpointRef and EndpointCertificate name added to the ApplicationManifest above.
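The cross-file references from steps 2 to 4 are easy to get wrong, so here is an added example (not the code from the original post) that checks them before deployment. The manifest fragments are constructed and trimmed; the names ReactJsPkg and ServiceEndpointHttps and the port 8443 are assumptions, while CertThumbprint and HttpsCert are the names used in this post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}
# Constructed, trimmed manifests; ReactJsPkg, ServiceEndpointHttps and port 8443 are assumed.
APP_MANIFEST = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters><Parameter Name="CertThumbprint" DefaultValue="" /></Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="ReactJsPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="HttpsCert" />
    </Policies>
  </ServiceManifestImport>
  <Certificates>
    <EndpointCertificate Name="HttpsCert" X509FindValue="[CertThumbprint]" />
  </Certificates>
</ApplicationManifest>"""

SERVICE_MANIFEST = """<ServiceManifest xmlns="http://schemas.microsoft.com/2011/01/fabric" Name="ReactJsPkg">
  <Resources><Endpoints>
    <Endpoint Name="ServiceEndpointHttps" Protocol="https" Type="Input" Port="8443" />
  </Endpoints></Resources>
</ServiceManifest>"""

def check_https_wiring(app_xml, svc_xml):
    """Return a list of wiring problems; an empty list means steps 2-4 are consistent."""
    app, svc = ET.fromstring(app_xml), ET.fromstring(svc_xml)
    params = {p.get("Name") for p in app.findall("sf:Parameters/sf:Parameter", NS)}
    certs = {c.get("Name"): c.get("X509FindValue", "")
             for c in app.findall("sf:Certificates/sf:EndpointCertificate", NS)}
    endpoints = {e.get("Name"): e.get("Protocol")
                 for e in svc.findall("sf:Resources/sf:Endpoints/sf:Endpoint", NS)}
    problems = []
    for name, find_value in certs.items():
        m = re.fullmatch(r"\[(.+)\]", find_value)  # "[Param]" refers to an application parameter
        if m and m.group(1) not in params:
            problems.append(f"certificate {name}: parameter {m.group(1)} is not declared")
    for pol in app.findall("sf:ServiceManifestImport/sf:Policies/sf:EndpointBindingPolicy", NS):
        ep, cert = pol.get("EndpointRef"), pol.get("CertificateRef")
        if cert not in certs:
            problems.append(f"policy references unknown certificate {cert}")
        if ep not in endpoints:
            problems.append(f"policy references unknown endpoint {ep}")
        elif endpoints[ep] != "https":
            problems.append(f"endpoint {ep} uses protocol {endpoints[ep]}, not https")
    return problems
```

Running `check_https_wiring` on the real ApplicationManifest.xml and ServiceManifest.xml contents in the build pipeline catches a renamed endpoint or certificate before the package reaches the cluster.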

5. Update the CommunicationListener

  • Using HttpSysCommunicationListener

If you are using HttpSysCommunicationListener, use the setup below for the endpoints.

Perfect, now run the application and we have ReactJs running on HTTPS.

  • Using KestrelCommunicationListener 

The above configuration does not work with KestrelCommunicationListener, because it is not able to load the certificate from the configuration directly. Instead, we need to add some additional code to load and bind the certificate manually as below.

The GetCertificateFromStore() method

Looking into GetCertificateFromStore, you will see that I’m loading the certificate from the Config folder instead of from the certificate store. This means you can ship the certificate along with your application and bind it directly to the listener instead of importing the certificate on every server of the Service Fabric cluster. The certificate file then carries the private key inside the application package, so the package needs to be protected accordingly.

III. Working with Reverse Proxy.

However, the application is not accessible via the reverse proxy, because my local Service Fabric is running in unsecured mode and the reverse proxy supports the HTTP protocol.

In order to access the application via the reverse proxy, we need to run Service Fabric in secure mode.

1. Run Local Service Fabric in a secured mode

On localhost, run the PowerShell script below to convert Service Fabric to secured mode.

After the installation is done, we will have a secured Service Fabric cluster, and the application is accessible via the reverse proxy.

2. Run Service Fabric in secure mode in your Production.

If your PRD Service Fabric is unsecured, then follow the steps here to secure it.

You may have a question: why should we use a reverse proxy? I will share details in the next post to explain this.

Thanks for reading. Download the source code here.