How to config PlayFramework2 to support SSL?

Question

I\'ve read How to configure playframework server to support ssl and I also tried to follow http://www.playframework.org/documentation/1.1.1/releasenotes-1.1#https but it doe

Answer 1

The documentation for setting up the current version of Play (2.2.x) is here: http://www.playframework.com/documentation/2.2.x/ConfiguringHttps

Answer 2

It won't work with the approach you are taking. You are mistaking release notes of 1.x branch with 2.x branch.

in 1.x branch, it is possible. Release notes are sufficient, and they worked for me.

For 2.1+ branch, please refer to @Christina's comment. Support has been added in 2.1 and the discussion thread provides details.

Quoting James Roper's response

In dev mode, it's very easy, just:

JAVA_OPTS=-Dhttps.port=9443 play run

Play will generate a private key and self signed certificate, which obviously your browser will balk at with a big red warning. It will reuse that generated self signed certificate for each subsequent run of Play, so you should only get the browser error once. Obviously this self signed certificate is probably not what you want in production. Also important to note is that the self signed certificate generation will only work on JVMs that use the sun security libraries (eg Oracle and OpenJDK, but most notably not IBM J9). On JVMs that don't use these, you will get a NoClassDefFoundError when it tries to generate the certificate.

In prod (and this config also applies to dev) you configure it much the same way that you configure SSL ordinarily in Java, via system properties. Here's a summary:

https.port - The port that should be used

https.keyStore - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you

https.keyStoreType - The key store type, defaults to "JKS"

https.keyStorePassword - The password, defaults to ""

https.keyStoreAlgorithm - The key store algorithm, defaults to the platforms default algorithm

https.trustStore - This feature hasn't been fully implemented, currently it will always use the JDKs trust store for verifying client side certificates (which you can of course configure yourself) whether you supply a value for this or not, unless you specify "noCA", in which case, it will use a trust store that trusts all certificates with no validation or verification, which is useful for if using webid client side certificate verification.

For 2.0 branch, you have to put another server infront of play i.e either apache/nginx/other which listens on https and forwards the request to play in http.

Instructions to setup a frontend server are available at http://www.playframework.org/documentation/2.0.1/HTTPServer

So run your play server on a port. Have apache forward request from domain.com to 127.0.0.1:9443.

Sample apache config

    <VirtualHost *:443>

  ServerAdmin webmaster@localhost
  ServerName example.com
  ServerAlias *.example.com

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  ProxyPreserveHost On
#  ProxyPass  /excluded !
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/


  #   SSL Engine Switch:
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on

  #   A self-signed (snakeoil) certificate can be created by installing
  #   the ssl-cert package. See
  #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
  #   If both key and certificate are stored in the same file, only the
  #   SSLCertificateFile directive is needed.
  SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>

  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Hope it helps.

Answer 3

One thing we did was to use AWS ELB to handle our SSL, then setup the SSL forwarding (HTTP -> HTTPS) using a plays filters. The main benefit, takes the SSL load off your server and you don't have to run Apache or Nginx in front of play (as some solution point out).

You can see my answer here: https://stackoverflow.com/a/23646948/690164

I also write a bit more about it in my blog: http://www.mentful.com/2014/05/25/play-framework-filter-for-aws-elastic-load-balancer-forward-http-to-https/

Answer 4

Right now you seem to need a reverse proxy managing the SSL for you. I found a ticket and a thread discussing this.

Answer 5

I'm using securesocial 3.0.3M. Set

securesocial.ssl = true 

in securesocial.conf and you should be good to go. Then restart your sbt or activator with

JAVA_OPTS=-Dhttps.port=9443 activator run

Go to localhost:9443

enjoy

Answer 6

This is useful for locally testing https:

activator "run -Dhttps.port=9005"

Then point your browser to https://localhost:9005.