Skip to main content

HTTPS Server on the Cloud

David Liu4/3/26About 5 min

HTTPS Server on the Cloud

CIS5550 DNS password

  • Username: liudawei
  • Password: R7tcE8W2

Folks, I've released HW3 just now. To test your solution for this assignment, you will need an account on AWS Academy, which will basically give you access to AWS with some (limited) free credits - $50, if I remember correctly. Could everyone please look for this invite, under the email address they're officially enrolled with, and accept it today if at all possible? If you don't see the invite yet, please give it a few hours (in case of delays) and double-check all of your email accounts, including the various spam folders. If, by the end of today (2/11) you still can't find the invite, please post a followup below or contact me via email, and I'll resend it.

A quick word on the Academy accounts: $50 should be more than enough to complete the homework assignments and the project, but you do need to be a bit careful - please don't waste your credits (e.g., by allocating overly fancy and expensive EC2 instance types), and please do free up any resources you allocate as soon as you no longer need them. It's always a good idea to keep an eye on your account balance and to investigate if you see it drop without a clear reason. The TAs and I would be more than happy to help you investigate and fix unexplained credit drains, but if you do run out of credits, there is nothing we can do - we don't have any spare credits to give you, and we can't make Amazon refund you credits you spent accidentally. At that point your only option would then be to create an account on the 'regular' AWS and to start paying for any additional resources out of pocket. One again, this shouldn't happen - $20 or so should be enough to comfortably finish all the AWS activities during the semester, as long as you are being a bit careful, and you have more than twice that much.

Another puzzle piece you will need for HW3 is an account on our DNS server. This isn't ready yet, but it should be soon, and you can start the assignment without it - you'll only need this once you're ready to start requesting your TLS certificate. I'll make another announcement about this later.

Overview

For this assignment, you will extend your dynamic HTTP server from HW2 with support for sessions and HTTPS, and you will deploy it on a real cloud platform, with a valid, CA-signed TLS certificate.

Implementation-wise, this assignment should actually be quite a bit easier than the first two assignments. The main challenge is in the AWS deployment, but we’ve included detailed steps for this in Section 3 below. Please do not try the deployment step at the last minute! If something unexpected happens, it may take a bit of time to find the problem, and if you need to update your DNS record, the changes can take hours to propagate everywhere, and there is no way you or we can speed this up.

As in the earlier assignments, please do use Google, answers from the discussion group, the Java API reference and, if necessary, a good Java book to solve simple problems on your own. The Spark Framework documentation may be useful if you have questions about the API. If none of these steps solve your problem, please post on the discussion group, and we will be happy to help!

Requirements

Please start by downloading the HW3 package from http://cis5550.net/hw3.zip. This contains a README file with a short questionnaire, an Eclipse project definition (which you can ignore if you are not using Eclipse), a small test suite, and four interfaces (Request, Response, Session, and Route). Notice that the Request interface is a bit different from the one that was included with HW2. Your solution must meet the following requirements:

HTTPS support: There should be an additional static method called securePort in your Server class, which should accept a port number. If this method is called before the first route is defined, your server should accept requests both via HTTP and via HTTPS, on different ports; the port number for HTTPS is the argument to securePort, and the port number for HTTP is the argument to port, if it has been called, or 80 otherwise. If securePort has been called, your server should load the TLS certificate from a file called keystore.jks, using a default keystore password of secret, which (for HW3 purposes) you may hardcode in your solution.

Sessions: You should implement the additional session() method in the Request interface. When this method is first called for a given request, your server should check whether the request included a cookie with the name SessionID and the value of that cookie is currently associated with a Session object. If such an object is found, the method should return it; otherwise, it should 1) pick a fresh, random session ID of at least 120 bits, 2) instantiate a new Session object, 3) associate this object with the chosen session ID, 4) add a Set-Cookie header to the response that sets the SessionID cookie to the chosen session ID, and 5) return the Session object. If the method is called again while the server is still handling the same request, it should return the same Session object. When the method is never called, no session objects or SessionID cookies should be created.

Session expiration: Each Session object should have a maximum active interval tmax, which can be set with the maxActiveInterval method and should be 300 seconds by default. When, for a period tmax, the server has not received any requests with the session ID that is associated with the object, the object should “expire”, and the server should behave as if the object did not exist. You do not need to delete session objects immediately when they expire, but you should delete expired objects periodically; when the server receives no more requests, all existing Session objects should be deleted eventually.

AWS deployment: You should deploy your server on an EC2 instance, such that it can be reached by https://<yourname>.cis5550.net/, where <yourname> is the login name of your SEAS account. (For instance, my own login name is ahae, so I would deploy my server at ahae.cis5550.net.) The server’s main page should say “Hello World - this is <yourname>”, with your own full name instead of “<yourname>”. You should obtain a TLS certificate from Let’s Encrypt for your domain name, and use it in this deployment. Once the server is deployed, you should open https://<yourname>.cis5550.net/ in a standard web browser (Firefox, Safari, Chrome, Edge, or something comparable), make a screenshot, and include this screenshot as a file called screenshot.png or screenshot.jpg (depending on the format of the screenshot) with your submission.

Low delay: Your server should respond to requests immediately, instead of waiting for Nagle’s algorithm. You can achieve this by calling conn.setTcpNoDelay(true) right after the accept() call. This is important to keep response times low in later homeworks.

Miscellaneous: The intention is that you will reuse and extend your Server implementation from HW2; you can simply copy over your code (except for the four interfaces that were included in the HW3 package) to the HW3 project. All the original requirements from HW2 continue to apply.

Packaging: Your solution should be in a directory called HW3, which should contain 1) the README file from the HW3 package, with all the fields filled in; 2) the screenshot, as described above; 3) your keystore.jks file with the Let’s Encrypt certificate (which you will have to download from your EC2 instance); and 4) a subdirectory called src with all of your source code, including the files we provided, and in the directory structure Java expects (with subdirectories for packages). Your solution must compile without errors if, from the HW3 folder, you run javac --source-path src src/cis5550/webserver/Server.java. Please do try this before you submit! Submissions that fail this basic check will receive a zero.

Extra credit

If you like, you can implement the following additional features for some extra credit. If you do, please indicate this in the README file you submit!

Add support for multiple hosts (+10 points):

This extra credit is only available if you’ve already done the “multiple hosts” EC on HW2. (If you haven’t done that, you can implement it now, but you won’t receive additional credit.) Add two additional arguments to your host method – the first should be the name of an additional key store file for the new host, and the second should be the corresponding password. Then, generate additional certificates and use the SNI extension to pick the correct one for an incoming connection. You can use the SNIInspector class in the cis5550.tools package to read the SNI hostname; the file should contain additional instructions. (If you need additional accounts on dns.cis5550.net for testing, please contact the instructor.) For any routes that were defined before host is called, you should use the original keystore.jks file, and these routes should be “default routes” that are used if no SNI hostname is included in the request at all, or if the hostname is not among the ones given as arguments to host.

Have a closer look at the Set-Cookie: header and use the security features it provides – including at least HttpOnly, Secure (if HTTPS is used), and SameSite attributes.

David's Blog
Copyright © 2026 David Liu