This project demonstrates a highly scalable, eventually consistent system using multiple services including HAProxy, Spring Boot, RabbitMQ, DynamoDB, Kafka, Redis, and React.
The system implements a CQRS (Command Query Responsibility Segregation) pattern with separate pathways for write and read operations, ensuring optimal performance and scalability.
This system implements comprehensive TLS encryption for all communications:
- HTTPS Termination: HAProxy handles SSL termination on port 8443
- Certificate Management: Automated SSL certificate generation using
ssl-cert-generator - Configuration:
load_balancer/haproxy.cfgwith SSL bindings - Certificate Storage: Shared
ssl-certsvolume across services
- Network Segmentation:
backendandinternalnetworks for secure communication - Service Mesh: mTLS configured for internal service communications
- Database Encryption: TLS for PostgreSQL, Redis, and other data stores
- Message Broker Security: RabbitMQ with TLS and authentication (
config/rabbitmq/rabbitmq.conf)
# Automatic SSL certificate generation
docker compose up ssl-cert-generator
# Manual certificate regeneration
./scripts/setup-ssl.sh
# Certificate files location
ls -la ssl-certs/
# server.crt, server.key - External HTTPS
# internal.crt, internal.key - Internal mTLSAll write requests (create, update, delete) follow an event-driven asynchronous pattern through RabbitMQ message queues:
┌──────────────┐ ┌───────────────┐ ┌──────────────┐ ┌─────────────────┐
│ │ │ │ │ │ │ │
│ React ├───►│ HAProxy ├───►│ Write Layer ├───►│ RabbitMQ │
│ Web App │ │ Load │ │ (Port 8081) │ │ Exchange │
│ (Port 3001) │ │ Balancer │ │ │ │ (Port 5672) │
│ │ │ (Port 8080) │ │ │ │ │
└──────┬───────┘ └───────────────┘ └──────┬───────┘ └─────────┬───────┘
│ 🔒 TLS │ │
│ 🔐 JWT Auth (HTTPS) 🔐 JWT Validation 🔒 TLS+Auth │
│ │ ▼
│ ┌─────────▼─────────┐ ┌─────────────────────────────────────┐
│ │ │ │ Event Routing │
│ │ Keycloak │ │ 🔒 Internal TLS │
│ │ (Port 8090) │ │ │
│ │ │ │ user.event │ coupon.event │
└─────────────────────────────►│ 🏢 Identity │ │ order.event │ notification.event│
🔒 TLS │ Provider │ │ product.event │ general.event │
(HTTPS) └───────────────────┘ └─────────────────────────────────────┘
┌─────────────────────────────┼─────────────────────────────┐
▼ ▼ ▼
┌─────────────┐ ┌─────────────┐
│ │ │ │
│ Coupon │ │ Public API │
│ Service │ │ Service │
│ (Port 8086) │ │ (Port 8082) │
│ │ │ │
└─────┬───────┘ └─────┬───────┘
│ │
│ 🔐 JWT + 🔒 TLS │ 🔐 JWT + 🔒 TLS
│ (Read Operations) │ (Read Operations)
▼ ▼
┌─────────────┐ ┌─────────────┐
│ DynamoDB │ │ DynamoDB │
│ (Port 8000) │ │ (Port 8000) │
│🔒 Local TLS │ │🔒 Local TLS │
└─────┬───────┘ └─────┬───────┘
│ │
└─────────────┐ │
▼ ▼
┌─────────────────────────────────────────────────┐
│ Kafka │
│ (Port 9092) │
│ Event Streaming │
│ 🔒 Internal TLS │
└─────────────────┬───────────────────────────────┘
│
▼
┌─────────────────┐
│ Cache Sync │
│ Service │
│ (Background) │
│ 🔒 TLS │
└─────────┬───────┘
│
▼
┌─────────────────┐
│ Redis Cache │
│ (Port 6379) │
│🔒 TLS + Auth │
└─────────────────┘
All read requests follow a synchronous cache-first pattern for optimal performance:
┌──────────────┐ ┌───────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ │ │ │ │ │ │ │
│ React ├───►│ HAProxy ├───►│ Service ├───►│ Redis Cache │
│ Web App │ │ Load │ │ (Direct Route) │ │ (Port 6379) │
│ (Port 3001) │ │ Balancer │ │ │ │ 🔒 TLS+Auth │
│ │ │ (8080→8443) │ │ │ │ │
└──────┬───────┘ └───────┬───────┘ └──────────────────┘ └─────────┬───────┘
│ │ │ │
│ 🔐 JWT Auth │🔒 TLS ┌───────┼───────┐ │🔒 TLS
│ │ ▼ ▼ │
│ ┌───────┼───────┐ ┌─────────────┐ ┌─────────────┐ │
│ ▼ ▼ │ │ │ │ │
│ ┌─────────────┐ ┌─────────────┐ │ Coupon │ │ Public API │ │
│ │ │ │ │ │ Service │ │ Service │ │
│ │ 🔐 Keycloak │ │ Public API │ │ (Port 8086) │ │ (Port 8082) │ │
│ │ Auth Check │ │ (Port 8082) │ └─────┬───────┘ └─────────────┘ │
│ │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ │ 🔐 JWT + 🔒 TLS │
│ │ │ (Protected Endpoints) │
│ │🔒 TLS │ │
│ │ ▼ │
│ ┌───────▼─────────┐ ┌─────────────┐ │
│ │ │ │ │ │
└───►│ Keycloak │ │ Keycloak │◄────────────────┘
│ (Port 8090) │ │ JWT │ 🔒 TLS
│ 🔒 TLS │ │ Validation │
│ │ │ │
│ 🏢 Identity │ └─────────────┘
│ Provider │ │
└─────────────────┘ │🔒 TLS
│ ┌───────┼───────┐
│🔒 TLS ▼ ▼
│ ┌─────────────┐ ┌─────────────┐
│ │ │ │ │
│ │ Cache Hit │ │ Cache Miss │
│ │ (Fast) │ │ (Fallback) │
│ │ │ │ │
│ └─────────────┘ └─────┬───────┘
│ │
│ Routes: │🔒 TLS
│ • /api/v1/coupons │
│ • /api/v1/users │
│ • /api/read/* │
│ ▼
│ ┌─────────────┐
│ │ DynamoDB │
│ │ (Port 8000) │
│ │ (Fallback) │
│ │🔒 Local TLS │
│ └─────────────┘
│
Authentication
│🔒 TLS
▼
┌─────────────┐
│ Keycloak │
│(Port 8090) │
│ JWT │
│🔒 TLS Auth │
└─────────────┘
Location: docker-compose.yml#L582-L600
ssl-cert-generator:
image: alpine:latest
volumes:
- ssl-certs:/certs
command: >
sh -c "
apk add --no-cache openssl &&
if [ ! -f /certs/server.crt ]; then
openssl req -x509 -newkey rsa:4096 -nodes \
-keyout /certs/server.key \
-out /certs/server.crt \
-days 365 \
-subj '/CN=localhost/O=EventualConsistent/C=US'
fi"Location: load_balancer/haproxy.cfg
# HTTPS Frontend (Port 8443)
frontend https-in
bind *:8443 ssl crt /certs/server.pem
redirect scheme https code 301 if !{ ssl_fc }
# HTTP to HTTPS Redirect (Port 8080)
frontend http-in
bind *:8080
redirect scheme https code 301Configuration Files:
- Redis TLS:
config/redis.conf - RabbitMQ TLS:
config/rabbitmq/rabbitmq.conf - Database TLS:
auth/postgres-init.sql
Location: docker-compose.yml#L606-L612
networks:
backend: # Internal service communication
driver: bridge
internal: # Secure internal-only network
driver: bridge
grafana: # Monitoring network isolation
driver: bridge| Aspect | Write Operations | Read Operations | TLS Implementation |
|---|---|---|---|
| Pattern | Event-Driven (Asynchronous) | Direct Access (Synchronous) | End-to-End Encryption |
| Performance | Optimized for reliability | Optimized for speed | SSL termination at HAProxy |
| Security | JWT + TLS encryption | JWT + TLS encryption | mTLS for internal services |
| Consistency | Eventual consistency | Strong consistency from cache | Certificate rotation |
| Scaling | Horizontal via message queues | Horizontal via cache replicas | Load-balanced TLS |
| Latency | Higher (message processing) | Lower (direct cache access) | Minimal TLS overhead |
| Failure Handling | Retry queues, DLX | Circuit breakers, fallbacks | Certificate fallback |
The system has been transformed into a RabbitMQ-based event-driven architecture where specialized microservices subscribe to specific event types instead of receiving HTTP requests directly.
- Single Write Layer: All write requests go through one endpoint that routes events via RabbitMQ
- Event-Type Routing: Different event types are routed to specialized microservices
- Asynchronous Processing: Services process events independently and asynchronously
- Loose Coupling: Services don't need to know about each other
Implementation: write_layer/src/main/java/com/example/writelayer/controller/WriteController.java
- Frontend to API Gateway: Direct HTTP/REST calls with HTTPS
- API Gateway to Read Services: Direct service calls with caching and TLS
- Authentication Validation: Real-time JWT validation over TLS
- Write Operations: Event-driven via RabbitMQ with TLS and authentication
- Data Synchronization: Kafka-based event streaming with internal TLS
- Cache Updates: Background sync processes with encrypted connections
- External TLS: Client → HAProxy (SSL termination)
- Internal TLS: Service → Service (mTLS)
- Data TLS: Service → Database (encrypted connections)
- Write Path: Events processed asynchronously with secure message delivery
- Cross-Service Updates: Via event propagation with TLS encryption
- Data Reconciliation: Background sync processes with authenticated connections
- Read Path: Direct cache/database access with TLS
- Authentication: Real-time validation with encrypted JWT
- Critical Operations: Synchronous processing where needed with full encryption
┌─────────────────────────────────────────────────────────────────────────┐
│ CLIENT LAYER │
│ 🌐 Browser/Mobile App → 🔒 HTTPS (TLS 1.2+) → HAProxy (Port 8443) │
└─────────────────────────────┬───────────────────────────────────────────┘
│
┌─────────────────────────────▼───────────────────────────────────────────┐
│ PROXY/GATEWAY LAYER │
│ 🔒 SSL Termination → 🔐 JWT Validation → Load Balancing │
│ 📁 /certs/server.crt,key → Backend Routing │
└─────────────────────────────┬───────────────────────────────────────────┘
│
┌─────────────────────────────▼───────────────────────────────────────────┐
│ APPLICATION LAYER │
│ 🔒 Internal TLS → 🔐 Service Authentication → Business Logic │
│ 📁 /certs/internal.crt,key → Microservice Mesh │
└─────────────────────────────┬───────────────────────────────────────────┘
│
┌─────────────────────────────▼───────────────────────────────────────────┐
│ DATA LAYER │
│ 🔒 Database TLS → 🔐 Encrypted Storage → Access Controls │
│ 📊 Redis/PostgreSQL/DynamoDB Encryption │
└─────────────────────────────────────────────────────────────────────────┘
Reference Files:
- SSL Setup:
scripts/setup-ssl.sh - Security Configuration:
config/directory - Certificate Management:
ssl-cert-generatorservice