-
Notifications
You must be signed in to change notification settings - Fork 40
/
Copy path_ssl_termin_gorouter_lb_pcf.html.md.erb
63 lines (47 loc) · 6.34 KB
/
_ssl_termin_gorouter_lb_pcf.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
To configure SSL termination on the Gorouter and load balancer in <%= vars.app_runtime_abbr %>:
1. Create an A record in your DNS that points to your load balancer IP address. The A record associates the **System domain** and **Apps domain** that you configure in the **Domains** pane of the <%= vars.app_runtime_abbr %> tile with the IP address of your load balancer.
<br />
<br />
For example, with `<%= vars.product_name_lc %>.example.com` as the main subdomain for your <%= vars.platform_name %> deployment and a load balancer IP address `198.51.100.1`, you must create an A record in your DNS that serves `example.com` and points `*.<%= vars.product_name_lc %>` to `198.51.100.1`.
<table border="1" class="nice" >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.<%= vars.product_name_lc %></td>
<td>A</td>
<td>198.51.100.1</td>
<td>example.com</td>
</tr>
</table>
1. Navigate to the <%= vars.ops_manager %> Installation Dashboard.
1. Click the <%= vars.app_runtime_abbr %> tile.
1. Select **Networking**.
1. For <%= vars.app_runtime_abbr %> deployments on OpenStack or vSphere, choose IP addresses for the Gorouters from the subnet configured for <%= vars.ops_manager %> and enter them in the **Gorouter IPs** field. Then configure your load balancer to forward requests for the above domains to these IP addresses. For more information, see [Configure Networking](../customizing/configure-pas.html#networking) in _Configuring <%= vars.app_runtime_abbr %>_.
1. In the **Certificates and private keys for the Gorouter and HAProxy** field, click the **Add** button to define at least one certificate keypair for the Gorouter and HAProxy. For each certificate keypair that you add, assign a name, enter the PEM-encoded certificate chain and PEM-encoded private key. You can either upload your own certificate or generate an RSA certificate in <%= vars.app_runtime_abbr %>. For options and instructions on creating a certificate for your wildcard domains, see [Creating a Wildcard Certificate for <%= vars.platform_name %> Deployments](https://docs.pivotal.io/application-service/operating/security_config.html#create_or_obtain_certs) in _Providing a Certificate for Your TLS Termination Point_.
1. Under **Minimum version of TLS supported by the Gorouter and HAProxy**, select the minimum version of TLS to use in HAProxy and Gorouter communications. The Gorouter uses TLS v1.2 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see [Cipher Suites](#ciphers).
1. If you are using HAProxy:
1. Under **TLS termination point**, select **Infrastructure load balancer**.
1. Under **HAProxy forwards requests to the Gorouter over TLS**, select **Enable**.
1. In the **Certificate authority for HAProxy back end** field, specify the certificate authority (CA) that signed the certificate you configured in the **Certificate and private key for the Gorouter and HAProxy** field.
<p class="note"><strong>Note:</strong> If you used the **Generate RSA Certificate** link to generate a self-signed certificate, then the CA to specify is the <%= vars.ops_manager %> CA, which you can locate using the <code>/api/v0/certificate_authorities</code> endpoint in the <%= vars.ops_manager %> API.</p>
1. To use a specific set of TLS ciphers for HAProxy, configure **TLS cipher suites for HAProxy**. Enter an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. For example, if you have selected support for an earlier version of TLS, you can enter cipher suites supported by this version. Otherwise, leave the default values in this field.
1. Proceed to step 11.
1. To use a specific set of TLS ciphers for the Gorouter, configure **TLS cipher suites for the Gorouter**. Enter an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. For example, if you have selected support for an earlier version of TLS, enter cipher suites supported by this version. For a list of TLS ciphers supported by the Gorouter, see [Cipher Suites](#ciphers). Otherwise, leave the default values in this field.
1. If you are not using HAProxy:
1. Under **TLS termination point**, select any of the available options depending on your client app needs. For more information about XFCC header forwarding, see [Forward Client Certificate to Apps](../concepts/http-routing.html#forward-client-cert) in _HTTP Routing_.
1. Under **HAProxy forwards requests to the Gorouter over TLS**, select **Disable**.
1. In the <%= vars.app_runtime_abbr %> tile, select **Resource Config**.
1. In the **Instances** dropdown for the **HAProxy** job, select `0` instances.
1. Click **Save**.
1. (Optional) If you are not using SSL encryption or if you are using self-signed certificates, you can select the **Disable SSL certificate verification for this environment** checkbox. Selecting this checkbox also disables SSL verification for route services.
<p class="note"><strong>Note:</strong> Select this checkbox only for development and testing environments. Do not select it for production environments.</p>
1. (Optional) If you do not want the Gorouter to accept any non-encrypted HTTP traffic, select the **Disable HTTP on the Gorouter and HAProxy** checkbox.
1. Click **Save**.
1. After you complete the configuration in <%= vars.app_runtime_abbr %>, add your certificate or certificates to your load balancer and configure its listening port. The procedures vary depending on your IaaS.
1. Configure your load balancer to append the `X-Forwarded-For` and `X-Forwarded-Proto` headers to client requests.
<br>If you cannot configure the load balancer to provide the `X-Forwarded-For` header, the Gorouter appends it in requests forwarded to apps and system components, set to the IP address of the load balancer.
<p class='note'><strong>Note:</strong> If the load balancer accepts unencrypted requests, it <strong>must</strong> provide the <code>X-Forwarded-Proto</code> header. Conversely, if the load balancer cannot be configured to send the <code>X-Forwarded-Proto</code> header, it should not accept unencrypted requests. Otherwise, apps and platform system components that require encrypted client requests accept unencrypted requests when they should not accept them.</p>