-
Notifications
You must be signed in to change notification settings - Fork 40
/
Copy path_ssl_termin_lb_only_pcf.html.md.erb
52 lines (36 loc) · 4.3 KB
/
_ssl_termin_lb_only_pcf.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
To configure SSL termination on the load balancer only in <%= vars.app_runtime_abbr %>:
1. Create an A record in your DNS that points to your load balancer IP address. The A record associates the **System domain** and **Apps domain** that you configure in the **Domains** pane of the <%= vars.app_runtime_abbr %> tile with the IP address of your load balancer.
<br />
<br />
For example, with `<%= vars.product_name_lc %>.example.com` as the main subdomain for your <%= vars.platform_name %> deployment and a load balancer IP address `198.51.100.1`, you must create an A record in your DNS that serves `example.com` and points `*.<%= vars.product_name_lc %>` to `198.51.100.1`.
<table border="1" class="nice" >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.<%= vars.product_name_lc %></td>
<td>A</td>
<td>198.51.100.1</td>
<td>example.com</td>
</tr>
</table>
1. Navigate to the <%= vars.ops_manager %> Installation Dashboard.
1. Click the <%= vars.app_runtime_abbr %> tile.
1. Select **Networking**.
1. For <%= vars.app_runtime_abbr %> deployments on OpenStack or vSphere, choose IP addresses for the Gorouters from the subnet configured for <%= vars.ops_manager %> and enter them in the **Gorouter IPs** field. Then configure your load balancer to forward requests for the above domains to these IP addresses. For more information, see [Configure Networking](../customizing/configure-pas.html#networking) in _Configuring <%= vars.app_runtime_abbr %>_.
1. In the **Certificates and private keys for the Gorouter and HAProxy** field, click the **Add** button to define one certificate keypair for the Gorouter and HAProxy. Since you have opted for unencrypted traffic behind the load balancer, then you can generate an RSA certificate in <%= vars.app_runtime_abbr %>.
1. In the **Minimum version of TLS supported by the Gorouter and HAProxy**, select the minimum version of TLS to use in HAProxy communications. HAProxy use TLS v1.2 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the HAProxy, see [Cipher Suites](#ciphers).
1. Under **TLS termination point**, select **Infrastructure load balancer**.
1. To use a specific set of TLS ciphers for HAProxy, configure **TLS cipher suites for HAProxy**. Enter an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. For example, if you have selected support for an earlier version of TLS, enter cipher suites supported by this version. Otherwise, leave the default values in this field.
1. Under **HAProxy forwards all requests to the Gorouter over TLS**, select **Disable**.
1. (Optional) If you are not using SSL encryption or if you are using self-signed certificates, you can select the **Disable SSL certificate verification for this environment** checkbox. Selecting this checkbox also disables SSL verification for route services.
<p class="note"><strong>Note:</strong> Select this checkbox only for development and testing environments. Do not select it for production environments.</p>
1. (Optional) If you do not want the Gorouter to accept any non-encrypted HTTP traffic, enable the **Disable HTTP on the Gorouter and HAProxy** checkbox.
1. Click **Save**.
1. After you complete the configuration in <%= vars.app_runtime_abbr %>, add your certificate or certificates to your load balancer and configure its listening port. The procedures vary depending on your IaaS.
1. Configure your load balancer to append the `X-Forwarded-For` and `X-Forwarded-Proto` headers to client requests.
<br/>If the load balancer cannot be configured to provide the `X-Forwarded-For` header, the Gorouter appends it in requests forwarded to apps and system components, set to the IP address of the load balancer.
<p class='note'><strong>Note:</strong> If the load balancer accepts unencrypted requests, it <strong>must</strong> provide the <code>X-Forwarded-Proto</code> header. Conversely, if the load balancer cannot be configured to send the <code>X-Forwarded-Proto</code> header, it should not accept unencrypted requests. Otherwise, apps and platform system components that require encrypted client requests accept unencrypted requests when they should not accept them.</p>