forked from pivotal-cf/docs-ops-guide
_ssl_termin_gorouter_lb_pcf.html.md.erb
Perform the following steps to configure SSL termination on the Gorouter and load balancer in <%= vars.first_product_name %>:
1. Create an A record in your DNS that points to your load balancer IP address.
The A record associates the **System Domain** and **Apps Domain** that you
configure in the **Domains** section of the Pivotal Application Service (PAS) tile with the IP address of
your load balancer.
<br />
<br />
For example, with `cf.example.com` as the main subdomain for your Cloud
Foundry (CF) deployment and a load balancer IP address `198.51.100.1`, you
must create an A record in your DNS that serves `example.com` and points
`*.cf` to `198.51.100.1`.
<table border="1" class="nice" >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.cf</td>
<td>A</td>
<td>198.51.100.1</td>
<td>example.com</td>
</tr>
</table>
1. Navigate to the Ops Manager Installation Dashboard.
1. Click the PAS tile in the Installation Dashboard.
1. Click **Networking**.
1. For <%= vars.product_name %> deployments on OpenStack or vSphere, choose IP addresses for the Gorouters from the subnet configured for Ops Manager and enter them in the **Router IPs** field. Then configure your load balancer to forward requests for the above domains to these IP addresses. For more information, see [Configuring PAS](../customizing/configure-pas.html).
1. In the **Certificates and Private Keys for HAProxy and Router** field, click the **Add** button to define at least one certificate keypair for HAProxy and Router. For each certificate keypair that you add, assign a name and enter the PEM-encoded certificate chain and PEM-encoded private key. You can either upload your own certificate or generate an RSA certificate in PAS. For options and instructions on creating a certificate for your wildcard domains, see [Creating a Wildcard Certificate for <%= vars.product_name %> Deployments](../opsguide/security_config.html#create_or_obtain_certs).
1. In the **Minimum version of TLS supported by HAProxy and Router** field, select the minimum version of TLS to use in HAProxy and Gorouter communications. The Gorouter uses TLS v1.2 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see [Cipher Suites](#ciphers).
1. If you are using **HAProxy**, complete the following steps:
    1. Under **HAProxy forwards requests to Router over TLS**, select **Enable**.
    1. In the **Certificate Authority for HAProxy Backend** field, specify the Certificate Authority (CA) that signed the certificate you configured in the **Certificate and Private Key for HAProxy and Router** field.
    <p class="note">If you used the **Generate RSA Certificate** link to generate a self-signed certificate, then the CA to specify is the Ops Manager CA, which you can locate at the `/api/v0/certificate_authorities` endpoint in the Ops Manager API.</p>
    1. If you want to use a specific set of TLS ciphers for HAProxy, configure **TLS Cipher Suites for HAProxy**. Enter an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. For example, if you have selected support for an earlier version of TLS, you can enter cipher suites supported by this version. Otherwise, leave the default values in this field.
    1. In the **Configure the CF Router support for the X-Forwarded-Client-Cert header** field, select **Always forward the XFCC header in the request, regardless of whether the client connection is mTLS**.
    1. Proceed to step 11.
1. If you want to use a specific set of TLS ciphers for the Gorouter, configure **TLS Cipher Suites for Router**. Enter an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. For example, if you have selected support for an earlier version of TLS, you can enter cipher suites supported by this version. For a list of TLS ciphers supported by the Gorouter, see [Cipher Suites](#ciphers). Otherwise, leave the default values in this field.
1. If you are not using HAProxy, complete the following steps:
    1. Under **HAProxy forwards requests to Router over TLS**, select **Disable**.
    1. In the **Configure the CF Router support for the X-Forwarded-Client-Cert header** field, select any of the available options depending on your client application needs. For more information about XFCC header forwarding, see [Forward Client Certificate to Applications](../concepts/http-routing.html#forward-client-cert).
    1. In the PAS tile, click **Resource Config**.
    1. In the **Instances** drop-down for the **HAProxy** job, select `0` instances.
    1. Click **Save**.
1. (Optional) If you are not using SSL encryption or if you are using self-signed certificates, you can select **Disable SSL certificate verification for this environment**. Selecting this checkbox also disables SSL verification for route services.
<p class="note">Use this checkbox only for development and testing environments. Do not select it for production environments.</p>
1. (Optional) If you do not want HAProxy or the Gorouter to accept any non-encrypted HTTP traffic, select the **Disable HTTP on HAProxy and Router** checkbox.
1. Click **Save**.
1. After you complete the configuration in <%= vars.product_name %>, add your certificate or certificates to your load balancer, and configure its listening port. The procedures vary depending on your IaaS.
1. Configure your load balancer to append the `X-Forwarded-For` and `X-Forwarded-Proto` headers to client requests.
<br>If you cannot configure the load balancer to provide the `X-Forwarded-For` header, the Gorouter appends it in requests forwarded to applications and system components, set to the IP address of the load balancer.
<p class='note'><strong>Note</strong>: If the load balancer accepts unencrypted requests, it <strong>must</strong> provide the <code>X-Forwarded-Proto</code> header. Conversely, if the load balancer cannot be configured to send the <code>X-Forwarded-Proto</code> header, it should not accept unencrypted requests. Otherwise, applications and platform system components that require encrypted client requests will accept unencrypted requests when they should not accept them.</p>
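The header contract in the last two steps, as an added example in Go that is not part of this page or of the Gorouter's own code: a small model of the router filling in `X-Forwarded-For` when the load balancer does not, beside hypothetical app-side middleware that requires `X-Forwarded-Proto: https` and refuses a request that arrives without it. `lbIP`, `RequireTLS`, `Simulate` and the sample addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const lbIP = "198.51.100.1" // constructed: the load balancer from the DNS example

// routerForward models the Gorouter behaviour described above: a request that
// arrives without X-Forwarded-For gets one set to the peer IP (the load balancer).
func routerForward(r *http.Request, peerIP string) {
	if r.Header.Get("X-Forwarded-For") == "" {
		r.Header.Set("X-Forwarded-For", peerIP)
	}
}

// RequireTLS is hypothetical app-side middleware that fails closed: without
// X-Forwarded-Proto: https (the note's missing-header case) the request is refused.
func RequireTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Error(w, "encrypted connection required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Simulate runs one request (lbHeaders: what the load balancer set) through router and app.
func Simulate(lbHeaders map[string]string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://app.cf.example.com/", nil)
	for k, v := range lbHeaders {
		req.Header.Set(k, v)
	}
	routerForward(req, lbIP)
	var seenXFF string
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seenXFF = r.Header.Get("X-Forwarded-For")
	})
	rec := httptest.NewRecorder()
	RequireTLS(app).ServeHTTP(rec, req)
	return rec.Code, seenXFF
}

func main() {
	fmt.Println(Simulate(map[string]string{"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}))
	fmt.Println(Simulate(nil)) // load balancer set no headers: 403
}
```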