forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecuring-endpoints.html.md.erb
57 lines (30 loc) · 3.34 KB
/
securing-endpoints.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
---
title: Securing System and Application Endpoints
---
This topic describes how to create a public-facing website and an intranet microservice in the same app.
The configuration described in this topic may be ideal for those in financial or health sectors who need extra security and convenience managing internal and external services. If the configuration is successful, developers can only use the Cloud Foundry Command Line Interface (cf CLI) command [cf push](http://cli.cloudfoundry.org/en-US/cf/push.html) from approved network paths.
## <a id="prerequisites"></a> Prerequisites
Before beginning your configuration, you will need to have registered three domains through your trusted DNS provider:
- A **System Domain** for Pivotal Application Service (PAS) and its accompanying tile services
- An **Apps Domain** for your intranet microservice
- An additional domain for the public-facing portions of your app
<p class="note"><strong>Note</strong>: Pivotal recommends that you use the same domain name but different subdomain names for your system and app domains. Doing so allows you to use a single wildcard certificate for the domain while preventing apps from creating routes that overlap with system routes.</p>
## <a id="system-domain"></a> Step 1: Configure System and Apps Domains
1. Log in to your <%= vars.first_product_name %> Ops Manager
1. Click the **Pivotal Application Service** tile.
1. Select the **Domains** pane.
1. Enter the **System Domain** and **Apps Domain** defined in the [prerequisites](#prerequisites) above.
1. Navigate to your DNS provider to create A records that point from your apps domains to the public IP address of your load balancer.
1. Click **Save**.
## <a id="load-balancer"></a> Step 2: Secure Apps Domain with HAProxy
<p class="warning note"><strong>WARNING</strong>: This method is easy to implement but may not be the best option for your security needs. Contact Pivotal Support if you seek a custom solution to building secure, internal services.</p>
<p class="note"><strong>Note: </strong>Pivotal supports HAProxy by default. However, you may configure an internal domain using any load balancer you choose that supports host header filtering.</p>
1. Select the **Networking** pane.
1. Enter **HAProxy Protected Domains**. The domain you enter will be the same domain as the **Apps Domain** defined in [prerequisites](#prerequisites).
1. Enter **HAProxy Trusted CIDRs** separated by spaces. This field is to specify CIDRs allowed to make requests to the domains listed in the **Protected Domains** field. For example, entering `10.0.1.0/24` would allow any requests originating at a host IP in that range to reach applications or services hosted on the **Protected Domains** list.
1. (Optional) <%= partial '../customizing/haproxy_hsts_config' %>
1. (Optional) Configure an additional HAProxy for BOSH to secure your public-facing domain with credentials. See [proxy-boshrelease](https://github.com/cloudfoundry-incubator/haproxy-boshrelease) on GitHub for more information.
## <a id="authentication"></a> Step 3: (Optional) Enable an Authentication Service
For added security, you may want to install an authentication service to your private domain like Single Sign-on (SSO). For more information about SSO, see [Single Sign-On Overview](https://docs.pivotal.io/p-identity/index.html).