forked from cloudfoundry/docs-cf-admin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_ssl_termin_gorouter_lb_oss.html.md.erb
28 lines (23 loc) · 1.73 KB
/
_ssl_termin_gorouter_lb_oss.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
To enable this configuration, perform the following steps:
1. Add your certificates to your load balancer and configure its listening port. The procedures vary depending on your IaaS.
1. Configure your load balancer to append the `X-Forwarded-For` and `X-Forwarded-Proto` headers to client requests.
<br/>If the load balancer cannot be configured to provide the `X-Forwarded-For` header, the Gorouter will append it in requests forwarded to applications and system components, set to the IP address of the load balancer.
<p class='note'><strong>Note</strong>: If the load balancer accepts unencrypted requests, it <strong>must</strong> provide the X-Forwarded-Proto header. Conversely, if the load balancer cannot be configured to send the X-Forwarded-Proto header, it should not accept unencrypted requests. Otherwise, applications and platform system components that depend on the X-Forwarded-Proto header to reject unencrypted client requests will accept unencrypted requests.</p>
1. Insert the certificates into your deployment manifest for the Gorouter:
1. Open your release manifest using your preferred text editor.
1. Copy the contents of your certificate chain and private key associated with your certificate into the `properties.router.tls_pem` field.
1. Set `enable_ssl` to `true`.
```
properties:
router:
tls_pem:
- cert_chain: |
-----BEGIN CERTIFICATE-----
SSL_CERTIFICATE_SIGNED_BY_PRIVATE_KEY
-----END CERTIFICATE-----
private_key: |
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
RSA_PRIVATE_KEY
-----END EXAMPLE RSA PRIVATE KEY-----
enable_ssl: true
```