_ssl_termin_gorouter_pcf.html.md.erb
To configure SSL termination on the Gorouter in <%= vars.app_runtime_abbr %>:
1. Configure your load balancer to pass through TCP requests from the client to the Gorouter.
1. Navigate to the <%= vars.ops_manager %> Installation Dashboard.
1. Click the <%= vars.app_runtime_abbr %> tile.
1. Select **Networking**.
1. For <%= vars.app_runtime_abbr %> deployments on OpenStack or vSphere, choose IP addresses for the Gorouters from the subnet configured for <%= vars.ops_manager %> and enter them in the **Gorouter IPs** field. Then configure your load balancer to forward requests for the above domains to these IP addresses. For more information, see [Configure Networking](../customizing/configure-pas.html#networking) in _Configuring <%= vars.app_runtime_abbr %>_.
1. In the **Certificates and private keys for the Gorouter and HAProxy** field, click the **Add** button to define at least one certificate keypair for the Gorouter and HAProxy. For each certificate keypair you add, assign a name, enter the PEM-encoded certificate chain and PEM-encoded private key. You can either upload your own certificate or generate an RSA certificate in <%= vars.app_runtime_abbr %>. For options and instructions on creating a certificate for your wildcard domains, see [Creating a Wildcard Certificate for <%= vars.platform_name %> Deployments](https://docs.pivotal.io/application-service/operating/security_config.html#create_or_obtain_certs) in _Providing a Certificate for Your TLS Termination Point_.
1. In the **Minimum version of TLS supported by the Gorouter and HAProxy** field, select the minimum version of TLS to use in Gorouter communications. The Gorouter uses TLS v1.2 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see [Cipher Suites](#ciphers).
1. Under **TLS termination point**, select **Gorouter**.
1. To use a specific set of TLS ciphers for the Gorouter, configure **TLS cipher suites for the Gorouter**. Enter an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. For example, if you have selected support for an earlier version of TLS, enter cipher suites supported by this version. For a list of TLS ciphers supported by the Gorouter, see [Cipher Suites](#ciphers). Otherwise, leave the default values in this field.
1. Under **HAProxy forwards requests to the Gorouter over TLS**, select **Disable**.
1. (Optional) If you are not using SSL encryption or if you are using self-signed certificates, you can select the **Disable SSL certificate verification for this environment** checkbox. Selecting this checkbox also disables SSL verification for route services.
    <p class="note"><strong>Note:</strong> Select this checkbox only for development and testing environments. Do not select it for production environments.</p>
1. (Optional) If you do not want the Gorouter to accept any non-encrypted HTTP traffic, select the **Disable HTTP on the Gorouter and HAProxy** checkbox.
1. Click **Save**.
1. Select **Resource Config**.
1. In the **Instances** dropdown for the **HAProxy** job, select `0` instances.
1. Click **Save**.
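The **TLS cipher suites for the Gorouter** field takes a colon-separated OpenSSL cipher string, and a string that matches no cipher is only discovered when the Gorouter fails to come up. The script below is an added example, not part of this documentation or of the Gorouter project: it resolves a candidate string with the local OpenSSL (through Python's `ssl` module) the way an OpenSSL cipher string is parsed, then flags suites that lack forward secrecy or an AEAD mode so an operator can review the list before saving it. The cipher names in the sample are constructed for the demonstration; the minimum-version mapping mirrors the Ops Manager choices and is an assumption. The Gorouter's own TLS stack may accept a different set of names, so the authoritative list remains the [Cipher Suites](#ciphers) section.

```python
"""Sanity-check an OpenSSL-format cipher string before entering it in
the "TLS cipher suites for the Gorouter" field (added example)."""
import ssl

# Assumed mapping of the Ops Manager "Minimum version of TLS" choices
# onto the ssl module's version constants.
_MIN_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def _selected_ciphers(spec, min_version):
    """Resolve `spec` with the local OpenSSL and return cipher records
    for TLS 1.2 and below, in the order OpenSSL would offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _MIN_VERSIONS[min_version]
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        # Same class of failure the Gorouter would hit with a bad string.
        raise ValueError(f"cipher spec {spec!r} selects no cipher: {exc}") from None
    # OpenSSL configures TLS 1.3 suites separately and lists them first;
    # the operator-entered string only governs TLS 1.2 and below.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def resolve_cipher_spec(spec, min_version="TLSv1.2"):
    """Return just the resolved cipher names, in offer order."""
    return [c["name"] for c in _selected_ciphers(spec, min_version)]


def check_cipher_spec(spec, min_version="TLSv1.2"):
    """Resolve `spec` and report the suites a reviewer usually questions.

    Returns a dict: ok/error for parseability, the resolved cipher list,
    suites without forward secrecy (no ECDHE-/DHE- key exchange) and
    suites without an AEAD mode (CBC + HMAC constructions)."""
    report = {"ok": False, "error": None, "ciphers": [],
              "no_forward_secrecy": [], "non_aead": []}
    try:
        ciphers = _selected_ciphers(spec, min_version)
    except (ValueError, KeyError) as exc:
        report["error"] = str(exc)
        return report
    report["ok"] = True
    for c in ciphers:
        report["ciphers"].append(c["name"])
        # OpenSSL naming: ephemeral key exchange suites carry an ECDHE-/DHE- prefix.
        if not c["name"].startswith(("ECDHE-", "DHE-")):
            report["no_forward_secrecy"].append(c["name"])
        # 'aead' is reported by OpenSSL 1.1+ builds; treat missing as non-AEAD.
        if not c.get("aead", False):
            report["non_aead"].append(c["name"])
    return report


if __name__ == "__main__":
    # Constructed candidate string: two AEAD ECDHE suites plus a CBC suite
    # and a static-RSA suite, to show what the report flags.
    candidate = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
                 "AES128-GCM-SHA256")
    result = check_cipher_spec(candidate)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(check_cipher_spec("NOT-A-CIPHER")["error"])
```

Run it with the exact string you intend to paste into the field, and for a lowered minimum TLS version pass `min_version="TLSv1.0"` or `"TLSv1.1"` so the resolution happens under the same floor. Anything in `no_forward_secrecy` or `non_aead` is not necessarily wrong for a given client population, but it is the part of the list worth a deliberate decision.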