forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_ssl_termin_haproxy_pcf.html.md.erb
68 lines (51 loc) · 3.78 KB
/
_ssl_termin_haproxy_pcf.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
To use the HAProxy load balancer, you must create a wildcard A record in your
DNS and configure some fields in the Elastic Runtime product tile.
1. Create an A record in your DNS that points to the HAProxy IP address. The A
record associates the **System Domain** and **Apps Domain** that you configure
in the **Domains** section of the Elastic Runtime tile with the HAProxy IP address.
<br />
<br />
For example, with `cf.example.com` as the main subdomain for your Cloud
Foundry (CF) deployment and an HAProxy IP address `203.0.113.1`, you must
create an A record in your DNS that serves `example.com` and points `*.cf`
to `203.0.113.1`.
<table >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.cf</td>
<td>A</td>
<td>203.0.113.1</td>
<td>example.com</td>
</tr>
</table>
1. Use the Linux `host` command to test your DNS entry. The `host` command
should return your HAProxy IP address.
<br />
<br />
Example:
<pre class='terminal'>
$ host cf.example.com
cf.example.com has address 203.0.113.1
$ host anything.example.com
anything.cf.example.com has address 203.0.113.1
</pre>
In PCF, perform the following steps to configure SSL termination on HAProxy:
1. Navigate to the Ops Manager Installation Dashboard.
1. Click the **Elastic Runtime** tile in the Installation Dashboard.
1. Click **Networking**.
1. For PCF deployments on OpenStack or vSphere, enter the HAProxy IP address that you used to set up a wildcard DNS record in the **HAProxy IPs** field. For more information, see the Elastic Runtime networking configuration topic for [OpenStack](../customizing/openstack-er-config.html#networking) or [vSphere](../customizing/azure-er-config.html#networking). For PCF deployments on AWS or Azure, leave the HAProxy IP address blank.
1. Under **Select one of the point-of-entry-options**, select the third option, **Forward SSL to HA Proxy**.
1. Enter your PEM-encoded certificate and your PEM-encoded private key in the fields under **SSL Termination Certificate and Private Key**. You can either upload your own certificate or generate a RSA certificate in Elastic Runtime. For options and instructions on creating a certificate for your wildcard domains, see [Creating a Wildcard Certificate for PCF Deployments](../opsguide/security_config.html#create_or_obtain_certs).
1. If you want HAProxy to only allow HTTPS traffic, select **Disable HTTP traffic to HAProxy**.
1. If you want to use a specific set of SSL ciphers for HAProxy, configure **HAProxy SSL Ciphers**. Enter a colon-separated list of custom SSL ciphers to pass to HAProxy. Otherwise, leave this field blank.
1. If you expect requests larger than the default maximum of 16 Kbytes, enter a new value (in bytes) for **Request Max Buffer Size**. You may need to do this, for example, to support apps that embed large cookie or query string values in headers.
1. If you are not using SSL encryption or if you are using self-signed certificates, you can select **Disable SSL certificate verification for this environment**. Selecting this checkbox also disables SSL verification for route services.
<p class="note">Use this checkbox only for development and testing environments. Do not select it for production environments.</p>
<%= image_tag 'images/ert_haproxy_certs.png' %>
1. Complete the rest of the **Networking configuration** screen, and click **Save**.
1. For PCF deployments on Azure or AWS, configure the HAProxy job in the **Resource Config** page of Elastic Runtime tile. For more information, see the Elastic Runtime installation instructions for [Azure](../customizing/azure-er-config.html#networking) or [AWS](../customizing/cloudform-er-config.html#config-elb).