ssl-term.html.md.erb (forked from pivotal-cf/docs-ops-guide)
---
title: Configuring Pivotal Cloud Foundry SSL Termination for vSphere Deployments
owner: Ops Manager
---
<strong><%= modified_date %></strong>

To use SSL termination in [Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF), you must
configure the Pivotal-deployed HAProxy load balancer or your own load balancer.
Pivotal recommends that you use HAProxy in lab and test environments only.
Production environments should instead use a highly-available customer-provided
load balancing solution.

Select an SSL termination method to determine the steps you must take to
configure Elastic Runtime.
##<a id="haproxy"></a>Using the Pivotal HAProxy Load Balancer##
PCF deploys with a single instance of HAProxy for use in lab and test
environments.
You can use this HAProxy instance for SSL termination and load balancing to the
PCF Routers.

HAProxy can generate a self-signed certificate if you do not want to obtain a
signed certificate from a well-known certificate authority.

<%= partial '../customizing/known-issue-self-signed-certs' %>

To use the HAProxy load balancer, you must create a wildcard A record in your
DNS and configure three fields in the Elastic Runtime product tile.
1. Create an A record in your DNS that points to the HAProxy IP address. The A
record associates the **System Domain** and **Apps Domain** that you configure
in the **Domains** section of the Elastic Runtime tile with the HAProxy IP address.
<br />
<br />
For example, with `cf.example.com` as the main subdomain for your CF install
and an HAProxy IP address `203.0.113.1`, you must create an A record in your
DNS that serves `example.com` and points `*.cf` to `203.0.113.1`.
<table >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.cf</td>
<td>A</td>
<td>203.0.113.1</td>
<td>example.com</td>
</tr>
</table>
1. Use the Linux `host` command to test your DNS entry. The `host` command
should return your HAProxy IP address for any name under the wildcard record.
<br />
<br />
Example:
<pre class='terminal'>
$ host cf.example.com
cf.example.com has address 203.0.113.1
$ host anything.cf.example.com
anything.cf.example.com has address 203.0.113.1
</pre>
1. From the PCF Ops Manager Dashboard, click on the Elastic Runtime tile.
1. Select **Networking**.
1. Leave the **Router IPs** field blank. HAProxy assigns the router IPs internally.
1. Enter the IP address for HAProxy in the **HAProxy IPs** field.
1. Provide your SSL certificate in the **SSL Termination Certificate and Private Key** field. See [Providing a Certificate for your SSL Termination Point](./security_config.html#config) for details.

[Return to the Getting Started Guide](../installing/index.html)
##<a id="other"></a>Using Another Load Balancer##
Production environments should use a highly-available customer-provided load
balancing solution that does the following:

* Provides SSL termination for the wildcard DNS domain
* Provides load balancing to each of the PCF Router IPs
* Adds appropriate `x-forwarded-for` and `x-forwarded-proto` HTTP headers
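
The header requirement in the last bullet matters because the hop from the load balancer to the PCF Routers is plain HTTP: without `x-forwarded-proto` the platform cannot tell that the client actually used HTTPS, and without `x-forwarded-for` it only sees the load balancer's own address. The following Python function is an added example, not the page's code and not the code of any load balancer product; it models what a terminating load balancer should put in those two headers before forwarding a request. The trusted-proxy list and the decision to discard client-supplied copies of these headers from untrusted sources are assumptions about good practice, not something the page specifies.

```python
"""Added example (not from the Pivotal docs): model of how a terminating load
balancer populates x-forwarded-for / x-forwarded-proto for the PCF Routers.

Assumption (not stated on the page): inbound copies of these headers are only
kept when the connection comes from a proxy the operator trusts; otherwise
they are discarded so a client cannot pre-seed the chain or claim 'https'.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

FORWARDING_HEADERS = ("x-forwarded-for", "x-forwarded-proto")


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def build_router_headers(inbound: Dict[str, str], client_ip: str,
                         tls_terminated: bool,
                         trusted_proxies: Iterable[str] = ()) -> Dict[str, str]:
    """Return the header set the load balancer forwards to a PCF Router.

    x-forwarded-proto reflects whether THIS hop terminated TLS, so the router
    learns the scheme the client used even though the backend hop is HTTP.
    x-forwarded-for is the existing chain (kept only if it arrived from a
    trusted proxy) with the connecting address appended.
    """
    client = ip_address(client_ip)
    from_trusted = any(client in ip_network(n) for n in trusted_proxies)

    # Copy everything except the two headers this hop is responsible for.
    out = {k: v for k, v in inbound.items() if k.lower() not in FORWARDING_HEADERS}

    prior = _get(inbound, "x-forwarded-for") if from_trusted else None
    chain = [hop.strip() for hop in (prior or "").split(",") if hop.strip()]
    chain.append(client_ip)
    out["x-forwarded-for"] = ", ".join(chain)
    out["x-forwarded-proto"] = "https" if tls_terminated else "http"
    return out


def demo() -> Dict[str, Dict[str, str]]:
    """Two constructed requests: one straight from the Internet carrying
    forwarding headers it had no business sending, one relayed by a trusted
    corporate proxy that already recorded the real client."""
    direct = build_router_headers(
        {"Host": "api.cf.example.com", "X-Forwarded-For": "10.0.0.5",
         "X-Forwarded-Proto": "https"},
        client_ip="198.51.100.77", tls_terminated=False)
    relayed = build_router_headers(
        {"Host": "api.cf.example.com", "X-Forwarded-For": "192.0.2.10"},
        client_ip="203.0.113.50", tls_terminated=True,
        trusted_proxies=["203.0.113.0/24"])
    return {"direct": direct, "relayed": relayed}


if __name__ == "__main__":
    for name, headers in demo().items():
        print(name, headers)
```

In the first scenario the client-supplied values are dropped and the router receives `x-forwarded-for: 198.51.100.77` with `x-forwarded-proto: http`, because this request arrived over plain HTTP; in the second the chain grows to `192.0.2.10, 203.0.113.50` and the proto is `https` because the load balancer terminated TLS on that connection.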

You must register static IP addresses for PCF with your load balancer and
configure three fields in the Elastic Runtime product tile.

1. Register one or more static IP addresses for PCF with your load
balancer.
1. Create an A record in your DNS that points to your load balancer IP address.
The A record associates the **System Domain** and **Apps Domain** that you
configure in the **Domains** section of the Elastic Runtime tile with the IP address of
your load balancer.
<br />
<br />
For example, with `cf.example.com` as the main subdomain for your CF install
and a load balancer IP address `198.51.100.1`, you must create an A record in
your DNS that serves `example.com` and points `*.cf` to `198.51.100.1`.
<table border="1" class="nice" >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.cf</td>
<td>A</td>
<td>198.51.100.1</td>
<td>example.com</td>
</tr>
</table>
1. From the PCF Ops Manager Dashboard, click on the Elastic Runtime tile.
1. Select **Networking**.
1. In the **Router IPs** field, enter the static IP address for PCF that you have registered with your load balancer.
1. Leave the **HAProxy IPs** field blank.
1. Provide your SSL certificate in the **SSL Termination Certificate and Private Key** field. See [Providing a Certificate for your SSL Termination Point](./security_config.html#config) for details.

<p class='note'><strong>Note</strong>: When adding or removing PCF routers, you must update your load balancing solution configuration with the appropriate IP addresses.</p>
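
The DNS and certificate steps in both procedures above are easy to get subtly wrong: a `*.cf` A record in DNS answers for names several labels deep, but a wildcard in a certificate covers exactly one label. The following Python script is an added example, not part of the Pivotal docs; it checks, offline, that the hostnames PCF will expose resolve to the load balancer IP and that the termination certificate's subject alternative names actually cover them. The domain layout (`system.cf.example.com` and `apps.cf.example.com` under the page's `cf.example.com`), the component hostnames `api`, `login` and `uaa`, the app route `my-app` and the in-memory resolver are assumptions constructed for this example; a real run would pass `system_resolver` and the SAN list read from your certificate.

```python
"""Added example (not from the Pivotal docs): pre-flight check for the wildcard
DNS record and the SSL termination certificate.

Assumptions (constructed for this example): the domain layout, the component
hostnames under the system domain, and the in-memory resolver. A real run
passes `system_resolver` and the SAN names read from the certificate.
"""
import socket
from typing import Callable, Dict, Iterable, List


def cert_wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate-style match (RFC 6125): '*' stands for exactly one label,
    so '*.cf.example.com' covers 'api.cf.example.com' but not
    'api.system.cf.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".cf.example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]  # the part the '*' must absorb
    return left != "" and "." not in left


def dns_wildcard_matches(pattern: str, hostname: str) -> bool:
    """DNS-style match: a '*.cf' record in example.com answers for any name
    below cf.example.com, however many labels deep."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    suffix = pattern[1:]
    return (pattern.startswith("*.") and hostname.endswith(suffix)
            and len(hostname) > len(suffix))


def in_memory_resolver(zone: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for the `host` command: exact A records first, then wildcards."""
    def resolve(name: str) -> str:
        if name in zone:
            return zone[name]
        for pattern, ip in zone.items():
            if dns_wildcard_matches(pattern, name):
                return ip
        raise OSError(f"no A record for {name}")
    return resolve


def system_resolver(name: str) -> str:
    """Resolver for a real run; asks the host's configured DNS like `host` does."""
    return socket.gethostbyname(name)


def expected_hostnames(system_domain: str, apps_domain: str) -> List[str]:
    """Names PCF serves under the Domains-section values. 'api', 'login' and
    'uaa' are standard system components; 'my-app' is a constructed app route."""
    return [f"api.{system_domain}", f"login.{system_domain}",
            f"uaa.{system_domain}", f"my-app.{apps_domain}"]


def check_dns(hostnames: Iterable[str], lb_ip: str,
              resolve: Callable[[str], str]) -> Dict[str, str]:
    """Map each hostname that does NOT resolve to lb_ip to a description of the problem."""
    problems: Dict[str, str] = {}
    for name in hostnames:
        try:
            answer = resolve(name)
        except OSError as exc:
            problems[name] = f"lookup failed: {exc}"
            continue
        if answer != lb_ip:
            problems[name] = f"resolves to {answer}, expected {lb_ip}"
    return problems


def check_certificate_coverage(san_names: Iterable[str],
                               hostnames: Iterable[str]) -> List[str]:
    """Return the hostnames no subjectAltName entry covers."""
    sans = list(san_names)
    return [h for h in hostnames
            if not any(cert_wildcard_matches(p, h) for p in sans)]


def demo() -> Dict[str, object]:
    """Constructed scenario: one '*.cf' A record, with system and apps domains
    one level below it. DNS is fine; a '*.cf.example.com' cert is too shallow."""
    lb_ip = "203.0.113.1"  # the page's HAProxy address
    names = expected_hostnames("system.cf.example.com", "apps.cf.example.com")
    resolve = in_memory_resolver({"*.cf.example.com": lb_ip})
    return {
        "dns_problems": check_dns(names, lb_ip, resolve),
        "too_shallow_cert": check_certificate_coverage(["*.cf.example.com"], names),
        "correct_cert": check_certificate_coverage(
            ["*.system.cf.example.com", "*.apps.cf.example.com"], names),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reports no DNS problems, lists all four hostnames as uncovered by a `*.cf.example.com` certificate, and an empty list once the certificate carries `*.system.cf.example.com` and `*.apps.cf.example.com`. Swap `in_memory_resolver(...)` for `system_resolver` to run the DNS half against a real zone.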
[Return to the Installing Pivotal Cloud Foundry Guide](../installing/index.html)