Re: SSL termination for private domains

Carlo Alberto Ferraris

Mike,
thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar to the one described by Mike. We sit behind a bunch of SLBs that handle termination for us. The main difference is that we're moving out of the "one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a choice we made exactly to keep options open when it comes to automating this process.
The biggest pain comes from the fact that the SLB in our organization is handled by a different team and that therefore every cert add/update/delete operation requires a manual operation spanning three teams (application team, our team, SLB team); in the worst cases such operations can take days. We may be different in this from other CF operators, but this situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to dynamically apply certificates specified by the users (and operators) we would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using either nginx or a custom-built TLS terminator for this very purpose (the main reason we're considering something custom-built is that it's somewhat hard to get session ticket key rotation right with nginx when you have multiple servers) - but if something functionally equivalent were to appear upstream we would definitely prefer it.

I hope everything makes sense; if not, I'll gladly answer any questions you may have.

Thanks for looking into this!

Carlo
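The multi-server ticket key rotation problem mentioned above, as an added example that is not part of this post or of Cloud Foundry: every terminator derives the per-epoch session ticket key from a shared master secret and the clock, so all servers agree on the key set without a coordination channel, and the previous epoch's key stays accepted so tickets issued just before a rotation still resume everywhere. The master secret, the one-hour period and the derivation label are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"time"
)

// How long one key encrypts new tickets (assumed value; the thread gives none).
const rotationPeriod = time.Hour

// epochFor maps wall-clock time to a rotation epoch. Servers sharing the master
// secret and a roughly synchronised clock agree on it without coordination.
func epochFor(t time.Time) int64 {
	return t.Unix() / int64(rotationPeriod/time.Second)
}

// deriveTicketKey derives the 32-byte key for one epoch from the shared master
// secret with HMAC-SHA256; the master secret itself never reaches the TLS stack.
func deriveTicketKey(master []byte, epoch int64) [32]byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("tls-session-ticket-key|")) // assumed domain-separation label
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], uint64(epoch))
	mac.Write(e[:])
	var key [32]byte
	copy(key[:], mac.Sum(nil))
	return key
}

// ticketKeysAt returns the current epoch's key first (encrypts new tickets) and
// the previous epoch's key second (still decrypts), so a ticket issued just
// before a rotation resumes on servers that rotated a few seconds earlier.
func ticketKeysAt(master []byte, now time.Time) [][32]byte {
	epoch := epochFor(now)
	return [][32]byte{deriveTicketKey(master, epoch), deriveTicketKey(master, epoch-1)}
}

func main() {
	master := []byte("constructed-demo-master-secret") // constructed sample, not a real secret
	cfg := &tls.Config{}
	// Go encrypts new tickets with keys[0] and tries every listed key to decrypt.
	// Run this from a ticker on every terminator at least once per rotationPeriod.
	cfg.SetSessionTicketKeys(ticketKeysAt(master, time.Now()))
	fmt.Printf("installed ticket keys for epoch %d\n", epochFor(time.Now()))
}
```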

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.