Re: SSL termination for private domains

James Leavers

It sounds like we are in a similar situation to Carlo, i.e.

- We have an external pair of LBs
- These are used for SSL termination
- We upload SSL certificates to the LBs for various domains, which point
to the same VIP

If something became available that would easily allow app developers /
users to upload their own certificates, I too would happily move SSL
termination from the LBs to gorouter, as it would mean one less automation
workflow for us :-)

On 21 September 2016 at 02:04:48, Shannon Coen (scoen(a) wrote:

Carlo, Mike, others,

Do you store certs in the LB config itself, or federate/offload TLS
termination to some secure store? I'm thinking about storing user-provided
certs in the Routing API and offering them to routers/LBs from there. Would
we instead have to send the certs to some other proprietary system from
which the router/LB would then have to pull?

I've heard a few requests for integrating with systems that store the certs
so that the routers don't have access to the keys.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 5:44 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)> wrote:

Thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar
to the one described by Mike. We sit behind a bunch of SLBs that handle
termination for us. The main difference is that we're moving out of the
"one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a
choice we made exactly to keep options open when it comes to automating
this process.
The biggest pain comes from the fact that the SLB in our organization is
handled by a different team and that therefore every cert add/update/delete
operation requires a manual operation spanning three teams (application
team, our team, SLB team); in the worst cases such operations can take
days. We may be different in this from other CF operators, but this
situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to
dynamically apply certificates specified by the users (and operators) we
would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using
either nginx or a custom-built TLS terminator for this very purpose (the
main reason we're considering something custom-built is because it's
somewhat hard to get session ticket key rotation right with nginx when you
have multiple servers) - but if something functionally equivalent were to
appear upstream we would definitely prefer it.

I hope everything makes sense; if not, I'll gladly answer any question you
may have.

Thanks for looking into this!
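As an added illustration (not code from gorouter, the Routing API, or any of the posters), a sketch in Go of the two pieces Carlo's setup calls for: a store of user-provided certificates that is consulted per SNI name at handshake time, so certs can be added or replaced without a restart, and session ticket keys installed from a list shared by every terminator behind the single SNI VIP. CertStore and its methods are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"errors"
	"strings"
	"sync"
)

// CertStore keeps user-provided certificates keyed by hostname and hands them
// out per ClientHello. Hypothetical type for illustration, not gorouter's code.
type CertStore struct {
	mu     sync.RWMutex
	byHost map[string]*tls.Certificate
}

func NewCertStore() *CertStore { return &CertStore{byHost: map[string]*tls.Certificate{}} }

// Set installs or replaces the certificate for host at runtime.
func (s *CertStore) Set(host string, c *tls.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byHost[strings.ToLower(host)] = c
}

// GetCertificate is the tls.Config hook; it runs on every handshake, so it always
// sees the current store. Unknown SNI names are refused, not given another tenant's cert.
func (s *CertStore) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(h.ServerName, "."))
	s.mu.RLock()
	defer s.mu.RUnlock()
	if c, ok := s.byHost[name]; ok {
		return c, nil
	}
	return nil, errors.New("no certificate for " + name)
}

// TLSConfig wires the store in and installs session ticket keys taken from a store
// shared by all terminators, newest first. Every instance must hold the same list in
// the same order; drop the oldest key only once all instances have its replacement.
func (s *CertStore) TLSConfig(ticketKeys [][32]byte) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: s.GetCertificate}
	if len(ticketKeys) > 0 { // SetSessionTicketKeys panics on an empty list
		cfg.SetSessionTicketKeys(ticketKeys)
	}
	return cfg
}
```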
