Re: SSL termination for private domains

Home Messages Hashtags Subgroups

#5751

Re: SSL termination for private domains

Shannon Coen #5751 Thank you all for your responses. A follow up question: for the gorouter to host certs for multiple domains, it seems only natural that it would do this via SNI. Is client support for SNI ubiquitous among apps running on your CF deployments? Would it be reasonable to require client SNI support for TLS termination at gorouter? Thanks again. Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. toggle quoted message Show quoted text On Wed, Sep 21, 2016 at 5:52 AM, James Leavers <james(a)cloudhelix.io> wrote: It sounds like we are in a similar situation to Carlo, i.e. - We have an external pair of LBs - These are used for SSL termination - We upload SSL certificates to the LBs for various domains, which point to the same VIP If something became available that would easily allow app developers / users to upload their own certificates, I too would happily move SSL termination from the LBs to gorouter, as it would mean one less automation workflow for us :-) On 21 September 2016 at 02:04:48, Shannon Coen (scoen(a)pivotal.io) wrote: Carlo, Mike, others, Do you store certs in the LB config itself, or federate/offload TLS termination to some secure store? I'm thinking about storing user-provided certs in the Routing API and offering them to routers/LBs from there. Would we instead have to send the certs to some other proprietary system from where the router/LB would have to pull from? I've heard a few requests for integrating with systems that store the certs so that the routers don't have access to the keys. Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Tue, Sep 20, 2016 at 5:44 PM, Carlo Alberto Ferraris < carlo.ferraris(a)rakuten.com> wrote: Mike, thanks for keeping the ball rolling! For the TLS termination part we are currently using a setup very similar to the one described by Mike. We sit behind a bunch of SLBs that handle termination for us. The main difference is that we're moving out of the "one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a choice we made exactly to keep options open when it comes to automating this process. The biggest pain comes from the fact that the SLB in our organization is handled by a different team and that therefore every cert add/update/delete operation requires a manual operation spanning three teams (application team, our team, SLB team); in the worst cases such operations can take days. We may be different in this from other CF operators, but this situation happens fairly frequently. To put it simply, if CF (gorouter or a different component) had a way to dynamically apply certificates specified by the users (and operators) we would gladly switch away from our current setup. We were also considering (idea stage, nothing really planned yet) using either nginx or a custom-built TLS terminator for this very purpose (the main reason we're considering something custom built is because it's somewhat hard to get session ticket key rotation right with nginx when you have multiple servers) - but if something functionally equivalent were to appear upstream we would definitely prefer it. I hope everything makes sense, if not I'll gladly answer any question you may have. Thanks for looking into this! Carlo attachment.html
More All Messages By This Member

View All 16 Messages In Topic

#5751

Join {cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms