Re: Proposal: Improving Security for HTTP Ingress to CFAR Application Containers


Mike Youngstrom
 

We would probably not deploy the improved http ingress until tcp and ssh are both working.  Our priority from the improvements in http ingress have been more on the reliable side and less on the security side.  We haven't run into any NATS mis-routing requests issues for a while and we do have TCP customers.  So, we would probably prefer to keep riding our current NATS good luck streak than disrupt our TCP customers.

Great, thanks for letting me know. Just to clarify, route integrity on its own (enabled via https://github.com/cloudfoundry/cf-deployment/blob/master/operations/experimental/enable-routing-integrity.yml) is intended primarily to improve HTTP routing reliability in the face of NATS and other component failures, and is still compatible with both CF SSH and TCP routing. This proposed more secure mode is an opt-in configuration that depends on but is separate from that "basic" route integrity.

Also, we on the Diego team think that we've finally finished ironing out a minor edge case around making sure incoming requests are handled correctly when app instances are being shutdown gracefully, so we expect to work with Release Integration in the next month or so to promote that route-integrity ops file to be a stable one and then later to be the default configuration in cf-deployment.

Oh man, after re-reading your email it now makes sense.  To be honest I didn't actually read the document you provided since it wasn't open for read to everyone so I just assumed what was in there instead.  Sorry.

Typically in our environments we use network firewalls to force that ingress into the network zones holding CF instances only happen through Enterprise load balancers and only then to specific components, e.g. gorouter, ssh-proxy, tcp router, etc., and use security groups to stop apps talking directly to other containers.  Though I imagine in the future we may deploy to environments with less strict network firewall setups.  In such an environment this configuration option would be very useful and we probably would use it without TCP routing support if we had such a situation.  But we don't currently.

Thanks for helping me through this email. :)

Mike

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.