Re: Proposal: Improving Security for HTTP Ingress to CFAR Application Containers

Eric Malm <emalm@...>

On Thu, Aug 16, 2018 at 9:16 PM, Mike Youngstrom <youngm@...> wrote:
Oh man, after re-reading your email it now makes sense. To be honest I didn't actually read the document you provided since it wasn't open for reading to everyone, so I just assumed what was in there instead. Sorry.

Huh, something weird has been going on with the permissions on that document: this is the third time now that I've had to change them back to allowing global comments. If for some reason that reverts back to a more restricted mode (on this proposal document or any others I've posted here) please let me know via an access request or via email or Slack and I'll correct it again.
Typically in our environments we use network firewalls to force ingress into the network zones holding CF instances to happen only through Enterprise load balancers, and only then to specific components, e.g. gorouter, ssh-proxy, tcp router, etc., and use security groups to stop apps talking directly to other containers. Though I imagine in the future we may deploy to environments with less strict network firewall setups. In such an environment this configuration option would be very useful, and we probably would use it without TCP routing support if we had such a situation. But we don't currently.

Thanks for helping me through this email. :)

Sure, thanks for the extra feedback, and for hanging in there!
