github.com/rvaralda/deis@v1.4.1/docs/managing_deis/ssl-endpoints.rst

:title: SSL Endpoints
:description: Configure SSL termination for your Deis cluster


.. _ssl-endpoints:

SSL/TLS Endpoints
=================

SSL/TLS is the standard security technology for establishing an encrypted link
between a web server and a browser. This link ensures that all data passed between the web server
and browsers remains private and cannot be tampered with in transit.

To enable SSL for your cluster and all apps running upon it, you can add an SSL certificate and its
private key to your load balancer. You must either provide an SSL certificate that was registered
with a CA or provide your own self-signed SSL certificate.


Generating an SSL Certificate
-----------------------------

To generate your own self-signed SSL certificate for testing purposes, you can run the following:

.. code-block:: console

    $ openssl genrsa -out server.key 2048
    $ openssl req -new -key server.key -out server.csr

This will create a private key and a Certificate Signing Request (CSR). A CSR is typically sent to a
CA such as Verisign, but in this example we will be using it to sign our own SSL certificate.

Though most fields are self-explanatory, pay close attention to the following:

+--------------+-------------------------------------------------------------------------+
| Field        | Description                                                             |
+==============+=========================================================================+
| Country Name | The two letter code, in ISO 3166-1 format, of the country in which your |
|              | organization is based.                                                  |
+--------------+-------------------------------------------------------------------------+
| Common Name  | This is the fully qualified domain name that you wish to secure. In     |
|              | most cases, this will be a wildcard subdomain.                          |
+--------------+-------------------------------------------------------------------------+

To generate a temporary certificate which is good for 365 days, issue the following command:

.. code-block:: console

    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

.. note::

    Some SSL vendors like RapidSSL will secure both the root domain and the www subdomain if you
    set the Common Name to www.example.com.

    See your vendor's documentation for more information.
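
The three ``openssl`` steps above, scripted end to end as an added example (this is not part of the
Deis documentation). It fills in the CSR fields with ``-subj`` so no prompts appear, then performs
the two checks worth doing before a certificate goes anywhere near a load balancer or router: that
the private key really belongs to the certificate, and that the Common Name covers the host names
you expect. The working directory and the ``*.example.com`` Common Name are assumed values.

```shell
#!/bin/sh
# Added example, not part of the Deis docs: create the self-signed test
# certificate from the steps above without interactive prompts, then check
# the artefacts before installing them. Directory and CN are hypothetical.
set -eu

# Generate server.key, server.csr and a 365-day self-signed server.crt in
# $1 for Common Name $2. -subj fills in the CSR fields that the interactive
# "openssl req" would otherwise prompt for.
make_self_signed() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Org/CN=$cn" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print the Common Name from a certificate's subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Succeed only if private key $1 belongs to certificate $2 (same RSA modulus).
# A mismatched key/certificate pair is the most common reason a freshly
# installed certificate fails to load.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if certificate $1 is valid for host name $2. The certificate
# is used as its own trust anchor, which is what a self-signed certificate
# is. A wildcard CN such as *.example.com covers exactly one label
# (www.example.com) but not the bare domain (example.com).
cert_covers_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_self_signed "$d" '*.example.com'
    echo "CN: $(cert_cn "$d/server.crt")"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
    cert_covers_host "$d/server.crt" www.example.com && echo "covers www.example.com"
    cert_covers_host "$d/server.crt" example.com || echo "does not cover example.com"
    rm -rf "$d"
}
demo
```

``cert_covers_host`` is the check to run against the actual host names your apps are served on:
a wildcard certificate for ``*.example.com`` does not cover ``example.com`` itself, which is the
gap the vendor note above is about.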


Installing the SSL Certificate
------------------------------

On most cloud-based load balancers, you can install an SSL certificate onto the load balancer
itself. This is the recommended way of enabling SSL for a cluster, as any communication inbound to
the cluster will be encrypted while the internal components of Deis will still communicate over
HTTP. To enable SSL, you will need to open port 443 on the load balancer and forward it to port 80
on the routers. For EC2, you'll also need to add port 443 in the security group settings for your
load balancer.

See your vendor's specific instructions on installing SSL on your load balancer. For EC2, see their
documentation on `installing an SSL cert for load balancing`_. For Rackspace, see their
`Product FAQ`_.

Installing SSL on the Deis Routers
----------------------------------

You can also use the Deis routers to terminate SSL connections.
Use ``deisctl`` to install the certificate and private key:

.. code-block:: console

    $ deisctl config router set sslKey=<path-to-key> sslCert=<path-to-cert>

If your certificate has intermediate certs that need to be presented as part of a
certificate chain, append the intermediate certs after your server certificate in the file
you pass as the sslCert value.
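
Building and checking that bundle, as an added example that is not part of the Deis documentation.
The script constructs a throwaway PKI (root CA, intermediate CA, server certificate; all names and
the ``*.example.com`` Common Name are assumed values), concatenates the server certificate and the
intermediate into the file that would be handed to ``deisctl`` as ``sslCert``, and then verifies
two things a router cannot tell you about a bad bundle: that the certificates are in signing order
(server certificate first, each issuer following the certificate it signed) and that the server
certificate validates up to the root through the intermediates in the bundle.

```shell
#!/bin/sh
# Added example, not part of the Deis docs: build the file handed to deisctl as
# sslCert (server certificate first, intermediates appended after it) from a
# constructed test PKI, and check its order and chain before installing it.
# Directory, CA names and CN are hypothetical.
set -eu

# Build a throwaway PKI in $1: root CA -> intermediate CA -> server cert for CN $2.
make_test_pki() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/leaf.ext"
    for name in root int server; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    done
    openssl req -new -key "$dir/root.key" -subj '/CN=Example Root CA' -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -key "$dir/int.key" -subj '/CN=Example Intermediate CA' -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1825 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

# The sslCert file: server certificate first, then the intermediate(s) that
# signed it, closest to the server certificate first. The root is not included.
make_bundle() {
    cat "$1/server.crt" "$1/int.crt" > "$1/sslCert.pem"
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th (1-based) certificate of a PEM bundle.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ {i++} i==n {print}' "$1"
}

# Distinguished name of a certificate on stdin: "subject" or "issuer" in $1.
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 | sed 's/^[^=]*=//'
}

# Succeed only if bundle $1 starts with the server certificate for CN $2 and
# every certificate's issuer is the subject of the certificate that follows it.
bundle_in_order() {
    bundle=$1
    first_cn=$(nth_cert "$bundle" 1 | dn subject | sed 's/.*CN=\([^,]*\).*/\1/')
    [ "$first_cn" = "$2" ] || return 1
    n=$(count_certs "$bundle")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | dn issuer)
        subject=$(nth_cert "$bundle" $((i + 1)) | dn subject)
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
}

# Succeed only if the server certificate in bundle $1 chains up to root $2
# using only the intermediates carried in the bundle itself.
bundle_verifies() {
    bundle=$1
    n=$(count_certs "$bundle")
    nth_cert "$bundle" 1 > "$bundle.leaf"
    : > "$bundle.untrusted"
    i=2
    while [ "$i" -le "$n" ]; do
        nth_cert "$bundle" "$i" >> "$bundle.untrusted"
        i=$((i + 1))
    done
    openssl verify -CAfile "$2" -untrusted "$bundle.untrusted" "$bundle.leaf" >/dev/null 2>&1
}

# Stand-alone demo in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d" '*.example.com'
    make_bundle "$d"
    bundle_in_order "$d/sslCert.pem" '*.example.com' && echo "bundle order ok"
    bundle_verifies "$d/sslCert.pem" "$d/root.crt" && echo "chain verifies to root"
    rm -rf "$d"
}
demo
```

Run ``bundle_in_order`` and ``bundle_verifies`` (with your CA's published root instead of the
constructed one) on the exact file you pass to ``deisctl``; a bundle with the intermediate placed
before the server certificate, or with an intermediate missing, fails these checks but is accepted
by the ``config router set`` command without complaint.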

.. note::

    To secure all endpoints on the platform domain, you must use a wildcard certificate.


Redirecting traffic to HTTPS
----------------------------

Once your cluster is serving traffic over HTTPS, you can optionally instruct the router component
to forward all traffic on HTTP to HTTPS (application traffic and requests to the controller component).

This is achieved with ``deisctl``:

.. code-block:: console

    $ deisctl config router set enforceHTTPS=true


.. _`installing an SSL cert for load balancing`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
.. _`Product FAQ`: http://www.rackspace.com/knowledge_center/product-faq/cloud-load-balancers