github.com/technosophos/deis@v1.7.1-0.20150915173815-f9005256004b/docs/managing_deis/ssl-endpoints.rst

:title: SSL Endpoints
:description: Configure SSL termination for your Deis cluster


.. _platform_ssl:

Installing SSL for the Platform
===============================

SSL/TLS is the standard security technology for establishing an encrypted link
between a web server and a browser. This link ensures that data passed between the web server
and browsers stays confidential and cannot be altered in transit without detection.

To enable SSL for your cluster and all apps running upon it, you add an SSL private key and
certificate either to your load balancer or to the Deis routers. You must either provide an SSL
certificate issued by a CA or provide
:ref:`your own self-signed SSL certificate <creating_self_signed_ssl>` (clients will warn about
a self-signed certificate unless they have been configured to trust it).
    17  

.. _load_balancer_ssl:

Installing SSL on a Load Balancer
---------------------------------

On most cloud-based load balancers, you can install an SSL certificate onto the load balancer
itself. Inbound connections to the cluster are then encrypted only as far as the load balancer;
the internal components of Deis still communicate over plain HTTP, so the network between the
load balancer and the routers must be one you trust.

.. note::

    On AWS, Deis enables the :ref:`PROXY protocol <proxy_protocol>` by default, which requires
    installing :ref:`SSL on the Deis routers <router_ssl>` as described below.
    To terminate SSL at an Amazon ELB instead, disable the PROXY protocol with
    ``deisctl config router rm proxyProtocol`` and change the existing listener targets and
    health checks from TCP to HTTP.

To enable SSL, open port 443 on the load balancer and forward it to port 80 on the
routers. On AWS, you also need to allow inbound port 443 in the security group for your load
balancer.

See your vendor's specific instructions on installing SSL on your load balancer. For AWS, see their
documentation on `installing an SSL cert for load balancing`_.

.. _router_ssl:

Installing SSL on the Deis Routers
----------------------------------

You can also use the Deis routers to terminate SSL connections.
Use ``deisctl`` to install the certificate and private key:

.. code-block:: console

    $ deisctl config router set sslKey=<path-to-key> sslCert=<path-to-cert>

If your certificate was issued under intermediate CAs that must be presented as part of a
certificate chain, append the intermediate certs to the bottom of the sslCert value: the server
certificate comes first, followed by each intermediate in order, each one signed by the next. The
root CA certificate does not need to be included. Keep the private key file readable only by its
owner, and remember that once set, the key lives in the cluster's configuration store (etcd), so
anyone who can run ``deisctl config`` or read etcd can read the key.

.. note::

    Apps are served on subdomains of the platform domain, so to secure all endpoints on it you
    must use a wildcard certificate (for example, one issued for ``*.example.com``). A wildcard
    matches exactly one label: it does not cover deeper subdomains such as ``a.b.example.com``.
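
Before handing the files to ``deisctl``, it is worth checking that the private key matches the
certificate, that the chain is complete and has the server certificate on top, that the wildcard
really covers the hostnames Deis will serve, and that the key file is not world-readable. The
script below is an added example for this page, not part of Deis; it uses only POSIX ``sh`` and
``openssl``, and generates its own throwaway two-tier PKI for the demonstration (the
``example.com`` names, file names and the ``demo`` argument are assumptions).

```shell
#!/bin/sh
# Added example for this page, not Deis code: sanity-check the private key and
# certificate chain before `deisctl config router set sslKey=... sslCert=...`.
# Needs only POSIX sh and openssl. File names and example.com are assumptions.
set -e

# Assemble the sslCert value: server (leaf) certificate first, then each
# intermediate in order, each signed by the next one. The root CA is omitted.
build_chain() {
  out=$1
  shift
  cat "$@" > "$out"
}

# 0 if the private key and the certificate carry the same public key.
# Pass the assembled bundle as $2: openssl reads only the first certificate,
# so this also proves the server certificate sits at the top of the chain.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# 0 if the first certificate in the bundle chains up to the given root using
# only the intermediates found in the bundle, i.e. the bundle is complete.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# 0 if the certificate's names cover the hostname. A wildcard such as
# *.example.com matches exactly one label, so a.b.example.com is not covered.
cert_covers_host() {
  openssl x509 -in "$1" -checkhost "$2" | grep -q 'does match'
}

# 0 if the key file is readable by its owner only (mode 600 or 400).
# stat -c is GNU, stat -f is BSD/macOS.
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Constructed two-tier PKI for demonstration only (root -> intermediate -> leaf).
# Prints the directory holding root.pem, int.pem, int.key, leaf.pem, leaf.key.
make_demo_pki() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > "$d/leaf.ext"
  {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
      -keyout "$d/root.key" -out "$d/root.csr"
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
      -extfile "$d/ca.ext" -out "$d/root.pem"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
      -keyout "$d/int.key" -out "$d/int.csr"
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
      -keyout "$d/leaf.key" -out "$d/leaf.csr"
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem"
  } >/dev/null 2>&1
  chmod 600 "$d/leaf.key"
  echo "$d"
}

# Run every check against the demo PKI: `sh check-ssl.sh demo`.
if [ "${1:-}" = demo ]; then
  d=$(make_demo_pki)
  build_chain "$d/bundle.pem" "$d/leaf.pem" "$d/int.pem"
  key_matches_cert "$d/leaf.key" "$d/bundle.pem"  && echo "key matches the first certificate in the bundle"
  chain_verifies "$d/root.pem" "$d/bundle.pem"    && echo "chain is complete"
  cert_covers_host "$d/leaf.pem" app.example.com  && echo "wildcard covers app.example.com"
  cert_covers_host "$d/leaf.pem" a.b.example.com  || echo "wildcard does NOT cover a.b.example.com"
  key_is_private "$d/leaf.key"                    && echo "key file permissions are restrictive"
  echo "sslCert value: $d/bundle.pem   sslKey value: $d/leaf.key"
fi
```

For a real certificate, replace the demo files with your own: ``sslKey`` is the key file,
``sslCert`` is the bundle produced by ``build_chain``, and ``chain_verifies`` takes your CA
vendor's root certificate as its first argument. A bundle with the intermediate on top will pass
``chain_verifies`` (openssl happily verifies the intermediate) but fail ``key_matches_cert``,
which is why the key check is run against the bundle rather than the leaf file.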
    61  
    62  
    63  Redirecting traffic to HTTPS
    64  ----------------------------
    65  
    66  Once your cluster is serving traffic over HTTPS, you can optionally instruct the router component
    67  to forward all traffic on HTTP to HTTPS (application traffic and requests to the controller component).
    68  
    69  This is achieved with ``deisctl``:
    70  
    71  .. code-block:: console
    72  
    73      $ deisctl config router set enforceHTTPS=true
    74  
    75  
    76  .. _`installing an SSL cert for load balancing`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html