forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_xforwarded_client_cert_xfcc.html.md.erb
48 lines (48 loc) · 2.74 KB
/
_xforwarded_client_cert_xfcc.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Under **Configure support for the X-Forwarded-Client-Cert header**, configure PCF handles `x-forwarded-client-cert` (XFCC) HTTP headers based on where TLS is terminated for the first time in
your deployment.
<%= image_tag 'networking_xforwarded-client-cert-xfcc.png' %>
The following table indicates which option to choose based on your deployment layout.
<table class="nice">
<tr>
<th>If your deployment is configured as follows:</th>
<th>Then select the following option:</th>
<th>Additional notes:</th>
</tr>
<tr>
<td><ul><li>The Load Balancer is terminating TLS, and
<li>Load balancer is configured to put the client certificate from a mutual authentication TLS handshake into the X-Forwarded-Client-Cert HTTP header
</li>
</ul>
</td>
<td>TLS terminated for the first time at infrastructure load balancer (default).
</td>
<td>Both HAProxy and the Gorouter forward the XFCC header when included in the request.
</td>
</tr>
<tr>
<td><ul><li>The Load Balancer is configured to pass through the TLS handshake via TCP to the instances of HAProxy, and
<li>HAProxy instance count is > 0
</li>
</ul>
</td>
<td>TLS terminated for the first time at HAProxy.</td>
<td>HAProxy sets the XFCC header with the client certificate received in the TLS handshake. The Gorouter forwards the header.
<p class="note breaking"><strong>Breaking Change</strong>: In the <b>Router behavior for Client Certificates</b> field, you cannot select the <b>Router does not request client certificates</b> option.</p></td>
</tr>
<tr>
<td><ul><li>The Load Balancer is configured to pass through the TLS handshake via TCP to instances of the Gorouter
</li>
</ul>
<p> </p>
</td>
<td>TLS terminated for the first time at the Gorouter.
</td>
<td>
The Gorouter strips the XFCC header if it is included in the request and forwards the client certificate received in the TLS handshake in a new XFCC header. <br/><br/>
If you have deployed instances of HAProxy, app traffic bypasses those instances in this configuration. If you have also configured your load balancer to route requests for ssh directly to the Diego Brain, consider reducing HAProxy instances to 0.
<p class="note breaking"><strong>Breaking Change</strong>: In the <b>Router behavior for Client Certificates</b> field, you cannot select the <b>Router does not request client certificates</b> option.</p>
</td>
</tr>
</table>
<br/>
For a description of the behavior of each configuration option, see <a href="../concepts/http-routing.html#forward-client-cert">Forward Client Certificate to Applications</a>.