forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathssl-term-haproxy.html.md.erb
61 lines (47 loc) · 2.79 KB
/
ssl-term-haproxy.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
---
title: Configuring SSL/TLS Termination at HAProxy
owner: Ops Manager
---
Both Pivotal Application Service (PAS) and Isolation Segments for <%= vars.product_name_full %> include an HAProxy instance.
HAProxy is appropriate to use in a deployment when features are needed that are offered by HAProxy but are not offered by the CF Routers or IaaS-provided load balancers such as with Azure load balancers. These include filtering of protected domains from trusted networks.
While HAProxy instances provide load balancing for the Gorouters, HAProxy is not itself highly available. For production environments, use a highly-available load balancer to scale HAProxy horizontally. The load balancer does not need to terminate TLS or even operate at layer 7 (HTTP), as it can provide layer 4 load balancing of TCP connections. Use of HAProxy does not remove the need for CF Routers. The Gorouter must always be deployed for HTTP applications, and TCP Router for non-HTTP applications.
You can generate a self-signed certificate for HAProxy if you do not want to obtain a signed certificate from a well-known certificate authority.
##<a id="haproxy"></a>Procedure: Terminate SSL/TLS at HAProxy
<%= partial 'ssl_termin_haproxy_pcf' %>
##<a id="haproxy_dns"></a> How to Set Up DNS for HAProxy
You only need to perform this procedure if you are using one instance of HAProxy such as in a development environment. If you would like HAProxy to be highly available, you must have a load balancer in front of it. In this case, you would point DNS at the load balancer.
To use a single instance HAProxy load balancer in a vSphere or OpenStack deployment, create a wildcard A record in your DNS and configure some fields in the PAS product tile.
1. Create an A record in your DNS that points to the HAProxy IP address. The A
record associates the **System Domain** and **Apps Domain** that you configure
in the **Domains** section of the PAS tile with the HAProxy IP address.
<br />
<br />
For example, with `cf.example.com` as the main subdomain for your Cloud
Foundry (CF) deployment and an HAProxy IP address `203.0.113.1`, you must
create an A record in your DNS that serves `example.com` and points `*.cf`
to `203.0.113.1`.
<table >
<tr>
<th>Name</th>
<th>Type</th>
<th>Data</th>
<th>Domain</th>
</tr>
<tr>
<td>*.cf</td>
<td>A</td>
<td>203.0.113.1</td>
<td>example.com</td>
</tr>
</table>
1. Use the Linux `host` command to test your DNS entry. The `host` command
should return your HAProxy IP address.
<br />
<br />
Example:
<pre class='terminal'>
$ host cf.example.com
cf.example.com has address 203.0.113.1
$ host anything.example.com
anything.cf.example.com has address 203.0.113.1
</pre>