Skip to content
This repository has been archived by the owner on Nov 30, 2021. It is now read-only.

Commit

Permalink
docs(installing): add section on installing SSL
Browse files Browse the repository at this point in the history
This section explains and describes how you can install an SSL certificate onto your load
balancer for SSL encryption between the client and the server, as well as the
applications themselves.

Note that this commit is dependent upon #1010 to be merged before SSL encryption works with Deis.
  • Loading branch information
Matthew Fisher committed Jul 18, 2014
1 parent cdf3d6e commit 93118d1
Show file tree
Hide file tree
Showing 3 changed files with 67 additions and 3 deletions.
4 changes: 1 addition & 3 deletions docs/installing_deis/configure-load-balancers.rst
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,7 @@ These ports need to be open on the load balancers:
* 80 (for application traffic and for API calls to the controller)
* 2222 (for traffic to the builder)

Optionally, you can also open port 443 and configure SSL termination on the load balancers, but
requests should still be forwarded to port 80 on the routers. Communication between Deis components
is currently unencrypted.
If you want to configure SSL termination on your load balancer, see :ref:`ssl-endpoints`.

A health check should be configured on the load balancer to send an HTTP request to /health-check at
port 80 on all nodes in the Deis cluster. The health check endpoint returns an HTTP 200. This enables
Expand Down
1 change: 1 addition & 0 deletions docs/installing_deis/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,5 @@ Installing Deis
create-cluster
configure-load-balancers
configure-dns
ssl-endpoints
upgrading-deis
65 changes: 65 additions & 0 deletions docs/installing_deis/ssl-endpoints.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
:title: SSL Endpoints
:description: Configure SSL termination for your Deis cluster


.. _ssl-endpoints:

SSL Endpoints
=============

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link
between a web server and a browser. This link ensures that all data passed between the web server
and browsers remain private and integral.

To enable SSL for your cluster and all apps running upon it, you can add an SSL key to your load
balancer. You must either provide an SSL certificate that was registered with a CA or provide your
own self-signed SSL certificate.


Generating an SSL Certificate
-----------------------------

To generate your own self-signed SSL certificate for testing purposes, you can run the following:

.. code-block:: console
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
This will create a private key and a Certificate Signing Request. This CSR is typically sent to a
CA such as Verisign, but in this example we will be using it to sign our own SSL certificate.

Though most fields are self-explanatory, pay close attention to the following:

+--------------+-------------------------------------------------------------------------+
| Field | Description |
+==============+=========================================================================+
| Country Name | The two letter code, in ISO 3166-1 format, of the country in which your |
| | organization is based. |
+--------------+-------------------------------------------------------------------------+
| Common Name | This is the fully qualified domain name that you wish to secure. In |
| | most cases, this will be a wildcard subdomain. |
+--------------+-------------------------------------------------------------------------+

To generate a temporary certificate which is good for 365 days, issue the following command:

.. code-block:: console
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
.. note::

Some SSL vendors like RapidSSL will secure both the root domain and the www subdomain if you
set the Common Name to www.example.com

See your vendor's documentation for more information.


Installing the SSL Certificate
------------------------------

On most cloud-based load balancers, you can install a SSL certificate onto the load balancer
itself. This is the recommended way of enabling SSL onto a cluster, as any communication inbound to
the cluster will be encrypted while the internal components of Deis will still communicate over
HTTP. To enable SSL, you will need to open port 443 on the load balancer and forward it to port 80
on the routers. See your vendor's specific instructions on installing SSL on your load balancer.

0 comments on commit 93118d1

Please sign in to comment.