This repository has been archived by the owner on Nov 30, 2021. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs(installing): add section on installing SSL
This section explains and describes how you can install an SSL certificate onto your load balancer for SSL encryption between the client and the server, as well as the applications themselves. Note that this commit is dependent upon #1010 to be merged before SSL encryption works with Deis.
Matthew Fisher committed Jul 18, 2014
1 parent cdf3d6e, commit 93118d1
Showing 3 changed files with 67 additions and 3 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,4 +17,5 @@ Installing Deis | |
create-cluster | ||
configure-load-balancers | ||
configure-dns | ||
ssl-endpoints | ||
upgrading-deis |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
:title: SSL Endpoints | ||
:description: Configure SSL termination for your Deis cluster | ||
|
||
|
||
.. _ssl-endpoints: | ||
|
||
SSL Endpoints | ||
============= | ||
|
||
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link | ||
between a web server and a browser. This link ensures that all data passed between the web server | ||
and browsers remain private and integral. | ||
|
||
To enable SSL for your cluster and all apps running upon it, you can add an SSL key to your load | ||
balancer. You must either provide an SSL certificate that was registered with a CA or provide your | ||
own self-signed SSL certificate. | ||
|
||
|
||
Generating an SSL Certificate | ||
----------------------------- | ||
|
||
To generate your own self-signed SSL certificate for testing purposes, you can run the following: | ||
|
||
.. code-block:: console | ||
$ openssl genrsa -out server.key 2048 | ||
$ openssl req -new -key server.key -out server.csr | ||
This will create a private key and a Certificate Signing Request. This CSR is typically sent to a | ||
CA such as Verisign, but in this example we will be using it to sign our own SSL certificate. | ||
|
||
Though most fields are self-explanatory, pay close attention to the following: | ||
|
||
+--------------+-------------------------------------------------------------------------+ | ||
| Field | Description | | ||
+==============+=========================================================================+ | ||
| Country Name | The two letter code, in ISO 3166-1 format, of the country in which your | | ||
| | organization is based. | | ||
+--------------+-------------------------------------------------------------------------+ | ||
| Common Name | This is the fully qualified domain name that you wish to secure. In | | ||
| | most cases, this will be a wildcard subdomain. | | ||
+--------------+-------------------------------------------------------------------------+ | ||
|
||
To generate a temporary certificate which is good for 365 days, issue the following command: | ||
|
||
.. code-block:: console | ||
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt | ||
.. note:: | ||
|
||
Some SSL vendors like RapidSSL will secure both the root domain and the www subdomain if you | ||
set the Common Name to www.example.com | ||
|
||
See your vendor's documentation for more information. | ||
|
||
|
||
Installing the SSL Certificate | ||
------------------------------ | ||
|
||
On most cloud-based load balancers, you can install a SSL certificate onto the load balancer | ||
itself. This is the recommended way of enabling SSL onto a cluster, as any communication inbound to | ||
the cluster will be encrypted while the internal components of Deis will still communicate over | ||
HTTP. To enable SSL, you will need to open port 443 on the load balancer and forward it to port 80 | ||
on the routers. See your vendor's specific instructions on installing SSL on your load balancer. |
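Review bot: The "Installing the SSL Certificate" paragraph says "any communication inbound to the cluster will be encrypted", but with port 443 on the load balancer forwarded to port 80 on the routers, encryption ends at the load balancer and the hop from the load balancer to the routers is plain HTTP. Suggest wording it as "traffic between the client and the load balancer is encrypted", and stating that the network between the load balancer and the routers has to be trusted, with port 80 on the routers reachable only through the load balancer. In "Generating an SSL Certificate", `openssl genrsa -out server.key 2048` writes the private key unencrypted and the text never says how to handle it; add a sentence on restricting access to `server.key` and keeping it out of version control. The introduction says to "add an SSL key to your load balancer", which should read "SSL certificate and private key". Style: "a SSL certificate" should be "an SSL certificate", and "enabling SSL onto a cluster" reads better as "enabling SSL on a cluster".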