| 1 | +:title: SSL Endpoints |
| 2 | +:description: Configure SSL termination for your Deis cluster |
| 3 | + |
| 4 | + |
| 5 | +.. _ssl-endpoints: |
| 6 | + |
| 7 | +SSL Endpoints |
| 8 | +============= |
| 9 | + |
| 10 | +SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link |
| 11 | +between a web server and a browser. This link ensures that all data passed between the web server |
| 12 | +and browsers remain private and integral. |
| 13 | + |
| 14 | +To enable SSL for your cluster and all apps running upon it, you can add an SSL key to your load |
| 15 | +balancer. You must either provide an SSL certificate that was registered with a CA or provide your |
| 16 | +own self-signed SSL certificate. |
| 17 | + |
| 18 | + |
| 19 | +Generating an SSL Certificate |
| 20 | +----------------------------- |
| 21 | + |
| 22 | +To generate your own self-signed SSL certificate for testing purposes, you can run the following: |
| 23 | + |
| 24 | +.. code-block:: console |
| 25 | +
| 26 | + $ openssl genrsa -out server.key 2048 |
| 27 | + $ openssl req -new -key server.key -out server.csr |
| 28 | +
| 29 | +This will create a private key and a Certificate Signing Request. This CSR is typically sent to a |
| 30 | +CA such as Verisign, but in this example we will be using it to sign our own SSL certificate. |
| 31 | + |
| 32 | +Though most fields are self-explanatory, pay close attention to the following: |
| 33 | + |
| 34 | ++--------------+-------------------------------------------------------------------------+ |
| 35 | +| Field | Description | |
| 36 | ++==============+=========================================================================+ |
| 37 | +| Country Name | The two letter code, in ISO 3166-1 format, of the country in which your | |
| 38 | +| | organization is based. | |
| 39 | ++--------------+-------------------------------------------------------------------------+ |
| 40 | +| Common Name | This is the fully qualified domain name that you wish to secure. In | |
| 41 | +| | most cases, this will be a wildcard subdomain. | |
| 42 | ++--------------+-------------------------------------------------------------------------+ |
| 43 | + |
| 44 | +To generate a temporary certificate which is good for 365 days, issue the following command: |
| 45 | + |
| 46 | +.. code-block:: console |
| 47 | +
| 48 | + $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt |
| 49 | +
| 50 | +.. note:: |
| 51 | + |
| 52 | + Some SSL vendors like RapidSSL will secure both the root domain and the www subdomain if you |
| 53 | + set the Common Name to www.example.com |
| 54 | + |
| 55 | + See your vendor's documentation for more information. |
| 56 | + |
| 57 | + |
| 58 | +Installing the SSL Certificate |
| 59 | +------------------------------ |
| 60 | + |
| 61 | +On most cloud-based load balancers, you can install a SSL certificate onto the load balancer |
| 62 | +itself. This is the recommended way of enabling SSL onto a cluster, as any communication inbound to |
| 63 | +the cluster will be encrypted while the internal components of Deis will still communicate over |
| 64 | +HTTP. To enable SSL, you will need to open port 443 on the load balancer and forward it to port 80 |
| 65 | +on the routers. See your vendor's specific instructions on installing SSL on your load balancer. |
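Review bot: the `openssl genrsa -out server.key 2048` step writes the private key to disk unencrypted and the text never says how that file must be handled; add a sentence after the CSR paragraph that `server.key` is to be kept private (for example `chmod 600 server.key`) and installed only on the load balancer, because with termination at the balancer it is the single secret protecting every app on the cluster. Two smaller points in the same hunk: the Common Name row should note that browsers match the hostname against the certificate's Subject Alternative Name rather than the CN alone, so the wildcard name has to appear in the SAN of the certificate issued by the CA; and the closing paragraph ("forward it to port 80 on the routers") should state plainly that traffic between the load balancer and the routers is plaintext and relies on the provider network being trusted, so readers do not assume end-to-end encryption.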