Configuring SSL/TLS Termination at HAProxy
Pivotal recommends that you use HAProxy in lab and test environments only. Production environments should instead use a highly-available customer-provided load balancing solution.
CF deploys with a single instance of HAProxy for use in lab and test environments. You can use this HAProxy instance for SSL termination and load balancing to the PCF Routers.
You can generate a self-signed certificate for HAProxy if you do not want to obtain a signed certificate from a well-known certificate authority.
To use the HAProxy load balancer, you must create a wildcard A record in your DNS and configure some fields in the Elastic Runtime product tile.
Create an A record in your DNS that points to the HAProxy IP address. The A record associates the System Domain and Apps Domain that you configure in the Domains section of the Elastic Runtime tile with the HAProxy IP address.
For example, with cf.example.com as the main subdomain for your Cloud Foundry (CF) deployment and an HAProxy IP address of 203.0.113.1, you must create an A record in your DNS that serves:

    Name    Type    Data           Domain
    *.cf    A       203.0.113.1    example.com
Use the Linux host command to test your DNS entry. The host command should return your HAProxy IP address:

    $ host cf.example.com
    cf.example.com has address 203.0.113.1
    $ host anything.cf.example.com
    anything.cf.example.com has address 203.0.113.1
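The DNS check above, turned into a script that tests the bare domain and several names under the wildcard record against the HAProxy address. This is an added example, not part of the Pivotal documentation; it assumes the host command is installed and reuses the page's sample values 203.0.113.1 and cf.example.com. The hostnames api., login. and anything. are illustrative.

```shell
#!/bin/sh
# Added example (not from the Pivotal docs): check that the system domain and
# a sample of hostnames under the wildcard record all resolve to the HAProxy
# address before pointing the Elastic Runtime tile at it.
# Assumptions: the host command is installed; the domain and address below are
# the sample values used on this page.

HAPROXY_IP="203.0.113.1"
SYSTEM_DOMAIN="cf.example.com"

# resolve NAME -> prints the A-record addresses NAME resolves to, one per line.
# Wraps the host command so the checks below never shell out directly.
resolve() {
    host "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# check_name NAME EXPECTED_IP -> 0 when NAME resolves to EXPECTED_IP and nothing else.
# A name that resolves to an extra or different address is a failure: some
# requests would then bypass the HAProxy instance that terminates TLS.
check_name() {
    name=$1
    expected=$2
    addrs=$(resolve "$name")
    if [ -z "$addrs" ]; then
        echo "FAIL: $name does not resolve"
        return 1
    fi
    for a in $addrs; do
        if [ "$a" != "$expected" ]; then
            echo "FAIL: $name -> $a (expected $expected)"
            return 1
        fi
    done
    echo "OK:   $name -> $expected"
    return 0
}

# check_all -> 0 only when the bare domain and several wildcard-covered names all pass.
check_all() {
    rc=0
    for n in "$SYSTEM_DOMAIN" "api.$SYSTEM_DOMAIN" "login.$SYSTEM_DOMAIN" "anything.$SYSTEM_DOMAIN"; do
        check_name "$n" "$HAPROXY_IP" || rc=1
    done
    return $rc
}

# Run the live check only when invoked as: sh verify_dns.sh run
case "${1:-}" in
    run) check_all ;;
esac
```

Run it with `sh verify_dns.sh run` after the A record has propagated; a non-zero exit means at least one name resolves to nothing, or to an address other than HAProxy.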
In PCF, perform the following steps to configure SSL termination on HAProxy:

1. Navigate to the Ops Manager Installation Dashboard.
2. Click the Elastic Runtime tile in the Installation Dashboard.
3. For PCF deployments on OpenStack or vSphere, enter the HAProxy IP address that you used to set up the wildcard DNS record in the HAProxy IPs field. For more information, see the Elastic Runtime networking configuration topic for OpenStack or vSphere. For PCF deployments on AWS or Azure, leave the HAProxy IP address blank.
4. Under Select one of the point-of-entry options, select the third option, Forward SSL to HA Proxy.
5. Enter your PEM-encoded certificate and your PEM-encoded private key in the fields under SSL Termination Certificate and Private Key. You can either upload your own certificate or generate an RSA certificate in Elastic Runtime. For options and instructions on creating a certificate for your wildcard domains, see Creating a Wildcard Certificate for PCF Deployments.
6. If you want HAProxy to allow only HTTPS traffic, select Disable HTTP traffic to HAProxy.
7. If you want HAProxy to use a specific set of SSL ciphers, configure HAProxy SSL Ciphers: enter a colon-separated list of custom SSL ciphers to pass to HAProxy. Otherwise, leave this field blank.
8. If you expect requests larger than the default maximum of 16 Kbytes, enter a new value (in bytes) for Request Max Buffer Size. You may need to do this, for example, to support apps that embed large cookie or query string values in headers.
9. If you are not using SSL encryption, or if you are using self-signed certificates, you can select Disable SSL certificate verification for this environment. Selecting this checkbox also disables SSL verification for route services.
   Use this checkbox only for development and testing environments. Do not select it for production environments.
10. Complete the rest of the Networking configuration screen, and click Save.
11. For PCF deployments on Azure or AWS, configure the HAProxy job in the Resource Config page of the Elastic Runtime tile. For more information, see the Elastic Runtime installation instructions for Azure or AWS.
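As an added example that is not part of the Pivotal documentation: a script that generates a self-signed PEM certificate and private key for the wildcard domain (the two values the SSL Termination Certificate and Private Key fields take, suitable for lab environments only) and then verifies that the certificate HAProxy presents on port 443 actually covers the system domain and hostnames under it. It assumes OpenSSL 1.1.1 or later (for the -addext and x509 -ext options) and reuses the page's sample values cf.example.com and 203.0.113.1; the hostnames api. and myapp. are illustrative. The wildcard matching follows the one-label rule, so the script will flag a certificate whose only name is *.cf.example.com as not covering cf.example.com itself.

```shell
#!/bin/sh
# Added example (not from the Pivotal docs): create a self-signed wildcard
# certificate for lab use and check that the certificate HAProxy actually
# serves covers the system domain and hostnames under it.
# Assumptions: OpenSSL 1.1.1 or later; the domain and address are the sample
# values used on this page; HAProxy terminates HTTPS on port 443.

HAPROXY_IP="203.0.113.1"
SYSTEM_DOMAIN="cf.example.com"

# make_lab_cert OUTDIR -> writes OUTDIR/haproxy.key and OUTDIR/haproxy.pem, a
# self-signed RSA certificate covering the bare domain and one level below it.
make_lab_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/haproxy.key" -out "$1/haproxy.pem" \
        -subj "/CN=*.$SYSTEM_DOMAIN" \
        -addext "subjectAltName=DNS:$SYSTEM_DOMAIN,DNS:*.$SYSTEM_DOMAIN"
}

# wildcard_matches NAME PATTERN -> 0 when PATTERN covers NAME.
# A wildcard covers exactly one label: *.cf.example.com matches
# api.cf.example.com but neither cf.example.com nor a.b.cf.example.com.
wildcard_matches() {
    name=$1
    pattern=$2
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}
            label=${name%%.*}
            rest=${name#*.}
            if [ "$rest" != "$name" ] && [ -n "$label" ] && [ "$rest" = "$suffix" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            if [ "$name" = "$pattern" ]; then
                return 0
            fi
            return 1
            ;;
    esac
}

# san_covers NAME SAN_LINE -> 0 when any DNS entry of a subjectAltName line such as
# "DNS:cf.example.com, DNS:*.cf.example.com" covers NAME. Non-DNS entries are ignored.
san_covers() {
    name=$1
    entries=$(printf '%s\n' "$2" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p')
    for entry in $entries; do
        if wildcard_matches "$name" "$entry"; then
            return 0
        fi
    done
    return 1
}

# served_sans HOST PORT SNI -> prints the subjectAltName entries of the leaf
# certificate presented by HOST:PORT for server name SNI (empty if none).
served_sans() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | sed -n '2p'
}

# check_served_cert -> 0 only when the served certificate covers every name checked.
check_served_cert() {
    sans=$(served_sans "$HAPROXY_IP" 443 "$SYSTEM_DOMAIN")
    if [ -z "$sans" ]; then
        echo "FAIL: no certificate with a subjectAltName returned by $HAPROXY_IP:443"
        return 1
    fi
    rc=0
    for n in "$SYSTEM_DOMAIN" "api.$SYSTEM_DOMAIN" "myapp.$SYSTEM_DOMAIN"; do
        if san_covers "$n" "$sans"; then
            echo "OK:   $n is covered by [$sans]"
        else
            echo "FAIL: $n is not covered by [$sans]"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh haproxy_cert.sh gen [OUTDIR]   or   sh haproxy_cert.sh check
case "${1:-}" in
    gen)   make_lab_cert "${2:-.}" ;;
    check) check_served_cert ;;
esac
```

Generate the lab certificate with `sh haproxy_cert.sh gen ./certs`, paste the contents of haproxy.pem and haproxy.key into the tile, and after the deployment applies run `sh haproxy_cert.sh check`; a FAIL line for the bare domain means the certificate carries only the wildcard name and browsers will reject https://cf.example.com.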