Securing System and App Endpoints

Page last updated:

This topic describes how to create a public-facing website and an intranet microservice in the same app.

The configuration described in this topic may be ideal for those in financial or health sectors who need extra security and convenience managing internal and external services. If the configuration is successful, developers can only use the Cloud Foundry Command Line Interface (cf CLI) command cf push from approved network paths.


Before beginning your configuration, you will need to have registered three domains through your trusted DNS provider:

  • A System Domain for Pivotal Application Service (PAS) and its accompanying tile services

  • An Apps Domain for your intranet microservice

  • An additional domain for the public-facing portions of your app

Note: Pivotal recommends that you use the same domain name but different subdomain names for your system and app domains. Doing so allows you to use a single wildcard certificate for the domain while preventing apps from creating routes that overlap with system routes.

Step 1: Configure System and Apps Domains

  1. Log in to your Pivotal Cloud Foundry (PCF) Ops Manager

  2. Click the Pivotal Application Service tile.

    Pas tile

  3. Select the Domains pane.

  4. Enter the System Domain and Apps Domain defined in the prerequisites above.


  5. Navigate to your DNS provider to create A records that point from your apps domains to the public IP address of your load balancer.

  6. Click Save.

Step 2: Secure Apps Domain with HAProxy

WARNING: This method is easy to implement but may not be the best option for your security needs. Contact Pivotal Support if you seek a custom solution to building secure, internal services.

Note: Pivotal supports HAProxy by default. However, you may configure an internal domain using any load balancer you choose that supports host header filtering.

  1. Select the Networking pane.

  2. Enter HAProxy Protected Domains. The domain you enter will be the same domain as the Apps Domain defined in prerequisites.

  3. Enter HAProxy Trusted CIDRs separated by spaces. This field is to specify CIDRs allowed to make requests to the domains listed in the Protected Domains field. For example, entering would allow any requests originating at a host IP in that range to reach applications or services hosted on the Protected Domains list.

  4. (Optional)

    If you want to force browsers to use HTTPS when making requests to HAProxy, select Enable in the HAProxy support for HSTS field and complete the following optional configuration steps: This image depicts the HSTS configuration fields for HAProxy. Explanations of these fields follow.

    1. (Optional) Enter a Max Age in Seconds for the HSTS request. HAProxy forces HTTPS requests from browsers for the duration of this setting. The maximum age is one year, or 31536000 seconds.
    2. (Optional) Enable the Include Subdomains checkbox to force browsers to use HTTPS requests for all component subdomains.
    3. (Optional) Enable the Enable Preload checkbox to force instances of Google Chrome, Firefox, and Safari that access your HAProxy to refer to their built-in lists of known hosts that require HTTPS, of which HAProxy is one. This ensures that the first contact a browser has with your HAProxy is an HTTPS request, even if the browser has not yet received an HSTS header from HAProxy.

  5. (Optional) Configure an additional HAProxy for BOSH to secure your public-facing domain with credentials. See proxy-boshrelease on GitHub for more information.

Step 3: (Optional) Enable an Authentication Service

For added security, you may want to install an authentication service to your private domain like Single Sign-on (SSO). For more information about SSO, see Single Sign-On Overview.