Securing System and App Endpoints

This topic describes how to create a public-facing website and an intranet microservice in the same app.

The configuration described in this topic may be ideal for those in financial or health sectors who need extra security and convenience managing internal and external services. If the configuration is successful, developers can only use the Cloud Foundry Command Line Interface (cf CLI) command cf push from approved network paths. For more information about cf push, see the push section of the cf CLI documentation.

Prerequisites

Before beginning your configuration, you must register three domains through your trusted DNS provider:

  • A system domain for Pivotal Application Service (PAS) and its accompanying tile services

  • An apps domain for your intranet microservice

  • An additional domain for the public-facing portions of your app

Note: Pivotal recommends that you use the same domain name but different subdomain names for your system and app domains. Doing so allows you to use a single wildcard certificate for the domain while preventing apps from creating routes that overlap with system routes.

Step 1: Configure System and Apps Domains

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Pivotal Application Service tile.

  3. Select Domains.

  4. Enter the System domain and Apps domain defined in Prerequisites.

    The page header says 'Domains'. Below this header is the text 'For help configuring these fields, see the Configure Domains section of the Configuring PAS topic in the PCF documentation,' with 'Configure Domain' in blue letters to denote a clickable link. Below this text are two fields labeled 'System domain' and 'Apps domain', with red asterisks to denote that they are required fields. The 'System domain' field contains the ghost text 'system.example.com'. The 'Apps domain' field contains the ghost text 'apps.example.com'. At the bottom of the image is a rectangular blue button labeled 'Save'.

  5. Navigate to your DNS provider to create A records that point from your apps domains to the public IP address of your load balancer.

  6. Click Save.

Step 2: Secure Apps Domain with HAProxy

Warning: This method is easy to implement but may not be the best option for your security needs. Contact Pivotal Support if you seek a custom solution to building secure, internal services.

Note: Pivotal supports HAProxy by default. However, you may configure an internal domain using any load balancer you choose that supports host header filtering.

  1. In the PAS tile, select Networking.

  2. Enter HAProxy protected domains. The domain you enter should be the same domain as the Apps domain defined in Prerequisites.

  3. Enter HAProxy trusted CIDRs, separated by spaces. This specifies CIDRs allowed to make requests to the domains listed in the HAProxy protected domains field. For example, entering 10.0.1.0/24 would allow any requests originating at a host IP in that range to reach apps or services hosted on the HAProxy protected domains list.

  4. (Optional)

    If you want to force browsers to use HTTPS when making requests to HAProxy, select Enable under HAProxy support for HSTS and complete the following optional configuration steps: This image depicts the HSTS configuration fields for HAProxy. Under the text 'HAProxy support for HSTS', there is a selected radio button labeled 'Enable' Under this option is a field labeled 'Maximum age', with a red asterisk to denote that it is a required field, containing the text '31536000'. Under this field are two disabled checkboxes labeled 'Include subdomains' and 'Enable preload'. Under these checkboxes is another radio button labeled 'Disable'.

    • Maximum age in seconds for the HSTS request. HAProxy forces HTTPS requests from browsers for the duration of this setting. The maximum age is one year, or 31536000 seconds.
    • Enable the Include subdomains checkbox to force browsers to use HTTPS requests for all component subdomains.
    • Enable the Enable preload checkbox to force instances of Google Chrome, Firefox, and Safari that access your HAProxy to refer to their built-in lists of known hosts that require HTTPS, of which HAProxy is one. This ensures that the first contact a browser has with your HAProxy is an HTTPS request, even if the browser has not yet received an HSTS header from HAProxy.

  5. (Optional) Configure an additional HAProxy for BOSH to secure your public-facing domain with credentials. For more information, see proxy-boshrelease on GitHub.

Step 3: (Optional) Enable an Authentication Service

For added security, you may want to install an authentication service to your private domain like Single Sign-on (SSO). For more information about SSO, see Single Sign-On Overview.