forked from cloudfoundry/docs-cf-admin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
_gorouter_client_cert_oss.html.md.erb
15 lines (10 loc) · 2.05 KB
/
_gorouter_client_cert_oss.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Operators may change this behavior with the property `router.client_cert_validation`. This property accepts the following values:
* `none`: The Gorouter does not request client certificates in TLS handshakes so clients will not provide them and validation of client certificates does not occur. This option is incompatible with `forwarded_client_cert: forward` or `forwarded_client_cert: sanitize_set` XFCC configurations because these options require mutual authentication.
* `request`: The Gorouter requests client certificates in TLS handshakes. The handshake will fail if the client certificate is not signed by a CA configured in `router.ca_certs`. This is the default configuration.
* `require`: The Gorouter requests client certificates in TLS handshakes. The handshake will fail if a client cert is not provided or if the client certificate is not signed by a CA that the Gorouter trusts.
The behavior controlled by this property is global; it applies to all requests received by Gorouters so configured.
If Gorouter is the first point of TLS termination (your load balancer does not terminate TLS, and passes the request through to Gorouter over TCP), consider the following:
* Only option `none` should be used for Gorouters receiving requests for the system domain. Many clients of CF platform APIs do not present client certificates in TLS handshakes, so the first point of TLS termination for requests to the system domain must not request them.
* All options may be used for Gorouters receiving requests only for app domains, as when dedicated routers are used for an Isolation Segment.
* Options `request` and `require` will trigger browsers to prompt users to select a certificate if the browser is not already configured with a certificate signed by one of the CAs configured in `router.ca_certs`.
If Gorouter is not the first point of TLS termination, this property can be used to secure communications between the Load Balancer and Gorouter. Gorouter must be configured with the CA used to sign the client certification the load balancer will present, using `router.ca_certs`.