Setup SSL on cloudfoundry landscape

Carsten Otto edited this page Oct 21, 2015 · 28 revisions

Overview

The default installation of cloudfoundry is configured to communicate over http. This article will walk you through the process of setting up secure communication over ssl. After completing the steps below your cloudfoundry landscape will have both http and https endpoints as shown on the picture below. Note that ssl is terminated on the router level, so all internal communication is plain http. As of today it is not trivial to enable internal ssl communication.

ssl

This is the typical distributed cloudfoundry setup we'll be working with. It is important to mention that nginx and router nodes are running on the same machine. The nginx just sets some headers and forwards requests to the router via a unix domain socket.

Okay, enough talk, let's get down to business!

Open ssl port on the load balancer

Typically a load balancer is the first to handle client requests. In order to enable secure communication you have to open port 443 for ssl messages. You also have to configure the load balancer to reencrypt the messages before passing them on to nginx and the router. This configuration is product specific (Apache, Zeus, etc) so I won't get into more details here.

Recompile nginx with ssl module

The nginx server that cloudfoundry installs by default has no ssl support. In order to enable ssl support you have to download the sources and compile it with --with-http_ssl_module option. Run the following command nginx -V. This will print all compile-time options of nginx. Copy these options and recompile nginx with the same options plus the --with-http_ssl_module. Note that you need to have OpenSSL installed! Here is the complete set of steps:

  1. Download the latest sources with wget http://nginx.org/download/nginx-0.7.69.tar.gz
  2. Extract the archive with tar -xzf nginx-0.7.69.tar.gz
  3. cd nginx-0.7.69
  4. Execute nginx -V - this will show the compiletime opts of nginx. Copy these options.
  5. Execute ./configure with the options from step 4 plus the extra option --with-http_ssl_module
  6. Execute make
  7. Execute make install

Note: If make complains that there is an unused argument warning that is being treated as error go to nginx-0.7.69/obj/Makefile and remove the -Werror option of gcc

Configure nginx to listen for ssl on port 443

Now that you have nginx with ssl module enabled you have to configure port 443 to listen for https traffic. Here is how to do that.

That's it

Congratulations, now you have a secure channel to communicate with your landscape. Remember that all internal communication is plain http, as the router does not reencrypt the messages it receives.

Note: All services communicate with the cloud controller over http to send their service offerings and to fetch their service handles. Currently you cannot have them send https out of the box, so I recommend that you leave both http and https channels open. Otherwise your services will not work. An alternative solution may be to configure your services to send their offerings directly to cloud controller host:port, so that they do not have to cope with encryption.