This repository has been archived by the owner on Nov 29, 2017. It is now read-only.

cloudfoundry-community-attic/sslproxy-boshrelease


Bosh release for a SSL Proxy

One of the fastest ways to get an SSL proxy in front of your Cloud Foundry router, running on any infrastructure, is to deploy this BOSH release.

Usage

To use this BOSH release, first upload it to your bosh:

bosh upload release https://bosh.io/d/github.com/cloudfoundry-community/sslproxy-boshrelease?v=6

To deploy it you will need the source repository that contains the example manifests and templates. Check out the tag that matches the release version you uploaded:

git clone https://github.com/cloudfoundry-community/sslproxy-boshrelease.git
cd sslproxy-boshrelease
git checkout v5

Now update the examples/openstack*.yml with your settings (search for #CHANGE).

Finally, target and deploy. For deployment to a bosh running on openstack:

bosh deployment examples/dns.yml
bosh verify deployment
bosh deploy

The bosh verify deployment command is a local bosh CLI plugin that pre-verifies your deployment file for correctness and checks that the SSL certificate and key belong together, so that a mismatch is caught before the deploy rather than when the proxy fails to start.

Self-signed certificates by default

By default you do not need to provide a CA-signed SSL certificate; the release falls back to a self-signed one. This is very useful for dev/test deployments.

It will mean that Chrome users, for example, will see the red-screen-of-fear, because the certificate is not signed by any CA the browser trusts. A self-signed certificate still encrypts the connection, but it gives clients no way to tell your proxy from a man-in-the-middle presenting another self-signed certificate, and it trains users to click through warnings. So it's not ideal for production and your lovely end users.

BYO certificates

For production you will want to configure your SSL proxy with a CA-signed certificate. You will need two files (or their contents):

  • certificate key without a passphrase (the proxy starts unattended, so it cannot prompt for one)
  • certificate (with chained intermediate certificates)

Both end up in plain text in your deployment manifest, so treat the manifest as a secret: keep it out of public repositories and restrict who can read it.

The certificate key file will likely have a .key suffix and its contents will look like:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA5y0/Mzx0t5cMTCvXHocTjF7XCYLxP0EKwA2eI41q+tMblQ7m
...
N2bfPlzHpvFMOBsoQBK1XzrbobeZ7h96yLIw5tFwcO4P6ASCJeQt
-----END RSA PRIVATE KEY-----

The chained certificate file will contain multiple certificates. The top one is the certificate issued for your domain (the one you purchased). Downwards in the file are the intermediate certificates, each signed by the one after it, finishing with the root certificate. You may need to construct the chained certificate yourself from the files your CA sent you. Sending the root is optional, since clients must already trust it, but a missing or out-of-order intermediate will make browsers reject the chain even though the leaf certificate is perfectly valid.

For example, the chained certificate contents will look like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The content of these two files will now be added to the properties section of your deployment file:

properties:
  router:
    servers:
      - 0.router.default.cf.microbosh
      - 1.router.default.cf.microbosh

  sslproxy:
    https:
      ssl_key: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEowIBAAKCAQEA5y0/Mzx0t5cMTCvXHocTjF7XCYLxP0EKwA2eI41q+tMblQ7m
        ...
        N2bfPlzHpvFMOBsoQBK1XzrbobeZ7h96yLIw5tFwcO4P6ASCJeQt
      ssl_cert: |
        -----BEGIN CERTIFICATE-----
        MIIFAzCCA+ugAwIBAgIDAeiTMA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

Note, the | after ssl_key: and ssl_cert: means the following indented lines are a literal block scalar: a multi-line string in which the end-of-line \n characters are retained. Keep the indentation of every line of the PEM consistent, since the indentation is what delimits the block.
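The checks that matter before a deploy are the ones the verify step above is for: the key has no passphrase, the key belongs to the first certificate in ssl_cert, and the chain is in leaf-to-root order with each certificate signed by the next. The following is an added example, not the repository's plugin or any bosh CLI code. It is in Ruby because the bosh CLI and its plugins were Ruby programs. It reads the properties.sslproxy.https section from a manifest string (so it also exercises the | block scalars), reports every problem it finds, and ships with a constructed throwaway root/intermediate/leaf chain so it runs offline; the names demo_chain, demo_manifest, make_cert and the *.cf.example.com subject are assumptions made for the example.

```ruby
require 'openssl'
require 'yaml'

# Split a PEM bundle into certificate objects, top to bottom.
def parse_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |blob| OpenSSL::X509::Certificate.new(blob) }
end

# Returns an array of problems found in properties.sslproxy.https;
# an empty array means the key and chain are consistent.
def check_ssl_properties(manifest_yaml)
  problems = []
  https = YAML.safe_load(manifest_yaml).dig('properties', 'sslproxy', 'https') || {}
  key_pem  = https['ssl_key'].to_s
  cert_pem = https['ssl_cert'].to_s
  problems << 'ssl_key is missing'  if key_pem.strip.empty?
  problems << 'ssl_cert is missing' if cert_pem.strip.empty?
  return problems unless problems.empty?

  # An unattended proxy cannot type a passphrase, so the key must be unencrypted.
  return problems << 'ssl_key is passphrase-protected; export it without a passphrase' if key_pem.include?('ENCRYPTED')

  begin
    key = OpenSSL::PKey.read(key_pem)
  rescue OpenSSL::PKey::PKeyError => e
    return problems << "ssl_key does not parse: #{e.message}"
  end

  chain = parse_chain(cert_pem)
  return problems << 'ssl_cert contains no PEM certificates' if chain.empty?

  leaf = chain.first
  problems << 'ssl_key does not match the first certificate in ssl_cert' unless leaf.check_private_key(key)

  # Order matters: certificate N must be issued (and signed) by certificate N+1.
  chain.each_cons(2).with_index(1) do |(child, parent), n|
    next if child.issuer.to_s == parent.subject.to_s && child.verify(parent.public_key)
    problems << "certificate #{n} is not signed by certificate #{n + 1}: chain out of order or incomplete"
  end

  now = Time.now
  problems << 'leaf certificate is expired or not yet valid' unless leaf.not_before <= now && now <= leaf.not_after
  problems
end

# --- Constructed test material: a throwaway root -> intermediate -> leaf chain, not a real CA. ---
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [leaf_key, [leaf, intermediate, root]] in the order the manifest expects.
def demo_chain
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.generate(2048) }
  root = make_cert('/CN=Demo Root CA', root_key, ca: true, serial: 1)
  int  = make_cert('/CN=Demo Intermediate CA', int_key, issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  leaf = make_cert('/CN=*.cf.example.com', leaf_key, issuer_cert: int, issuer_key: int_key, serial: 3)
  [leaf_key, [leaf, int, root]]
end

# Emits a manifest fragment in the shape shown above; Psych writes the PEMs as | block scalars.
def demo_manifest(key_pem, certs)
  { 'properties' => { 'sslproxy' => { 'https' => {
    'ssl_key' => key_pem, 'ssl_cert' => certs.map(&:to_pem).join } } } }.to_yaml
end

if $PROGRAM_NAME == __FILE__
  leaf_key, certs = demo_chain
  puts 'correct order:  ' + check_ssl_properties(demo_manifest(leaf_key.to_pem, certs)).inspect
  puts 'reversed order: ' + check_ssl_properties(demo_manifest(leaf_key.to_pem, certs.reverse)).inspect
end
```

To check a real manifest, pass File.read('examples/openstack.yml') (or whichever file you edited) to check_ssl_properties instead of the demo manifest. The passphrase check looks at the PEM header rather than trying to load the key, because OpenSSL::PKey.read would otherwise stop and prompt for the passphrase on a terminal.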

After Steps

Once your SSL proxy is deployed, all you need to do is point your Cloud Foundry DNS at it. I.e. if the wildcard DNS name for your Cloud Foundry system and app domains is *.cf.mycloud.com, then point that record at the floating IP of your SSL proxy instead of at the router, so that every HTTPS request reaches the proxy first.

Development

Create new final release

To create a new final release you need to get read/write API credentials to the @cloudfoundry-community s3 account.

Please email Dr Nic Williams and he will create unique API credentials for you.

Create a config/private.yml file with the following contents. It holds write credentials to the shared blobstore, so keep it out of version control (BOSH release repositories conventionally list config/private.yml in .gitignore; check git status before you commit):

---
blobstore:
  s3:
    access_key_id:     ACCESS
    secret_access_key: PRIVATE

You can now create final releases for everyone to enjoy!

bosh create release
# test this dev release
git commit -m "updated sslproxy"
bosh create release --final
git commit -m "creating vXYZ release"
git tag vXYZ
git push origin master --tags