-
Notifications
You must be signed in to change notification settings - Fork 108
/
Copy path_gorouter_client_cert_oss.html.md.erb
18 lines (13 loc) · 2.04 KB
/
_gorouter_client_cert_oss.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
You might change this behavior with the property `router.client_cert_validation`. This property accepts the following values:
* `none`: The Gorouter does not request client certificates in TLS handshakes so clients do not have to provide them and validation of client certificates does not occur. This option is incompatible with `forwarded_client_cert: forward` or `forwarded_client_cert: sanitize_set` XFCC configurations because these options require mutual authentication.
* `request`: The Gorouter requests client certificates in TLS handshakes. The handshake fails if the client certificate is not signed by a CA configured in `router.ca_certs`. This is the default configuration.
* `require`: The Gorouter requests client certificates in TLS handshakes. The handshake fails if a client cert is not provided or if the client certificate is not signed by a CA that the Gorouter trusts.
The behavior controlled by this property is global; it applies to all requests received by Gorouters so configured.
If Gorouter is the first point of TLS termination (your load balancer does not stop TLS, and passes the request through to
Gorouter over TCP), consider the following:
* Only option `none` can be used for Gorouters receiving requests for the system domain. Many clients of CF platform APIs do not present client certificates in TLS handshakes, beacuse the first point of TLS termination for requests to the system domain must not request them.
* All options can be used for Gorouters receiving requests only for app domains, as when dedicated routers are used for an Isolation Segment.
* Options `request` and `require` initiate browsers to prompt users to select a certificate if the browser is not already configured with a certificate signed by one of the CAs configured in `router.ca_certs`.
If Gorouter is not the first point of TLS termination, this property can be used to secure communications between
the Load Balancer and Gorouter. Gorouter must be configured with the CA used to sign the client certification
the load balancer presents, using `router.ca_certs`.