forked from pivotal-cf/docs-pcf-install
_aws_security_config.html.md.erb
1. Click on **Security Config**.
<%= image_tag("security_config.png") %>
1. Provide an **SSL Termination Certificate** for your SSL Termination Point.
This certificate must match the one that you uploaded to AWS earlier in the
[Upload an SSL Certificate](./cloudform-template.html#upload-cert) section
of the [Deploying the CloudFormation Template for PCF on
AWS](./cloudform-template.html) topic.
<p class='note'><strong>Note</strong>: Pivotal does not recommend using a
self-signed certificate for production deployments.</p>
<%= partial 'known-issue-self-signed-certs' %>
1. Configure **Ignore SSL certificate verification**. Select this option only if you are using self-signed certificates or certificates generated by Ops Manager. Selecting it disables certificate validation, so leave it unselected in production deployments, where the certificate should be issued by a trusted CA.
1. Configure **HAProxy SSL Ciphers** and **Router SSL Ciphers**. Leave these fields blank to use the defaults; set them only if you need to restrict HAProxy or the Router to a specific set of SSL ciphers.
1. Configure **Disable HTTP traffic to HAProxy**. If you select the **Disable HTTP traffic to HAProxy** checkbox, your deployment rejects all port 80 traffic to HAProxy. Additionally, this option sets the `Secure` flag on the `VCAP_ID` session cookie that the Router generates, so browsers send the cookie only over HTTPS.
<p class='note'><strong>Note</strong>: If you enable this checkbox and your deployment is not using HAProxy, configure your external load balancer to reject port 80 traffic. If you do not do this, traffic to port 80 is still forwarded to applications but loses session stickiness, because browsers do not send the `Secure`-flagged `VCAP_ID` cookie over plain HTTP and the Router therefore cannot route the request to the same application instance.</p>
1. Configure **Enable cross container traffic**. Select this checkbox to remove the restriction that prevents containers on the same DEA or Diego Cell from communicating back to the host interface. Because this weakens isolation between applications on a host, Pivotal does not recommend selecting this checkbox.
1. Configure **Enable TLS on the Router**. Select this setting to enable [SSL termination](/pivotalcf/adminguide/enabling-https-to-routers.html) on the Router.
1. Click **Save**.
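Two of the settings above can be verified after the deployment is saved: the **SSL Termination Certificate** pasted into Ops Manager must be the same certificate uploaded to AWS, and with **Disable HTTP traffic to HAProxy** selected the `VCAP_ID` cookie must carry the `Secure` flag. The following script is an added example, not code from the PCF documentation or from Ops Manager. It compares certificates by SHA-256 fingerprint of the DER body (the value `openssl x509 -noout -fingerprint -sha256` prints), so two PEM copies that differ only in line wrapping or trailing whitespace still match, and it checks a `Set-Cookie` header for the flag. All PEM bodies and headers in it are constructed test data, not real certificates or captured traffic; `served_cert_matches` is the only function that touches the network.

```python
"""Post-save checks for the Security Config page (added example; not part of
the PCF docs or Ops Manager). The PEM bodies and Set-Cookie headers below are
constructed test data, not real certificates or captured traffic."""
import base64
import hashlib
import ssl
from typing import Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER certificate inside a PEM block, formatted
    like openssl (AB:CD:...). Only the decoded DER is hashed, so whitespace or
    line-wrapping differences between two copies do not change the result."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def certs_match(pem_a: str, pem_b: str) -> bool:
    """True if both PEM strings carry the same certificate."""
    return cert_fingerprint(pem_a) == cert_fingerprint(pem_b)


def served_cert_matches(pem: str, host: str, port: int = 443) -> bool:
    """Live check (needs network; not used in the offline demo): fetch the
    certificate the load balancer actually presents and compare it with the
    PEM pasted into Ops Manager."""
    served = ssl.get_server_certificate((host, port))
    return certs_match(pem, served)


def session_cookie_flags(set_cookie: str, name: str = "VCAP_ID") -> Optional[dict]:
    """Parse a Set-Cookie header value. Returns {'secure': bool,
    'httponly': bool} for the named cookie, or None if the header sets a
    different cookie. Attribute names are matched case-insensitively."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    if cookie_name != name:
        return None
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def _fake_pem(der: bytes, wrap: bool) -> str:
    """Wrap placeholder bytes in a PEM block (constructed test data, not a
    parseable X.509 certificate; fingerprinting only needs the DER bytes)."""
    b64 = base64.b64encode(der).decode("ascii")
    if wrap:  # 64-column lines, as openssl writes them
        b64 = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEADER}\n{b64}\n{PEM_FOOTER}\n"


# The same placeholder "certificate" written two ways, plus a different one.
UPLOADED_TO_AWS = _fake_pem(bytes(range(96)), wrap=True)
PASTED_IN_OPSMAN = _fake_pem(bytes(range(96)), wrap=False) + "\r\n"
OTHER_CERT = _fake_pem(bytes(range(1, 97)), wrap=True)

# Constructed Set-Cookie values: one as the Router sends it with HTTP to
# HAProxy disabled, one without the Secure flag.
COOKIE_OK = "VCAP_ID=5f1d3c2b; Path=/; Secure; HttpOnly"
COOKIE_BAD = "VCAP_ID=5f1d3c2b; Path=/"


def run_checks() -> dict:
    """Evaluate the constructed samples; every value is True when the state
    matches what the settings above require."""
    return {
        "cert_matches_aws": certs_match(UPLOADED_TO_AWS, PASTED_IN_OPSMAN),
        "other_cert_rejected": not certs_match(UPLOADED_TO_AWS, OTHER_CERT),
        "cookie_secure": session_cookie_flags(COOKIE_OK)["secure"],
        "cookie_insecure_detected": not session_cookie_flags(COOKIE_BAD)["secure"],
    }


if __name__ == "__main__":
    print("AWS copy    ", cert_fingerprint(UPLOADED_TO_AWS))
    print("Ops Manager ", cert_fingerprint(PASTED_IN_OPSMAN))
    for check, ok in run_checks().items():
        print(f"{check:26} {'PASS' if ok else 'FAIL'}")
```

Against a real deployment, read the PEM you pasted into Ops Manager from a file and call `served_cert_matches(pem, "<your system domain>")` to confirm the load balancer presents that certificate; then request an application over HTTPS and pass the `Set-Cookie` header the Router returns to `session_cookie_flags`.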