forked from cloudfoundry/docs-cloudfoundry-concepts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_oss_xfcc_loadbalancer.html.md.erb
9 lines (5 loc) · 1.07 KB
/
_oss_xfcc_loadbalancer.html.md.erb
1
2
3
4
5
6
7
8
9
#### <a id='forward-mtls'></a>Terminating TLS for the First Time at the Load Balancer
By default, CF forwards arbitrary headers that are not otherwise mentioned in the documentation, and a load balancer can be configured to put the certificate of the originating client, received during the mutual TLS handshake, into an HTTP header that the load balancer forwards upstream. We recommend the header XFCC for this use case, as this header is used in other configuration modes described below. The value of the header should be the base64-encoded bytes of the certificate; equivalent to a PEM file with newlines, headers, and footers removed.
This mode is enabled when <code>router.forwarded\_client\_cert: always_forward</code>.
Alternatively, the operator can configure the Gorouter to forward the XFCC header set by the load balancer only when the connection with the load balancer is mutual TLS. The client certificate received by the Gorouter in the mutual TLS handshake will not be forwarded in the header.
This mode is enabled when <code>router.forwarded\_client\_cert: forward</code>.