#### <a id='forward-mtls'></a> Terminating TLS for the First Time at the Load Balancer

By default, <%= vars.platform_name %> forwards arbitrary headers that are not otherwise mentioned in the documentation. You can configure a load balancer to put the certificate of the originating client, received during the mutual TLS handshake, into an HTTP header that the load balancer forwards upstream. <%= vars.company_name %> recommends the `X-Forwarded-Client-Cert` (XFCC) header for this use case, because the configuration modes that follow use the same header. The value of the header must be the base64-encoded bytes of the certificate, which is equivalent to a PEM file with newlines, headers, and footers removed.

This mode is activated when `router.forwarded_client_cert` is set to `always_forward`.

Alternatively, you can configure the Gorouter to forward the XFCC header set by the load balancer only when the connection with the load balancer is mutual TLS. The client certificate received by the Gorouter in the mutual TLS handshake is not forwarded in the header.

This mode is activated when `router.forwarded_client_cert` is set to `forward`.
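
The header value format described above, shown as an added Go example that is not part of the original documentation or the Gorouter code base: it converts a PEM certificate into the XFCC value and shows the check a back end can apply before trusting it. The function names `PEMToXFCC`, `ParseXFCC`, and `constructedClientPEM` are hypothetical, and the certificate is a throwaway one constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PEMToXFCC returns base64 of the DER bytes: the PEM minus header, footer, newlines.
func PEMToXFCC(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("input is not a PEM certificate")
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// ParseXFCC is a back-end check: bare base64 (PEM armor is rejected), then an X.509 parse.
func ParseXFCC(value string) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.Strict().DecodeString(value)
	if err != nil {
		return nil, fmt.Errorf("XFCC is not bare base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// constructedClientPEM builds a throwaway self-signed certificate as sample input.
func constructedClientPEM(cn string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // nil keys fail in CreateCertificate
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	p, _ := constructedClientPEM("client.example")
	v, _ := PEMToXFCC(p)
	_, err := ParseXFCC(string(p)) // a raw PEM file is not a valid header value
	fmt.Printf("XFCC: %s\nraw PEM rejected: %v\n", v, err != nil)
}
```

A successful parse only shows that the header is well formed. The back end still has to validate the certificate against its own trust anchors.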