Openresty proxy handles TLS for apps on app.internal domain #3035

Open
1 task
mogul opened this issue Mar 22, 2021 · 0 comments

mogul commented Mar 22, 2021

User Story

In order to prevent lateral traversal between compromised apps, the data.gov ISSM wants traffic for cloud.gov apps running on the app.internal domain to be secured with TLS.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

  • GIVEN [a contextual precondition]
    [AND optionally another precondition]
    WHEN [a triggering event] happens
    THEN [a verifiable outcome]
    [AND optionally another verifiable outcome]

Background

See #2945

Security Considerations (required)

This change increases the security around traffic intended for cloud.gov apps on the app.internal domain.

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

Originally posted by @mogul in #2945 (comment)

I've identified one approach I'm comfortable with for doing this: Deploy an nginx-buildpack proxy app which uses OpenResty to auto-rotate the TLS certificate on the app.internal domain. Then deploy the actual app as a sidecar to the proxy app.
