General Configuration
Overview
Each a9s Data Services Framework (DSF) component is proxied by an NGINX that handles incoming requests by terminating TLS and forwarding the decrypted requests to the respective component, which listens only on localhost.
Available TLS Settings
The NGINX supports multiple upstreams that can be configured individually. Below is the list of supported parameters for each upstream:
Parameter | Required | Description |
---|---|---|
name | yes | Unique name of the upstream. |
target | yes | Upstream address of the service which should be protected; NGINX upstream parameters may be appended. |
listen_port | yes | Port to access the upstream. |
ssl_cert | no | The single certificate (server/leaf certificate) that is used for the component. The X.509 certificate MUST be in PKCS#1 format and PEM encoded. |
ssl_key | no | The private key for the ssl_cert. The private key MUST be in PKCS#1 format and PEM encoded. The private key MUST NOT be encrypted. |
ssl_ca | no | The ordered certificate chain for the ssl_cert. The individual X.509 certificates MUST be in PKCS#1 format and PEM encoded. The first certificate MUST be the CA certificate that signed the certificate in ssl_cert. The last certificate MUST be the root CA certificate. The chain may also consist of the root CA alone. |
ssl_session_timeout | no | Specifies a time during which a client may reuse the session parameters. If not specified, the default of NGINX is used. For more information, see NGINX - Module ngx_http_ssl_module - ssl_session_timeout. |
ssl_ciphers | no | Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library. If not explicitly set, the NGINX default is used. For more information, see NGINX - Module ngx_http_ssl_module - ssl_ciphers. |
ssl_protocols | no | Enables the specified protocols. If not explicitly set, the NGINX default is used. For more information, see NGINX - Module ngx_http_ssl_module - ssl_protocols. |
ssl_verify_client | no | Enables verification of client certificates. |
ssl_client_certificate | no | Specifies the trusted CA certificates in the PEM format used to verify client certificates. |
Example
```yaml
- name: nginx
  release: nginx
  properties:
    upstreams:
      # Plain HTTP listener, no TLS settings
      - name: example1-http
        target: 127.0.0.1:4000
        listen_port: 3000
      # TLS-terminating listener: server certificate, unencrypted PKCS#1 key and chain
      - name: example2-https
        target: 127.0.0.1:4000
        listen_port: 3001
        ssl_cert: ((example2_cert.certificate))
        ssl_key: ((example2_cert.private_key))
        ssl_ca: ((example2_cert.ca))
      # TLS listener that additionally verifies client certificates (mTLS)
      - name: example3-mtls
        target: 127.0.0.1:4000
        listen_port: 3002
        ssl_cert: ((example3_cert.certificate))
        ssl_key: ((example3_cert.private_key))
        ssl_ca: ((example3_cert.ca))
        ssl_verify_client: "on"
        # CA certificate(s) that client certificates are verified against
        ssl_client_certificate: ((example2_cert.ca))
```
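As an added pre-deployment check (example code, not part of the a9s documentation or tooling), the following Python script lints upstream entries against the rules in the table above: required parameters, PEM framing of ssl_cert and ssl_ca, an unencrypted PKCS#1 private key, a PEM CA bundle whenever client verification is enabled, and unique listen ports. It assumes that ssl_cert, ssl_key and ssl_ca are always set together, and treats the NGINX value "optional" like "on" for ssl_verify_client; chain order and signatures are not checked, since that needs an X.509 parser. The PEM bodies are constructed placeholders.

```python
import re
# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):  # labels of all PEM blocks in text, in order, e.g. ["CERTIFICATE", "CERTIFICATE"]
    return [m.group(1) for m in PEM_BLOCK.finditer(text or "")]

def is_cert_bundle(text):  # one or more PEM CERTIFICATE blocks (a chain or a single root CA)
    labels = pem_labels(text)
    return bool(labels) and set(labels) == {"CERTIFICATE"}

def lint_upstream(u):
    """Problems found in one upstream mapping; an empty list means it passes."""
    problems = [f"missing required parameter {k}" for k in ("name", "target", "listen_port") if k not in u]
    if 0 < len([k for k in ("ssl_cert", "ssl_key", "ssl_ca") if k in u]) < 3:  # assumption, see lead-in
        problems.append("ssl_cert, ssl_key and ssl_ca must be set together")
    if "ssl_cert" in u and pem_labels(u["ssl_cert"]) != ["CERTIFICATE"]:
        problems.append("ssl_cert must be exactly one PEM CERTIFICATE block")
    if "ssl_key" in u:
        # PKCS#1 keys carry the "RSA PRIVATE KEY" label; PKCS#8 and "ENCRYPTED PRIVATE KEY" fail here
        if pem_labels(u["ssl_key"]) != ["RSA PRIVATE KEY"]:
            problems.append("ssl_key must be one PKCS#1 (RSA PRIVATE KEY) PEM block")
        if "Proc-Type: 4,ENCRYPTED" in u["ssl_key"]:  # legacy OpenSSL-encrypted PKCS#1 key
            problems.append("ssl_key must not be encrypted")
    if "ssl_ca" in u and not is_cert_bundle(u["ssl_ca"]):
        problems.append("ssl_ca must be one or more PEM CERTIFICATE blocks")
    if str(u.get("ssl_verify_client", "off")).lower() in ("on", "optional") and not is_cert_bundle(u.get("ssl_client_certificate")):
        problems.append("ssl_verify_client requires ssl_client_certificate with PEM CA certificates")
    return problems

def lint_upstreams(upstreams):
    """Lint every upstream; a reused listen_port is reported on the later entry."""
    report, ports = {}, set()
    for u in upstreams:
        extra = ["duplicate listen_port"] if u.get("listen_port") in ports else []
        ports.add(u.get("listen_port"))
        report[u.get("name", "?")] = lint_upstream(u) + extra
    return report

# Constructed placeholder PEM material: correct framing only, not real keys or certificates.
CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
RSA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
UPSTREAMS = [  # the three upstreams of the example above; the third one carries two faults
    {"name": "example1-http", "target": "127.0.0.1:4000", "listen_port": 3000},
    {"name": "example2-https", "target": "127.0.0.1:4000", "listen_port": 3001,
     "ssl_cert": CERT, "ssl_key": RSA_KEY, "ssl_ca": CERT + CERT},
    {"name": "example3-mtls", "target": "127.0.0.1:4000", "listen_port": 3002,
     "ssl_cert": CERT, "ssl_key": PKCS8_KEY, "ssl_ca": CERT, "ssl_verify_client": "on"},
]
```

Running `lint_upstreams(UPSTREAMS)` reports the PKCS#8 key and the missing ssl_client_certificate on example3-mtls while the other two entries pass.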
Default Ports
The following ports are used by the a9s DSF components:
- 3000 for HTTP.
- 3001 for HTTPS.
- 3002 for HTTPS + mTLS.
An overview of all ports used in the a9s DSF can be found at Installation - Required Ports.