Version: Develop

General Configuration

Overview

Each a9s Data Services Framework (DSF) component is proxied by an NGINX instance that terminates TLS for incoming requests and forwards them unencrypted to the related component, which listens only on localhost.

Available TLS Settings

The NGINX supports multiple upstreams that can be configured individually. The following parameters are supported for each upstream:

| Parameter | Required | Description |
| --- | --- | --- |
| name | yes | Unique name of the upstream. |
| target | yes | Upstream address of the service which should be protected, NGINX upstream parameters could be appended. |
| listen_port | yes | Port to access the upstream. |
| ssl_cert | no | The single certificate (server/leaf certificate) that is used for the component. The X.509 certificate MUST be in PKCS#1 format and PEM encoded. |
| ssl_key | no | The private key for the ssl_cert. The private key MUST be in PKCS#1 format and PEM encoded. The private key MUST NOT be encrypted. |
| ssl_ca | no | The ordered certificate chain for the ssl_cert. The individual X.509 certificates MUST be in PKCS#1 format and PEM encoded. The first certificate MUST be the CA certificate that signed the certificate in ssl_cert. The last certificate MUST be the root CA certificate. The certificate chain can also only consist of the root CA. |
| ssl_session_timeout | no | Specifies a time during which a client may reuse the session parameters. If not specified, the default of NGINX is used. For more information, see NGINX - Module ngx_http_ssl_module - ssl_session_timeout. |
| ssl_ciphers | no | Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library. If not explicitly set the default value from NGINX is used. For more information, see NGINX - Module ngx_http_ssl_module - ssl_ciphers. |
| ssl_protocols | no | Enables the specified protocols. If not explicitly set the default value from NGINX is used. For more information, see NGINX - Module ngx_http_ssl_module - ssl_protocols. |
| ssl_verify_client | no | Enables verification of client certificates. |
| ssl_client_certificate | no | Specifies the trusted CA certificates in the PEM format used to verify client certificates. |

Example

```yaml
- name: nginx
  release: nginx
  properties:
    upstreams:
    - name: example1-http
      target: 127.0.0.1:4000
      listen_port: 3000
    - name: example2-https
      target: 127.0.0.1:4000
      listen_port: 3001
      ssl_cert: ((example2_cert.certificate))
      ssl_key: ((example2_cert.private_key))
      ssl_ca: ((example2_cert.ca))
    - name: example3-mtls
      target: 127.0.0.1:4000
      listen_port: 3002
      ssl_cert: ((example3_cert.certificate))
      ssl_key: ((example3_cert.private_key))
      ssl_ca: ((example3_cert.ca))
      ssl_verify_client: "on"
      ssl_client_certificate: ((example2_cert.ca.ca))
```

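
A pre-deployment lint for the upstream parameters described above, as an added example that is not part of the a9s DSF or its documentation. The function name `lint_upstreams`, the finding texts and the sample values are assumptions; the localhost check is derived from the Overview, and values still written as `((...))` placeholders are skipped.

```python
import re

# Loopback targets only: the proxy forwards requests unencrypted (see Overview).
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[::1\]):\d+")
ENCRYPTED_MARKS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")

def lint_upstreams(upstreams):
    """Return (upstream name, finding) tuples for a list of upstream dicts."""
    findings, seen = [], set()
    for index, up in enumerate(upstreams):
        name = up.get("name", f"#{index}")
        problems = [f"missing required parameter {k}"
                    for k in ("name", "target", "listen_port") if k not in up]
        if name in seen:
            problems.append("name is not unique")
        seen.add(name)
        if "target" in up and not LOOPBACK.match(str(up["target"])):
            problems.append("target is not on localhost")
        if ("ssl_cert" in up) != ("ssl_key" in up):
            problems.append("ssl_cert and ssl_key must be set together")
        if "ssl_cert" not in up:
            problems.append("no ssl_cert, listener serves plain HTTP")
        key = str(up.get("ssl_key", ""))
        if key and not key.startswith("(("):  # skip unresolved ((placeholders))
            if any(mark in key for mark in ENCRYPTED_MARKS):
                problems.append("ssl_key is encrypted")
            elif "-----BEGIN RSA PRIVATE KEY-----" not in key:
                problems.append("ssl_key is not a PKCS#1 PEM key")
        verify = str(up.get("ssl_verify_client", "off"))
        if verify != "off" and "ssl_client_certificate" not in up:
            problems.append("ssl_verify_client without ssl_client_certificate")
        findings += [(name, p) for p in problems]
    return findings

# Constructed sample input: not a real deployment, the key body is a dummy.
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n"
                 "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE = [
    {"name": "example1-http", "target": "127.0.0.1:4000", "listen_port": 3000},
    {"name": "example2-https", "target": "127.0.0.1:4000", "listen_port": 3001,
     "ssl_cert": "((example2_cert.certificate))", "ssl_key": ENCRYPTED_KEY},
    {"name": "example3-mtls", "target": "10.0.0.5:4000", "listen_port": 3002,
     "ssl_cert": "((example3_cert.certificate))",
     "ssl_key": "((example3_cert.private_key))", "ssl_verify_client": "on"},
]

if __name__ == "__main__":
    for name, finding in lint_upstreams(SAMPLE):
        print(f"{name}: {finding}")
```

The plain-HTTP finding is informational: it lists every listener that accepts unencrypted requests so that each one can be confirmed as intended.
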
Default Ports

The following ports are used by the a9s DSF components:

  • 3000 for HTTP.
  • 3001 for HTTPS.
  • 3002 for HTTPS + mTLS.

An overview of all ports used in the a9s DSF can be found at Installation - Required Ports.