Search
SupportConsoleDevelopersStart a trialContact

2.6. Controlling Direct SSL Connections to Gears

download PDF
In some environments, regulations may require encrypted connections between the client and the server, therefore the need for SSL connections. SSL connections to gears are either allowed, denied, or forced. By default, direct SSL connections to gears are allowed if a cartridge supports the feature and is currently only available for customized cartridges.
Enabling SSL connection allows request to the HTTP front-end to be routed as https to applications. Non-HTTP front-end ports, for example database ports, can have SSL_TO_GEAR enabled to be exposed for direct connections using the PROXY_PORTS parameter. However, this requires setting up an external router.

Note

As an alternative, you can use a custom cartridge that supports SNI proxy to allow SSL connections over non-HTTP ports. SNI proxy uses a local proxy running on the node host and does not require an external router. Specific ports must be configured to route SSL to gears. See the OpenShift Enterprise Deployment Guide at https://access.redhat.com/site/documentation for more information. Websocket does not handle SSL connections.
Configure the SSL_ENDPOINT setting in the /etc/openshift/broker.conf file to one of the following options to control access to cartridges that specify direct connections to gears:
allow
If the cartridge being added to a new application specifies direct SSL connections to gears, configure the appropriate SSL routing. This is the default option.
deny
If the cartridge being added to a new application specifies direct SSL connections to gears, do not allow the application to be created.
force
If the cartridge being added to a new application specifies direct SSL connections to gears, set up the appropriate SSL routing. If the cartridge being added to a new application does not specify direct SSL connections to gears, do not allow the application to be created. 
# Whether cartridges that specify direct SSL connection to the gear
# are allowed, denied or forced.
SSL_ENDPOINT="allow"
# SSL_ENDPOINT="deny"
# SSL_ENDPOINT="force"
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.