Open kerscher opened 6 years ago
It might be a good idea to have a {fabio + private nginx} module that has this ready for use in environments where vault or other alternatives are not available.
Much of my comment here is a replay of what Yghor and I discussed yesterday in chat (to clarify the details together). The first nginx instance noted above is for fabio and TLS (to serve certs to fabio). The goal right now is to keep our interaction with TLS as minimal as possible while we map out and understand what fabio and the backend services need to make this work. Yghor is giving the http backend a shot, but it's for simplicity. A directory of TLS certs (path backend) might be easier. We will want to use vault in the long run, and we should aim for that above all the others; however, Vault is getting updates in the stack, and vault adds complication (ACLs/config/etc) to the initial setup, so this demo is skipping that to focus on what fabio needs and how it works with TLS certs for multiple backends it is routing for.
Provide an environment with a demo HTTPS application behind fabio. Fabio will terminate TLS. Changes expected:

- http target
- fabio configuration₁

Switched to vault once available, but better than file since it demands no manual change on server and can be run reproducibly from Terraform