route service-pcf-techmeetup
TRANSCRIPT
Route ServiceEtourneau Gwenn
@The_shinji62Pivotal Japan PCF tech meetup
06/29/2016
About meEtourneau Gwenn
Sr Solution Architect
Bef.: Platform Architect
https://github.com/shinji62
https://twitter.com/the_shinji62
Pivotal
• Spring Framework • RabbitMQ • Concourse
• Cloud Foundry • Pivotal Tracker • Gemfire
Pivotal
Pivotal
Agenda
• Route service • Usage • Demo • Q&A
Route Service
What’s that ?!
I want to forward every request to test.local.pcfdev.io through https://rproxy.mydomain.io
As a Cloud Foundry user I want to be able to forward all my request
for my.domain.com to my.service.com
Why?!• Off-load authentication • Rate-limiting • Inspect request • Plug with your internal system • Apigee Partner with Pivotal • Web Application firewall • etc …
Why?!
Normal Request
R O U T E R
App
Load Balancer
1
Client to LB
2
LB to CF router3
Router to the apps test.local.pcfdev.io
Request with RS outside CF
R O U T E R
App
Route-Service
Load Balancer
1
Client to LB
2
LB to CF router
3 Router to the route-service
4
RS to Load Balancer
6
Router to the application
5
LB to CF router
test.local.pcfdev.io
rproxy.mydomain.io
Request with RS in CF
R O U T E R
App
Route Service
Load Balancer
1
Client to Load Balancer
2
LB to CF router
5
RS to Load Balancer
7
Router to the application
6
LB to CF router
3
CF router To RS
4
Router to the route-service
rproxy.mydomain.io
test.local.pcfdev.io
Usage with User Provided• Don’t need service broker • Simply create an user provided instances • Bind the service to the hostname and domain ! • Not the application !
I want to forward every request to test.local.micropcf.io through the service “my-route-service” (https://rproxy.mydomain.io)
>$ cf create-user-provided-service my-route-service -r https://rproxy.mydomain.io>$ cf bind-route-service local.pcfdev.io my-route-service -n test
Usage with Service Broker• Catalog should include “requires:route_forwarding” • Bind response should include
“route_service_url:my.endpoint.com”
I want to forward every request to test.local.micropcf.io through the service “route-service” (https://rproxy.mydomain.io)
>$ cf bind-route-service local.micropcf.io route-service -n test
>$ cf create-service service-broker plan my-route-service
Demo
Request with RS in CF
R O U T E R
App
Route Service
Load Balancer
1
Client to Load Balancer
2
LB to CF router
5
RS to Load Balancer
7
Router to the application
6
LB to CF router
3
CF router To RS
4
Router to the route-service
Without RS
/?test=alert(1)
HACKED
With RS
/?test=alert(1)403
Denied
Documentation• Route-Service
• http://docs.cloudfoundry.org/services/route-services.html
• Blog post about Route-Service • https://www.cloudfoundry.org/route-services/
• Apigee • http://apigee.com/about/solutions/pivotal-cloud-foundry-
apigee
Examples• Rate Limiting (Java)
• https://github.com/cloudfoundry-samples/ratelimit-service
• Sleeping (Go) • https://github.com/cloudfoundry-samples/logging-route-service
• Simple reverse proxy (Go) • https://github.com/shinji62/route-service-cf
• Web Application Firewall (Nginx + Lua) • https://github.com/shinji62/waf-cloudfoundry-route-service
Q & A
Thank You !!