Route ServiceEtourneau Gwenn

@The_shinji62Pivotal Japan PCF tech meetup

06/29/2016

About meEtourneau Gwenn

Sr Solution Architect

Bef.: Platform Architect

https://github.com/shinji62

https://twitter.com/the_shinji62

Pivotal

• Spring Framework • RabbitMQ • Concourse

• Cloud Foundry • Pivotal Tracker • Gemfire

Pivotal

Pivotal

Agenda

• Route service • Usage • Demo • Q&A

Route Service

What’s that ?!

I want to forward every request to test.local.pcfdev.io through https://rproxy.mydomain.io

As a Cloud Foundry user I want to be able to forward all my request

for my.domain.com to my.service.com

Why?!• Off-load authentication • Rate-limiting • Inspect request • Plug with your internal system • Apigee Partner with Pivotal • Web Application firewall • etc …

Why?!

Normal Request

R O U T E R

App

Load Balancer

1

Client to LB

2

LB to CF router3

Router to the apps test.local.pcfdev.io

Request with RS outside CF

R O U T E R

App

Route-Service

Load Balancer

1

Client to LB

2

LB to CF router

3 Router to the route-service

4

RS to Load Balancer

6

Router to the application

5

LB to CF router

test.local.pcfdev.io

rproxy.mydomain.io

Request with RS in CF

R O U T E R

App

Route Service

Load Balancer

1

Client to Load Balancer

2

LB to CF router

5

RS to Load Balancer

7

Router to the application

6

LB to CF router

3

CF router To RS

4

Router to the route-service

rproxy.mydomain.io

test.local.pcfdev.io

Usage with User Provided• Don’t need service broker • Simply create an user provided instances • Bind the service to the hostname and domain ! • Not the application !

I want to forward every request to test.local.micropcf.io through the service “my-route-service” (https://rproxy.mydomain.io)

>$ cf create-user-provided-service my-route-service -r https://rproxy.mydomain.io>$ cf bind-route-service local.pcfdev.io my-route-service -n test

Usage with Service Broker• Catalog should include “requires:route_forwarding” • Bind response should include

“route_service_url:my.endpoint.com”

I want to forward every request to test.local.micropcf.io through the service “route-service” (https://rproxy.mydomain.io)

>$ cf bind-route-service local.micropcf.io route-service -n test

>$ cf create-service service-broker plan my-route-service

Demo

Request with RS in CF

R O U T E R

App

Route Service

Load Balancer

1

Client to Load Balancer

2

LB to CF router

5

RS to Load Balancer

7

Router to the application

6

LB to CF router

3

CF router To RS

4

Router to the route-service

Without RS

/?test=alert(1)

HACKED

With RS

/?test=alert(1)403

Denied

Documentation• Route-Service

• http://docs.cloudfoundry.org/services/route-services.html

• Blog post about Route-Service • https://www.cloudfoundry.org/route-services/

• Apigee • http://apigee.com/about/solutions/pivotal-cloud-foundry-

apigee

Examples• Rate Limiting (Java)

• https://github.com/cloudfoundry-samples/ratelimit-service

• Sleeping (Go) • https://github.com/cloudfoundry-samples/logging-route-service

• Simple reverse proxy (Go) • https://github.com/shinji62/route-service-cf

• Web Application Firewall (Nginx + Lua) • https://github.com/shinji62/waf-cloudfoundry-route-service

Q & A

Thank You !!