Server Configuration
The currently supported server modes are:
- HTTP
- HTTP/2 (requires TLS)
- HTTP - Mutual TLS
You can see an example of how they're configured in the sample application. You can run the different modes by changing the value of the SERVER_TYPE variable.
The HTTP mode is intended to be used when running behind an ELB HTTP listener that terminates TLS for you and passes you XFF headers. The sample is set up with the properties for this mode.
If you want to run in plaintext mode without any ELB fronting you, you'll probably want to strip the proxy headers for security reasons: with no trusted proxy in front, any client can set those headers itself. You'll want to use this setting:

```java
channelConfig.set(CommonChannelConfigKeys.allowProxyHeadersWhen, StripUntrustedProxyHeadersHandler.AllowWhen.NEVER);
```
ELBs don't support HTTP/2 so if you're going to use HTTP/2, you'll likely be using an ELB TCP listener and terminating the protocol on Zuul. The HTTP/2 configuration therefore requires an SSL cert and proxy protocol enabled in lieu of XFF headers.
If you terminate HTTP/2 using an ALB, you can use the HTTP configuration above.
ELBs also don't support mutual TLS, so again, you'll have to use an ELB TCP listener and terminate TLS on Zuul. In this mode, you will require both a TLS cert and a trust store for incoming client certs. You likely also want to enable proxy protocol in lieu of XFF headers.
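
The following is an added, self-contained sketch (not code from Zuul or its sample application) of where the client address can be trusted from in each deployment described above: XFF behind an ELB HTTP listener, the socket peer when running plaintext with nothing in front, and the proxy protocol header behind an ELB TCP listener. The `Deployment` enum, the method names and the addresses are assumptions made for illustration; treating every `X-Forwarded-*` header as a proxy header and looking headers up case-exactly are simplifications.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class ClientIpTrustDemo {
    // Hypothetical names, one per deployment described above (not Zuul identifiers).
    enum Deployment { ELB_HTTP_LISTENER, DIRECT_PLAINTEXT, ELB_TCP_LISTENER }

    // Keep X-Forwarded-* only when a trusted proxy in front is known to set them.
    static Map<String, String> sanitize(Deployment d, Map<String, String> headers) {
        Map<String, String> out = new LinkedHashMap<>(headers);
        if (d != Deployment.ELB_HTTP_LISTENER) {
            out.keySet().removeIf(h -> h.toLowerCase(Locale.ROOT).startsWith("x-forwarded-"));
        }
        return out;
    }

    // Source address of a PROXY protocol v1 line: "PROXY TCP4 <src> <dst> <sport> <dport>".
    static String proxySource(String line) {
        String[] f = line.trim().split(" ");
        if (f.length != 6 || !f[0].equals("PROXY") || !f[1].startsWith("TCP")) {
            throw new IllegalArgumentException("not a PROXY v1 TCP header");
        }
        return f[2];
    }

    static String clientIp(Deployment d, String peer, String proxyLine, Map<String, String> headers) {
        if (d == Deployment.ELB_TCP_LISTENER) {
            return proxySource(proxyLine);       // address reported by the load balancer
        }
        String xff = sanitize(d, headers).get("X-Forwarded-For");
        if (xff == null) {
            return peer;                         // nothing trusted in front: use the socket peer
        }
        String[] hops = xff.split(",");
        return hops[hops.length - 1].trim();     // last entry is the one the ELB appended
    }

    public static void main(String[] args) {
        // Constructed sample: client 198.51.100.20 sends a forged X-Forwarded-For of 203.0.113.7.
        Map<String, String> viaElb = Map.of("Host", "api.example", "X-Forwarded-For", "203.0.113.7, 198.51.100.20");
        Map<String, String> direct = Map.of("Host", "api.example", "X-Forwarded-For", "203.0.113.7");
        System.out.println(clientIp(Deployment.ELB_HTTP_LISTENER, "10.0.0.5", null, viaElb));
        System.out.println(clientIp(Deployment.DIRECT_PLAINTEXT, "198.51.100.20", null, direct));
        System.out.println(sanitize(Deployment.DIRECT_PLAINTEXT, direct));
        System.out.println(clientIp(Deployment.ELB_TCP_LISTENER, "10.0.0.5",
                "PROXY TCP4 198.51.100.20 10.0.0.5 51234 443\r\n", direct));
    }
}
```

In all three constructed cases the resolved address is the real client, 198.51.100.20, and the forged value never reaches application logic as a trusted address.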
A Netflix Original Production