articles/service-fabric/service-fabric-reverseproxy-configure-secure-communication.md
5 additions & 5 deletions
@@ -73,7 +73,7 @@ Specify the **ApplicationCertificateValidationPolicy** with value **ServiceCommo
73
73
74
74
To specify the list of service common name and issuer thumbprints, add a [**ApplicationGateway/Http/ServiceCommonNameAndIssuer**](./service-fabric-cluster-fabric-settings.md#applicationgatewayhttpservicecommonnameandissuer) section under **fabricSettings**, as shown below. Multiple certificate common name and issuer thumbprint pairs can be added in the **parameters** array.
75
75
76
-
If the endpoint reverse proxy is connecting to presents a certificate who's common name and issuer thumbprint matches any of the values specified here, SSL channel is established.
76
+
If the endpoint reverse proxy is connecting to presents a certificate who's common name and issuer thumbprint matches any of the values specified here, a TLS channel is established.
77
77
Upon failure to match the certificate details, reverse proxy fails the client's request with a 502 (Bad Gateway) status code. The HTTP status line will also contain the phrase "Invalid SSL Certificate."
78
78
79
79
```json
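Review bot: The rewritten line 76 still reads "a certificate who's common name and issuer thumbprint matches", which should be "whose common name and issuer thumbprint match". Since this line is already being changed for the SSL to TLS rename, fix the grammar in the same edit. "If the endpoint reverse proxy is connecting to presents" is also hard to parse; "If the endpoint that reverse proxy connects to presents" would read more cleanly.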
@@ -140,7 +140,7 @@ Specify the **ApplicationCertificateValidationPolicy** with value **ServiceCerti
140
140
}
141
141
```
142
142
143
-
If the thumbprint of the server certificate is listed in this config entry, reverse proxy succeeds the SSL connection. Otherwise, it terminates the connection and fails the client's request with a 502 (Bad Gateway). The HTTP status line will also contain the phrase "Invalid SSL Certificate."
143
+
If the thumbprint of the server certificate is listed in this config entry, reverse proxy succeeds the TLS connection. Otherwise, it terminates the connection and fails the client's request with a 502 (Bad Gateway). The HTTP status line will also contain the phrase "Invalid SSL Certificate."
144
144
145
145
## Endpoint selection logic when services expose secure as well as unsecured endpoints
146
146
Service fabric supports configuring multiple endpoints for a service. For more information, see [Specify resources in a service manifest](service-fabric-service-manifest-resources.md).
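Review bot: Line 143 now says "TLS connection" but the same sentence still quotes "Invalid SSL Certificate." with no indication that the phrase is literal output. If that is the exact text reverse proxy puts in the HTTP status line, say so or set it in code formatting, so readers matching on the 502 response do not take it for a missed rename. While the line is open, "reverse proxy succeeds the TLS connection" would read better as "reverse proxy completes the TLS connection".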
@@ -170,12 +170,12 @@ Reverse proxy selects one of the endpoints to forward the request based on the *
170
170
> When operating in **SecureOnlyMode**, if a client has specified a **ListenerName** corresponding to an HTTP(unsecured) endpoint, reverse proxy fails the request with a 404 (Not Found) HTTP status code.
171
171
172
172
## Setting up client certificate authentication through the reverse proxy
173
-
SSL termination happens at the reverse proxy and all the client certificate data is lost. For the services to perform client certificate authentication, specify the **ForwardClientCertificate** setting in the [**ApplicationGateway/Http**](./service-fabric-cluster-fabric-settings.md#applicationgatewayhttp) section.
173
+
TLS termination happens at the reverse proxy and all the client certificate data is lost. For the services to perform client certificate authentication, specify the **ForwardClientCertificate** setting in the [**ApplicationGateway/Http**](./service-fabric-cluster-fabric-settings.md#applicationgatewayhttp) section.
174
174
175
-
1. When **ForwardClientCertificate** is set to **false**, reverse proxy will not request the client certificate during its SSL handshake with the client.
175
+
1. When **ForwardClientCertificate** is set to **false**, reverse proxy will not request the client certificate during its TLS handshake with the client.
176
176
This is the default behavior.
177
177
178
-
2. When **ForwardClientCertificate** is set to **true**, reverse proxy requests the client's certificate during its SSL handshake with the client.
178
+
2. When **ForwardClientCertificate** is set to **true**, reverse proxy requests the client's certificate during its TLS handshake with the client.
179
179
It will then forward the client certificate data in a custom HTTP header named **X-Client-Certificate**. The header value is the base64 encoded PEM format string of the client's certificate. The service can succeed/fail the request with appropriate status code after inspecting the certificate data.
180
180
If the client does not present a certificate, reverse proxy forwards an empty header and let the service handle the case.
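Review bot: The ForwardClientCertificate steps (lines 175 to 180) say the certificate is forwarded in **X-Client-Certificate** and that the service can succeed or fail the request "after inspecting the certificate data", but they never state who validates the certificate or what reverse proxy does with an X-Client-Certificate header already present on the incoming request. Since this change touches every line of the list, add a sentence making explicit that the service is responsible for validating the forwarded certificate, and document how a client-supplied header of the same name is handled, so service authors know how far the header can be trusted. On line 180, "forwards an empty header and let the service handle the case" should be "lets the service handle the case".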