Add TLS
Previously, we were using nginx as a frontend and TLS-terminating proxy. This method had compatibility issues with some of the ASCLEPIOS backend components (see httpsredirectbug.odp for an example).
To summarize the issue, many of the ASCLEPIOS components (keytray, abac-zuul-proxy, cbape_server, registration-authority) do not behave correctly when running behind a TLS terminating proxy, but DO function correctly when they are configured as TLS endpoints themselves.
We need to implement TLS for all exposed services. Therefore we have two options:
- Configure TLS individually for every service
- Configure TLS individually for the ASCLEPIOS components that need it, and use nginx (or similar) as a frontend for everything else.
List of services that need TLS
- Keycloak
- Minio
- XNAT
- abac-zuul-proxy
- registration-authority
Edited by Ilka Schulz