You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#### <a id='forward-mtls'></a> Terminating TLS for the First Time at the Load Balancer
By default, <%= vars.platform_name %> forwards arbitrary headers that are not otherwise mentioned in the documentation. You can configure a load balancer to put the certificate of the originating client, received during the mutual TLS handshake, into an HTTP header that the load balancer forwards upstream. <%= vars.company_name %> recommends the header XFCC for this use case, because this header is used in the other following configuration modes. The value of the header must be the base64-encoded bytes of the certificate, which is equivalent to a PEM file with newlines, headers, and footers removed.
This mode is activated when `router.forwarded_client_cert` is set to `always_forward`.
Alternatively, you can configure the Gorouter to forward the XFCC header set by the load balancer only when the connection with the load balancer is mutual TLS. The client certificate received by the Gorouter in the mutual TLS handshake is not forwarded in the header.
This mode is activated when `router.forwarded_client_cert` is set to `forward`.