
Conversation

@jasontaylordev
Contributor

No description provided.

@jasontaylordev force-pushed the genxp-3600-add-authentication branch from 175b8ea to 604ff09 on January 8, 2026 06:42
- Renamed "HTTPS" to "TLS" in menu.yaml and added "CORS" section.
- Enhanced configuration documentation for HTTP to HTTPS redirection in audit and monitoring instances.
- Added new settings for HTTPS port in ServiceControl configuration.
- Introduced CORS configuration documentation for ServiceControl instances.
- Updated authentication documentation to clarify the use of Microsoft Entra ID and other OIDC providers.
- Added TLS configuration documentation detailing direct HTTPS and reverse proxy setups.
- Improved overall security overview and deployment scenarios in the ServiceControl documentation.

## Security Considerations

### Certificate Management
Contributor

This section seems more like dev notes than public documentation?

Maybe

Restrict read access to the certificate file to only the ServiceControl service account
can be expanded upon and belong here?

Contributor

I've cleaned up that list a bit, but have left a couple that the customer should know about.

  • ServiceControl supports PFX (PKCS#12) certificate files
  • Store certificate files securely with appropriate file permissions

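One way to carry out the "restrict read access to the certificate file to only the ServiceControl service account" recommendation on a Windows host, as an added example that is not part of this PR or of the ServiceControl documentation. The PFX path and the service account name are placeholders; which account a ServiceControl instance actually runs under depends on how it was installed. The script strips inherited permissions from the file, grants Administrators and SYSTEM full control for maintenance, gives the service account read-only access, and then verifies that no broad group can still read the file.

```powershell
# Added example (not from the ServiceControl docs or this PR): lock down a PFX
# certificate file so only the service account (read) and administrators can use it.
# $PfxPath and $ServiceAccount are placeholders; adjust them to the instance.
param(
    [string]$PfxPath = 'C:\ProgramData\ServiceControl\servicecontrol.pfx',
    [string]$ServiceAccount = 'DOMAIN\svc-servicecontrol'
)

$acl = Get-Acl -Path $PfxPath

# Stop inheriting ACEs from the parent directory and do not keep copies of them.
# Without this, a permissive directory ACL (for example BUILTIN\Users: Read) keeps
# exposing the private key no matter what is set on the file itself.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs that are already on the file.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Administrators and SYSTEM manage the file; the service account only needs Read.
$allow = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = $ServiceAccount;          Rights = 'Read' }
)
foreach ($a in $allow) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $a.Identity, $a.Rights, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $PfxPath -AclObject $acl

# Verify the result: show the effective ACEs and fail if a broad group can still read.
$effective = (Get-Acl -Path $PfxPath).Access
$effective | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
$broad = $effective | Where-Object {
    $_.IdentityReference -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
}
if ($broad) { throw "Broad read access remains on $PfxPath" }
```

Run it from an elevated prompt, since changing the DACL requires ownership or WRITE_DAC on the file. Because inheritance is disabled, later changes to the directory ACL no longer reach the file, so re-run the script if the service account changes.
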
- HSTS can be configured at either the reverse proxy level or in ServiceControl (but not both)
- HSTS is cached by browsers, so test carefully before enabling in production
- Start with a short max-age during initial deployment
- Consider the impact on subdomains before enabling `includeSubDomains`
Contributor

  • HSTS should not be tested on localhost because browsers cache the policy, which could break other local development
  • HSTS is disabled in Development environment (ASP.NET Core excludes localhost by default)

dev notes?

  • HSTS can be configured at either the reverse proxy level or in ServiceControl (but not both)
  • HSTS is cached by browsers, so test carefully before enabling in production
  • Start with a short max-age during initial deployment

These should probably be documented and expanded upon

  • Consider the impact on subdomains before enabling includeSubDomains

I'm not sure what this means, maybe the considerations should be spelled out more?

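As an added example, not part of this PR or of the ServiceControl docs: a PowerShell check that parses the Strict-Transport-Security header(s) a client receives and reports the pitfalls raised above, namely the header being set both by the reverse proxy and by ServiceControl, a long max-age on a first rollout, and includeSubDomains. The header values and the instance URL are constructed placeholders, and the 300-second rollout threshold is an assumption.

```powershell
# Added example (not from the ServiceControl docs or this PR). Inspects the
# Strict-Transport-Security header(s) in a response and returns findings.
# Pass two values to model HSTS being set by both the proxy and ServiceControl.
function Test-HstsHeader {
    param(
        [string[]]$Values,
        [int]$RolloutMaxAge = 300   # assumed threshold for a first deployment, in seconds
    )
    $findings = @()

    # Windows PowerShell joins repeated headers with a comma, so split on that too.
    $all = @($Values | ForEach-Object { $_ -split ',' } | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($all.Count -eq 0) {
        return @('No Strict-Transport-Security header: HSTS is not enabled')
    }
    if ($all.Count -gt 1) {
        # Browsers process only the first instance (RFC 6797, section 8.1); a second copy
        # usually means both the reverse proxy and the application are emitting it.
        $findings += "Header sent $($all.Count) times; configure HSTS in the reverse proxy or in ServiceControl, not both"
    }

    # Parse the directives of the instance a browser would honour.
    $directives = @{}
    foreach ($part in ($all[0] -split ';')) {
        $kv = $part.Trim() -split '=', 2
        $name = $kv[0].Trim().ToLowerInvariant()
        if (-not $name) { continue }
        $value = if ($kv.Count -gt 1) { $kv[1].Trim() } else { $true }
        $directives[$name] = $value
    }

    if (-not $directives.ContainsKey('max-age')) {
        $findings += 'max-age directive missing; the header is invalid and browsers ignore it'
    } else {
        $maxAge = [int64]$directives['max-age']
        if ($maxAge -eq 0) {
            $findings += 'max-age=0 tells browsers to forget the policy (this is how you roll HSTS back)'
        } elseif ($maxAge -gt $RolloutMaxAge) {
            $days = [math]::Round($maxAge / 86400, 1)
            $findings += "max-age=$maxAge is cached by browsers for about $days days; start lower until the HTTPS setup is verified"
        }
    }
    if ($directives.ContainsKey('includesubdomains')) {
        $findings += 'includeSubDomains applies to every host under this domain; confirm all of them serve HTTPS before enabling it'
    }
    if ($directives.ContainsKey('preload')) {
        $findings += 'preload is effectively permanent once submitted to browser preload lists'
    }
    return $findings
}

# Constructed header values, not captured from a real ServiceControl instance.
Test-HstsHeader -Values @('max-age=31536000; includeSubDomains')
Test-HstsHeader -Values @('max-age=300', 'max-age=31536000')   # proxy and app both set it

# Live check against an instance (URL is a placeholder):
# $h = (Invoke-WebRequest -Uri 'https://servicecontrol.example.com/api/' -UseBasicParsing).Headers
# Test-HstsHeader -Values @($h['Strict-Transport-Security'])
```

An empty result means nothing was flagged. Do not point the live check at localhost during development: if the policy is cached for that host it will interfere with every other local HTTP service until it expires or is cleared.
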
Contributor

I've taken a different approach and have removed the points altogether. I now have a short description of what HSTS is, and then a link that goes into more detail about the options.

4 participants