[openstack-dev] [Neutron][LBaaS] Feedback on SSL implementation
Jay Pipes
jaypipes at gmail.com
Fri Feb 21 19:42:07 UTC 2014
On Wed, 2014-02-19 at 22:01 -0800, Stephen Balukoff wrote:
> Front-end versus back-end protocols:
> It's actually really common for an HTTPS-enabled front-end to speak
> HTTP to the back-end. The assumption here is that the back-end
> network is "trusted" and therefore we don't need to bother with the
> (considerable) extra CPU overhead of encrypting the back-end traffic.
> To be honest, if you're going to speak HTTPS on the front-end and the
> back-end, then the only possible reason for even terminating SSL on
> the load balancer is to insert the X-Forwarded-For header. In this
> scenario, you lose almost all the benefit of doing SSL offloading at
> all!
This is exactly correct.
> If we make a policy decision right here not to allow front-end and
> back-end protocol to mismatch, this will break a lot of topologies.
Yep.
Best,
-jay