[openstack-dev] [Neutron][LBaaS] Feedback on SSL implementation

Eugene Nikanorov enikanorov at mirantis.com
Mon Feb 24 20:59:44 UTC 2014


Hi,

Barbican is the storage option we're considering, however it seems that
there's not much progress with incubation of it.

Another weak point of our current state is a lack of secure communication
between neutron server and the agent, but that is solvable.

Thanks,
Eugene.


On Fri, Feb 21, 2014 at 11:42 PM, Jay Pipes <jaypipes at gmail.com> wrote:

> On Wed, 2014-02-19 at 22:01 -0800, Stephen Balukoff wrote:
>
> > Front-end versus back-end protocols:
> > It's actually really common for an HTTPS-enabled front-end to speak
> > HTTP to the back-end.  The assumption here is that the back-end
> > network is "trusted" and therefore we don't need to bother with the
> > (considerable) extra CPU overhead of encrypting the back-end traffic.
> > To be honest, if you're going to speak HTTPS on the front-end and the
> > back-end, then the only possible reason for even terminating SSL on
> > the load balancer is to insert the X-Forwarded-For header. In this
> > scenario, you lose almost all the benefit of doing SSL offloading at
> > all!
>
> This is exactly correct.
>
> > If we make a policy decision right here not to allow front-end and
> > back-end protocol to mismatch, this will break a lot of topologies.
>
> Yep.
>
> Best,
> -jay