[openstack-dev] [TripleO] Haproxy configuration options

Dmitriy Shulyak dshulyak at mirantis.com
Thu May 22 15:35:55 UTC 2014 

Created spec https://review.openstack.org/#/c/94907/

I think it is WIP still, but would be nice to hear some comments/opinions


On Thu, May 22, 2014 at 1:59 AM, Robert Collins
<robertc at robertcollins.net>wrote:

> On 18 May 2014 08:17, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> <mark.m.miller at hp.com> wrote:
> > We are considering the following connection chain:
> >
> >                -> HAProxy   ->   stunnel         ->    OS services bound
> to 127.0.0.1
> >                      Virtual IP         server IP
> localhost 127.0.0.1
> >                      secure              SSL terminate     unsecure
>
> Interestingly, and separately, HAProxy can do SSL termination now, so
> we might want to consider just using HAProxy for that.
>
> > In this chain none of the ports need to changed. One of the major issues
> I have come across is the hard coding of the Keystone ports in the
> OpenStack service's configuration files. With the above connection scheme
> none of the ports need to change.
>
> But we do need to have HAProxy not wildcard bind, as Greg points out,
> and to make OS services bind to 127.0.0.1 as Jan pointed out.
>
> I suspect we need to put this through the specs process (which ops
> teams are starting to watch) to ensure we get enough input.
>
> I'd love to see:
>  - SSL by default
>  - A setup we can document in the ops guide / HA openstack install
> guide - e.g we don't need to be doing it a third different way (or we
> can update the existing docs if what we converge on is better).
>  - Only SSL enabled endpoints accessible from outside the machine (so
> python processes bound to localhost as a security feature).
>
> Eventually we may need to scale traffic beyond one HAProxy, at which
> point we'll need to bring something altogether more sophisticated in -
> lets design that when we need it.
> Sooner than that we're likely going to need to scale load beyond one
> control plane server at which point the HAProxy VIP either needs to be
> distributed (so active-active load receiving) or we need to go
> user -> haproxy (VIP) -> SSL endpoint (on any control plane node) ->
> localhost bound service.
>
> HTH,
> Rob
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140522/0c3b5cdf/attachment.html>

More information about the OpenStack-dev mailing list