[Openstack-operators] [Swift] deploying behind apache?
me at not.mn
Sat Sep 19 16:05:31 UTC 2015
On 19 Sep 2015, at 8:13, Joseph Bajin wrote:
> We don't deploy swift behind apache, but instead we are using NGINX in this
> particular case. The only reason we went with NGINX was it allowed us to
> control turning up and down particular services which apache couldn't do.
> One day we will move back to apache when we move swift into containers.
> The reason we put it behind nginx/apache was for a few different reasons:
> 1. We needed SSL for all our connections. The python implementation of SSL
> doesn't handle a lot of connectivity and starts to have issues over time.
> This has been discussed about other projects as well, so it's not just
> related to swift.
Indeed. You must not terminate TLS inside the python/eventlet process. It just doesn't work. To demonstrate this, see https://github.com/notmyname/ssl_eventlet_slowloris
> 2. We had to control our SSL ciphers. Using nginx/apache allows us to have
> that control very easily.
> 3. Python Threading - Most projects are using eventlets and that is all done
> in a single thread. The thought was Web Servers do web serving type of
> traffic very well, so hand over web serving to a web server and allow
> scaling as well as getting rid of the single eventlet thread issue.
Be very careful, especially with nginx. In older versions of nginx, the server would spool all content locally so it could retry on failures. However, when you're using something like Swift which has very large request bodies, this will slow down requests and even cause a DOS since multiple requests could use up all the storage (memory or disk) on the server. E.g., imagine 100 concurrent 5GB uploads. You don't want the server (nginx or otherwise) to spool that 500GB locally.
Newer versions may have changed this, but be very careful with the config options.
> On Sat, Sep 19, 2015 at 1:42 AM, Adam Lawson <alawson at aqorn.com> wrote:
>> Hey everyone,
>> What are the advantages to deploying swift storage and/or proxy services
>> behind apache versus not? Are there performance improvements that come into
>> play at scale? Has this been addressed before and are there any conclusions
>> drawn around these considerations I can read up on?
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
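Added example (not part of the original message or of the Swift project): an nginx front end that terminates TLS and streams request bodies to the Swift proxy instead of spooling them, which is the failure mode described in the reply above. The host name, certificate paths, upstream address and the 5 GB limit are assumptions for illustration; the response-buffering setting goes one step beyond the request-body case discussed in the thread.

```nginx
# Placeholder names throughout; adjust to the deployment.
upstream swift_proxy {
    server 127.0.0.1:8080;               # assumed address of the Swift proxy-server
}

server {
    listen 443 ssl;                      # TLS terminates here, not in python/eventlet
    server_name swift.example.com;                   # placeholder
    ssl_certificate     /etc/nginx/tls/swift.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/swift.key;    # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;       # protocol/cipher policy is set at the front end

    location / {
        proxy_pass http://swift_proxy;
        proxy_set_header Host $host;

        # Weak setting (the nginx default): "proxy_request_buffering on".
        # nginx reads the entire request body first, spilling to
        # client_body_temp_path once it exceeds client_body_buffer_size,
        # and only then contacts the upstream. 100 concurrent 5 GB PUTs
        # would need 500 GB of local temp space.
        #
        # Corrected setting (nginx 1.7.11 and later): pass the body to
        # the upstream as it arrives. The trade-off is that a request
        # cannot be retried on another upstream once sending has begun.
        proxy_request_buffering off;

        # Chunked uploads are still buffered unless HTTP/1.1 is used
        # toward the upstream.
        proxy_http_version 1.1;

        # Responses: by default a slow client's download can be spilled
        # to temp files (up to proxy_max_temp_file_size, default 1024m).
        # Pass large object GETs through as they arrive instead.
        proxy_buffering off;

        # The default limit is 1m, which rejects object uploads with 413.
        # Size it to the cluster's maximum object size (5 GB assumed here,
        # matching the upload size used in the message above).
        client_max_body_size 5g;
    }
}
```

Running `nginx -t` validates the syntax before reload; watching disk usage under the `client_body_temp_path` directory during a large test upload confirms whether bodies are still being spooled.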