[Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770

Juan J. Martinez juan at memset.com
Thu Jun 21 08:58:30 UTC 2012


On 21/06/12 09:27, Joseph Heck wrote:
> Honestly the only reason is that I've heard some fairly direct feedback that port 5000 is that MS uPnP port and hence blocked by many corporate entities, so it's just a matter of a PITA and a slight bump in setup for those groups. Thought to honestly register another port with IANA like 35357 and put it in place - wanted to see if anyone screamed first.
> 

Disclaimer: I've never used keystone with nova, only swift user here!

Are you using keystone with SSL? It's recommended that you use an SSL
terminator instead of the Python SSL implementation, so you're using
port 5000 on localhost only:

keystone (127.0.0.1:5000) HTTP -> SSL terminator* (public-ip:443) ->
HTTPS <- Client requests

* i.e. Pound http://www.apsis.ch/pound/

If you're not using SSL I guess it makes sense to use an HTTP proxy too
because of security reasons. Running nginx/apache or something like that
in front of keystone looks like a reasonable thing to do, because it
will sanitise any malformed request.

So I think using port 5000 is not a problem because it shouldn't be used
directly in production; unless I'm missing something!

Kind regards,

Juan



