[openstack-dev] [TripleO] proxying SSL traffic for API requests

Nathan Kinder nkinder at redhat.com
Thu Mar 27 20:25:02 UTC 2014


On 03/26/2014 09:51 AM, Clint Byrum wrote:
> Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700:
>> Hi
>>
>> We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud and Rob wrote the element so we could repeat the deployment.
>>
>> In the fullness of time I would expect there to exist elements for several SSL terminators, but we shouldn't necessarily stick with stunnel because it happened to be the one I was most familiar with :)
>>
>> I would think that an httpd would be a good option to go with as the default, because I tend to think that we'll need an httpd running/managing the python code by default.
>>
> 
> I actually think that it is important to separate SSL termination from
> the app server. In addition to reasons of scale (SSL termination scales
> quite a bit differently than app serving), there is a security implication
> in having the private SSL keys on the same box that runs the app.

There is also a security implication in having network traffic from the
SSL terminator to the application in the clear.  If the app is
compromised, one could just read all incoming traffic anyway since it is
not encrypted.

> 
> So if we use apache for running the python app servers, that is not a
> reason to also use apache for SSL. Quite the opposite I think.
> 
> As far as "which is best".. there are benefits and drawbacks for all of
> them, and it is modular enough that we can just stick with stunnel and
> users who find problems with it can switch it out without too much hassle.
> 
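As an added illustration of the trade-off discussed above (this is not from the thread and not TripleO's stunnel element), the following stunnel configuration keeps the public private key off the application host, as Clint proposes, while re-encrypting the terminator-to-app hop so that traffic is not in the clear on the network, which addresses Nathan's point. All hostnames, paths and ports are assumptions, and the two sections are two separate stunnel.conf files.

```ini
; ===== stunnel.conf on the SSL terminator host (assumed layout) =====
; Public TLS endpoint. The public private key lives only here.
[api-public]
accept  = 0.0.0.0:443
; assumed certificate and key paths
cert    = /etc/stunnel/public-api.crt
key     = /etc/stunnel/public-api.key
; hand the decrypted stream to the client-mode service below over loopback
connect = 127.0.0.1:8080
options = NO_SSLv2
options = NO_SSLv3

; Re-encrypt the hop to the application host and verify the backend's
; certificate against an internal CA, so a host on the internal network
; cannot read or impersonate the API traffic.
[api-reencrypt]
client  = yes
accept  = 127.0.0.1:8080
; assumed backend host and port
connect = api-backend.internal:8443
; level 2: require a peer certificate and check it against CAfile
verify  = 2
CAfile  = /etc/stunnel/internal-ca.crt

; ===== stunnel.conf on the application host (assumed layout) =====
; Terminates the internal hop with a key issued by the internal CA; losing
; this key exposes the internal hop only, not the public endpoint.
[api-backend]
accept  = 0.0.0.0:8443
cert    = /etc/stunnel/api-backend.crt
key     = /etc/stunnel/api-backend.key
; plaintext exists only on loopback; the API listener is assumed to bind
; to 127.0.0.1 so it is not reachable from the network directly.
connect = 127.0.0.1:8774
```

Note that this only removes the cleartext hop from the network: a compromise of the application process itself still sees every decrypted request, exactly as Nathan describes.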