Serguei, You should check with your security team. Normally, they will have a strong opinion on this configuration. In many cases, the public interfaces is the one enabled SSL and the internal one is not and indeed is a common practice. Edgar On 4/13/16, 7:46 PM, "Serguei Bezverkhi (sbezverk)" <sbezverk at cisco.com> wrote: >Hello folks, > >I was wondering if you let me know if enabling keystone to listen on public interface for ports 5000 and 35357 is considered as a normal practice. Example if a customer wants to authenticate not via horizon or some other proxy but setting up OS_AUTH_URL=http://blah variable to be able to run OpenStack commands in cli. > >Thank you in advance > >Serguei > >_______________________________________________ >OpenStack-operators mailing list >OpenStack-operators at lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators