[Openstack] Do we need SSL on nova-api ports?

Kirill Shileev kshileev at griddynamics.com
Mon Apr 25 17:47:53 UTC 2011


Hi all,
Recently, while playing with libcloud against a private OpenStack installation,
we realized that ports 8773 and 8774, which openstack-nova-api listens on, expect
plain HTTP.
This is something that is rarely allowed in production installations.

We bypass the problem by providing an stunnel proxy for those ports.
Although it is the fastest solution, it does not look satisfactory from a
long-term perspective.
Hence the proposal:
https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl

There are no details so far, but the main idea is to change the default
with nova-api to listen for SSL-encoded transport.

Another option would be making this configurable, although I am not sure why
and where plain HTTP might be justified.

Any thoughts, comments?

-- 
Best regards,
Kirill Shileev
Senior software engineer
www.GridDynamics.com
+7 495 787 49 44 office
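
An added example, not part of the original message or of nova's code: a small audit check that tells whether a listener such as the 8773/8774 ports named above speaks TLS or still answers cleartext HTTP, for instance to confirm that only the stunnel front end is reachable. The function name, the return labels and the command-line usage are assumptions of this example.

```python
import socket
import ssl
import sys

# Ports named in the post as served by openstack-nova-api.
NOVA_API_PORTS = (8773, 8774)


def classify_listener(host, port, timeout=3.0):
    """Return 'tls', 'plain-http', 'closed' or 'unknown' for host:port."""
    # Step 1: attempt a TLS handshake. Certificate validation is switched
    # off on purpose: the only question here is whether the port speaks TLS
    # at all, not whether its certificate is trustworthy.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "closed"
    except (ssl.SSLError, OSError):
        pass  # handshake failed or timed out: fall through to cleartext test

    # Step 2: send a minimal cleartext request. A status line that starts
    # with "HTTP/" means credentials and API calls would cross the wire
    # unencrypted on this port.
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # Usage (hypothetical): python check_nova_tls.py <api-host>
    if len(sys.argv) != 2:
        sys.exit("usage: check_nova_tls.py <api-host>")
    for p in NOVA_API_PORTS:
        print(p, classify_listener(sys.argv[1], p))
```

Run it from a client network segment rather than on the API host itself, so the result reflects what is actually exposed after the proxy and firewall rules are in place.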