[Openstack] swift enforcing ssl?

Michael Barton mike-launchpad at weirdlooking.com
Wed Dec 28 21:21:46 UTC 2011


On Tue, Dec 27, 2011 at 2:11 PM, andi abes <andi.abes at gmail.com> wrote:
> Does the swift proxy enforce SSL connections if it's configured with a
> cert/key file? Or is it assumed that there's an external entity performing
> that?

The Swift proxy's SSL support is probably only useful for light
testing - SSL in Python (and especially with eventlet) has
historically been slow and subtly broken.  But basically the way it
works, it's either in SSL mode or non-SSL mode.  If you configure cert
and key files, it switches to SSL mode.

In a production environment, I'd suggest putting a reverse proxy like
Pound in front of Swift to terminate SSL.

Depending on your environment, it may also be a good idea to run that
on separate hardware.  That can get SSL termination CPU usage off the
proxies, and provide all the usual benefits of load balancing like
being able to remove proxy servers from rotation without downtime.

-Michael
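
The either/or listener behaviour described in the reply, as an added example that is not part of the original message or of Swift's own code: a small audit of a `proxy-server.conf` that reports which mode the proxy will run in and whether a plaintext listener depends on an external SSL terminator. The sample configs, file paths and the function name `audit_proxy_conf` are constructed for illustration, and the `0.0.0.0` fallback for `bind_ip` is an assumption.

```python
import configparser
import ipaddress

# Constructed sample configs for illustration (not taken from the thread).
BEHIND_TERMINATOR = "[DEFAULT]\nbind_ip = 127.0.0.1\nbind_port = 8080\n"
NATIVE_SSL = ("[DEFAULT]\nbind_ip = 0.0.0.0\nbind_port = 443\n"
              "cert_file = /etc/swift/cert.crt\nkey_file = /etc/swift/cert.key\n")
EXPOSED_PLAINTEXT = "[DEFAULT]\nbind_ip = 0.0.0.0\nbind_port = 8080\n"


def _is_loopback(addr):
    """True only for a literal loopback IP; hostnames count as off-host."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_proxy_conf(text):
    """Classify the listener mode of a proxy-server.conf and list findings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    opts = parser.defaults()  # cert_file/key_file/bind_ip live in [DEFAULT]
    has_cert = bool(opts.get("cert_file", "").strip())
    has_key = bool(opts.get("key_file", "").strip())
    bind_ip = opts.get("bind_ip", "0.0.0.0").strip()  # assumed fallback

    findings = []
    if has_cert and has_key:
        mode = "ssl"
        findings.append("native SSL listener: SSL only, but the reply rates "
                        "this mode as suitable for light testing")
    elif has_cert or has_key:
        mode = "incomplete"
        findings.append("only one of cert_file/key_file is set; fix before "
                        "relying on SSL")
    else:
        mode = "plain"
        if _is_loopback(bind_ip):
            findings.append("plaintext on loopback: a local terminator must "
                            "provide SSL")
        else:
            findings.append(f"plaintext listener on {bind_ip}: restrict it to "
                            "the segment of the SSL-terminating proxy")
    return {"mode": mode, "bind_ip": bind_ip, "findings": findings}


if __name__ == "__main__":
    for name in ("BEHIND_TERMINATOR", "NATIVE_SSL", "EXPOSED_PLAINTEXT"):
        print(name, audit_proxy_conf(globals()[name]))
```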



