[Openstack] Do we need SSL on nova-api ports?

Dirk-Willem van Gulik dirk-willem.van.gulik at bbc.co.uk
Tue May 3 09:39:58 UTC 2011


On 3 May 2011, at 10:31, Soren Hansen wrote:

> 2011/5/3 Todd Willey <todd at ansolabs.com>:
>> In a heavily load-balanced environment you'll probably want to terminate SSL before it gets
>> proxied to the actual api servers,
> 
> Why is that? It seems like a win to distribute as much processing as
> possible, including SSL termination?

Because most load balancing vendors are either 1) convinced that they need to go up the stack and have gradually made it impossible to do blind socket LB - and insist on looking at headers and whatnot, or 2) are so far out of touch and old that blind socket forwarding is not overly practical, as the outdated means to inform the LB what to blindly forward where is just too painful.

But yes - a bright vendor/standard would indeed do a clever pass-through to the distributed boxes for at least the initial exchange; optionally facilitate session sharing and/or provide it in-line; and after the exchange it could be informed of the session key and then do a bit more than just blind forwarding.

Dw.
