[Openstack] Do we need SSL on nova-api ports?

Edward Konetzko konetzed at quixoticagony.com
Tue May 3 15:30:48 UTC 2011


On 05/03/2011 06:39 AM, Dirk-Willem van Gulik wrote:
>
> On 3 May 2011, at 13:30, Todd Willey wrote:
>
>> On Tue, May 3, 2011 at 5:39 AM, Dirk-Willem van Gulik
>> <dirk-willem.van.gulik at bbc.co.uk>  wrote:
>>>
>>> On 3 May 2011, at 10:31, Soren Hansen wrote:
>>>
>>>> 2011/5/3 Todd Willey<todd at ansolabs.com>:
>>>>> In a heavily load-balanced environment you'll probably want to terminate SSL before it gets
>>>>> proxied to the actual api servers,
>>>>
>>>> Why is that? It seems like a win to distribute as much processing as
>>>> possible, including SSL termination?
>>>
>>> Because most load balancing vendors are either 1) convinced that they need to go up the stack and have gradually made it impossible to do blind socket LB - and insist on looking at headers and what not, or 2) are so far out of touch and old that blind socket forwarding is not overly practical as the outdated means to inform the LB what to blindly forward where is just too painful.
>>
>> I was thinking of hardware acceleration.
>
> Aye, agreed - though these days - once the initial DSA/RSA negotiation is done - the rest is getting less and less painful[1] in modern environments - and given its very cloudy nature - quite likely distributed with enough CPU spare cycles.
>>
>>> But yes - a bright vendor/standard would indeed do a clever pass through to the distributed boxes for at least the initial exchange; optionally facilitate session sharing and/or providing it in-line and after the exchange it could be informed of the session key and then do a bit more than just blind forwarding.
>>>
>>> Dw.
>
> Dw.
>
> 1: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

How about nova-api does not get ssl/tls support but there is a reference 
way of setting up apache/nginx to be used as the web server for nova-api?

I would much rather have the ability to run the api behind a web server 
that has the ability to load modules to do whatever an end user wants e.g. 
SSL.

To answer Soren's earlier question, basically think of it this way: SSL 
offload at the LB is needed if you have a layer 7 LB and want to use its 
fancy tricks.  I have seen software-based LBs do SSL offload at numbers 
that would probably make some of the hardware LB guys worry.
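As an added illustration of the "reference web server in front of nova-api" setup proposed above (this is an example written for this page, not configuration from the thread or from the Nova project), here is an nginx server block that terminates TLS and proxies plaintext HTTP to nova-api on the loopback interface. It assumes nova-api listens on 127.0.0.1:8774 (the usual compute API port), that the certificate and key live under /etc/nginx/ssl/, that the public name is api.example.com, and that the nginx/OpenSSL build supports TLS 1.2/1.3; all of those are placeholders to adjust.

```nginx
# Added example: TLS termination in nginx in front of nova-api.
# Assumed: nova-api on 127.0.0.1:8774, cert/key under /etc/nginx/ssl/,
# public hostname api.example.com. None of these come from the thread.

# Plaintext listeners only redirect; the API itself is never served on :80.
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/ssl/api.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/api.example.com.key;

    # Drop SSLv3/TLS 1.0/1.1 and weak suites; requires a reasonably
    # current nginx/OpenSSL (assumption).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session cache shared across worker processes so repeat clients skip
    # the full handshake, which is the expensive part discussed above.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_pass http://127.0.0.1:8774;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the application know the client used HTTPS, since the hop
        # to nova-api itself is plaintext.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The one check that matters with this layout: nova-api must only be reachable through the proxy. Bind it to the loopback address (or firewall its port) so that nobody can talk to it in the clear by going around nginx; the X-Forwarded-* headers are only trustworthy if the proxy is the sole path to the backend.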

More information about the Openstack mailing list