[Openstack] [swift] Can replication and proxy-to-storage communication be encrypted?

John Dickinson me at not.mn
Thu Mar 31 02:55:07 UTC 2016


Your code review is correct.

There are some ideas on how to make things more secure that I expect to be tackled relatively soon, but for now it's all HTTP.

In single-site deployments, the internal Swift network (i.e. proxy to storage and storage to storage) should be on a private network. And site-to-site connectivity for a multi-site deployment should be over a VPN or similar.

--John



On 30 Mar 2016, at 18:50, Mark Kirkwood wrote:

> Hi,
>
> I'm looking at configuring a multi-region cluster, and am thinking about
> what type of encryption is needed for inter-region traffic, and where
> this needs to be done (e.g. VPN or swift encrypting its own communication).
>
> My quick scan of the code seems[1] to point to internal communication
> being http only - but I'm asking in case I've missed something!
>
> regards
>
> Mark
>
> [1]
> Examining files in swift/obj,proxy,common it looks like proxy-to-storage
> (and storage-to-storage) communication is always unencrypted (i.e.
> common/bufferedhttp:http_connect is called without ssl set).
>
> Also looking at swift/obj/ssync_sender.py it seems to me that
> replication is not encrypted either.
>
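An added example, not part of the original thread or of Swift's own code: since the internal traffic is plain HTTP, this sketch audits ring device addresses against the networks an operator treats as private or VPN-carried, and lists the region pairs whose replication traffic has to cross a tunnel. The device entries and `INTERNAL_NETS` are constructed assumptions; the field names follow Swift ring device entries.

```python
import ipaddress
from itertools import combinations

# Constructed sample devices (all addresses are made up). "ip" carries
# proxy-to-storage traffic, "replication_ip" carries storage-to-storage traffic.
SAMPLE_DEVS = [
    {"id": 0, "region": 1, "zone": 1, "ip": "10.1.0.11", "replication_ip": "10.1.1.11"},
    {"id": 1, "region": 1, "zone": 2, "ip": "10.1.0.12", "replication_ip": "10.1.1.12"},
    {"id": 2, "region": 2, "zone": 1, "ip": "10.2.0.11", "replication_ip": "203.0.113.21"},
    {"id": 3, "region": 2, "zone": 2, "ip": "10.2.0.12", "replication_ip": "10.2.1.12"},
]

# Assumption: networks reachable only over the private network or the VPN.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def audit(devs, internal_nets):
    """Return (exposed, region_pairs).

    exposed      -- (device id, field, address) for every address outside
                    the internal networks; HTTP to it is not protected.
    region_pairs -- every pair of regions in the ring; replication between
                    them must be carried by a VPN or similar.
    """
    exposed = []
    for dev in devs:
        for field in ("ip", "replication_ip"):
            addr = ipaddress.ip_address(dev[field])
            if not any(addr in net for net in internal_nets):
                exposed.append((dev["id"], field, dev[field]))
    regions = sorted({dev["region"] for dev in devs})
    return exposed, list(combinations(regions, 2))


if __name__ == "__main__":
    exposed, pairs = audit(SAMPLE_DEVS, INTERNAL_NETS)
    for dev_id, field, addr in exposed:
        print(f"device {dev_id}: {field}={addr} is outside the internal networks")
    for a, b in pairs:
        print(f"regions {a} and {b}: replication traffic needs a VPN or similar")
```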