[Openstack] [swift] Can replication and proxy-to-storage communication be encrypted?
John Dickinson
me at not.mn
Thu Mar 31 02:55:07 UTC 2016
Your code review is correct.
There are some ideas on how to make things more secure that I expect to be tackled relatively soon, but for now it's all HTTP.
In single-site deployments, the internal Swift network (i.e. proxy to storage and storage to storage) should be on a private network. And site-to-site connectivity for a multi-site deployment should be over a VPN or similar.
--John
On 30 Mar 2016, at 18:50, Mark Kirkwood wrote:
> Hi,
>
> I'm looking at configuring a multi region cluster, and am thinking about
> what type of encryption is needed for inter region traffic, and where
> this needs to be done (e.g. VPN or swift encrypting its own communication).
>
> My quick scan of the code seems[1] to point to internal communication
> being http only - but I'm asking in case I've missed something!
>
> regards
>
> Mark
>
> [1]
> Examining files in swift/obj,proxy,common it looks like proxy-to-storage
> (and storage-to-storage) communication is always unencrypted (i.e.
> common/bufferedhttp:http_connect is called without ssl set).
>
> Also looking at swift/obj/ssync_sender.py it seems to me that
> replication is not encrypted either.
>
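The kind of code review described in this thread can be repeated mechanically. The following is an added example, not part of the original messages and not Swift code: it walks Python source with `ast` and reports every `http_connect` call that does not pass a literal `ssl=True`. The `SAMPLE` source and the helper name `plaintext_calls` are constructed for illustration, and only the keyword form of `ssl` is checked.

```python
import ast

# Constructed sample source (not copied from Swift): three call sites written
# in the style of the proxy-to-storage calls discussed in the thread.
SAMPLE = '''
from swift.common.bufferedhttp import http_connect

def backend_get(node, part, path, headers):
    return http_connect(node["ip"], node["port"], node["device"],
                        part, "GET", path, headers)

def backend_put(node, part, path, headers):
    return http_connect(node["ip"], node["port"], node["device"],
                        part, "PUT", path, headers=headers, ssl=True)

def backend_head(node, part, path, use_ssl):
    return http_connect(node["ip"], node["port"], node["device"],
                        part, "HEAD", path, ssl=use_ssl)
'''


def _callee_name(call):
    """Return the called name for `f(...)` or `mod.f(...)`, else None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def plaintext_calls(source, func_name="http_connect"):
    """List (line, reason) for calls that are not provably made with ssl=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node) != func_name:
            continue
        ssl_kw = next((kw for kw in node.keywords if kw.arg == "ssl"), None)
        if ssl_kw is None:
            findings.append((node.lineno, "ssl not passed"))
        elif not (isinstance(ssl_kw.value, ast.Constant)
                  and ssl_kw.value.value is True):
            # Variable or False: the link may be plaintext, so flag for review.
            findings.append((node.lineno, "ssl is not a literal True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in plaintext_calls(SAMPLE):
        print(f"line {line}: {reason}")
```
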