Hi Guillaume, The solution should be pretty straight forward. Fuel uses VIP under pacemaker control. Traffic goes through that VIP to HAProxy of active node. The rest nodes don't serve the traffic. Fuel doesn't use any kind of balancing. Recently, HAProxy 1.5 was released which introduces SSL termination. This allows you to use it to secure user<->VIP traffic. Additionally you may secure backend traffic though I think it's not so important.
-- Best regards, Sergii Golovatiuk, Skype #golserge IRC #holser On Tue, Jul 8, 2014 at 3:26 PM, Guillaume Thouvenin <[email protected]> wrote: > Hi folks, > > I'm currently writing a specification to enable SSL for OSt public > endpoint [1]. I'm using HAProxy to manage SSL and I have a question when we > are in HA mode (I mean with more than one HAProxy). My first thought was to > generate a self-signed certificate with puppet and put this certificate on > the controller where it can be used by HAProxy. The problem is if we have > several HAProxy. In my scenario there will be several different > certificates. So another idea is to generate the self-signed certificate > from the fuel master (using the CN of the VIP) and then distribute it to > controller nodes through a mechanism like mcollective. Does it make sense > to you? Who can help me to find where this can be done into fuel? > > Thanks a lot for your help, > Best Regards, > Guillaume > > [1] https://review.openstack.org/#/c/102273/ > > -- > Mailing list: https://launchpad.net/~fuel-dev > Post to : [email protected] > Unsubscribe : https://launchpad.net/~fuel-dev > More help : https://help.launchpad.net/ListHelp > >
-- Mailing list: https://launchpad.net/~fuel-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~fuel-dev More help : https://help.launchpad.net/ListHelp
