Hi Sergii, So just to rephrase, generated a self-signed certificate from the fuel master with the correct CN for the VIP and distributed the certificate to all HAProxy should be easy. Cool :). Otherwise I'm using HAProxy >= 1.5 and this version will be generated by OSCI fuel team I guess. Securing the backend traffic will be done as a second step I think.
Thanks for your confirmation. On Tue, Jul 8, 2014 at 10:20 PM, Sergii Golovatiuk <[email protected] > wrote: > Hi Guillaume, > > The solution should be pretty straight forward. Fuel uses VIP under > pacemaker control. Traffic goes through that VIP to HAProxy of active node. > The rest nodes don't serve the traffic. Fuel doesn't use any kind of > balancing. Recently, HAProxy 1.5 was released which introduces SSL > termination. This allows you to use it to secure user<->VIP traffic. > Additionally you may secure backend traffic though I think it's not so > important. > > -- > Best regards, > Sergii Golovatiuk, > Skype #golserge > IRC #holser > > > On Tue, Jul 8, 2014 at 3:26 PM, Guillaume Thouvenin <[email protected]> > wrote: > >> Hi folks, >> >> I'm currently writing a specification to enable SSL for OSt public >> endpoint [1]. I'm using HAProxy to manage SSL and I have a question when we >> are in HA mode (I mean with more than one HAProxy). My first thought was to >> generate a self-signed certificate with puppet and put this certificate on >> the controller where it can be used by HAProxy. The problem is if we have >> several HAProxy. In my scenario there will be several different >> certificates. So another idea is to generate the self-signed certificate >> from the fuel master (using the CN of the VIP) and then distribute it to >> controller nodes through a mechanism like mcollective. Does it make sense >> to you? Who can help me to find where this can be done into fuel? >> >> Thanks a lot for your help, >> Best Regards, >> Guillaume >> >> [1] https://review.openstack.org/#/c/102273/ >> >> -- >> Mailing list: https://launchpad.net/~fuel-dev >> Post to : [email protected] >> Unsubscribe : https://launchpad.net/~fuel-dev >> More help : https://help.launchpad.net/ListHelp >> >> >
-- Mailing list: https://launchpad.net/~fuel-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~fuel-dev More help : https://help.launchpad.net/ListHelp
