Thanks Chris.

Sounds like you're saying building out the apache element may be a sensible
next step?

-Stuart

--------------------------------------------------------
Hi

We don't have a strong attachment to stunnel though; I quickly dropped it in
front of our CI/CD undercloud and Rob wrote the element so we could repeat the 
deployment.

In the fullness of time I would expect there to exist elements for several SSL 
terminators, but we shouldn't necessarily stick with stunnel because it 
happened to be the one I was most familiar with :)

I would think that an httpd would be a good option to go with as the default, 
because I tend to think that we'll need an httpd running/managing the python 
code by default.

Cheers,
--
Chris Jones

On 26 Mar 2014, at 13:49, stuart.mclaren at hp.com wrote:

Just spotted the openstack-ssl element which uses 'stunnel'...


On Wed, 26 Mar 2014, stuart.mclaren at hp.com wrote:

All,

I know there's a preference for using a proxy to terminate
SSL connections rather than using the native python code.

There's a good write up of configuring the various proxies here:

http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html

If we're not using native python SSL termination in TripleO we'll
need to pick which one of these would be a reasonable choice for
initial https support.

Pound may be a good choice -- it's lightweight (6,000 lines of C),
easy to configure and gives good control over the SSL connections (ciphers etc).
Plus, we've experience with pushing large (GB) requests through it.

I'm interested if others have a strong preference for one of the other
options (stud, nginx, apache) and if so, what are the reasons you feel it
would make a better choice for a first implementation.

Thanks,

-Stuart

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
