On 19 Sep 2015, at 8:13, Joseph Bajin wrote:

> We don't deploy swift behind apache, but instead we are using NGINX in this
> particular case.  The only reason we went with NGINX was it allowed us to
> control turning up and down particular services which apache couldn't do.
> One day we will move back to apache when we move swift into containers.
>
> The reason we put it behind nginx/apache was for a few different reasons:
>
> 1. We needed SSL for all our connections.  The python implementation of SSL
> doesn't handle a lot of connectivity and starts to have issues over time.
> This has been discussed about other projects as well, so it's not just
> related to swift.

Indeed. You must not terminate TLS inside the python/eventlet process. It just 
doesn't work. To demonstrate this, see 
https://github.com/notmyname/ssl_eventlet_slowloris



> 2. We had to control our SSL ciphers. Using nginx/apache allows us to have
> that control very easily.
> 3. Python Threading - Most projects are using eventlets and that is all done
> in a single thread.  The thought was Web Servers do web serving type of
> traffic very well, so hand over web serving to a web server and allow
> scaling as well as getting rid of the single eventlet thread issue.
>

Be very careful, especially with nginx. In older versions of nginx, the server 
would spool all content locally so it could retry on failures[1]. However, when 
you're using something like Swift which has very large request bodies, this 
will slow down requests and even cause a DOS since multiple requests could use 
up all the storage (memory or disk) on the server. e.g. imagine 100 concurrent 
5GB uploads. You don't want the server (nginx or otherwise) to spool that 500GB 
locally.

--John



[1] newer versions may have changed this, but be very careful with the config 
options

> On Sat, Sep 19, 2015 at 1:42 AM, Adam Lawson <[email protected]> wrote:
>
>> Hey everyone,
>>
>> What are the advantages to deploying swift storage and/or proxy services
>> behind apache versus not? Are there performance improvements that come into
>> play at scale? Has this been addressed before and are there any conclusions
>> drawn around these considerations I can read up on?
>>
>> /adam
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> [email protected]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
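An nginx front end that addresses the points raised in this thread (TLS and cipher control outside the Python process, and no local spooling of large request bodies), given as an added example that is not from either poster or from the Swift project. It assumes a current nginx release (the `proxy_request_buffering` directive exists from 1.7.11), a Swift proxy-server on 127.0.0.1:8080, and placeholder hostname and certificate paths.

```nginx
# Constructed example. Hostname, certificate paths and the backend address
# are assumptions, not values from the thread.
upstream swift_proxy {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name swift.example.com;                               # placeholder

    ssl_certificate     /etc/nginx/tls/swift.example.com.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/swift.example.com.key;    # placeholder

    # Protocol and cipher policy is set here, so the eventlet process never
    # handles TLS handshakes.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # nginx rejects bodies over 1m by default; 0 disables that check and
    # leaves object size limits to the backend.
    client_max_body_size 0;

    location / {
        # Default behaviour (the risk described above): the whole request body
        # is read, and written to client_body_temp_path once it exceeds
        # client_body_buffer_size, before the backend is contacted.
        # proxy_request_buffering on;

        # Stream the body to the backend as it arrives. The trade-off is that
        # nginx can no longer retry the request on another upstream server
        # once it has started sending the body.
        proxy_request_buffering off;

        # Chunked uploads are still buffered unless HTTP/1.1 is used upstream.
        proxy_http_version 1.1;

        # Large downloads: keep in-memory buffers, never spill to temp files.
        proxy_max_temp_file_size 0;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://swift_proxy;
    }
}
```

`nginx -t` validates the file before reload; watching the size of the `client_body_temp_path` directory during a large test upload confirms that nothing is being spooled.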