More practical question: Should we use the same ports for SSL-enabled services as we have for plain-HTTP now (8773/8774)?
If not, which ones should I choose for my SSL-protected Nova installation? Of course I can choose any on my own system - the question is - should we agree which ports will be OFFICIAL while using SSL on Nova installations across the globe? That will be easy for the community (at least to distinguish between non-SSL and SSL setup in logs/etc).

Andrey.

02.05.2011, at 16:42, Vishvananda Ishaya wrote:

> Can we do this with a flag (or two) and just keep regular http if the flag is
> not set?
>
> Vish
>
> On May 2, 2011, at 4:34 PM, Eldar Nugaev wrote:
>
>> Hi all.
>>
>> So what is the decision?
>> I see three decisions:
>>
>> #1 Replace existing plain http with ssl
>> #2 Add additional ports for ssl (save plain http)
>> #3 Do nothing
>>
>> Eldar
>>
>> On Tue, Apr 26, 2011 at 11:27 AM, Dirk-Willem van Gulik
>> <dirk-willem.van.gu...@bbc.co.uk> wrote:
>>>
>>> On 25 Apr 2011, at 19:47, Kirill Shileev wrote:
>>>
>>>> Recently, playing with libcloud against a private openstack installation
>>>> we realized that 8773 and 8774 ports listened by openstack-nova-api expect
>>>> plain HTTP.
>>>> This is something that is rarely allowed in production installations.
>>>> .....
>>>> Other option would be making this configurable, although not sure why and
>>>> where the plain HTTP might be justified.
>>>>
>>>> Any thoughts, comments?
>>>
>>> An important side effect of slapping SSL with client/server certs on pretty
>>> much all connections is that it makes all sorts of governance and validation
>>> jobs much easier from an organisational point of view. With more 'reuse' of
>>> existing process and validation.
>>>
>>> The attack footprint/exposed estate now splits in three clean realms:
>>> issuing of client cert, security of the TCP and SSL layer - and a specific
>>> model for what happens within that connection. With the latter bound by the
>>> previous two. Furthermore client validation can be done with nearly a secret
>>> in sight.
>>>
>>> So for those reasons alone - SSL is good.
>>>
>>> Dw.
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack@lists.launchpad.net
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp
>>
>> --
>> Eldar
>> Skype: eldar.nugaev