On 3 May 2011, at 03:29, Todd Willey wrote:

> We should be able to do it with a wsgi middleware and either include
> it or not in the paste config file.  In a heavily load-balanced
> environment you'll probably want to terminate SSL before it gets
> proxied to the actual api servers,

Agreed. And using a standard set of headers is good here - as then your 
apache/proxy configs are easy and easily reused across the board.

> but it would be nice to support the
> simple case where the api server could have ssl.  Middleware seems
> like a better, more reusable solution than a flag.

Hmm - is that really the 'simple case'? Or is having N of those in parallel 
the desired goal?

I am quite tempted to launch into an "L7/man-in-the-middle D/SPOF bits of kit 
are evil" diatribe at this point.

And really would like to assume that OpenStack ultimately gears towards a 
situation where one would not routinely use such (but perhaps for a few very 
specific locations where the 'customer' is a web browser or similar 'legacy' 
system) - and instead robustly assumes that any and all endpoints can have many 
CNAMEs which are tried in turn (or even better - full use of a DNS SRV record) 
- or similar load balancing/failover which does not require 'kit that can fail' 
inserted in the wire.

Just a thought, 

Dw
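
The middleware approach discussed in this message, sketched as an added example that is not part of the original thread or of OpenStack's code: a WSGI filter, enabled from the paste config, that accepts the proxy's scheme header only from known proxy addresses. The header name `X-Forwarded-Proto` and the option names `trusted_proxies` and `require_https` are assumptions chosen for illustration.

```python
import ipaddress


class ForwardedSchemeMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto, but only for trusted proxies."""

    def __init__(self, app, trusted_proxies, require_https=False):
        self.app = app
        # Hypothetical option: CIDR blocks of the SSL-terminating proxies.
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
        self.require_https = require_https

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Always strip the header so the wrapped app never sees a client-set value.
        proto = environ.pop("HTTP_X_FORWARDED_PROTO", None)
        if proto is not None and self._from_trusted_proxy(environ):
            # Assumes the proxy overwrites the header with a single value.
            proto = proto.strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        if self.require_https and environ.get("wsgi.url_scheme") != "https":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        return self.app(environ, start_response)


def filter_factory(global_conf, **local_conf):
    """Paste Deploy filter factory, so the filter is included or left out in the config."""
    nets = local_conf.get("trusted_proxies", "127.0.0.1/32").split()
    strict = local_conf.get("require_https", "false").lower() == "true"
    return lambda app: ForwardedSchemeMiddleware(app, nets, strict)
```
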

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp