Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Dirk-Willem van Gulik
On 3 May 2011, at 01:34, Eldar Nugaev wrote:
> #1 Replace existing plain http with ssl
> #2 Add additional ports for ssl (save plain http)
> #3 Do nothing
I suggest:
a) Make SSL only the default (ideally with client cert on as well).
b) Postulate that one port lower there is an optional

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Dirk-Willem van Gulik
On 3 May 2011, at 03:29, Todd Willey wrote:
> We should be able to do it with a wsgi middleware and either include it or not in the paste config file. In a heavily load-balanced environment you'll probably want to terminate SSL before it gets proxied to the actual api servers,
Agreed. And

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Soren Hansen
2011/5/3 Todd Willey t...@ansolabs.com:
> In a heavily load-balanced environment you'll probably want to terminate SSL before it gets proxied to the actual api servers,
Why is that? It seems like a win to distribute as much processing as possible, including SSL termination?
--
Soren Hansen

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Dirk-Willem van Gulik
On 3 May 2011, at 10:31, Soren Hansen wrote:
> 2011/5/3 Todd Willey t...@ansolabs.com:
>> In a heavily load-balanced environment you'll probably want to terminate SSL before it gets proxied to the actual api servers,
> Why is that? It seems like a win to distribute as much processing as

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Todd Willey
On Tue, May 3, 2011 at 5:39 AM, Dirk-Willem van Gulik dirk-willem.van.gu...@bbc.co.uk wrote:
> On 3 May 2011, at 10:31, Soren Hansen wrote:
>> 2011/5/3 Todd Willey t...@ansolabs.com:
>>> In a heavily load-balanced environment you'll probably want to terminate SSL before it gets proxied to the

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Dirk-Willem van Gulik
On 3 May 2011, at 13:30, Todd Willey wrote:
> On Tue, May 3, 2011 at 5:39 AM, Dirk-Willem van Gulik dirk-willem.van.gu...@bbc.co.uk wrote:
>> On 3 May 2011, at 10:31, Soren Hansen wrote:
>>> 2011/5/3 Todd Willey t...@ansolabs.com:
>>>> In a heavily load-balanced environment you'll probably want to

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Edward Konetzko
On 05/03/2011 06:39 AM, Dirk-Willem van Gulik wrote:
> On 3 May 2011, at 13:30, Todd Willey wrote:
>> On Tue, May 3, 2011 at 5:39 AM, Dirk-Willem van Gulik dirk-willem.van.gu...@bbc.co.uk wrote:
>>> On 3 May 2011, at 10:31, Soren Hansen wrote:
>>>> 2011/5/3 Todd Willey t...@ansolabs.com:
>>>>> In a heavily

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Richard Hartmann
On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik dirk-willem.van.gu...@bbc.co.uk wrote:
> a) Make SSL only the default (ideally with client cert on as well).
Sounds good to me.
> b) Postulate that one port lower there is an optional HTTP port (OFF, or tied to localhost).
The IETF

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Dirk-Willem van Gulik
On 3 May 2011, at 18:49, Richard Hartmann wrote:
> On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik dirk-willem.van.gu...@bbc.co.uk wrote:
>> a) Make SSL only the default (ideally with client cert on as well).
> Sounds good to me.
>> b) Postulate that one port lower there is an

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-03 Thread Vishvananda Ishaya
I don't really see any reason for production apps to run on anything other than 80/443. In dev mode it is nice to have other ports, but I don't really see a reason for special ports in production systems.
Vish
On May 3, 2011, at 10:49 AM, Richard Hartmann wrote:
> On Tue, May 3, 2011 at

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-02 Thread Eldar Nugaev
Hi all. So what is the decision? I see three decisions:
#1 Replace existing plain http with ssl
#2 Add additional ports for ssl (save plain http)
#3 Do nothing
Eldar
On Tue, Apr 26, 2011 at 11:27 AM, Dirk-Willem van Gulik dirk-willem.van.gu...@bbc.co.uk wrote:
> On 25 Apr 2011, at 19:47, Kirill

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-02 Thread Vishvananda Ishaya
Can we do this with a flag (or two) and just keep regular http if the flag is not set?
Vish
On May 2, 2011, at 4:34 PM, Eldar Nugaev wrote:
> Hi all. So what is the decision? I see three decisions:
> #1 Replace existing plain http with ssl
> #2 Add additional ports for ssl (save plain http)

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-02 Thread Andrey Brindeyev
More practical question: Should we use the same ports for SSL-enabled services as we have for plain-HTTP now (8773/8774)? If not, which ones should I choose for my SSL-protected Nova installation? Of course I can choose any on my own system - the question is - should we agree which ports will

Re: [Openstack] Do we need SSL on nova-api ports?

2011-05-02 Thread Todd Willey
We should be able to do it with a wsgi middleware and either include it or not in the paste config file. In a heavily load-balanced environment you'll probably want to terminate SSL before it gets proxied to the actual api servers, but it would be nice to support the simple case where the api

Re: [Openstack] Do we need SSL on nova-api ports?

2011-04-26 Thread Edward Konetzko
On 04/25/2011 12:47 PM, Kirill Shileev wrote:
> Hi all,
> Recently, playing with libcloud against a private openstack installation we realized that the 8773 and 8774 ports listened on by openstack-nova-api expect plain HTTP. This is something that is rarely allowed in production installations. We bypass

Re: [Openstack] Do we need SSL on nova-api ports?

2011-04-26 Thread Dirk-Willem van Gulik
On 25 Apr 2011, at 19:47, Kirill Shileev wrote:
> Recently, playing with libcloud against a private openstack installation we realized that the 8773 and 8774 ports listened on by openstack-nova-api expect plain HTTP. This is something that is rarely allowed in production installations. .