Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-27 Thread Nathan Kinder
On 03/26/2014 09:51 AM, Clint Byrum wrote: Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700: Hi We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud and Rob wrote the element so we could repeat the deployment. In the

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-27 Thread Clint Byrum
Excerpts from Nathan Kinder's message of 2014-03-27 13:25:02 -0700: On 03/26/2014 09:51 AM, Clint Byrum wrote: Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700: Hi We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-26 Thread stuart . mclaren
Just spotted the openstack-ssl element which uses 'stunnel'... On Wed, 26 Mar 2014, stuart.mcla...@hp.com wrote: All, I know there's a preference for using a proxy to terminate SSL connections rather than using the native python code. There's a good write up of configuring the various

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-26 Thread Chris Jones
Hi We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud and Rob wrote the element so we could repeat the deployment. In the fullness of time I would expect there to exist elements for several SSL terminators, but we shouldn't necessarily

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-26 Thread stuart . mclaren
Thanks Chris. Sounds like you're saying building out the apache element may be a sensible next step? -Stuart Hi We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud and Rob wrote

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-26 Thread Clint Byrum
Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700: Hi We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud and Rob wrote the element so we could repeat the deployment. In the fullness of time I would expect there to

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-26 Thread Chris Jones
Hi On 26 March 2014 16:51, Clint Byrum cl...@fewbar.com wrote: quite a bit differently than app serving), there is a security implication in having the private SSL keys on the same box that runs the app. This is a very good point, thanks :) -- Cheers, Chris