openstack team mailing list archive

Thread
Date

Do we need SSL on nova-api ports?

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Kirill Shileev <kshileev@xxxxxxxxxxxxxxxx>
Date: Mon, 25 Apr 2011 21:47:53 +0400

Hi all,
Recently, playing with libcloud against a private openstack installation
we realized that 8773 and 8774 ports listened by openstack-nova-api expect
plain HTTP.
This is something that is rarely allowed in production installations.

We  bypass the problem by providing stunnel proxy for those ports.
Although, the fastest solution, it does not look satisfactory from the long
term perspective.
Hence the proposal:
https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl

There is no any details so far, but the main idea is to change the default
with nova-api
to listen for SSL encoded transport.

Other option would be making this configurable, although not sure why and
where the plain HTTP might be justified.

Any thoughts, comments?

-- 
Best regards,
Kirill Shileev
Senior software engineer
www.GridDynamics.com
+7 495 787 49 44 office

Follow ups

Re: Do we need SSL on nova-api ports?
From: Dirk-Willem van Gulik, 2011-04-26
Re: Do we need SSL on nova-api ports?
From: Edward Konetzko, 2011-04-26