openstack team mailing list archive

Thread
Date

Re: Do we need SSL on nova-api ports?

To: Kirill Shileev <kshileev@xxxxxxxxxxxxxxxx>
From: Edward Konetzko <konetzed@xxxxxxxxxxxxxxxxx>
Date: Tue, 26 Apr 2011 12:52:51 -0500
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <BANLkTimo_E3AgH6aH+iO0qio6aXdzMrRng@mail.gmail.com>
Reply-to: konetzed@xxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110307 Icedove/3.0.11 ThunderBrowse/3.3.4

On 04/25/2011 12:47 PM, Kirill Shileev wrote:

Hi all,
Recently, playing with libcloud against a private openstack installation
we realized that 8773 and 8774 ports listened by openstack-nova-api
expect plain HTTP.
This is something that is rarely allowed in production installations.

We  bypass the problem by providing stunnel proxy for those ports.
Although, the fastest solution, it does not look satisfactory from the
long term perspective.
Hence the proposal:
https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl

There is no any details so far, but the main idea is to change the
default with nova-api
to listen for SSL encoded transport.

Other option would be making this configurable, although not sure why
and where the plain HTTP might be justified.

Any thoughts, comments?

--
Best regards,
Kirill Shileev
Senior software engineer
www.GridDynamics.com <http://www.GridDynamics.com>
+7 495 787 49 44 office



_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Kirill

Are you at the Openstack Confernece? Your ssl question is one of thethings I would like to discuss in the discussion session I registered,http://openstack-spring2011.sched.org/event/4bb755f74fa7528bb5a0ccd20805ec0c


Edward

References

Do we need SSL on nova-api ports?
From: Kirill Shileev, 2011-04-25