
openstack team mailing list archive

Re: Do we need SSL on nova-api ports?

 

We should be able to do it with a wsgi middleware and either include
it or not in the paste config file.  In a heavily load-balanced
environment you'll probably want to terminate SSL before it gets
proxied to the actual api servers, but it would be nice to support the
simple case where the api server could have ssl.  Middleware seems
like a better, more reusable solution than a flag.

-todd[1]

On Mon, May 2, 2011 at 7:42 PM, Vishvananda Ishaya
<vishvananda@xxxxxxxxx> wrote:
> Can we do this with a flag (or two) and just keep regular http if the flag is not set?
>
> Vish
>
> On May 2, 2011, at 4:34 PM, Eldar Nugaev wrote:
>
>> Hi all.
>>
>> So what is the decision?
>> I see three decisions:
>>
>> #1 Replace existing plain http with ssl
>> #2 Add additional ports for ssl (save plain http)
>> #3 Do nothing
>>
>> Eldar
>>
>> On Tue, Apr 26, 2011 at 11:27 AM, Dirk-Willem van Gulik
>> <dirk-willem.van.gulik@xxxxxxxxx> wrote:
>>>
>>> On 25 Apr 2011, at 19:47, Kirill Shileev wrote:
>>>
>>>> Recently, playing with libcloud against a private openstack installation
>>>> we realized that ports 8773 and 8774, listened on by openstack-nova-api, expect plain HTTP.
>>>> This is something that is rarely allowed in production installations.
>>>> .....
>>>> Another option would be making this configurable, although not sure why and where the plain HTTP might be justified.
>>>>
>>>> Any thoughts, comments?
>>>
>>> An important side effect of slapping SSL with client/server certs on pretty much all connections is that it makes all sorts of governance and validation jobs much easier from an organisational point of view. With more 'reuse' of existing process and validation.
>>>
>>> The attack footprint/exposed estate now splits in three clean realms: issuing of client cert, security of the TCP and SSL layer - and a specific model for what happens within that connection. With the latter bound by the previous two. Furthermore client validation can be done with nearly a secret in sight.
>>>
>>> So for those reasons alone - SSL is good.
>>>
>>> Dw.
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>>
>> --
>> Eldar
>> Skype: eldar.nugaev
>>
>
>
>
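As an added example (not code from this thread or from nova itself): a paste-deployable WSGI filter along the lines Todd suggests. The TLS handshake itself belongs to the server or to the load balancer in front of it; what the filter enforces is that every request reaching the API arrived over TLS, trusting `X-Forwarded-Proto` only when the paste config says a load balancer has terminated SSL. The filter name, the `trust_forwarded_proto` option and `hello_app` are assumptions.

```python
def is_tls(environ, trust_forwarded_proto=False):
    """True if the request arrived over TLS: either this server did the
    handshake (wsgi.url_scheme == 'https') or a trusted load balancer
    terminated SSL and said so via X-Forwarded-Proto."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


class RequireTLS(object):
    """WSGI middleware: pass the request through only if it came in over
    TLS, otherwise answer 403 without touching the wrapped API app."""

    def __init__(self, app, trust_forwarded_proto=False):
        self.app = app
        self.trust_forwarded_proto = trust_forwarded_proto

    def __call__(self, environ, start_response):
        if is_tls(environ, self.trust_forwarded_proto):
            return self.app(environ, start_response)
        body = b"TLS required\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def filter_factory(global_conf, **local_conf):
    """paste.deploy entry point. Hypothetical paste config (assumed names):
        [filter:require_tls]
        paste.filter_factory = require_tls:filter_factory
        trust_forwarded_proto = true
    Set trust_forwarded_proto only when a load balancer in front terminates
    SSL; leave the filter out of the pipeline and plain HTTP keeps working."""
    trust = local_conf.get("trust_forwarded_proto", "false").lower() == "true"
    return lambda app: RequireTLS(app, trust_forwarded_proto=trust)


def hello_app(environ, start_response):
    """Stand-in for the real nova-api WSGI application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

A client that reaches the server directly over plain HTTP gets a 403 regardless of the option, so the header cannot be used to pretend a request was encrypted unless the proxy in front is explicitly trusted.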

