openstack team mailing list archive
Message #02061
Re: Do we need SSL on nova-api ports?
On 3 May 2011, at 03:29, Todd Willey wrote:
> We should be able to do it with a wsgi middleware and either include
> it or not in the paste config file. In a heavily load-balanced
> environment you'll probably want to terminate SSL before it gets
> proxied to the actual api servers,
Agreed. And using a standard set of headers is good here - as then your apache/proxy configs are easy and easily reused across the board.
> but it would be nice to support the
> simple case where the api server could have ssl. Middleware seems
> like a better, more reusable solution than a flag.
Hmm - is that really the 'simple case'? Or is having N of those in parallel the desired goal?
I am quite tempted to launch into an L7/man-in-the-middle D/SPOF bits of kit are evil diatribe at this point.
And really would like to assume that openstack ultimately gears towards a situation where one would not routinely use such (but perhaps for a few very specific locations where the 'customer' is a web browser or similar 'legacy' system) - and instead robustly assumes that any and all endpoints can have many CNAMEs which are tried in turn (or even better - full use of a DNS SRV record) - or similar loadbalancing/failover which does not require 'kit that can fail' inserted in the wire.
Just a thought,
Dw