openstack team mailing list archive

Thread
Date

Re: swift enforcing ssl?

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Michael Barton <mike-launchpad@xxxxxxxxxxxxxxxx>
Date: Wed, 28 Dec 2011 13:21:46 -0800
In-reply-to: <CA+KYVfjrjnpMPKPi0VowMW4mFkHz+cdbWADFZAvRwkFGYrgjDQ@mail.gmail.com>
Sender: palrich@xxxxxxxxx

On Tue, Dec 27, 2011 at 2:11 PM, andi abes <andi.abes@xxxxxxxxx> wrote:
> Does the swift proxy enforce SSL connections if it's configured with a
> cert/key file? Or is it assumed that there's an external entity performing
> that?

The Swift proxy's SSL support is probably only useful for light
testing - SSL in python (and especially with eventlet) has
historically been slow and subtly broken.  But basically the way it
works, it's either in SSL mode or non-SSL mode.  If you configure cert
and key files, it switches to SSL mode.

In a production environment, I'd suggest putting a reverse proxy like
Pound in front of Swift to terminate SSL.

Depending on your environment, it may also be a good idea to run that
on separate hardware.  That can get SSL termination CPU usage off the
proxies, and provide all the usual benefits of load balancing like
being able to remove proxy servers from rotation without downtime.

-Michael

Follow ups

Re: swift enforcing ssl?
From: Andrew Clay Shafer, 2011-12-28

References

swift enforcing ssl?
From: andi abes, 2011-12-27