
openstack team mailing list archive

Re: swift enforcing ssl?

 

On Tue, Dec 27, 2011 at 2:11 PM, andi abes <andi.abes@xxxxxxxxx> wrote:
> Does the swift proxy enforce SSL connections if it's configured with a
> cert/key file? Or is it assumed that there's an external entity performing
> that?

The Swift proxy's SSL support is probably only useful for light
testing - SSL in Python (and especially with eventlet) has
historically been slow and subtly broken.  But basically the way it
works, it's either in SSL mode or non-SSL mode.  If you configure cert
and key files, it switches to SSL mode.

In a production environment, I'd suggest putting a reverse proxy like
Pound in front of Swift to terminate SSL.

Depending on your environment, it may also be a good idea to run that
on separate hardware.  That can get SSL termination CPU usage off the
proxies, and provide all the usual benefits of load balancing like
being able to remove proxy servers from rotation without downtime.

-Michael
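
A sketch of the setup suggested above, added here as an illustration and not part of the original message: a Pound configuration that terminates SSL and forwards plain HTTP to two Swift proxies. The file paths, addresses and ports are constructed for the example; the Swift proxies are assumed to run with cert_file and key_file unset and to listen only on a network that Pound can reach.

```conf
# pound.cfg (added example; all paths and addresses are constructed)
#
# Swift side, proxy-server.conf [DEFAULT]:
#   leave cert_file and key_file unset so the proxy stays in non-SSL mode,
#   and set bind_ip to an internal address so clients cannot reach the
#   plain-HTTP listener directly and bypass the SSL terminator.

ListenHTTPS
    Address 0.0.0.0
    Port    443

    # PEM file holding the server certificate and its private key
    Cert    "/etc/pound/swift.pem"

    # Pound accepts only GET, POST and HEAD by default (xHTTP 0).
    # 1 adds PUT and DELETE; 2 also adds WebDAV verbs such as COPY,
    # which Swift uses for server-side object copies.
    xHTTP   2

    Service
        # Swift proxy servers on the internal network, plain HTTP
        BackEnd
            Address 10.0.0.11
            Port    8080
        End
        BackEnd
            Address 10.0.0.12
            Port    8080
        End
    End
End
```

Without the xHTTP line, object uploads and deletes through Pound are rejected even though the SSL handshake succeeds.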

