openstack team mailing list archive
Message #13470
Re: [keystone] Keystone on port 5000 - proposing change default port to 8770
On 21/06/12 09:27, Joseph Heck wrote:
> Honestly the only reason is that I've heard some fairly direct feedback that port 5000 is that MS uPnP port and hence blocked by many corporate entities, so it's just a matter of a PITA and a slight bump in setup for those groups. Thought to honestly register another port with IANA like 35357 and put it in place - wanted to see if anyone screamed first.
>
Disclaimer: I've never used keystone with nova, only swift user here!

Are you using keystone with SSL? It's recommended you use an SSL
terminator instead of the Python SSL implementation, so you're using
port 5000 on localhost only:

keystone (127.0.0.1:5000) HTTP -> SSL terminator* (public-ip:443) -> HTTPS <- Client requests

* i.e. Pound http://www.apsis.ch/pound/

If you're not using SSL I guess it makes sense to use an HTTP proxy too
for security reasons. Running nginx/apache or something like that
in front of keystone looks like a reasonable thing to do, because it
will sanitise any malformed request.

So I think using port 5000 is not a problem because it shouldn't be used
directly in production; unless I'm missing something!

Kind regards,
Juan
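
The layout described in the message above (keystone on 127.0.0.1:5000, SSL terminator on public-ip:443) can be checked on a host by auditing its listening sockets. This is an added example, not part of the original post; it assumes Linux `ss -ltnH` output, and the sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed samples of `ss -ltnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE_OK = """\
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 [::1]:5000 [::]:*
LISTEN 0 511 203.0.113.10:443 0.0.0.0:*
"""
SAMPLE_EXPOSED = """\
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 511 203.0.113.10:443 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return [(host, port)] for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any interface zone such as "%lo".
        host = host.strip("[]").split("%")[0]
        listeners.append((host, int(port)))
    return listeners


def is_loopback(host):
    """'*' is the dual-stack wildcard, so it is never loopback-only."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def audit(ss_output, backend_port=5000, public_port=443):
    """Return findings; an empty list means the layout matches."""
    listeners = parse_listeners(ss_output)
    findings = []
    for host, port in listeners:
        if port == backend_port and not is_loopback(host):
            findings.append(f"backend port {port} reachable on {host}")
    if not any(port == backend_port for _, port in listeners):
        findings.append(f"nothing listening on backend port {backend_port}")
    if not any(port == public_port for _, port in listeners):
        findings.append(f"no terminator listening on port {public_port}")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit(sample) or "layout matches")
```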