Swift: proxy architecture and auth system

asked 2011-06-23 13:13:26 -0500

c35sys

Hi all,

In case of simultaneous http and https for proxies, is it a correct implementation to create two proxy farms behind a load-balancer ?

For example:

                           Load Balancer
                                 |
        +----------------+-------+--------+-----------------+
        |                |                |                 |
  proxy1 (http)    proxy2 (http)    proxy3 (https)    proxy4 (https)

I looked at https://answers.launchpad.net/swift/+question/152909 and found it not easy to handle (2 services not really managed on the same server).

If I configure first webfarm with http only and set swift cluster url to http://<load_balancer_hostname>, then I configure second webfarm with https only and set swift cluster url to https://<load_balancer_hostname>, is it a good way to implement it ?

As the Swift auth system is important, which middleware is the right one to choose between swauth and keystone? My guess is swauth, as I can read from the keystone documentation: "Keystone currently allows any valid token to do anything with any account."

The platform is actually using 1.4.1 version.

Thanks !


3 answers


answered 2011-06-24 10:14:40 -0500

c35sys

Hi Marcelo,

The load balancer used is haproxy, and is not able to do SSL termination without stunnel patch (not provided).

However, it seems a good way to create two different pools anyway, regardless of where the SSL termination is.

Thanks for the information and for the auth system as well !


answered 2011-06-24 10:14:58 -0500

c35sys

Thanks Marcelo Martins, that solved my question.


answered 2011-06-23 21:34:02 -0500

btorch

Is your Load Balancer able to do SSL termination ? I would rather create two pools in the LB, one for HTTPS and another for HTTP. That will also free up more resources in the proxy system since it would not be doing SSL termination.

In regards to the auth system, I would suggest swauth since I believe keystone is still under development.



Stats

Asked: 2011-06-23 13:13:26 -0500

Seen: 58 times

Last updated: Jun 24 '11