Dang. I was hoping this wasn't the case. (I personally think it's a little silly not to trust your service provider to secure a network when they have root access to all the machines powering your cloud... but I digress.)
Part of the reason I was hoping this wasn't the case, isn't just because it consumes a lot more CPU on the load balancers, but because now we potentially have to manage client certificates and CA certificates (for authenticating from the proxy to back-end app servers). And we also have to decide whether we allow the proxy to use a different client cert / CA per pool, or per member. Yes, I realize one could potentially use no client cert or CA (ie. encryption but no auth)... but that actually provides almost no extra security over the unencrypted case: If you can sniff the traffic between proxy and back-end server, it's not much more of a stretch to assume you can figure out how to be a man-in-the-middle. Do any of you have a use case where some back-end members require SSL authentication from the proxy and some don't? (Again, deciding whether client cert / CA usage should attach to a "pool" or to a "member.") It's a bit of a rabbit hole, eh. Stephen On Fri, Apr 18, 2014 at 10:21 AM, Eichberger, German < german.eichber...@hp.com> wrote: > Hi Stephen, > > > > The use case is that the Load Balancer needs to look at the HTTP requests > be it to add an X-Forward field or change the timeout – but the network > between the load balancer and the nodes is not completely private and the > sensitive information needs to be again transmitted encrypted. This is > admittedly an edge case but we had to implement a similar scheme for HP > Cloud’s swift storage. > > > > German > > > > *From:* Stephen Balukoff [mailto:sbaluk...@bluebox.net] > *Sent:* Friday, April 18, 2014 8:22 AM > > *To:* OpenStack Development Mailing List (not for usage questions) > *Subject:* [openstack-dev] [Neutron][LBaaS] SSL re-encryption scenario > question > > > > Howdy, folks! > > > > Could someone explain to me the SSL usage scenario where it makes sense to > re-encrypt traffic traffic destined for members of a back-end pool? SSL > termination on the load balancer makes sense to me, but I'm having trouble > understanding why one would be concerned about then re-encrypting the > traffic headed toward a back-end app server. (Why not just use straight TCP > load balancing in this case, and save the CPU cycles on the load balancer?) > > > > We terminate a lot of SSL connections on our load balancers, but have yet > to have a customer use this kind of functionality. (We've had a few ask > about it, usually because they didn't understand what a load balancer is > supposed to do-- and with a bit of explanation they went either with SSL > termination on the load balancer + clear text on the back-end, or just > straight TCP load balancing.) > > > > Thanks, > > Stephen > > > > > -- > Stephen Balukoff > Blue Box Group, LLC > (800)613-4305 x807 > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -- Stephen Balukoff Blue Box Group, LLC (800)613-4305 x807
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
