Very often you’ll deploy them on the same server, so no plaintext goes over the 
wire.

 

-Rob

 

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
Sent: 05 March 2014 20:31
To: Douglas Mendizabal; Tiwari, Arvind; Ferreira, Rafael; Remo Mattei; Wyllys 
Ingersoll; openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

 

Hello,

 

I now have a web server question. I just configured NGINX to serve as an HTTPS 
front end. If I am not mistaken, NGINX receives the HTTPS requests and then 
makes an HTTP request to the uWSGI server, which parses the request and calls 
Barbican directly, passing in the request parameters. Is this correct?

 

If so, how do I remove uWSGI as a middleman? Insecure HTTP requests are not 
permitted in my environment.

 

Regards,

 

Mark Miller

 

 

From: Douglas Mendizabal [mailto:douglas.mendiza...@rackspace.com] 
Sent: Wednesday, March 05, 2014 9:07 AM
To: Tiwari, Arvind; Miller, Mark M (EB SW Cloud - R&D - Corvallis); Ferreira, 
Rafael; Remo Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

 

Arvind,

 

I think you are confused about HTTPS support.  

 

>> Barbican does not support SSL, I have added BP for the same.

This is a false statement.  Barbican does not need to support SSL.  It’s up to 
the container (aka the Web Server) being used to provide SSL for the 
application, just as you’ve shown in the wiki entry to set up Nginx with SSL.  
There is nothing that we can do to “add SSL to Barbican”, so I’m not sure what 
your blueprint is trying to accomplish.

 

Thanks,

-Doug

 

From: Tiwari, Arvind <arvind.tiw...@hp.com>
Date: Tuesday, March 4, 2014 at 7:08 PM
To: "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.mil...@hp.com>, 
Douglas Mendizabal <douglas.mendiza...@rackspace.com>, "Ferreira, Rafael" 
<r...@io.com>, Remo Mattei <r...@italy1.com>, Wyllys Ingersoll 
<wyllys.ingers...@evault.com>, "openstack@lists.openstack.org" 
<openstack@lists.openstack.org>
Subject: RE: [Openstack] [Barbican] HTTPS Connection Question

 

Hi Mark,

 

Barbican does not support SSL, I have added BP for the same.

https://blueprints.launchpad.net/barbican/+spec/transport-layer-security-is-needed-in-barbican

 

I have added this page which uses Nginx (I like it better than Apache) to provide 
SSL support 

https://github.com/cloudkeep/barbican/wiki/Deploy-OpenStack-Barbican-with-Nginx-web-server

 

Hope this will help.

 

Thanks,

Arvind

 

 

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
Sent: Tuesday, March 04, 2014 4:34 PM
To: Douglas Mendizabal; Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; 
openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

 

Hello Doug,

 

Thank you for the information. I will keep you informed if we decide to use 
Apache2 as a front end.

 

Regards,

 

Mark

 

From: Douglas Mendizabal [mailto:douglas.mendiza...@rackspace.com] 
Sent: Tuesday, March 04, 2014 2:47 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); Ferreira, Rafael; Remo 
Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

 

Hi Mark,

 

I hope I can answer your questions:

 

1. HTTP support should be provided by the web server used to host barbican, not 
by barbican itself.  The files where you noticed the “protocol = http” settings 
are uwsgi configuration files the Barbican team uses to run Barbican using 
uwsgi during development.  The settings are just default development settings, 
and should be tuned to your particular situation.  You can find more 
information about uwsgi config options on their official documentation. [1]  In 
particular, you may be interested in enabling HTTPS support documentation. [2]

 

2. As I mentioned above, the dev team uses uwsgi to run Barbican, however there 
are no dependencies on uwsgi built into barbican.  This means that, in theory, 
you should be able to run Barbican using Apache + mod_uwsgi, or Nginx + 
gunicorn, or any other web server capable of hosting a WSGI app.  That said, we 
have not actually built environments with alternative web servers, so we don’t 
currently have any documentation on how to set that up.   If you decide to 
deploy Barbican using Apache, we’d love to hear about your experience and help 
out in any way we can (join us at #openstack-barbican on Freenode).  I would 
encourage you to contribute to our documentation wiki if you are successful.

 

Regards,

-Doug Mendizabal

 

[1] http://uwsgi-docs.readthedocs.org/en/latest/Options.html

[2] http://uwsgi-docs.readthedocs.org/en/latest/HTTPS.html?highlight=ssl#https-support-from-1-3

 

 

From: "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.mil...@hp.com>
Date: Tuesday, March 4, 2014 at 12:44 PM
To: "Ferreira, Rafael" <r...@io.com>, Remo Mattei <r...@italy1.com>, Wyllys 
Ingersoll <wyllys.ingers...@evault.com>, "openstack@lists.openstack.org" 
<openstack@lists.openstack.org>
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

 

Hello,

 

I’ve been digging and digging and I have not been able to locate the following 
information:

 

1. Does Barbican provide support for HTTPS connections to it? I noticed 
“protocol=http” in several .ini files and a .conf file, but no information on 
how to configure Barbican to use it.

2. The quickstart wiki shows how to install Barbican behind the uwsgi 
server. Is it possible to install Barbican behind Apache2? Is there any 
documentation or example configuration guides?

 

Thanks,

 

Mark 
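
Added example (not part of the original thread and not Barbican project code): a small Python check of a uWSGI ini file for the situation discussed above, where the web server terminates HTTPS and the hop to uWSGI must not carry plaintext over the wire. The sample configs, port 8000 and the socket path are constructed for illustration; the option names checked (socket, uwsgi-socket, http, http-socket, protocol) are uWSGI's.

```python
import configparser
import ipaddress

# uWSGI options that open a listener without TLS ("https" is deliberately absent).
PLAINTEXT_KEYS = ("socket", "uwsgi-socket", "http", "http-socket")


def stays_on_host(bind):
    """True if the bind address is a UNIX socket path or a loopback TCP address."""
    if ":" not in bind:
        return True  # no colon: uWSGI binds a UNIX domain socket at this path
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":8000" = all interfaces) or a hostname


def audit_uwsgi_ini(text):
    """Return one finding per plaintext listener reachable from other hosts."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    parser.read_string(text)
    opts = parser["uwsgi"]
    findings = []
    for key in PLAINTEXT_KEYS:
        bind = opts.get(key)
        if bind is None or stays_on_host(bind.strip()):
            continue
        proto = "http" if key.startswith("http") else opts.get("protocol", "uwsgi")
        findings.append(f"{key} = {bind}: plaintext {proto} listener leaves this host")
    return findings


# Constructed samples (not taken from the Barbican repository).
DEV_DEFAULT = "[uwsgi]\nsocket = :8000\nprotocol = http\n"
SAME_HOST = "[uwsgi]\nsocket = /run/barbican/uwsgi.sock\nchmod-socket = 660\n"

if __name__ == "__main__":
    for name, ini in (("dev default", DEV_DEFAULT), ("same host", SAME_HOST)):
        print(name, "->", audit_uwsgi_ini(ini) or "no plaintext listener off-host")
```

A UNIX socket or loopback bind keeps the NGINX-to-uWSGI hop on the same server; a listener configured with uWSGI's `https` option is not flagged because it is not in the plaintext list.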

 

 
