Swift: proxy architecture and auth system

Asked by Christophe Le Guern

Hi all,

In case of simultaneous http and https for proxies, is it a correct implementation to create two proxy farms behind a load balancer?

For example:

                        Load Balancer
                              |
          +-----------+-------+-------+-----------+
          |           |               |           |
     proxy1      proxy2          proxy3      proxy4
     (http)      (http)          (https)     (https)

I looked at https://answers.launchpad.net/swift/+question/152909 and found it not easy to handle (2 services not really managed on the same server).

If I configure the first webfarm with http only and set the swift cluster URL to http://<LOAD_BALANCER_HOSTNAME>,
then configure the second webfarm with https only and set the swift cluster URL to https://<LOAD_BALANCER_HOSTNAME>, is it a good way to implement it?

As the swift auth system is important, which middleware is the good one to choose between swauth and keystone?
My guess is swauth, as I can read from keystone documentation: "Keystone currently allows any valid token to do anything with any account."

The platform is currently using version 1.4.1.

Thanks!

Question information

Language: English
Status: Solved
For: OpenStack Object Storage (swift)
Assignee: No assignee
Solved by: Marcelo Martins

Best Marcelo Martins (btorch) said :
#1

Is your Load Balancer able to do SSL termination? I would rather create two pools in the LB, one for HTTPS and another for HTTP. That will also free up more resources in the proxy system since it would not be doing SSL termination.

In regards to the auth system, I would suggest swauth since I believe keystone is still under development.
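The two-pool layout described above, written out as an haproxy configuration. This is an added example, not configuration from the question or the answer: the frontend ports, the `PROXYn_IP` placeholders, the backend ports (8080 is swift's default proxy `bind_port`; 443 assumes each https proxy was configured to listen there with its own `cert_file`/`key_file` in proxy-server.conf) and the `/healthcheck` path (swift's healthcheck middleware) are assumptions for the sake of illustration. Because the haproxy in the question cannot terminate SSL, the HTTPS pool is a plain TCP passthrough and the proxies terminate SSL themselves.

```haproxy
global
    maxconn 4096

defaults
    option  dontlognull
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Pool 1: plain HTTP. Clients use http://<LOAD_BALANCER_HOSTNAME>/ and the
# pool members run proxy-server with plain HTTP on 8080 (swift's default).
frontend swift_http
    bind *:80
    mode http
    default_backend swift_http_proxies

backend swift_http_proxies
    mode http
    balance roundrobin
    # swift's healthcheck middleware answers 200 OK on this path
    option httpchk GET /healthcheck
    server proxy1 PROXY1_IP:8080 check   # placeholder address
    server proxy2 PROXY2_IP:8080 check   # placeholder address

# Pool 2: HTTPS. haproxy here does not terminate SSL, so it forwards the raw
# TCP stream; each member terminates SSL itself (cert_file/key_file in
# proxy-server.conf) and is reached as https://<LOAD_BALANCER_HOSTNAME>/.
frontend swift_https
    bind *:443
    mode tcp
    default_backend swift_https_proxies

backend swift_https_proxies
    mode tcp
    balance roundrobin
    # health check sends an SSL client hello and expects a server hello back
    option ssl-hello-chk
    server proxy3 PROXY3_IP:443 check    # placeholder address
    server proxy4 PROXY4_IP:443 check    # placeholder address
```

Keeping the pools separate also keeps the scheme a client connected with consistent with the cluster URL swauth hands back for that pool, which is the point of configuring one webfarm with http://<LOAD_BALANCER_HOSTNAME> and the other with https://<LOAD_BALANCER_HOSTNAME>.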

Christophe Le Guern (c35sys) said :
#2

Hi Marcelo,

The load balancer used is haproxy, and it is not able to do SSL termination without the stunnel patch (not provided).

However, it seems a good way to create two different pools anyway, regardless of where the SSL termination is.

Thanks for the information and for the auth system as well!

Christophe Le Guern (c35sys) said :
#3

Thanks Marcelo Martins, that solved my question.