cloudstack-dev mailing list archives

From Syed Ahmed <sah...@cloudops.com>
Subject Re: [New Feature FS] SSL Offload Support for Cloudstack
Date Wed, 09 Oct 2013 14:38:32 GMT
Thanks Murali for your response.

> - any reason why you choose assignTo/RemoveFrom load balancer rule API's

I thought this made more sense than create/updateLoadbalancerRule as
we would have to call update to delete a cert which I find somewhat
confusing. Also this is semantically similar to attaching instances as
in you have a separate entity which is being bound to different LBs.

> - to me SSL termination is a value-added service from the provider's perspective,
> So only if the network offering permits, SSL termination can be used.

Got it. This seems the logical way. Good point.

> I see session persistence based on SSL session IDs; please see if
> this can be supported.

I was looking at persistence based on SSL session IDs [1] and found
that this is supported for the SSL bridge type of configuration, where
NetScaler just bridges the data without any encryption/decryption. I
am not sure about health checks and autoscale. I will look that up.


> - on the requirement #4, don't infer protocol based on the public/private
> ports and impose restrictions. The current createLoadBalancer API does not
> take a protocol parameter, so it's inferred at the device layer. NetScaler seems
> to support SSL with other TCP ports as well.


Would it be a good idea to add protocol to the createLoadBalancer API?
I think this makes sense in the long run, as currently I cannot create
an HTTP load balancer for port 8080 from CloudStack.

> One general implementation note, network rules can be reprogrammed. So
> operations to configure SSL cert, binding cert to virtual server etc need
> to be idempotent at NetScaler resource.

Thanks. I'll keep that in mind when implementing the resource layer.

Thanks a lot again for the replies. This is really helpful.

-- REFERENCES --

[1] http://support.citrix.com/proddocs/topic/netscaler-load-balancing-93/ns-lb-persistence-configuring-ssl-session-id-tsk.html

-Syed

On Wed, Oct 9, 2013 at 5:57 AM, Murali Reddy <Murali.Reddy@citrix.com> wrote:
> Thanks Syed for the FS.
>
> Couple of comments:
>
> - any reason why you choose assignTo/RemoveFrom load balancer rule APIs
> to assign/remove certificate to LB rules? These APIs are basically for
> controlling VM membership with a load balancer rule. Can
> create/updateLoadBalancerRule APIs be used for registering and
> de-registering a certificate with a load balancer rule?
>
> - to me SSL termination is a value-added service from the provider's perspective,
> it's better we expose service differentiation in the network offering (e.g.
> dedicated load balancer capability of LB service in the network offering).
> So only if the network offering permits, SSL termination can be used.
>
> - does adding SSL termination support to load balancer affect/complement
> current session persistence, health monitoring, auto scale functionality
> in any way? I see session persistence based on SSL session IDs; please see if
> this can be supported.
>
> - as commented by others, fail fast at the service layer on an invalid certificate.
>
> - on the requirement #4, don't infer protocol based on the public/private
> ports and impose restrictions. The current createLoadBalancer API does not
> take a protocol parameter, so it's inferred at the device layer. NetScaler seems
> to support SSL with other TCP ports as well.
>
> One general implementation note, network rules can be reprogrammed. So
> operations to configure SSL cert, binding cert to virtual server etc need
> to be idempotent at NetScaler resource.
>
> [1] http://support.citrix.com/proddocs/topic/netscaler-ssl-93/ns-ssl-offloading-other-tcp-protocols-tsk.html
>
> On 08/10/13 11:44 PM, "Syed Ahmed" <sahmed@cloudops.com> wrote:
>
>>Hi,
>>
>>I have been working on adding SSL offload functionality to CloudStack
>>and making it work for NetScaler. I have an initial design documented at
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+Support
>>and I would really love your feedback. The bug for this is
>>https://issues.apache.org/jira/browse/CLOUDSTACK-4821 .
>>
>>Thanks,
>>-Syed

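The implementation note in Murali's reply above, that network rules get reprogrammed so the certificate upload and virtual-server binding must be idempotent at the NetScaler resource, is illustrated by the following added example. It is not CloudStack code and does not use the real NetScaler API: `FakeNetScaler` is a constructed in-memory stand-in whose object names (`certkey`, `vserver`) and duplicate-object errors only mimic how a device rejects a second identical `add`/`bind`. The fingerprint is a plain hash of the PEM text, a simplification standing in for a real certificate fingerprint. `apply_naive` is the "create and bind" approach that breaks on the second reprogram; `apply_idempotent` converges the device to the desired state and reports the actions it actually had to take.

```python
"""Idempotent SSL cert programming against a constructed NetScaler stand-in (added example)."""
import hashlib
from dataclasses import dataclass, field


class DeviceError(Exception):
    """Raised by the fake device the way a real device rejects a duplicate or missing object."""


def fingerprint(pem: str) -> str:
    # Simplification: a hash of the PEM text stands in for the certificate fingerprint.
    return hashlib.sha256(pem.encode()).hexdigest()[:16]


@dataclass
class FakeNetScaler:
    """Constructed in-memory model of the device's SSL state; not the real NITRO API."""
    certkeys: dict = field(default_factory=dict)   # certkey name -> fingerprint
    bindings: dict = field(default_factory=dict)   # vserver name -> set of bound certkeys

    def add_certkey(self, name: str, pem: str) -> None:
        if name in self.certkeys:
            raise DeviceError(f"certkey {name} already exists")
        self.certkeys[name] = fingerprint(pem)

    def update_certkey(self, name: str, pem: str) -> None:
        if name not in self.certkeys:
            raise DeviceError(f"certkey {name} does not exist")
        self.certkeys[name] = fingerprint(pem)

    def bind_vserver(self, vserver: str, name: str) -> None:
        bound = self.bindings.setdefault(vserver, set())
        if name in bound:
            raise DeviceError(f"{name} is already bound to {vserver}")
        bound.add(name)

    def unbind_vserver(self, vserver: str, name: str) -> None:
        self.bindings.get(vserver, set()).discard(name)


def apply_naive(device: FakeNetScaler, vserver: str, certkey: str, pem: str) -> None:
    """Blindly create and bind: raises the moment the same rule is programmed again."""
    device.add_certkey(certkey, pem)
    device.bind_vserver(vserver, certkey)


def apply_idempotent(device: FakeNetScaler, vserver: str, certkey: str, pem: str) -> list:
    """Converge the device to 'vserver serves exactly certkey with this PEM'.

    Every step reads current state first, so re-applying an unchanged rule is a
    no-op and a rule reprogrammed with new material is updated in place.
    Returns the actions performed so callers can see what really changed."""
    actions = []
    wanted = fingerprint(pem)
    current = device.certkeys.get(certkey)
    if current is None:
        device.add_certkey(certkey, pem)
        actions.append("add")
    elif current != wanted:
        # Same certkey name, different material: the rule was reprogrammed with a new cert.
        device.update_certkey(certkey, pem)
        actions.append("update")
    bound = device.bindings.get(vserver, set())
    # A reprogram may switch the vserver to a different certkey; drop the stale ones.
    for stale in sorted(bound - {certkey}):
        device.unbind_vserver(vserver, stale)
        actions.append(f"unbind:{stale}")
    if certkey not in bound:
        device.bind_vserver(vserver, certkey)
        actions.append("bind")
    return actions


if __name__ == "__main__":
    dev = FakeNetScaler()
    print(apply_idempotent(dev, "lb-vs-1", "cert-1", "PEM-A"))  # first program: add + bind
    print(apply_idempotent(dev, "lb-vs-1", "cert-1", "PEM-A"))  # reprogram, unchanged: no-op
    print(apply_idempotent(dev, "lb-vs-1", "cert-1", "PEM-B"))  # cert renewed: update only
```

The same check-then-act shape applies to the remove path: unbinding and deleting a certkey that is already gone should succeed silently, since the orchestrator may retry a failed or interrupted rule removal.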