cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Murali Reddy <Murali.Re...@citrix.com>
Subject Re: [New Feature FS] SSL Offload Support for Cloudstack
Date Wed, 09 Oct 2013 09:57:51 GMT
Thanks Syed for the FS.

Couple of comments:

- any reason why you choose assignTo/RemoveFrom load balancer rule API's
to assign/remove certificate to LB rules? These api's are basically for
controlling VM membership with a load balancer rule. Can
create/updateLoadBalancerRule api's b used for registering and
de-registering certificate with load balancer rule?

- to me SSL termination is value added service from providers perspective,
its better we expose service differentiation in the network offering (e.g
dedicated load balancer capability of LB service in the network offering).
So only if network offering permits, SSL termination can be used.

- does adding SSL termination support to load balancer affect/complement
current session persistence, health monitoring, auto scale functionality
anyway? I see session persistence based on SSL session id's please see if
this can supported.

- as commented by other, fail fast at service layer on invalid certificate.

- on the requirement #4, don't infer protocol based on the public/private
ports and impose restrictions. Current createLoadBalancer API does not
take protocol parameter so its inferred at device layer. NetScaler seems
to support SSL with other TCP ports as well.

One general implementation note, network rules can be reprogrammed. So
operations to configure SSL cert, binding cert to virtual server etc need
to be idempotent at NetScaler resource.

[1] 
http://support.citrix.com/proddocs/topic/netscaler-ssl-93/ns-ssl-offloading
-other-tcp-protocols-tsk.html

On 08/10/13 11:44 PM, "Syed Ahmed" <sahmed@cloudops.com> wrote:

>Hi,
>
>I have been working on adding SSL offload functionality to cloudstack
>and make it work for Netscaler. I have an initial design documented at
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+Supp
>ort 
>and I would really love your feedback. The bug for this is
>https://issues.apache.org/jira/browse/CLOUDSTACK-4821 .
>
>Thanks,
>-Syed
>
>
>



Mime
View raw message