[RFE] Add LBaaSv2 TLS re-encryption to backend members
Bug #1523222 reported by Kobi Samoray
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Expired | Wishlist | Unassigned | |
Bug Description
Most of the load balancers allow termination of TLS connections. A load balancer may run a TLS connection on the client side while running an unencrypted connection at the server side - which is called offloading and is currently supported by the LBaaSv2 API.
Another common practice is terminating the TLS connection at the load balancer - in order to allow L7 decision making or header manipulation, and running a TLS session on the server side. This is not supported by the current implementation.
This involves two items:
- Allowing a protocol of HTTPS for members.
- Toggling the bits in the haproxy config file that connect via TLS to members, instead of cleartext.
Changed in neutron: | |
assignee: | nobody → Kobi Samoray (ksamoray) |
tags: | added: lbaas |
tags: | added: rfe |
tags: | added: rfe-approved |
Changed in neutron: | |
status: | Confirmed → Triaged |
tags: | removed: rfe |
tags: | added: rfe; removed: rfe-approved |
summary: | - LBaaSv2 TLS support is limited to offloading + Add LBaaSv2 TLS re-encryption to backend members |
description: | updated |
summary: | - Add LBaaSv2 TLS re-encryption to backend members + [RFE] Add LBaaSv2 TLS re-encryption to backend members |
I believe I understand this as TLS re-encryption (or that's my own terrible name for it). Basically all traffic into the LB and out of the LB will be encrypted, but the LB will decrypt to make L7 decisions and then re-encrypt. Do I understand this correctly? If so, it sounds like this will be another API change and as such will need an RFE tag.
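The two member-side modes from the bug description (offloading versus re-encryption), sketched as an added example that is not neutron-lbaas code and not part of the original report. The `Member` class, the `render_backend` function, the pool names, addresses and CA path are hypothetical or constructed; the haproxy `server` keywords `check`, `ssl`, `verify required` and `ca-file` are real.

```python
# Added example: hypothetical renderer, not the neutron-lbaas implementation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    name: str
    address: str
    port: int


def render_backend(pool_id: str, member_protocol: str, members: List[Member],
                   ca_file: Optional[str] = None) -> str:
    """Render an haproxy backend behind a TLS-terminating listener.

    member_protocol "HTTP"  -> offloading: cleartext from LB to members.
    member_protocol "HTTPS" -> re-encryption: a new TLS session to members.
    """
    if member_protocol not in ("HTTP", "HTTPS"):
        raise ValueError("unsupported member protocol: %s" % member_protocol)
    if member_protocol == "HTTPS" and not ca_file:
        # Without a CA bundle the only option would be "verify none", which
        # encrypts the hop but does not authenticate the member.
        raise ValueError("HTTPS members need a CA file to verify against")

    # "mode http" keeps L7 decisions and header manipulation available.
    lines = ["backend %s" % pool_id, "    mode http"]
    for m in members:
        server = "    server %s %s:%d check" % (m.name, m.address, m.port)
        if member_protocol == "HTTPS":
            # "ssl" turns on TLS toward the member; "verify required" with
            # "ca-file" makes haproxy validate the member certificate chain.
            server += " ssl verify required ca-file %s" % ca_file
        lines.append(server)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample members (documentation address range).
    sample = [Member("member1", "192.0.2.10", 8443),
              Member("member2", "192.0.2.11", 8443)]
    print(render_backend("pool_offload", "HTTP", sample))
    print(render_backend("pool_reencrypt", "HTTPS", sample,
                         ca_file="/etc/haproxy/member-ca.pem"))
```

`verify required` checks the certificate chain only; matching the member's hostname would need haproxy's `verifyhost` option as well.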