added docs and warnings about using SSL

Change-Id: I766b2da0a3769869b5b6c5565106e9032fea8c3e
2012-04-23 16:27:43 -05:00 · 2012-04-23 16:27:43 -05:00 · 3053c53ef7
commit 3053c53ef7
parent ebfa3dd2c1
4 changed files with 18 additions and 3 deletions
--- a/doc/source/deployment_guide.rst
+++ b/doc/source/deployment_guide.rst
@ -512,8 +512,12 @@ bind_port                     80               Port for server to bind to
 swift_dir                     /etc/swift       Swift configuration directory
 workers                       1                Number of workers to fork
 user                          swift            User to run as
-cert_file                                      Path to the ssl .crt 
-key_file                                       Path to the ssl .key
+cert_file                                      Path to the ssl .crt. This
+                                               should be enabled for testing
+                                               purposes only.
+key_file                                       Path to the ssl .key. This
+                                               should be enabled for testing
+                                               purposes only.
 ============================  ===============  =============================

 [proxy-server]
--- a/doc/source/howto_installmultinode.rst
+++ b/doc/source/howto_installmultinode.rst
@ -109,7 +109,9 @@ Configure the Proxy node

 .. note::
 	If you don't create the cert files, Swift silently uses http internally rather than https. This document assumes that you have created
-	these certs, so if you're following along step-by-step, create them.
+	these certs, so if you're following along step-by-step, create them. In a
+    production cluster, you should terminate SSL before the proxy server. SSL
+    support is provided for testing purposes only.

 #. Modify memcached to listen on the default interfaces. Preferably this should be on a local, non-public network. Edit the IP address in /etc/memcached.conf, for example::

--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@ -5,6 +5,7 @@
 # swift_dir = /etc/swift
 # workers = 1
 # user = swift
+# Set the following two lines to enable SSL. This is for testing only.
 # cert_file = /etc/swift/proxy.crt
 # key_file = /etc/swift/proxy.key
 # expiring_objects_container_divisor = 86400
--- a/swift/common/wsgi.py
+++ b/swift/common/wsgi.py
@ -68,11 +68,13 @@ def get_socket(conf, default_port=8080):
            if addr[0] in (socket.AF_INET, socket.AF_INET6)][0]
    sock = None
    retry_until = time.time() + 30
+    warn_ssl = False
    while not sock and time.time() < retry_until:
        try:
            sock = listen(bind_addr, backlog=int(conf.get('backlog', 4096)),
                        family=address_family)
            if 'cert_file' in conf:
+                warn_ssl = True
                sock = ssl.wrap_socket(sock, certfile=conf['cert_file'],
                    keyfile=conf['key_file'])
        except socket.error, err:
@ -86,6 +88,12 @@ def get_socket(conf, default_port=8080):
    # in my experience, sockets can hang around forever without keepalive
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, 600)
+    if warn_ssl:
+        ssl_warning_message = 'WARNING: SSL should only be enabled for ' \
+                              'testing purposes. Use external SSL ' \
+                              'termination for a production deployment.'
+        get_logger(conf).warning(ssl_warning_message)
+        print _(ssl_warning_message)
    return sock