Merge "added docs and warnings about using SSL"

Jenkins · openstack-gerrit · commit f5af3c43051b · 2012-04-26T20:18:07.000Z
diff --git a/doc/source/deployment_guide.rst b/doc/source/deployment_guide.rst
@@ -512,8 +512,12 @@ bind_port                     80               Port for server to bind to
 swift_dir                     /etc/swift       Swift configuration directory
 workers                       1                Number of workers to fork
 user                          swift            User to run as
-cert_file                                      Path to the ssl .crt 
-key_file                                       Path to the ssl .key
+cert_file                                      Path to the ssl .crt. This
+                                               should be enabled for testing
+                                               purposes only.
+key_file                                       Path to the ssl .key. This
+                                               should be enabled for testing
+                                               purposes only.
 ============================  ===============  =============================
 
 [proxy-server]
diff --git a/doc/source/howto_installmultinode.rst b/doc/source/howto_installmultinode.rst
@@ -109,7 +109,9 @@ Configure the Proxy node
 
 .. note::
 	If you don't create the cert files, Swift silently uses http internally rather than https. This document assumes that you have created
-	these certs, so if you're following along step-by-step, create them.
+	these certs, so if you're following along step-by-step, create them. In a
+    production cluster, you should terminate SSL before the proxy server. SSL
+    support is provided for testing purposes only.
 
 #. Modify memcached to listen on the default interfaces. Preferably this should be on a local, non-public network. Edit the IP address in /etc/memcached.conf, for example::
 
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
@@ -5,6 +5,7 @@
 # swift_dir = /etc/swift
 # workers = 1
 # user = swift
+# Set the following two lines to enable SSL. This is for testing only.
 # cert_file = /etc/swift/proxy.crt
 # key_file = /etc/swift/proxy.key
 # expiring_objects_container_divisor = 86400
diff --git a/swift/common/wsgi.py b/swift/common/wsgi.py
@@ -68,11 +68,13 @@ def get_socket(conf, default_port=8080):
             if addr[0] in (socket.AF_INET, socket.AF_INET6)][0]
     sock = None
     retry_until = time.time() + 30
+    warn_ssl = False
     while not sock and time.time() < retry_until:
         try:
             sock = listen(bind_addr, backlog=int(conf.get('backlog', 4096)),
                         family=address_family)
             if 'cert_file' in conf:
+                warn_ssl = True
                 sock = ssl.wrap_socket(sock, certfile=conf['cert_file'],
                     keyfile=conf['key_file'])
         except socket.error, err:
@@ -86,6 +88,12 @@ def get_socket(conf, default_port=8080):
     # in my experience, sockets can hang around forever without keepalive
     sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
     sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, 600)
+    if warn_ssl:
+        ssl_warning_message = 'WARNING: SSL should only be enabled for ' \
+                              'testing purposes. Use external SSL ' \
+                              'termination for a production deployment.'
+        get_logger(conf).warning(ssl_warning_message)
+        print _(ssl_warning_message)
     return sock
 
 
