[chef] Re: Why port 444 for openid_url?


  • From: Arjuna Christensen < >
  • To:
  • Subject: [chef] Re: Why port 444 for openid_url?
  • Date: Sat, 22 Aug 2009 22:30:12 +1200

Hiya!

On 22/08/2009, at 10:09 PM, Claus Divossen wrote:

Hello!

I have a question about the openid_url in chef 0.7.8: Why does its
default point to port 444? I had chef-server and -client version 0.7.0
already up and running, and everything was using port 443. Version 0.7.8
can also be configured to use only 443. So, what's the idea behind the
second port and virtual host in apache, when it has the same
configuration as the first one? What's the benefit? I see only the
disadvantage that you need to open two ports in your firewall between
server and client, if there is one.

Two SSL ports are required as we can't do name-based vhosting on SSL yet, and we identified an issue with the way OpenID works internally with Ruby's net/http; the gist of the problem is that when the OpenID consumer performs the redirection step your load-balancer (Apache, Nginx, ..) will generally try and pass that connection back into itself - the same, originating ruby application (mongrel, thin, passenger..) - since the ruby part isn't expecting this, it blocks indefinitely, resulting in timeouts and a 'critical mass' of about 15 concurrent authentications.

Running the OpenID URL on a separate port (the important part is the separate load-balancer configuration) allows Apache or Nginx to correctly pass the connections around with no indeterminate blocking, timeouts, or upper-bounds.

I can understand the pain regarding opening an additional firewall port; however all internal (Registrations) usage of OpenID will be removed in 0.8.0 and replaced with an EC2-style key pair authentication system rendering all of these problems, workarounds and associated discussions moot :)

Hope this helps,

-- 
AJ Christensen, Software Engineer
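The blocking AJ describes, as an added illustration that is not code from this thread or from Chef: a single-threaded backend (standing in for one mongrel) serves /login by synchronously fetching the configured openid_url. When that URL is routed back into the same process, nothing can answer it while the handler waits, so the fetch times out; when a separate backend serves it, the login completes. The /login and /openid paths, the 1-second timeout and the loopback ports are assumptions for the demonstration.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/openid":            # identity URL (assumed path)
            self._reply(200, b"identity")
        elif self.path == "/login":           # OpenID consumer step (assumed path)
            # Fetch openid_url synchronously. If it is routed back to this same
            # single-threaded process, nobody can answer it while we wait here.
            try:
                with urllib.request.urlopen(self.server.openid_url, timeout=1) as r:
                    self._reply(200, b"login ok: " + r.read())
            except (urllib.error.URLError, socket.timeout):
                self._reply(504, b"timed out fetching openid_url")

    def _reply(self, code, body):
        try:
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except OSError:
            pass  # peer already gave up (the stale self-request); nothing to do

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def start_backend(openid_url=None):
    # One-request-at-a-time server on a free loopback port; by default its
    # openid_url points back at itself, the situation described in the reply.
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    srv.openid_url = openid_url or f"http://127.0.0.1:{srv.server_port}/openid"
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def login_status(separate_openid_backend):
    # HTTP status /login returns when openid_url is served by the same backend
    # (self-call, times out -> 504) or by a separately served backend (-> 200).
    idp = start_backend() if separate_openid_backend else None
    app = start_backend(f"http://127.0.0.1:{idp.server_port}/openid" if idp else None)
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{app.server_port}/login", timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code
    finally:
        for srv in (app, idp):
            if srv:
                srv.shutdown()
```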
