[chef] Re: Re: Why port 444 for openid_url?

[Claus Divossen < >]

Hi!

On Sat, 2009-08-22 at 22:30 +1200, Arjuna Christensen wrote:

> Two SSL ports are required as we can't do name-based vhosting on SSL
> yet, and we identified an issue with the way OpenID works internally
> with Ruby's net/http; the gist of the problem is that when the OpenID
> consumer performs the redirection step your load-balancer (Apache,
> Nginx, ..) will generally try and pass that connection back into
> itself - the same, originating ruby application (mongrel, thin,
> passenger..) - since the ruby part isn't expecting this, it blocks
> indefinitely, resulting in timeouts and a 'critical mass' of about 15
> concurrent authentications.

So, this blocking occurs only with too many concurrent authentications?
This would explain why using the same port works for me, because I'm
still testing (and learning) and have only a handful of nodes running.

> however all internal (Registrations) usage of OpenID will be removed
> in 0.8.0 and replaced with an EC2-style key pair authentication system
> rendering all of these problems, workarounds and associated
> discussions moot :)

That's good to hear! I hope that the web interface user's login will
also get rid of Open ID. We are using Chef on an internal site, behind
firewalls with no direct internet access, and I was quite annoyed that I
had to set up an OpenID server just to log in to the admin interface.

Best Regards,
  Claus