Re: RadosGW over HTTPS

Fixed. I attach the server part of the nginx/tengine config file:

server {
        listen 80;
        server_name gateway.local;
        error_log logs/error_http.log debug;
        client_max_body_size 100m;

        fastcgi_request_buffering off;

        location / {
                fastcgi_pass_header     Authorization;
                fastcgi_pass_request_headers on;

                if ($request_method  = PUT ) {
                        rewrite ^ /PUT$request_uri;
                }
                include fastcgi_params;

                fastcgi_pass unix:/var/run/ceph/ceph.radosgw.gateway.fastcgi.sock;
        }

        location /PUT/ {
                internal;
                fastcgi_pass_header     Authorization;
                fastcgi_pass_request_headers on;

                include fastcgi_params;
                fastcgi_param  CONTENT_LENGTH   $content_length;
                fastcgi_param HTTPS on;

                fastcgi_pass unix:/var/run/ceph/ceph.radosgw.gateway.fastcgi.sock;
        }
}
server {
        listen 10.2.27.80:443 ssl default;

        server_name gateway.local;
        error_log logs/error_https.log debug;
        client_max_body_size 100m;

        fastcgi_request_buffering off;

        ssl_certificate      /etc/pki/tls/certs/ca_rgw.crt;
        ssl_certificate_key  /etc/pki/tls/private/ca_rgw.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        location / {
                fastcgi_pass_header     Authorization;
                fastcgi_pass_request_headers on;
                fastcgi_param HTTPS on;
                fastcgi_param  SERVER_PORT_SECURE $server_port;

                if ($request_method  = PUT ) {
                        rewrite ^ /PUT$request_uri;
                }
                include fastcgi_params;

                fastcgi_pass unix:/var/run/ceph/ceph.radosgw.gateway.fastcgi.sock;
        }

        location /PUT/ {
                internal;
                fastcgi_pass_header     Authorization;
                fastcgi_pass_request_headers on;

                include fastcgi_params;
                fastcgi_param  CONTENT_LENGTH   $content_length;
                fastcgi_param HTTPS on;
                fastcgi_param  SERVER_PORT_SECURE $server_port;

                fastcgi_pass unix:/var/run/ceph/ceph.radosgw.gateway.fastcgi.sock;
        }
}
}

I had the /server listening on 80 and 443 together, and I just had to
separate everything, and include the "fastcgi_param
SERVER_PORT_SECURE $server_port;" on the 443 listener.
I hope this helps someone some day! :)

Thank you once again!


Marco Garcês
#sysadmin
Maputo - Mozambique
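
Added example, not part of the original post and not Ceph or nginx project code: a small Python check over nginx server blocks for the settings this thread's configuration depends on. It reports a TLS listener that does not pass SERVER_PORT_SECURE as a FastCGI parameter, a plain-HTTP listener that passes HTTPS on, and deprecated entries in ssl_protocols. The function names and the SAMPLE text are constructed for illustration; TLS listeners are recognised only by the ssl flag on listen, and comments in the config are not parsed.

```python
import re

# Deprecated protocol names: SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLSv1/TLSv1.1 (RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(conf):
    """Yield the body of each `server { ... }` block (brace matching; comments not parsed)."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(block, name):
    """Argument lists of every `name ...;` directive in the block, at any nesting depth."""
    pattern = r"(?:^|(?<=[;{}]))\s*" + re.escape(name) + r"\s+([^;{}]*);"
    return [m.group(1).split() for m in re.finditer(pattern, block)]

def audit(conf):
    """Return one (listen_args, findings) tuple per server block."""
    report = []
    for block in server_blocks(conf):
        listen = [a for args in directives(block, "listen") for a in args]
        tls = "ssl" in listen  # assumption: TLS is enabled via the listen flag, as in the post
        params = {p[0]: p[1:] for p in directives(block, "fastcgi_param") if p}
        protocols = {a for args in directives(block, "ssl_protocols") for a in args}
        findings = []
        if tls and "SERVER_PORT_SECURE" not in params:
            findings.append("TLS listener does not pass SERVER_PORT_SECURE")
        if not tls and params.get("HTTPS") == ["on"]:
            findings.append("plain-HTTP listener passes HTTPS on")
        if DEPRECATED & protocols:
            findings.append("deprecated ssl_protocols: " + " ".join(sorted(DEPRECATED & protocols)))
        report.append((listen, findings))
    return report

# Constructed sample, cut down from the configuration in the post.
SAMPLE = """
server { listen 80;
    location /PUT/ { internal; fastcgi_param HTTPS on; } }
server { listen 10.2.27.80:443 ssl default;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    location / { fastcgi_param HTTPS on; fastcgi_param SERVER_PORT_SECURE $server_port; } }
"""

for listen, findings in audit(SAMPLE):
    print(listen, findings or "ok")
```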

On Thu, Oct 9, 2014 at 10:52 AM, Marco Garcês <marco@xxxxxxxxx> wrote:
> I spoke too soon...
> Now if I use HTTP I get errors!
> Let me try to debug, and post back.
>
> Thanks,
>
> Marco Garcês
> #sysadmin
> Maputo - Mozambique
> [Phone] +258 84 4105579
> [Skype] marcogarces
>
>
> On Thu, Oct 9, 2014 at 10:38 AM, Marco Garcês <marco@xxxxxxxxx> wrote:
>> Hi guys, thanks for the hints...
>> I was able to fix it, by adding the line to nginx.conf (or fastcgi_params file):
>>
>> fastcgi_param  SERVER_PORT_SECURE $server_port;
>>
>>
>> Thank you so much!
>>
>> Marco Garcês
>> #sysadmin
>> Maputo - Mozambique
>>
>>
>> On Wed, Oct 8, 2014 at 6:25 PM, Yehuda Sadeh <yehuda@xxxxxxxxxx> wrote:
>>> On Wed, Oct 8, 2014 at 9:21 AM, Marco Garcês <marco@xxxxxxxxx> wrote:
>>>> I believe so:
>>>> 2014-10-08 18:19:38.438133 7f9119b90700  2
>>>> RGWDataChangesLog::ChangesRenewThread: start
>>>> 2014-10-08 18:19:44.151527 7f90ea7fc700 20 enqueued request req=0x1b9e400
>>>> 2014-10-08 18:19:44.151558 7f90ea7fc700 20 RGWWQ:
>>>> 2014-10-08 18:19:44.151561 7f90ea7fc700 20 req: 0x1b9e400
>>>> 2014-10-08 18:19:44.151569 7f90ea7fc700 10 allocated request req=0x1b9e6f0
>>>> 2014-10-08 18:19:44.151595 7f90e97fa700 20 dequeued request req=0x1b9e400
>>>> 2014-10-08 18:19:44.151600 7f90e97fa700 20 RGWWQ: empty
>>>> 2014-10-08 18:19:44.151655 7f90e97fa700 20 CONTENT_LENGTH=
>>>> 2014-10-08 18:19:44.151659 7f90e97fa700 20 CONTENT_TYPE=
>>>> 2014-10-08 18:19:44.151660 7f90e97fa700 20 DOCUMENT_ROOT=/usr/local/nginx/html
>>>> 2014-10-08 18:19:44.151662 7f90e97fa700 20 DOCUMENT_URI=/auth
>>>> 2014-10-08 18:19:44.151663 7f90e97fa700 20 FCGI_ROLE=RESPONDER
>>>> 2014-10-08 18:19:44.151665 7f90e97fa700 20 GATEWAY_INTERFACE=CGI/1.1
>>>> 2014-10-08 18:19:44.151666 7f90e97fa700 20 HTTP_ACCEPT=*/*
>>>> 2014-10-08 18:19:44.151668 7f90e97fa700 20 HTTP_HOST=gateway.local
>>>> 2014-10-08 18:19:44.151669 7f90e97fa700 20 HTTP_SERVER_PORT_SECURE=443
>>>
>>> This is not what we expect. The server translates it into
>>> HTTP_SERVER_PORT_SECURE, whereas we need it to be SERVER_PORT_SECURE.
>>> Maybe there's a way to configure the web server to send the needed
>>> header?
>>>
>>> Yehuda
>>>
>>>> 2014-10-08 18:19:44.151670 7f90e97fa700 20 HTTP_USER_AGENT=curl/7.30.0
>>>> 2014-10-08 18:19:44.151672 7f90e97fa700 20
>>>> HTTP_X_AUTH_KEY=QoakiyY0tg8jULacsJLsmAbyZHJbY5g/Rc/dOHK3
>>>> 2014-10-08 18:19:44.151673 7f90e97fa700 20 HTTP_X_AUTH_USER=frontend:swf0002
>>>> 2014-10-08 18:19:44.151675 7f90e97fa700 20 HTTPS=on
>>>> 2014-10-08 18:19:44.151676 7f90e97fa700 20 QUERY_STRING=
>>>> 2014-10-08 18:19:44.151677 7f90e97fa700 20 REDIRECT_STATUS=200
>>>> 2014-10-08 18:19:44.151678 7f90e97fa700 20 REMOTE_ADDR=10.5.5.222
>>>> 2014-10-08 18:19:44.151679 7f90e97fa700 20 REMOTE_PORT=64145
>>>> 2014-10-08 18:19:44.151680 7f90e97fa700 20 REQUEST_METHOD=GET
>>>> 2014-10-08 18:19:44.151681 7f90e97fa700 20 REQUEST_URI=/auth
>>>> 2014-10-08 18:19:44.151682 7f90e97fa700 20 SCRIPT_NAME=/auth
>>>> 2014-10-08 18:19:44.151683 7f90e97fa700 20 SERVER_ADDR=10.2.27.80
>>>> 2014-10-08 18:19:44.151684 7f90e97fa700 20 SERVER_NAME=gateway.local
>>>> 2014-10-08 18:19:44.151685 7f90e97fa700 20 SERVER_PORT=443
>>>> 2014-10-08 18:19:44.151686 7f90e97fa700 20 SERVER_PROTOCOL=HTTP/1.1
>>>> 2014-10-08 18:19:44.151687 7f90e97fa700 20 SERVER_SOFTWARE=nginx/1.4.7
>>>> 2014-10-08 18:19:44.151690 7f90e97fa700  1 ====== starting new request
>>>> req=0x1b9e400 =====
>>>> 2014-10-08 18:19:44.151711 7f90e97fa700  2 req 2:0.000022::GET
>>>> /auth::initializing
>>>> 2014-10-08 18:19:44.151718 7f90e97fa700 10 host=gateway.local
>>>> rgw_dns_name=gateway.local
>>>> 2014-10-08 18:19:44.151757 7f90e97fa700  2 req
>>>> 2:0.000068:swift-auth:GET /auth::getting op
>>>> 2014-10-08 18:19:44.151763 7f90e97fa700  2 req
>>>> 2:0.000075:swift-auth:GET /auth:swift_auth_get:authorizing
>>>> 2014-10-08 18:19:44.151767 7f90e97fa700  2 req
>>>> 2:0.000078:swift-auth:GET /auth:swift_auth_get:reading permissions
>>>> 2014-10-08 18:19:44.151770 7f90e97fa700  2 req
>>>> 2:0.000082:swift-auth:GET /auth:swift_auth_get:init op
>>>> 2014-10-08 18:19:44.151773 7f90e97fa700  2 req
>>>> 2:0.000085:swift-auth:GET /auth:swift_auth_get:verifying op mask
>>>> 2014-10-08 18:19:44.151797 7f90e97fa700 20 required_mask= 0 user.op_mask=7
>>>> 2014-10-08 18:19:44.151799 7f90e97fa700  2 req
>>>> 2:0.000111:swift-auth:GET /auth:swift_auth_get:verifying op
>>>> permissions
>>>> 2014-10-08 18:19:44.151803 7f90e97fa700  2 req
>>>> 2:0.000115:swift-auth:GET /auth:swift_auth_get:verifying op params
>>>> 2014-10-08 18:19:44.151806 7f90e97fa700  2 req
>>>> 2:0.000117:swift-auth:GET /auth:swift_auth_get:executing
>>>> 2014-10-08 18:19:44.151874 7f90e97fa700 20 get_obj_state:
>>>> rctx=0x7f90d8018380 obj=.users.swift:frontend:swf0002
>>>> state=0x7f90d8022c18 s->prefetch_data=0
>>>> 2014-10-08 18:19:44.151895 7f90e97fa700 10 cache get:
>>>> name=.users.swift+frontend:swf0002 : type miss (requested=6, cached=3)
>>>> 2014-10-08 18:19:44.153757 7f90e97fa700 10 cache put:
>>>> name=.users.swift+frontend:swf0002
>>>> 2014-10-08 18:19:44.153763 7f90e97fa700 10 moving
>>>> .users.swift+frontend:swf0002 to cache LRU end
>>>> 2014-10-08 18:19:44.153770 7f90e97fa700 20 get_obj_state: s->obj_tag
>>>> was set empty
>>>> 2014-10-08 18:19:44.153780 7f90e97fa700 10 cache get:
>>>> name=.users.swift+frontend:swf0002 : hit
>>>> 2014-10-08 18:19:44.153828 7f90e97fa700 20 get_obj_state:
>>>> rctx=0x7f90d8018380 obj=.users.uid:frontend state=0x7f90d8023578
>>>> s->prefetch_data=0
>>>> 2014-10-08 18:19:44.153837 7f90e97fa700 10 cache get:
>>>> name=.users.uid+frontend : type miss (requested=6, cached=3)
>>>> 2014-10-08 18:19:44.154943 7f90e97fa700 10 cache put: name=.users.uid+frontend
>>>> 2014-10-08 18:19:44.154950 7f90e97fa700 10 moving .users.uid+frontend
>>>> to cache LRU end
>>>> 2014-10-08 18:19:44.154955 7f90e97fa700 20 get_obj_state: s->obj_tag
>>>> was set empty
>>>> 2014-10-08 18:19:44.154964 7f90e97fa700 10 cache get:
>>>> name=.users.uid+frontend : hit
>>>> 2014-10-08 18:19:44.155195 7f90e97fa700 20 build_token
>>>> token=1000000066726f6e74656e643a73776630303032b17a9677d4308301a0b53654f8d73f09
>>>> 2014-10-08 18:19:44.155760 7f90e97fa700  2 req
>>>> 2:0.004071:swift-auth:GET /auth:swift_auth_get:http status=204
>>>> 2014-10-08 18:19:44.155771 7f90e97fa700  1 ====== req done
>>>> req=0x1b9e400 http_status=204 ======
>>>> 2014-10-08 18:19:44.155779 7f90e97fa700 20 process_request() returned -1902
>>>> 2014-10-08 18:19:50.503255 7f911e98e700  0 WARNING:
>>>> RGWRados::log_usage(): user name empty (bucket=), skipping
>>>>
>>>>
>>>> On Wed, Oct 8, 2014 at 5:46 PM, Yehuda Sadeh <yehuda@xxxxxxxxxx> wrote:
>>>>> debug rgw = 20
>>>>
>>>>
>>>> I
>>>>
>>>> Marco Garcês
>>>> #sysadmin
>>>> Maputo - Mozambique
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com




