Hello Ceph Users,

We've recently deployed an RGW service (0.94.3). We've also integrated this RGW instance with an external OpenStack Keystone identity service. The RGW + Keystone integration/service is working well.

On a high level, our RGW service looks like:

-------------------------------------------------------------------
  Clients
     |
     |  S3, Swift (HTTPS)
     |
    RGW                                   Keystone
     |
  DNS Round Robin
     |
  +------------------------+   +------------------------+
  | RGW1|HA1 --- RGW1|HA2  |   | RGW2|HA1 --- RGW2|HA2  |
  +------------------------+   +------------------------+
     HAProxy + Keepalived, SSL termination
     |
  +------------------------+
  | civetweb               |
  |   RGW1   RGW2   RGW3   |
  +------------------------+
     |
    Ceph
-------------------------------------------------------------------

Now, we're interested to learn how other RGW (+ Keystone) users are preventing/mitigating brute force attacks on their RGWs.

OpenStack Keystone itself doesn't implement/limit auto-blocking; HAProxy can be configured to do some auto blocking/mitigation though.

Regards,
Jerico
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com