Re: share haproxy config for radosgw


 



Hi Freddy, 

Thanks for posting this. I went through these settings in the haproxy manual and was wondering:

- Why have you added http-server-close? Because rgw does not support keep-alives? (I don't know.)

- Why did you add the option forwardfor? This is not logged anywhere in radosgw, is it? At least, I am getting logging like this [1].

- I guess you do not have any ACLs because this config of yours is already on the internal network. I was thinking of maybe allowing only correct URLs, so I do not get logs such as:

WARNING: RGWRados::log_usage(): user name empty (bucket=), skipping



[1]
Feb  8 11:00:11 xxx radosgw: 2021-02-08 11:00:11.658 7f51e4fa5700  0 WARNING: RGWRados::log_usage(): user name empty (bucket=), skipping
Feb  8 11:00:23 xxx radosgw: 2021-02-08 11:00:23.778 7f50d3168700  1 ====== starting new request req=0x5651b43085f0 =====
Feb  8 11:00:23 xxx radosgw: 2021-02-08 11:00:23.779 7f50d3168700  1 ====== req done req=0x5651b43085f0 op status=0 http_status=200 latency=0.000999983s ======
Feb  8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.365 7f51a8312700  1 ====== starting new request req=0x5651b44a65f0 =====
Feb  8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.365 7f51a8312700  1 ====== req done req=0x5651b44a65f0 op status=0 http_status=200 latency=0s ======
Feb  8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.854 7f2727831700  1 ====== starting new request req=0x55d8d46865f0 =====
Feb  8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.855 7f2727831700  1 ====== req done req=0x55d8d46865f0 op status=0 http_st




> -----Original Message-----
> From: Freddy Andersen <freddy@xxxxxxxxxxxxxx>
> Sent: 08 February 2021 05:18
> To: Szabo, Istvan (Agoda) <Istvan.Szabo@xxxxxxxxx>; Marc <Marc@f1-
> outsourcing.eu>; ceph-users@xxxxxxx
> Subject: Re: share haproxy config for radosgw
> 
> Something like this works…
> 
> 
> 
> # HAProxy configuration
>
> #------------------
> # Global settings
> #------------------
> global
>     log /dev/log    local0
>     log /dev/log    local1 notice
>     user haproxy
>     group haproxy
>     chroot  /var/lib/haproxy
>     daemon
>     stats socket /var/lib/haproxy/stats mode 660 level admin
>     maxconn 65536
>     spread-checks 4
>     tune.ssl.default-dh-param        2048
>     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
>     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
>     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>     ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
>     ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
>     ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> #------------------
> # common defaults that all the 'listen' and 'backend' sections will
> # use if not designated in their block
> #------------------
> defaults
>     log global
>     mode http
>     retries 3
>     balance roundrobin
>     option              abortonclose
>     option              redispatch
>     option              dontlognull
>     option              log-health-checks
>     maxconn 20480
>     timeout connect         5s
>     timeout client          50s
>     timeout server          50s
>     timeout http-request    20s
>     timeout http-keep-alive 30s
>     timeout check           10s
>     errorfile 400 /etc/haproxy/errors/400.http
>     errorfile 403 /etc/haproxy/errors/403.http
>     errorfile 408 /etc/haproxy/errors/408.http
>     errorfile 500 /etc/haproxy/errors/500.http
>     errorfile 502 /etc/haproxy/errors/502.http
>     errorfile 503 /etc/haproxy/errors/503.http
>     errorfile 504 /etc/haproxy/errors/504.http
>
> #------------------
> # frontend instances
> #------------------
> frontend ext-http-in
>     bind   10.1.2.10:80 name s3
>     bind   10.1.2.10:443 ssl crt certificate.pem name secure-s3
>     maxconn 25000
>     option              forwardfor if-none
>     option              http-server-close
>     option              httplog
>     default_backend be_rgw-zone1
>     use_backend be_rgw-zone1 if host_s3
>
> #------------------
> # backend instances
> #------------------
> backend be_rgw-zone1
>     mode http
>     option http-server-close
>     http-request set-header X-Forwarded-Port %[dst_port]
>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
>     server radosgw-vip1 10.1.2.1:80 check
>     server radosgw-vip2 10.1.2.2:80 check
>     server radosgw-vip3 10.1.2.3:80 check
> 
> 
> 
> From: Szabo, Istvan (Agoda) <Istvan.Szabo@xxxxxxxxx>
> Date: Sunday, February 7, 2021 at 8:25 PM
> To: Marc <Marc@xxxxxxxxxxxxxxxxx>, ceph-users@xxxxxxx <ceph-
> users@xxxxxxx>
> Subject:  Re: share haproxy config for radosgw
> 
> Let me join this thread; I'd also be interested in HTTPS and beast
> configuration at the HAProxy level. I haven't ever managed to make it work.
> 
> 
> -----Original Message-----
> From: Marc <Marc@xxxxxxxxxxxxxxxxx>
> Sent: Monday, February 8, 2021 5:19 AM
> To: ceph-users@xxxxxxx
> Subject:  share haproxy config for radosgw
> 
> 
> I was wondering if someone could post a config for haproxy. Is there
> something specific to configure? Like binding clients to a specific
> backend server, client timeouts, security specific to rgw etc.
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an
> email to ceph-users-leave@xxxxxxx
> 

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
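
The quoted frontend uses `host_s3` in a `use_backend` condition, but no `acl host_s3` line appears in the posted config, and the reply above asks about ACLs. The following Python check is an added example, not code from the thread or from HAProxy: it lists named ACLs that a section references without declaring. The function names, the partial list of predefined ACLs and the hostname `s3.example.com` are assumptions made for illustration.

```python
import re

# Subset of HAProxy's predefined ACL names (assumption: not exhaustive).
PREDEFINED = {"TRUE", "FALSE", "HTTP", "LOCALHOST", "METH_GET", "METH_HEAD",
              "METH_POST", "METH_PUT", "METH_DELETE", "METH_OPTIONS"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def clean(line):
    """Drop mail-quote markers ('> ') and '#' comments from one line."""
    line = re.sub(r"^(\s*>)+\s?", "", line)
    return line.split("#", 1)[0].strip()

def condition_acls(line):
    """Named ACLs after 'if'/'unless'; anonymous '{ ... }' ACLs are skipped."""
    m = re.search(r"\s(?:if|unless)\s+(.*)$", line)
    if not m:
        return []
    cond = re.sub(r"\{[^}]*\}", " ", m.group(1))
    return [t.lstrip("!") for t in cond.split() if t.lstrip("!") not in ("", "or", "||")]

def undefined_acls(config_text):
    """Return sorted (section, acl) pairs that are used but never declared."""
    section, defined, used = "(none)", {}, []
    for raw in config_text.splitlines():
        line = clean(raw)
        tokens = line.split() or [""]
        if tokens[0] in SECTIONS:
            section = " ".join(tokens[:2])
        elif tokens[0] == "acl" and len(tokens) > 1:
            defined.setdefault(section, set()).add(tokens[1])
        else:
            used += [(section, n) for n in condition_acls(line)]
    return sorted((s, n) for s, n in used
                  if n not in PREDEFINED and n not in defined.get(s, set()))

# Constructed sample: lines taken from the quoted config, mail quoting included.
POSTED = """\
> frontend ext-http-in
>     option              forwardfor if-none
>     default_backend be_rgw-zone1
>     use_backend be_rgw-zone1 if host_s3
> backend be_rgw-zone1
>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
"""
# Same lines with the ACL declared; s3.example.com is a placeholder hostname.
FIXED = POSTED.replace(">     default_backend",
                       ">     acl host_s3 hdr(host) -i s3.example.com\n>     default_backend")
print(undefined_acls(POSTED), undefined_acls(FIXED))
```

The check treats an ACL as declared if an `acl` line for it appears anywhere in the same section, and it ignores `if-none`, which is an argument to `option forwardfor` rather than a condition.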



