[ceph-users] [rgw] civetweb behind haproxy doesn't work with absolute URI

Rudenko Aleksandr ARudenko at croc.ru
Thu Mar 29 00:42:06 PDT 2018


Hi friends.


I'm sorry, maybe it isn't a bug, but I don't know how to solve this problem.

I know that absolute URIs are supported in civetweb and it works fine for me without haproxy in the middle.

But if a client sends absolute URIs through a reverse proxy (haproxy) to civetweb, civetweb breaks the connection without a response.

I set:

debug rgw = 20
debug civetweb = 10


But there are no messages in the civetweb logs (access, error) or in the rgw logs.
In tcpdump I only see that rgw closes the connection after a request with an absolute URI. Relative URIs in requests work fine with haproxy.

Client:
Docker registry v2.6.2; its s3 driver, based on aws-sdk-go/1.2.4 (go1.7.6; linux; amd64), uses absolute URIs in requests.

s3 driver options of docker registry:

  s3:
    region: us-east-1
    bucket: docker
    accesskey: 'access_key'
    secretkey: 'secret_key'
    regionendpoint: http://storage.my-domain.ru
    secure: false
    v4auth: true


ceph.conf for rgw instance:

[client]
    rgw dns name = storage.my-domain.ru
    rgw enable apis = s3, admin
    rgw dynamic resharding = false
    rgw enable usage log = true
    rgw num rados handles = 8
    rgw thread pool size = 256

[client.rgw.a]
    host = aj15
    keyring = /var/lib/ceph/radosgw/rgw.a.keyring
    rgw enable static website = true
    rgw frontends = civetweb authentication_domain=storage.my-domain.ru num_threads=128 port=0.0.0.0:7480 access_log_file=/var/log/ceph/civetweb.rgw.access.log error_log_file=/var/log/ceph/civetweb.rgw.error.log
    debug rgw = 20
    debug civetweb = 10


very simple haproxy.cfg:

global
    chroot /var/empty
    # /log is chroot path
    log /haproxy-log local2

    pidfile /var/run/haproxy.pid

    user haproxy
    group haproxy
    daemon

    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    ssl-dh-param-file /etc/pki/tls/dhparams.pem

defaults
    mode http
    log global

frontend s3

    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/s3.pem crt /etc/pki/tls/certs/s3-buckets.pem

    use_backend rgw

backend rgw

    balance roundrobin

    server a aj15:7480 check fall 1
    server a aj16:7480 check fall 1


HTTP header from tcpdump before and after haproxy:

GET http://storage.my-domain.ru/docker?max-keys=1&prefix= HTTP/1.1
Host: storage.my-domain.ru
User-Agent: aws-sdk-go/1.2.4 (go1.7.6; linux; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=user:user@cloud.croc.ru/20180328/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=10043867bbb2833d50f9fe16a6991436a5c328adc5042556ce1ddf1101ee2cb9
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180328T111255Z
Accept-Encoding: gzip

I don't understand how to use haproxy and absolute URIs in requests(
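
Added example, not part of the original message and not Ceph, civetweb or haproxy code: the Python below shows the two request-target forms the post contrasts (absolute-form and origin-form, RFC 7230 section 5.3) and a strict rewrite from one to the other. The function name `to_origin_form` is hypothetical and the sample request is constructed from the headers quoted above; the rewrite is refused when the URI authority and the Host header differ, since the request's SignedHeaders list includes `host`.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the request line and Host header in the post.
SAMPLE = (
    b"GET http://storage.my-domain.ru/docker?max-keys=1&prefix= HTTP/1.1\r\n"
    b"Host: storage.my-domain.ru\r\n"
    b"Accept-Encoding: gzip\r\n\r\n"
)


def to_origin_form(raw: bytes) -> bytes:
    """Rewrite an absolute-form request-target to origin-form (hypothetical helper).

    Raises ValueError when the URI authority and the Host header disagree,
    so a signed host value is never silently changed by the rewrite.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if target.startswith("/") or target == "*":
        return raw  # already origin-form or asterisk-form, nothing to do
    uri = urlsplit(target)
    if uri.scheme not in ("http", "https") or not uri.netloc:
        raise ValueError("unsupported request-target: %r" % target)
    hosts = [line.split(":", 1)[1].strip() for line in lines[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        raise ValueError("expected exactly one Host header")
    # Strict comparison (assumption): an explicit default port counts as a mismatch.
    if hosts[0].lower() != uri.netloc.lower():
        raise ValueError("Host header does not match URI authority")
    path = uri.path or "/"
    if "?" in target:
        path += "?" + uri.query  # keep the query string byte for byte
    lines[0] = " ".join((method, path, version))
    return "\r\n".join(lines).encode("iso-8859-1") + sep + body


if __name__ == "__main__":
    print(to_origin_form(SAMPLE).decode("iso-8859-1"))
```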
