Try passing in 'Server-Port-Secure: 443' header to the auth request.


On Wed, Oct 8, 2014 at 7:41 AM, Marco Garcês <> wrote:
> Hi David,
> I am indeed using Tengine 2.0.3, but I feel very strange that the
> default config is returning X-Storage-Url in the headers, in http, not
> https as the original request.
> I will try your options, and perhaps downgrading to 1.5.*, and report back.
> Thank you!
> Marco Garcês
> #sysadmin
> Maputo - Mozambique
> On Wed, Oct 8, 2014 at 4:26 PM, David Moreau Simard <> wrote:
>> Hi Marco,
>> While I do not have a RadosGW implementation right now, I do have a 
>> successful setup with tengine and Swift - it should be pretty similar.
>> What version of tengine are you trying to use ?
>> It dates back to a while.. but I remember having issues with the 2.0.x 
>> branch of tengine. We package our own version of 1.5.x.
>> In hindsight, the issues I got might've been because of the SPDY 
>> implementation but I didn't put much thought into it at the time.
>> On my end, the config is in fact very simple and looks a bit like this:
>> server {
>>   listen ip:443;
>>   server_name swift.tld;
>>   access_log /var/log/nginx/swift_https_access.log;
>>   error_log /var/log/nginx/swift_https_error.log;
>>   ssl on;
>>   ssl_certificate /etc/nginx/ssl/swift.crt;
>>   ssl_certificate_key /etc/nginx/ssl/swift.key;
>>   chunkin on;
>>   error_page 502 503 504 = @errors;
>>   error_page 411 = @chunk_411_error;
>>   location @chunk_411_error {
>>       chunkin_resume;
>>   }
>>   proxy_cache swift;
>>   location / {
>>     proxy_pass http://swift;
>>     proxy_redirect off;
>>     proxy_set_header Host $host;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>   }
>>   location @errors {
>>     proxy_pass;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header Host;
>>   }
>> }
>> Regarding the HTTP thing, maybe you could set up a redirection and see what 
>> happens - a bit like this:
>> server {
>>   listen ip:80;
>>   server_name rgw.tld;
>>   access_log /var/log/nginx/rgw_http_access.log;
>>   error_log /var/log/nginx/rgw_http_error.log;
>>   error_page 502 503 504 = @errors;
>>   if ( $scheme = 'http' ) {
>>     rewrite ^ https://$server_name$request_uri? permanent;
>>   }
>>   location @errors {
>>     proxy_pass;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header Host;
>>   }
>> }
>> --
>> David Moreau Simard
>> On Oct 8, 2014, at 7:53 AM, Marco Garcês <> wrote:
>>> Hi there,
>>> I am using RadosGW over NGINX, with Swift API, and everything is
>>> working great, over HTTP, but with HTTPS, I keep getting errors, and
>>> I'm guessing it is something on the gateway itself.
>>> Does anyone have a working HTTPS gateway with nginx? Can you provide
>>> it, so I can compare to mine?
>>> If I do an HTTP request, using Swift client from my machine, I get the
>>> response ok, but if I try it with HTTPS, I get:
>>> Account HEAD failed: http://gateway.local/swift/v1 400 Bad Request
>>> and on nginx side:
>>> 2014/10/08 13:37:34 [info] 18198#0: *50 client sent plain HTTP request to HTTPS port while reading client request headers, client: , server: *.gateway.local, request: "HEAD /swift/v1 HTTP/1.1", host: "gateway.local:443"
>>> 2014/10/08 13:37:34 [info] 18197#0: *48 client closed keepalive connection
>>> I have wiresharked my connection, and there is no evidence that HTTP
>>> traffic is going out, when I make the request via HTTPS, so that's why
>>> I believe that the issue is on the gateway end.
>>> NGINX Config:
>>> server {
>>>        listen 80;
>>>        listen 443 ssl default;
>>>        server_name *.gateway.bcitestes.local gateway.bcitestes.local;
>>>        error_log logs/error_https.log debug;
>>>        client_max_body_size 10g;
>>>        # This is the important option that tengine has, but nginx does not
>>>        fastcgi_request_buffering off;
>>>        ssl_certificate      /etc/pki/tls/certs/ca_rgw.crt;
>>>        ssl_certificate_key  /etc/pki/tls/private/ca_rgw.key;
>>>        ssl_session_timeout  5m;
>>>        ssl_protocols  SSLv2 SSLv3 TLSv1;
>>>        ssl_ciphers  HIGH:!aNULL:!MD5;
>>>        ssl_prefer_server_ciphers   on;
>>>        location / {
>>>                fastcgi_pass_header     Authorization;
>>>                fastcgi_pass_request_headers on;
>>>                fastcgi_param HTTPS on;
>>>                if ($request_method  = PUT ) {
>>>                        rewrite ^ /PUT$request_uri;
>>>                }
>>>                include fastcgi_params;
>>>                fastcgi_param HTTPS on;
>>>                fastcgi_pass unix:/var/run/ceph/ceph.radosgw.gateway.fastcgi.sock;
>>>        }
>>>        location /PUT/ {
>>>                internal;
>>>                fastcgi_pass_header     Authorization;
>>>                fastcgi_pass_request_headers on;
>>>                include fastcgi_params;
>>>                fastcgi_param  CONTENT_LENGTH   $content_length;
>>>                fastcgi_param HTTPS on;
>>>                fastcgi_pass unix:/var/run/ceph/ceph.radosgw.gateway.fastcgi.sock;
>>>        }
>>>        }
>>> Ceph config:
>>> []
>>> host = GATEWAY
>>> keyring = /etc/ceph/
>>> rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
>>> log file = /var/log/ceph/client.radosgw.gateway.log
>>> rgw print continue = false
>>> rgw dns name = gateway.bcitestes.local
>>> rgw enable ops log = false
>>> rgw enable usage log = true
>>> rgw usage log tick interval = 30
>>> rgw usage log flush threshold = 1024
>>> rgw usage max shards = 32
>>> rgw usage max user shards = 1
>>> rgw cache lru size = 15000
>>> rgw thread pool size = 2048
>>> ------------------
>>> Thanks in advance,
>>> Marco Garcês
>>> #sysadmin
>>> Maputo - Mozambique
>>> _______________________________________________
>>> ceph-users mailing list
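A check for the symptom discussed in this thread, where an auth request made over HTTPS comes back with an X-Storage-Url that uses http. This is an added example, not code from the thread or from Ceph; the auth URL, the header values and the function name `check_storage_url` are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def check_storage_url(auth_url, response_headers):
    """Compare the auth request URL with the X-Storage-Url it returned.

    Returns a list of finding strings; an empty list means they are consistent.
    """
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in response_headers.items()}
    storage_url = headers.get("x-storage-url")
    if storage_url is None:
        return ["missing X-Storage-Url"]

    auth, storage = urlsplit(auth_url), urlsplit(storage_url)
    findings = []
    if auth.scheme == "https" and storage.scheme != "https":
        # A Swift client sends X-Auth-Token to the storage URL, so an http
        # scheme here means the token would travel in clear text.
        findings.append(
            "scheme downgrade: auth over https, storage URL is " + storage.scheme)
    port = storage.port or DEFAULT_PORTS.get(storage.scheme)
    if storage.scheme == "http" and port == 443:
        # Produces the nginx message "client sent plain HTTP request to HTTPS port".
        findings.append("plain http URL points at TLS port 443")
    if auth.hostname != storage.hostname:
        findings.append("host changed: %s -> %s" % (auth.hostname, storage.hostname))
    return findings


# Constructed sample auth responses (not captured from the gateway in the thread).
AUTH_URL = "https://gateway.local/auth/v1.0"  # assumed auth endpoint
BROKEN = {"X-Storage-Url": "http://gateway.local:443/swift/v1",
          "X-Auth-Token": "AUTH_tk_placeholder"}
FIXED = {"x-storage-url": "https://gateway.local/swift/v1",
         "X-Auth-Token": "AUTH_tk_placeholder"}

if __name__ == "__main__":
    for name, hdrs in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_storage_url(AUTH_URL, hdrs))
```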