Hello Ceph Users,
We've recently deployed an RGW service (0.94.3).
We've also integrated this RGW instance with an external OpenStack Keystone
identity service.
RGW + Keystone integration/service are working well.
At a high level, our RGW service looks like:
-------------------------------------------------------------------
+-------+
|Clients+--------------------------------+
+-------+ |
|
S3, Swift (HTTPS) | +--------+
| |Keystone|
+-+-+ +----+---+
+--------------------+RGW+----------------------+ |
| +---+ | |
| +----------------------------------------------------+
| | DNS Round Robin | |
+--------------+-+------------+
+----------------+-------------+
| +--------+ +--------+ | | +--------+ +--------+ |
| |RGW1|HA1+-------+RGW1|HA2| | | |RGW2|HA1+--------+RGW2|HA2| |
| +--------+ +--------+ | | +--------+ +--------+ |
+--------------+--------------+
+---------------+--------------+
| HAProxy + Keepalived, SSL termination |
| |
| |
+------------------------------------------------------------------------+
| +-------------------------------------+ |
| | civetweb | |
| | | |
+---+ +----+ +----+ +----+ +----+
| |RGW1| |RGW2| |RGW3| |
| +----+ +----+ +----+ |
+-------------------------------------+
|
|
+-+--+
|Ceph|
+----+
-------------------------------------------------------------------
Now, we're interested to learn how other RGW (+ Keystone) users
are preventing/mitigating brute force attacks on their RGWs?
OpenStack Keystone itself doesn't implement/limit auto-blocking;
HAProxy can be configured to do some auto blocking/mitigation though.
Regards,
Jerico
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
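
As an added illustration of the HAProxy-side auto-blocking mentioned in the message (not configuration from the original post), the fragment below tracks each client address in a stick table and refuses requests once that address produces too many 4xx responses, which is where repeated failed S3/Swift authentication shows up. The proxy names, certificate path, backend addresses, port and thresholds are all assumptions.

```haproxy
# Added example. All names, paths, addresses and thresholds are assumed values.
frontend rgw_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/rgw.pem    # assumed certificate path

    # One entry per client IP, kept for 10 minutes after last activity.
    # http_err_rate counts request errors and 4xx responses over 60 seconds.
    stick-table type ip size 200k expire 10m store http_err_rate(60s)

    # Attach every incoming connection to its source-address entry.
    tcp-request connection track-sc0 src

    # Refuse requests from an address that exceeded 20 errors in the window.
    http-request deny if { sc0_http_err_rate gt 20 }

    default_backend rgw_civetweb

backend rgw_civetweb
    mode http
    balance roundrobin
    # Assumed civetweb RGW instances (documentation address range).
    server rgw1 192.0.2.11:7480 check
    server rgw2 192.0.2.12:7480 check
    server rgw3 192.0.2.13:7480 check
```

The counter includes every 4xx, so a client that legitimately probes for missing objects (404) also accumulates errors and the threshold needs tuning against normal traffic. With several HAProxy nodes behind DNS round robin, each node counts on its own unless the stick table is synchronised through a `peers` section.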