<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Hi Christian,<div><br></div><div>Thanks for answering!</div><div><br></div><div>We solved this with lab services a while back now, and ended up setting up haproxys I front of the ces nodes and then they handle the ssl encryption to the S3 API</div><div><br></div><div>Thanks</div><div>Andi Christiansen<br><br><div dir="ltr">Sendt fra min iPhone</div><div dir="ltr"><br><blockquote type="cite">Den 7. maj 2020 kl. 12.08 skrev Christian Vieser <christian.vieser@1und1.de>:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<pre>Hi Andi,</pre>
<pre>up to now there are no instructions available on how to enable SSL on the Swift/S3 endpoints.</pre>
<pre>The only thing is that you can enable SSL on the authentication path. So your connection to Swift authentication on port 35357 will be secured and the S3 authentication arriving at http port 8080 will internally take the SSL path, if configured properly. We have successfully done that in a test environment. Be sure to use the --pwd-file option with the "mmuserauth service create ..." and verify the proxy settings afterwards. It should look like this:</pre>
<pre class="code-java"># mmobj config list --ccrfile proxy-server.conf --section filter:s3token
[filter:s3token]
auth_uri = https:<span class="code-comment">//127.0.0.1:35357/
</span>use = egg:swift3#s3token
insecure = <span class="code-keyword">true
You can correct wrong settings with
</span># mmobj config change --ccrfile proxy-server.conf --section filter:s3token --property insecure --value <span class="code-keyword">true</span>
# mmobj config change --ccrfile proxy-server.conf --section filter:s3token --property auth_uri --value <span class="code-quote">'https:<span class="code-comment">//127.0.0.1:35357/'
Regards,
Christian
</span></span><span class="code-keyword"></span></pre>
<pre>> i have tried what you suggested. mmobj swift base ran fine. but after i have
> deleted the userauth and try to set it up again with ks-ssl enabled it just
> hangs:
>
> # mmuserauth service create --data-access-method object --type local
> --enable-ks-ssl
>
> still waiting for it to finish, 15 mins now.. :)
>> Basically all i need is this:
>>
>> <a rel="nofollow" href="https://s3.something.com:8080">https://s3.something.com:8080</a> <a rel="nofollow" href="https://s3.something.com:8080">https://s3.something.com:8080</a> which points
>> to the WAN ip of the CES cluster (already configured and ready)
>>
>> and endpoints like this:
>>
>> None | keystone | identity | True | public | <a rel="nofollow" href="https://cluster_domain:5000/">https://cluster_domain:5000/</a>
>> <a rel="nofollow" href="https://cluster_domain:5000/">https://cluster_domain:5000/</a>
>> RegionOne | swift | object-store | True | public |
>> <a rel="nofollow" href="https://cluster_domain:443/v1/AUTH_%">https://cluster_domain:443/v1/AUTH_%</a>(tenant_id)s
>> RegionOne | swift | object-store | True | public |
>> <a rel="nofollow" href="https://cluster_domain:8080/v1/AUTH_%">https://cluster_domain:8080/v1/AUTH_%</a>(tenant_id)s</pre>
<span>_______________________________________________</span><br><span>gpfsug-discuss mailing list</span><br><span>gpfsug-discuss at spectrumscale.org</span><br><span>http://gpfsug.org/mailman/listinfo/gpfsug-discuss</span><br></div></blockquote></div></body></html>