[gpfsug-discuss] Enabling SSL/HTTPS/ on Object S3.
Christian Vieser
christian.vieser at 1und1.de
Thu May 7 11:01:49 BST 2020
Hi Andi,
up to now there are no instructions available on how to enable SSL on the Swift/S3 endpoints.
The only thing is that you can enable SSL on the authentication path. So your connection to Swift authentication on port 35357 will be secured and the S3 authentication arriving at http port 8080 will internally take the SSL path, if configured properly. We have successfully done that in a test environment. Be sure to use the --pwd-file option with the "mmuserauth service create ..." and verify the proxy settings afterwards. It should look like this:
# mmobj config list --ccrfile proxy-server.conf --section filter:s3token
[filter:s3token]
auth_uri = https://127.0.0.1:35357/ use = egg:swift3#s3token
insecure = true You can correct wrong settings with # mmobj config change --ccrfile proxy-server.conf --section filter:s3token --property insecure --value true
# mmobj config change --ccrfile proxy-server.conf --section filter:s3token --property auth_uri --value 'https://127.0.0.1:35357/' Regards, Christian
> i have tried what you suggested. mmobj swift base ran fine. but after i have
> deleted the userauth and try to set it up again with ks-ssl enabled it just
> hangs:
>
> # mmuserauth service create --data-access-method object --type local
> --enable-ks-ssl
>
> still waiting for it to finish, 15 mins now.. :)
>> Basically all i need is this:
>>
>> https://s3.something.com:8080 https://s3.something.com:8080 which points
>> to the WAN ip of the CES cluster (already configured and ready)
>>
>> and endpoints like this:
>>
>> None | keystone | identity | True | public | https://cluster_domain:5000/
>> https://cluster_domain:5000/
>> RegionOne | swift | object-store | True | public |
>> https://cluster_domain:443/v1/AUTH_%(tenant_id)s
>> RegionOne | swift | object-store | True | public |
>> https://cluster_domain:8080/v1/AUTH_%(tenant_id)s
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20200507/a42eeb74/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3378 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20200507/a42eeb74/attachment-0001.bin>
More information about the gpfsug-discuss
mailing list