Feature #19246

closed

rgw: use X-Forwarded-Proto header to determine original protocol under proxy

Added by Osamu KIMURA about 7 years ago. Updated 3 months ago.

Status: Resolved
Priority: High
Assignee: -
Target version: -
% Done: 0%

Description

The currently recommended configuration to support SSL is to use HAProxy in front of RGWs.
If we want to allow both http and https for clients, there is no way for RGWs to distinguish the protocols.
On the other hand, RGW needs the protocol information for some APIs (e.g., X-Storage-Url for Swift API).

I propose to use "X-Forwarded-Proto" header for this purpose. The header is very common on most proxies.

Current src/rgw/rgw_swift_auth.cc:

void RGW_SWIFT_Auth_Get::execute()
{
...
  string swift_url = g_conf->rgw_swift_url;
...
  if (swift_url.size() == 0) {
    bool add_port = false;
    const char *server_port = s->info.env->get("SERVER_PORT_SECURE");
    const char *protocol;
    if (server_port) {
      add_port = (strcmp(server_port, "443") != 0);
      protocol = "https";
    } else {
      server_port = s->info.env->get("SERVER_PORT");
      add_port = (strcmp(server_port, "80") != 0);
      protocol = "http";
    }
    const char *host = s->info.env->get("HTTP_HOST");
    if (!host) {
      dout(0) << "NOTICE: server is misconfigured, missing rgw_swift_url_prefix or rgw_swift_url, HTTP_HOST is not set" << dendl;
      ret = -EINVAL;
      goto done;
    }
    swift_url = protocol;
    swift_url.append("://");
    swift_url.append(host);
    if (add_port && !strchr(host, ':')) {
      swift_url.append(":");
      swift_url.append(server_port);
    }
  }
...
}

Just a quick hack:

void RGW_SWIFT_Auth_Get::execute()
{
...
  string swift_url = g_conf->rgw_swift_url;
...
  if (swift_url.size() == 0) {
    bool add_port = false;
    const char *server_port = s->info.env->get("SERVER_PORT_SECURE");
    const char *protocol = s->info.env->get("HTTP_X_FORWARDED_PROTO");
    if (server_port) {
      add_port = (strcmp(server_port, "443") != 0);
      protocol = "https";
    } else if (protocol) {
      server_port = s->info.env->get("HTTP_X_FORWARDED_PORT");
      if (server_port) {
        // Only append the port when it differs from the scheme's default.
        if (strcmp(protocol, "https") == 0) {
          add_port = (strcmp(server_port, "443") != 0);
        } else {
          add_port = (strcmp(server_port, "80") != 0);
        }
      }
    } else {
      server_port = s->info.env->get("SERVER_PORT");
      add_port = (strcmp(server_port, "80") != 0);
      protocol = "http";
    }
    const char *host = s->info.env->get("HTTP_HOST");
    if (!host) {
      dout(0) << "NOTICE: server is misconfigured, missing rgw_swift_url_prefix or rgw_swift_url, HTTP_HOST is not set" << dendl;
      ret = -EINVAL;
      goto done;
    }
    swift_url = protocol;
    swift_url.append("://");
    swift_url.append(host);
    if (add_port && !strchr(host, ':')) {
      swift_url.append(":");
      swift_url.append(server_port);
    }
  }
...
}
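
Added example (not part of the original report and not Ceph code): a standalone sketch of the same URL derivation that honours X-Forwarded-Proto only when the deployment says the proxy is trusted, and only for the values "http" and "https", since a client that reaches RGW directly can set the header itself. The `Env` map, the helper functions and the `trust_forwarded` switch are hypothetical names used for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

using Env = std::map<std::string, std::string>;  // stand-in for s->info.env

static const std::string* get(const Env& env, const char* key) {
  auto it = env.find(key);
  return it == env.end() ? nullptr : &it->second;
}

// Return "http" or "https" (case-insensitive match), or "" for anything else.
static std::string parse_proto(std::string v) {
  std::transform(v.begin(), v.end(), v.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return (v == "http" || v == "https") ? v : std::string();
}

static bool is_port(const std::string& p) {
  return !p.empty() && p.size() <= 5 &&
         std::all_of(p.begin(), p.end(), [](unsigned char c) { return std::isdigit(c) != 0; });
}

// trust_forwarded is a hypothetical switch: enable it only when every request
// reaches RGW through a proxy that overwrites X-Forwarded-* itself.
// Returns "" when HTTP_HOST is missing (the -EINVAL case in the original).
std::string build_swift_url(const Env& env, bool trust_forwarded) {
  const std::string* host = get(env, "HTTP_HOST");
  if (!host) return "";
  std::string proto = "http";
  const std::string* port = get(env, "SERVER_PORT_SECURE");
  if (port) {
    proto = "https";  // RGW itself terminated TLS
  } else {
    port = get(env, "SERVER_PORT");
    const std::string* fwd = get(env, "HTTP_X_FORWARDED_PROTO");
    const std::string p = (trust_forwarded && fwd) ? parse_proto(*fwd) : std::string();
    if (!p.empty()) {
      proto = p;
      port = get(env, "HTTP_X_FORWARDED_PORT");  // may be absent: no port appended
    }
  }
  std::string url = proto + "://" + *host;
  const std::string def = (proto == "https") ? "443" : "80";
  if (port && is_port(*port) && *port != def && host->find(':') == std::string::npos)
    url += ":" + *port;
  return url;
}
```

An unrecognised header value falls back to the directly observed scheme and port instead of being copied into the URL.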


Related issues 1 (0 open, 1 closed)

Related to rgw - Bug #27221: SSE encryption does not detect ssl termination in proxy | Resolved | Casey Bodley | 08/24/2018

#1

Updated by Casey Bodley 3 months ago

  • Related to Bug #27221: SSE encryption does not detect ssl termination in proxy added
#2

Updated by Casey Bodley 3 months ago

  • Status changed from New to Resolved