Bug #23489
open[rgw] civetweb behind haproxy doesn't work with absolute URI
0%
Description
I'm sorry, maybe it isn't bug, but i don't know how to solve this problem.
I know that absolute URIs are supported in civetweb and it works fine for me without haproxy in the middle.
But if client send absolute URIs through reverse proxy(haproxy) to civetweb, civetweb breaks connection without responce.
i set:
debug rgw = 20
debug civetweb = 10
but no any messgaes in civetweb logs(access, error) and in rgw logs.
in tcpdump i only see as rgw closes connection after request with absolute URI. Relative URIs in requests work fine with haproxy.
Client:
Docker registry v2.6.2, s3 driver based on aws-sdk-go/1.2.4 (go1.7.6; linux; amd64) uses absolute URI in requests.
s3 driver options of docker registry:
s3:
region: us-east-1
bucket: docker
accesskey: 'access_key'
secretkey: 'secret_key'
regionendpoint: http://storage.my-domain.ru
secure: false
v4auth: true
ceph.conf for rgw instance:
[client]
rgw dns name = storage.my-domain.ru
rgw enable apis = s3, admin
rgw dynamic resharding = false
rgw enable usage log = true
rgw num rados handles = 8
rgw thread pool size = 256
[client.rgw.a]
host = aj15
keyring = /var/lib/ceph/radosgw/rgw.a.keyring
rgw enable static website = true
rgw frontends = civetweb authentication_domain=storage.my-domain.ru num_threads=128 port=0.0.0.0:7480 access_log_file=/var/log/ceph/civetweb.rgw.access.log error_log_file=/var/log/ceph/civetweb.rgw.error.log
debug rgw = 20
debug civetweb = 10
very simple haproxy.cfg:
global
chroot /var/empty
# /log is chroot path
log /haproxy-log local2
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-dh-param-file /etc/pki/tls/dhparams.pem
defaults
mode http
log global
frontend s3
bind *:80
bind *:443 ssl crt /etc/pki/tls/certs/s3.pem crt /etc/pki/tls/certs/s3-buckets.pem
use_backend rgw
backend rgw
balance roundrobin
server a aj15:7480 check fall 1
server a aj16:7480 check fall 1
http haeder from tcpdump before and after haproxy:
GET http://storage.my-domain.ru/docker?max-keys=1&prefix= HTTP/1.1
Host: storage.my-domain.ru
User-Agent: aws-sdk-go/1.2.4 (go1.7.6; linux; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=user:user@cloud.croc.ru/20180328/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=10043867bbb2833d50f9fe16a6991436a5c328adc5042556ce1ddf1101ee2cb9
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180328T111255Z
Accept-Encoding: gzip
i don't understand how use haproxy and absolute URIs in requests(