Hi Freddy,

Thanks for posting this. I went through these settings in the haproxy manual, and was wondering why:

- You have added http-server-close? Because rgw does not support keep-alives (? I don't know)
- Why did you add the option forwardfor? This is not logged anywhere in radosgw, is it? At least I am having such [1] logging.
- I guess you do not have any ACLs because this config of yours is already on the internal network. I was thinking of maybe allowing correct URLs, so I do not have such logs:
  WARNING: RGWRados::log_usage(): user name empty (bucket=), skipping

[1]
Feb 8 11:00:11 xxx radosgw: 2021-02-08 11:00:11.658 7f51e4fa5700 0 WARNING: RGWRados::log_usage(): user name empty (bucket=), skipping
Feb 8 11:00:23 xxx radosgw: 2021-02-08 11:00:23.778 7f50d3168700 1 ====== starting new request req=0x5651b43085f0 =====
Feb 8 11:00:23 xxx radosgw: 2021-02-08 11:00:23.779 7f50d3168700 1 ====== req done req=0x5651b43085f0 op status=0 http_status=200 latency=0.000999983s ======
Feb 8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.365 7f51a8312700 1 ====== starting new request req=0x5651b44a65f0 =====
Feb 8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.365 7f51a8312700 1 ====== req done req=0x5651b44a65f0 op status=0 http_status=200 latency=0s ======
Feb 8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.854 7f2727831700 1 ====== starting new request req=0x55d8d46865f0 =====
Feb 8 11:00:28 xxx radosgw: 2021-02-08 11:00:28.855 7f2727831700 1 ====== req done req=0x55d8d46865f0 op status=0 http_st

-----Original Message-----
From: Freddy Andersen <freddy(a)cfandersen.com>
Sent: 08 February 2021 05:18
To: Szabo, Istvan (Agoda) <Istvan.Szabo(a)agoda.com>; Marc <Marc@f1-outsourcing.eu>; ceph-users(a)ceph.io
Subject: Re: share haproxy config for radosgw
Something like this works…
# HAProxy configuration
#------------------
# Global settings
#------------------
global
    log /dev/log local0
    log /dev/log local1 notice
    user haproxy
    group haproxy
    chroot /var/lib/haproxy
    daemon
    stats socket /var/lib/haproxy/stats mode 660 level admin
    maxconn 65536
    spread-checks 4
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
#------------------
# common defaults that all the 'listen' and 'backend' sections will
# use- if not designated in their block
#------------------
defaults
    log global
    mode http
    retries 3
    balance roundrobin
    option abortonclose
    option redispatch
    option dontlognull
    option log-health-checks
    maxconn 20480
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    timeout http-request 20s
    timeout http-keep-alive 30s
    timeout check 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
#------------------
# frontend instances
#------------------
frontend ext-http-in
    bind 10.1.2.10:80 name s3
    bind 10.1.2.10:443 ssl crt certificate.pem name secure-s3
    maxconn 25000
    option forwardfor if-none
    option http-server-close
    option httplog
    # host_s3 is used below but was not defined in the posted config; the
    # hostname here is a placeholder so that the file parses.
    acl host_s3 hdr(host) -i s3.example.com
    default_backend be_rgw-zone1
    use_backend be_rgw-zone1 if host_s3
#------------------
# backend instances
#------------------
backend be_rgw-zone1
    mode http
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server radosgw-vip1 10.1.2.1:80 check
    server radosgw-vip2 10.1.2.2:80 check
    server radosgw-vip3 10.1.2.3:80 check

From: Szabo, Istvan (Agoda) <Istvan.Szabo(a)agoda.com>
Date: Sunday, February 7, 2021 at 8:25 PM
To: Marc <Marc(a)f1-outsourcing.eu>, ceph-users(a)ceph.io <ceph-users(a)ceph.io>
Subject: [ceph-users] Re: share haproxy config for radosgw
Let me join this thread; I'd also be interested in HTTPS and beast
configuration at the HAProxy level. I have never managed to make it work.
-----Original Message-----
From: Marc <Marc(a)f1-outsourcing.eu>
Sent: Monday, February 8, 2021 5:19 AM
To: ceph-users(a)ceph.io
Subject: [ceph-users] share haproxy config for radosgw
I was wondering if someone could post a config for haproxy. Is there
something specific to configure? Like binding clients to a specific
backend server, client timeouts, security specific to rgw etc.
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io
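
The ACL question raised in the reply at the top of this thread, as an added example that is not part of any poster's message or of the Ceph project: a frontend that only forwards requests whose Host header and method match an allow-list, and logs the forwarding headers at the proxy. The hostname s3.example.com and the variable name txn.host are assumptions; whether this removes the log_usage warning depends on what is sending those requests, which the thread does not establish.

```haproxy
# Added example: allow-list in front of radosgw.
# s3.example.com is a placeholder endpoint name, not taken from the thread.
frontend ext-http-in
    bind 10.1.2.10:80 name s3
    bind 10.1.2.10:443 ssl crt certificate.pem name secure-s3
    option httplog
    option forwardfor if-none

    # Host header with any ":port" suffix removed and lower-cased,
    # stored once so both ACLs below test the same value.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # Path-style requests use the endpoint name itself;
    # virtual-hosted-style requests use <bucket>.<endpoint>.
    acl host_s3        var(txn.host) -m str s3.example.com
    acl host_s3_bucket var(txn.host) -m end .s3.example.com

    # HTTP methods the S3 API uses.
    acl s3_method method GET HEAD PUT POST DELETE OPTIONS

    # Anything else is answered by HAProxy and never reaches radosgw.
    http-request deny deny_status 403 unless host_s3 or host_s3_bucket
    http-request deny deny_status 403 unless s3_method

    # Keep the Host and any client-supplied X-Forwarded-For in the
    # HAProxy log line, so the proxy log shows what was asked for
    # even when radosgw itself does not log these headers.
    capture request header Host len 64
    capture request header X-Forwarded-For len 64

    default_backend be_rgw-zone1
```

Denied requests still appear in the HAProxy log with status 403, so the allow-list can be checked against real traffic with `haproxy -c -f <file>` and a log review before it is relied on.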