Our security officer requires us to run the swift gateway on a separate network as a kind of fuse between users and the rest of the oio cluster, and only encrypted traffic is allowed between the two networks.
We thus need to upgrade all plain text connections from http to https from the client.
(server setup is fairly straightforward, either a simple https reverse proxy for the oioproxy, or directly add https to the rawx apache config)
(semi-unrelated) give back https url for "public" object URLs
https to rawx
I'm not sure on that. My current understanding is that the meta-2 stores the rawx url 'as is', and one might want to allow a mix of plain/crypted, in which case changing the url on meta-2 isn't the best thing to do.
On the other hand, while the client could just rewrite all http links to https if the oioproxy connection is in https, if the ports involved aren't 80/443 I don't see how it could be guessed so that isn't straightforward either, so going full https might be the best way forward. It might be counter-intuitive though if that does not allow conversion for existing files easily?
public object URLs
When using e.g. s3cmd put --acl-public file s3://bucket/file I get this kind of url back: Public URL of the object is: http://swiftgateway:6010/bucket/file
where 6010 is the https port and I have use_https = true in my .s3cfg configuration; so I assume this http comes back from the oio code somewhere.
I haven't started looking, I cannot get the url to work using plain either anyway, it might be a moot point.
Thanks!
ISSUE TYPE
COMPONENT NAME
common?
SUMMARY
Recap of the work so far:
ca_certs and cert_reqs: #1977 and "hashedcontainer: pass through sds_cert_reqs and sds_ca_certs" (oio-swift#208). Allow config to verify SSL certificates for https connections.