This is a cry for help.

Has anybody on Fedi put OpenStack Swift behind an nginx reverse proxy successfully before?

All the docs seem to suggest it should “just work” but I get 401s on preflight checks to upload media through the reverse proxy, and it works fine direct. I’m forwarding the X-Real-IP etc and swift is recognising that.

My next step is to just futz around with the proxy forward headers in the hope that something will help, but I can’t find any docs to actually address this situation. It’s weird.

Also this is a legacy system running an old version from 2014, so that might contribute. The goal is to have the up-to-date nginx RP doing SSL termination so as to change as little as possible of the config in this legacy mess.

@s0 i did (back in 2015). do you have full openstack setup (keystone + swift) or standalone one? is it s3 or swift API?

if it is swift api and full openstack setup, could it be that `X-Auth-Token:` is not passed because of `proxy_pass_request_headers off` or something along those lines (like token wasn't received at all)?

@yottatsa the successful ones don’t seem to have a token header at all? They have an X-Trans-Id (lol) and a temp URL and temp url sig. maybe I need to look at an even more pre-pre-flight request that gets a token for upload or something?
@yottatsa oh yeah it’s Swift API, hence the specific undocumented hell. I have no idea about keystone. Maybe? Clients get a JWT for the backend from an LDAP auth flow, I don’t know exactly how the rails backend issues the token for swift upload.

@s0 do you have access to the swift configs? would really like to take a look at `pipeline` (chain of middlewares) https://github.com/openstack/swift/blob/mitaka-eol/etc/proxy-server.conf-sample#L82 as this will explain the configuration.

my dogscience theory is: keystone (authentication/token generation/service discovery) solicits the swift endpoint which doesn't match the new swift-proxy endpoint behind, so the token is not passed by whatever client.

@yottatsa yeah ok, that’s a great tip to follow up. I’ll collect some more info
@s0 also, do you proxy the URL without modification, or is there any URL rewriting/filtering in nginx (non `/` location, trailing url after `proxy_pass`, etc)?
@yottatsa nope, URL preserved exactly
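
Why the URL-rewriting question matters when temp URLs are in use, as an added example that is not part of the thread or of Swift's own code: it assumes the backend runs Swift's tempurl middleware, which signs the method, expiry and path with HMAC-SHA1, so the backend must see exactly the request that was signed. The key, account, path and timestamps are constructed sample values.

```python
import hmac
from hashlib import sha1
from urllib.parse import urlsplit, parse_qs

def tempurl_sig(key: bytes, method: str, expires: int, path: str) -> str:
    """HMAC-SHA1 over method, expiry and path (Swift tempurl scheme)."""
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, sha1).hexdigest()

def backend_accepts(key: bytes, method: str, request_uri: str, now: int) -> bool:
    """Re-run the signature check on the request line the backend received.
    False corresponds to Swift answering 401 for an invalid temp URL."""
    parts = urlsplit(request_uri)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False  # proxy dropped or mangled the query string
    if now > expires:
        return False
    expected = tempurl_sig(key, method, expires, parts.path)
    return hmac.compare_digest(expected, sig)

# Constructed sample values, not taken from the thread.
KEY = b"constructed-demo-key"
PATH = "/v1/AUTH_demo/media/upload.png"
EXPIRES, NOW = 1700000600, 1700000000
SIGNED = f"{PATH}?temp_url_sig={tempurl_sig(KEY, 'PUT', EXPIRES, PATH)}&temp_url_expires={EXPIRES}"

def run_cases() -> dict:
    """What the backend decides for several ways a proxy could forward SIGNED."""
    return {
        "forwarded unchanged": backend_accepts(KEY, "PUT", SIGNED, NOW),
        "extra /swift prefix kept": backend_accepts(KEY, "PUT", "/swift" + SIGNED, NOW),
        "query string dropped": backend_accepts(KEY, "PUT", PATH, NOW),
        "different method": backend_accepts(KEY, "POST", SIGNED, NOW),
        "after expiry": backend_accepts(KEY, "PUT", SIGNED, EXPIRES + 1),
    }

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:26} -> {'accepted' if ok else '401'}")
```

Comparing the request line in the nginx access log with the one in the Swift proxy log for the same X-Trans-Id shows whether the two sides saw the same method, path and query.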