s0 Is Not A SysadminNov 16

This is a cry for help.

Has anybody on Fedi put OpenStack Swift behind an nginx reverse proxy successfully before?

All the docs seem to suggest it should “just work” but I get 401s on preflight checks to upload media through the reverse proxy, and it works fine direct. I’m forwarding the X-Real-IP etc and swift is recognising that.

My next step is to just futz around with the proxy forward headers in the hope that something will help, but I can’t find any docs to actually address this situation. It’s weird.

Also this is a legacy system running an old version from 2014, so that might contribute. The goal is to have the up-to-date nginx RP doing SSL termination so as to change as little as possible of the config in this legacy mess.

Show threadatsukoNov 17

@s0 i did (back in 2015). do you have full openstack setup (keystone + swith) or standalone one? is it s3 or switf API?

if it is swift api and full openstack setup, could it be that `X-Auth-Token:` is not passed because of `proxy_pass_request_headers off` or something along those lines (like token wasn't received at all)?

Show threads0 Is Not A SysadminNov 17
@yottatsa the successful ones don’t seem to have a token header at all? They have an X-Trans-Id (lol) and a temp URL and temp url sig. maybe I need to look at an even more pre-pre-flight request that gets a token for upload or something?
Show threads0 Is Not A SysadminNov 17
@yottatsa oh yeah it’s Swift API, hence the specific undocumented hell. I have no idea about keystone. Maybe? Clients get a JWT for the backend from an LDAP auth flow, I don’t know exactly how the rails backend issues the token for swift upload.
Show threadatsuko
@s0 also, do you proxy the URL without modification, or is there any URL rewriting/filtering in nginx (non `/` location, trailing url after `proxy_pass`, etc)?
Nov 17 at 2:16pmWeb
Show threads0 Is Not A SysadminNov 17
@yottatsa nope, IRL preserved exactly