s0 Is Not A SysadminNov 16

This is a cry for help.

Has anybody on Fedi put OpenStack Swift behind an nginx reverse proxy successfully before?

All the docs seem to suggest it should “just work” but I get 401s on preflight checks to upload media through the reverse proxy, and it works fine direct. I’m forwarding the X-Real-IP etc and swift is recognising that.

My next step is to just futz around with the proxy forward headers in the hope that something will help, but I can’t find any docs to actually address this situation. It’s weird.

Also this is a legacy system running an old version from 2014, so that might contribute. The goal is to have the up-to-date nginx RP doing SSL termination so as to change as little as possible of the config in this legacy mess.

Show threadÖlbaumNov 18
@s0 I had a problem with preflight requests for the S3-“””compatible””” mode of Swift a while ago and I tracked it down to a bug in Swift, but then it turned out our provider uses Ceph for the S3 API, so it was another bug, in Ceph. One of the bugs was that the middleware in charge of verifying the signature for pre-signed URLs was trying to verify it for the preflight request, which it shouldn’t, and will always fail because the request headers are not all the same.
Show threadÖlbaumNov 18
@s0 I think this bug was the one in Swift, but I need to double check once I’m at the computer. I remember it was a bug affecting older versions of Swift, so it tracks.
Show threadÖlbaum
@s0 I found the commit in our Slack. It’s specifically for S3 mode, though, so it might not be the issue you’re experiencing.
https://github.com/openstack/swift/commit/460dcf7562b7fa6d3244c28097ddd77287782274
s3api: Allow CORS preflights for pre-signed URLs · openstack/swift@460dcf7

Looks like browsers *do* send the query string in the OPTIONS request. Change-Id: Id10e6e32890f1c9a09c91990e5a6ee729bf4d973 Related-Change: I985143bf03125a05792e79bc5e5f83722d6431b3

GitHub
Nov 18 at 2:35pmWeb