Configuring server-side encryption

You can set up server-side encryption so that clients reach the Ceph Object Gateway over HTTP behind a TLS-terminating proxy, in cases where it is not possible to send encrypted requests over SSL all the way to the gateway. The proxy terminates TLS and marks each forwarded request as having arrived over HTTPS, and the gateway is configured to trust that marking.

This procedure uses HAProxy as proxy and load balancer.

Prerequisites

  • A running IBM Storage Ceph cluster.

  • Root-level access to all nodes in the storage cluster.

  • Installation of the Ceph Object Gateway software.

  • Installation of the HAProxy software.

Procedure

  1. Edit the haproxy.cfg file:

    Example

    frontend http_web *:80
        mode http
        default_backend rgw
    
    frontend rgw-https
      bind *:443 ssl crt /etc/ssl/private/example.com.pem
      default_backend rgw
    
    backend rgw
        balance roundrobin
        mode http
        server  rgw1 10.0.0.71:8080 check
        server  rgw2 10.0.0.80:8080 check
  2. Comment out the lines that expose the HTTP front end, and add headers to the HTTPS front end that tell the Object Gateway the request arrived over TLS and on which port:

    Example

    #     frontend http_web *:80
    #     mode http
    #     default_backend rgw
    
    frontend rgw-https
      bind *:443 ssl crt /etc/ssl/private/example.com.pem
      http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto https
      # Set the port on which the load balancer accepted the HTTPS connection (e.g. 443)
      http-request set-header X-Forwarded-Port 443
      default_backend rgw
    
    backend rgw
        balance roundrobin
        mode http
        server  rgw1 10.0.0.71:8080 check
        server  rgw2 10.0.0.80:8080 check
  3. Set the rgw_trust_forwarded_https option to true, so that the Object Gateway treats requests carrying the X-Forwarded-Proto: https header set by HAProxy as received over HTTPS:

    Example

    [ceph: root@host01 /]# ceph config set client.rgw rgw_trust_forwarded_https true
  4. Enable and start HAProxy:

    [root@host01 ~]# systemctl enable haproxy
    [root@host01 ~]# systemctl start haproxy
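Because the gateway, once rgw_trust_forwarded_https is true, believes whatever X-Forwarded-Proto header reaches it, the haproxy.cfg from step 2 is the control that makes the setup safe: no plain-HTTP front end may remain open, and every TLS-terminating front end must stamp the forwarded headers. The following lint is an added example, not part of the IBM documentation or the HAProxy project; it checks exactly those two properties against a config file. The two sample configs it writes are constructed copies of the step 1 and step 2 examples, and it assumes a POSIX sh with grep, sed, awk and mktemp. It cannot check that port 8080 on the gateway hosts is reachable only from HAProxy; that still has to be enforced by the network.

```shell
#!/bin/sh
# Added example (not from the IBM Storage Ceph documentation): lint a
# haproxy.cfg for the properties the Object Gateway relies on once
# rgw_trust_forwarded_https is true. Assumes POSIX sh, grep, sed, awk, mktemp.

# Print the config with comments and blank lines removed, so the commented-out
# http_web front end from step 2 is not counted as active.
active_lines() {
    sed -e 's/#.*$//' "$1" | grep -v '^[[:space:]]*$'
}

# check_haproxy_cfg FILE: returns 0 when FILE passes, 1 with reasons on stderr.
check_haproxy_cfg() {
    cfg="$1"
    rc=0

    # Rule 1: no plain-HTTP listener on :80, in either the legacy
    # "frontend NAME *:80" form or a "bind *:80" line.
    if active_lines "$cfg" | grep -Eq \
        '^[[:space:]]*(frontend[[:space:]]+[^[:space:]]+|bind)[[:space:]]+[^[:space:]]*:80([[:space:]]|$)'; then
        echo "FAIL: a front end still listens for plain HTTP on port 80" >&2
        rc=1
    fi

    # Rule 2: every front end whose bind uses "ssl" must set both
    # X-Forwarded-Proto https and X-Forwarded-Port 443, and at least one
    # such front end must exist.
    active_lines "$cfg" | awk '
        function flush() {
            if (tls && !(proto && port)) {
                print "FAIL: TLS front end " name " lacks X-Forwarded-Proto https / X-Forwarded-Port 443" > "/dev/stderr"
                bad = 1
            }
            tls = 0; proto = 0; port = 0
        }
        $1 == "frontend" || $1 == "backend" || $1 == "listen" || $1 == "defaults" || $1 == "global" {
            flush()
            infront = ($1 == "frontend")
            name = $2
            next
        }
        infront && $1 == "bind" && /[[:space:]]ssl([[:space:]]|$)/ { tls = 1; seen_tls = 1 }
        infront && $1 == "http-request" && $2 == "set-header" && $3 == "X-Forwarded-Proto" && $4 == "https" { proto = 1 }
        infront && $1 == "http-request" && $2 == "set-header" && $3 == "X-Forwarded-Port" && $4 == "443" { port = 1 }
        END {
            flush()
            if (!seen_tls) { print "FAIL: no TLS-terminating front end found" > "/dev/stderr"; bad = 1 }
            exit bad
        }
    ' || rc=1

    return $rc
}

# Constructed samples: the step 1 config (HTTP still open, no forwarded
# headers) and the step 2 config from the procedure.
WORK=$(mktemp -d)
STEP1_CFG="$WORK/step1.cfg"
STEP2_CFG="$WORK/step2.cfg"
cat > "$STEP1_CFG" <<'EOF'
frontend http_web *:80
    mode http
    default_backend rgw

frontend rgw-https
  bind *:443 ssl crt /etc/ssl/private/example.com.pem
  default_backend rgw

backend rgw
    balance roundrobin
    mode http
    server  rgw1 10.0.0.71:8080 check
    server  rgw2 10.0.0.80:8080 check
EOF
cat > "$STEP2_CFG" <<'EOF'
#     frontend http_web *:80
#     mode http
#     default_backend rgw

frontend rgw-https
  bind *:443 ssl crt /etc/ssl/private/example.com.pem
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Port 443
  default_backend rgw

backend rgw
    balance roundrobin
    mode http
    server  rgw1 10.0.0.71:8080 check
    server  rgw2 10.0.0.80:8080 check
EOF

# Usage: the step 1 config is rejected, the step 2 config passes.
check_haproxy_cfg "$STEP1_CFG" && echo "step1.cfg: OK" || echo "step1.cfg: rejected"
check_haproxy_cfg "$STEP2_CFG" && echo "step2.cfg: OK" || echo "step2.cfg: rejected"
```

Run it on the real file with `check_haproxy_cfg /etc/haproxy/haproxy.cfg` before `systemctl start haproxy`; a non-zero exit means a request could reach the gateway without the TLS marking the procedure depends on.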