rgw: add ssl support to beast frontend #20464
| const bool have_cert = cert != config.end(); | ||
| if (have_cert) { | ||
| // only initialize the ssl context if it's going to be used | ||
| ssl_context = boost::in_place(ssl::context::tls); |
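Review bot: on the last line, ssl::context::tls selects the generic TLS method, which rules out SSL v2/v3 but still lets a client negotiate TLS 1.0 or 1.1 unless options are applied to the context afterwards. If the code following this hunk does not already do so, consider raising the floor with ssl_context->set_options(ssl::context::no_tlsv1 | ssl::context::no_tlsv1_1), or exposing the minimum version as a frontend option, and extend the comment to say which protocol versions the frontend is expected to accept.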
use of ssl::context::tls here disables the ssl v2 and v3 protocols. our s3tests currently pin the python requests library at 0.14.0, which can only do up to ssl v3. this causes some of the s3tests to fail against beast with ssl handshake failed: wrong version number errors. fixed in ceph/s3-tests#217
remove ClientIO's dependency on a concrete socket type by moving it into a derived StreamIO class in rgw_asio_frontend.cc Signed-off-by: Casey Bodley <cbodley@redhat.com>
adds frontend options ssl_certificate, ssl_private_key, ssl_port, ssl_endpoint Fixes: http://tracker.ceph.com/issues/22832 Signed-off-by: Casey Bodley <cbodley@redhat.com>
instead of adding special frontend configs like civetweb_ssl.yaml and beast_ssl.yaml, added a new proto/ subdirectory for http.yaml and https.yaml Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
jenkins test this please

after ceph/s3-tests#217 merged, i cherry-picked to ceph-master but missed one of the commits. so the first teuthology run had some s3test failures before of that and fixing ceph-master, the rerun was clean. so this one is finally ready!

@theanalyst thanks for help with review/testing!

@cbodley is it possible to reload the

no @Kriechi, the rgw_frontends config is only parsed once on startup when frontends are initialized

@cbodley civetweb provides such functionality - my impression was that beast is the "new" frontend and civetweb will be phased out? If so, I think not having a cert reload without killing the process is a regression. I tried to look at the beast source code to find something in this area - but didn't find anything useful so far.

can you explain how to accomplish that with civetweb in rgw? i hadn't seen any mechanism in radosgw to do it

@Kriechi could you create a tracker ticket for this issue (as this is merged)? Matt

@cbodley I'm currently using this flag in the rgw frontend config section of

@mattbenjamin I made a ceph tracker issue here regarding reloading ssl certs: https://tracker.ceph.com/issues/65470

adds frontend options ssl_certificate, ssl_private_key, ssl_port, ssl_endpoint
Fixes: http://tracker.ceph.com/issues/22832
(depends on one refactoring commit from #20449)
TODO:
ssl_certificate is provided