radosgw/s3 sse-c encryption
f.cuseo
66 Posts
October 26, 2023, 3:43 pm
Hello.
I am trying to use server side encryption with customers' keys, but I always get "Invalid request", using rclone, using aws cli, using s3browser.
This is my bucket:
aws s3api get-bucket-encryption --bucket test --profile myprofile --endpoint-url https://s3storage.mydomain.it:8000
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }
}
Can anyone help me?
Thank you, Fabrizio
f.cuseo
66 Posts
October 27, 2023, 8:52 am
Solved.
I have pfsense with haproxy in front of petasan/radosGW, so I had to put
rgw trust forwarded https = true
in ceph.conf (section client.rgw.nodename)
So my section now is:
[client.rgw.petasan-04]
host = petasan-04
rgw frontends = "beast port=7480"
rgw_zone = dc01
rgw_user_quota_sync_idle_users = true
rgw trust forwarded https = true
rgw enable usage log = true
rgw usage log tick interval = 30
rgw usage log flush threshold = 1024
rgw usage max shards = 32
rgw usage max user shards = 1
rgw_dns_name = s3storage.mydomain.it
(it could be nice to add some features to web interface... logging, virtualhost-style config, and proxy usage)
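An added example (not code from the thread or from PetaSAN/Ceph): a small audit of ceph.conf RGW sections that shows why SSE-C was refused behind the TLS-terminating proxy and what the fix changes. It assumes Ceph's documented `rgw_crypt_require_ssl` option (default true) and the beast `ssl_port`/`ssl_endpoint` frontend options, none of which appear in the thread; the `before-fix` and `weak-workaround` sections are constructed.

```python
import configparser
import re

# Constructed sample: the thread's RGW section before and after the fix, plus
# a hypothetical node that switches the TLS requirement off instead.
SAMPLE_CEPH_CONF = """
[client.rgw.before-fix]
rgw frontends = "beast port=7480"

[client.rgw.petasan-04]
rgw frontends = "beast port=7480"
rgw trust forwarded https = true

[client.rgw.weak-workaround]
rgw frontends = "beast port=7480"
rgw_crypt_require_ssl = false
"""

TRUE_VALUES = {"true", "yes", "on", "1"}


def _norm(key):
    # Ceph treats spaces, dashes and underscores in option names as equivalent.
    return re.sub(r"[ \-]+", "_", key.strip().lower())


def audit_rgw_ssec(conf_text):
    """Map each [client.rgw.*] section to how it treats SSE-C requests."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(conf_text)
    verdicts = {}
    for section in parser.sections():
        if not section.startswith("client.rgw"):
            continue
        opts = {_norm(k): v.strip().strip('"').lower()
                for k, v in parser.items(section)}
        if opts.get("rgw_crypt_require_ssl", "true") not in TRUE_VALUES:
            verdict = "tls_check_disabled"    # keys accepted over plain HTTP
        elif re.search(r"\bssl_(port|endpoint)=", opts.get("rgw_frontends", "")):
            verdict = "tls_at_rgw"            # RGW sees the TLS session itself
        elif opts.get("rgw_trust_forwarded_https", "false") in TRUE_VALUES:
            verdict = "trusts_proxy_header"   # relies on the proxy's header
        else:
            verdict = "ssec_rejected"         # plain HTTP hop, no trust: refused
        verdicts[section] = verdict
    return verdicts
```

A `trusts_proxy_header` verdict means RGW believes the `X-Forwarded-Proto`/`Forwarded` header from whatever connects to port 7480, so that port should be reachable only from the proxy and the proxy should overwrite any client-supplied copy of the header. The SSE-C key still crosses the proxy-to-RGW hop unencrypted in that setup.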
admin
2,930 Posts
October 27, 2023, 2:05 pm
Great, thanks for the feedback.
My understanding is that you are using your own proxy talking directly to the radosgw on port 7480, or are you using the PetaSAN load balancer/proxy?
f.cuseo
66 Posts
October 27, 2023, 2:14 pm
All my petasan cluster is with private ip addressing; in front of petasan cluster (and of course, in front of s3 vlan/subnet), I have a pfSense instance, with haproxy on port 8000. So I use both petasan load balancer/proxy and pfsense haproxy; all s3 requests go to a single public ip address, and haproxy forwards to several private ip (that are configured on petasan).
I am only checking that, if I use aws s3 cli to encrypt an already present (and unencrypted) bucket, small files are not encrypted (a 64Mbyte file is encrypted, a 64k file is not); I think it is a rados configuration problem, but I can't find any solution.
PS. I use SSE-C