Use https for everything between oio-swift and the rest #1982

@martinetd

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

common?

SUMMARY

Our security officer requires us to run the swift gateway on a separate network as a kind of fuse between users and the rest of the oio cluster, and only encrypted traffic is allowed between the two networks.
We thus need to upgrade all plain text connections from http to https from the client.
(server setup is fairly straightforward, either a simple https reverse proxy for the oioproxy, or directly add https to the rawx apache config)

Recap of the work so far:

https to rawx

I'm not sure on that. My current understanding is that the meta-2 stores the rawx url 'as is', and one might want to allow a mix of plain/crypted in which case changing the url on meta-2 isn't the best thing to do.
On the other hand, while the client could just rewrite all http links to https if the oioproxy connection is in https, if the ports involved aren't 80/443 I don't see how it could be guessed so that isn't straightforward either, so going full https might be the best way forward. It might be counter-intuitive though if that does not allow conversion for existing files easily?

public object URLs

When using e.g. s3cmd put --acl-public file s3://bucket/file I get this kind of url back:
Public URL of the object is: http://swiftgateway:6010/bucket/file
where 6010 is the https port and I have use_https = true in my .s3cfg configuration; so I assume this http comes back from the oio code somewhere.

I haven't started looking, I cannot get the url to work using plain either anyway, it might be a moot point.

Thanks!
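
An added example, not part of the original issue and not oio-sds code: one way a client could upgrade stored plain-http rawx URLs to https when the TLS port cannot be derived from the plaintext port, using an explicit endpoint map and refusing to fall back to plaintext. The function name, the exception, the map and all addresses and ports are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping (hypothetical hosts/ports): plaintext rawx endpoint
# -> TLS endpoint of the same service. Nothing here comes from oio-sds.
TLS_ENDPOINTS = {
    ("10.0.0.11", 6201): ("10.0.0.11", 6251),
    ("10.0.0.12", 6201): ("10.0.0.12", 6251),
}


class NoTlsEndpoint(Exception):
    """A stored http URL has no known https counterpart."""


def upgrade_chunk_url(url, tls_endpoints=TLS_ENDPOINTS, require_tls=True):
    """Return the https form of a chunk URL stored 'as is' in the directory.

    The TLS port is looked up, never guessed. With require_tls=True an
    unmapped http URL raises instead of being used in plaintext, which is
    the behaviour a 'only encrypted traffic between networks' policy needs.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url  # already encrypted, keep the stored URL untouched
    if parts.scheme != "http":
        raise ValueError("unsupported scheme: %r" % parts.scheme)

    key = (parts.hostname, parts.port or 80)
    target = tls_endpoints.get(key)
    if target is None:
        if require_tls:
            raise NoTlsEndpoint(url)
        return url  # mixed plain/encrypted deployment: caller opted in

    host, port = target
    if ":" in host:  # IPv6 literal needs brackets in the netloc
        host = "[%s]" % host
    netloc = host if port == 443 else "%s:%d" % (host, port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The `require_tls=False` path models the mixed plain/encrypted deployment mentioned above; the default fails closed.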
