From: Marcus Watts Date: Wed, 23 Mar 2016 21:32:14 +0000 (-0400) Subject: rgw: Document that radosgw now supports SSL. X-Git-Tag: v12.0.0~269^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d4e72dfed30274b3cfbad4ac58c0746a98c0148b;p=ceph.git rgw: Document that radosgw now supports SSL. This includes information on file format and configuration file syntax. Signed-off-by: Marcus Watts --- diff --git a/doc/install/install-ceph-gateway.rst b/doc/install/install-ceph-gateway.rst index 17cebc9c9398..91252207dc65 100644 --- a/doc/install/install-ceph-gateway.rst +++ b/doc/install/install-ceph-gateway.rst @@ -83,9 +83,8 @@ your administration server. Add a section entitled ``[client.rgw.]``, replacing ```` with the short node name of your Ceph Object Gateway node (i.e., ``hostname -s``). -.. note:: In version 0.94, the Ceph Object Gateway does not support SSL. You - may setup a reverse proxy web server with SSL to dispatch HTTPS - requests as HTTP requests to CivetWeb. +.. note:: As of version 11.0.1, the Ceph Object Gateway **does** support SSL. + See `Using SSL with Civetweb`_ for information on how to set that up. For example, if your node name is ``gateway-node1``, add a section like this after the ``[global]`` section:: 
@@ -145,6 +144,28 @@ execute the following as the ``root`` user:: iptables-save > /etc/iptables/rules.v4 +Using SSL with Civetweb +----------------------- +.. _Using SSL with Civetweb: + +Before using SSL with civetweb, you will need a certificate that will match +the host name that that will be used to access the Ceph Object Gateway. +You may wish to obtain one that has `subject alternate name` fields for +more flexibility. If you intend to use S3-style subdomains +(`Add Wildcard to DNS`_), you will need a `wildcard` certificate. + +Civetweb requires that the server key, server certificate, and any other +CA or intermediate certificates be supplied in one file. Each of these +items must be in `pem` form. Because the combined file contains the +secret key, it should be protected from unauthorized access. + +To configure ssl operation, append ``s`` to the port number. Currently +it is not possible to configure the radosgw to listen on both +http and https, you must pick only one. So:: + + [client.rgw.gateway-node1] + rgw_frontends = civetweb port=443s ssl_certificate=/etc/ceph/private/keyandcert.pem + Migrating from Apache to Civetweb --------------------------------- @@ -267,6 +288,7 @@ Where ``client.rgw.ceph-client`` is the name of the gateway user. Add Wildcard to DNS ------------------- +.. _Add Wildcard to DNS: To use Ceph with S3-style subdomains (e.g., bucket-name.domain-name.com), you need to add a wildcard to the DNS record of the DNS server you use with the
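Review bot: In the first hunk (the ".. note::" at line 83 of install-ceph-gateway.rst), the replacement note removes the reverse-proxy guidance outright, so readers still running a release older than 11.0.1 lose the only documented way to put HTTPS in front of CivetWeb. Consider keeping one sentence for earlier versions, such as "Earlier versions need a reverse proxy web server with SSL in front of CivetWeb." The bold "**does**" also only makes sense to someone who remembers the old 0.94 note; plain "supports SSL" reads better in the finished document.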
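Review bot: In the new "Using SSL with Civetweb" section (second hunk), "it should be protected from unauthorized access" is too vague for a file that holds the server's private key. Say concretely who needs to read it, for example that the combined file should be owned by the user radosgw runs as and not be readable by group or others. The section also says the key, server certificate and CA or intermediate certificates go "in one file" without giving the order they should appear in, which is worth stating. Minor points: "that that will be used" has a doubled word, "http and https, you must pick only one" is a comma splice, and `subject alternate name`, `wildcard` and `pem` use single backticks, which reST treats as interpreted text rather than the double-backtick literal style used elsewhere in this file.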
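Review bot: In the last hunk, "+.. _Add Wildcard to DNS:" sits below the section title and its underline, where it labels the following paragraph rather than the heading, and its name duplicates the implicit target that reST already creates from the section title. The reference `Add Wildcard to DNS`_ resolves to the heading without it, so either drop the explicit target or move it to its own line above the title with a blank line after it. The same applies to "+.. _Using SSL with Civetweb:" in the previous hunk.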