[ceph-users] Re: Public RGW access without any LB in front?

2022-09-19 Thread Casey Bodley
hi Boris, it looks like your other questions have been covered but
i'll snipe this one:

On Fri, Sep 16, 2022 at 7:55 AM Boris Behrens  wrote:
>
> How good is it handling bad HTTP requests, sent by an attacker?)

rgw relies on the boost.beast library to parse these http requests.
that library has had ongoing security reviews:
https://www.boost.org/doc/libs/1_79_0/libs/beast/doc/html/beast/quick_start/security_review_bishop_fox.html

a strict http parser can protect against a lot of known attacks. that
doesn't mean rgw won't do bad things interpreting valid requests, but
i don't think proxies help with those kinds of bugs either

___
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
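As an added illustration of Casey's point about strict HTTP parsing, here is a minimal strict HTTP/1.1 request-head parser in Python. It is example code written for this page, not rgw or boost.beast code, and it shows the kind of malformations a strict parser refuses outright (bare CR/LF, whitespace before a header colon, obsolete line folding, a missing or duplicated Host header, and conflicting or duplicated Content-Length/Transfer-Encoding fields) rather than guessing at what the sender meant. All names, limits and sample requests below are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical strict HTTP/1.1 request-head parser (example code, not rgw or
# boost.beast). Limits and sample requests are constructed for illustration.

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")    # RFC 9110 tchar set
FIELD_VALUE = re.compile(rb"^[\t \x21-\x7e\x80-\xff]*$")  # no CR, LF or NUL
MAX_HEAD_BYTES = 8192   # assumed limit; real servers make this configurable
MAX_HEADERS = 100       # assumed limit


class BadRequest(ValueError):
    """Raised for any request head a strict parser must reject."""


@dataclass
class RequestHead:
    method: bytes
    target: bytes
    version: bytes
    headers: list = field(default_factory=list)  # (lower-cased name, value)

    def get_all(self, name: bytes):
        return [v for n, v in self.headers if n == name.lower()]


def parse_request_head(raw: bytes) -> RequestHead:
    if len(raw) > MAX_HEAD_BYTES:
        raise BadRequest("request head too large")
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise BadRequest("incomplete request head")
    lines = raw[:end].split(b"\r\n")
    # After splitting on CRLF, any remaining CR or LF is a bare one: reject it.
    if any(b"\n" in line or b"\r" in line for line in lines):
        raise BadRequest("bare CR or LF in request head")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    if not TOKEN.match(method):
        raise BadRequest("invalid method token")
    if not target or any(c < 0x21 or c == 0x7F for c in target):
        raise BadRequest("invalid request target")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise BadRequest("unsupported HTTP version")
    head = RequestHead(method, target, version)
    for line in lines[1:]:
        if len(head.headers) >= MAX_HEADERS:
            raise BadRequest("too many header fields")
        if line[:1] in (b" ", b"\t"):
            raise BadRequest("obsolete line folding")  # obs-fold is not accepted
        name, sep, value = line.partition(b":")
        # A space before the colon makes the name fail the token check.
        if not sep or not TOKEN.match(name):
            raise BadRequest("invalid header field name")
        value = value.strip(b" \t")
        if not FIELD_VALUE.match(value):
            raise BadRequest("invalid header field value")
        head.headers.append((name.lower(), value))
    # Framing checks: ambiguity here is what lenient parsers get wrong.
    if version == b"HTTP/1.1" and len(head.get_all(b"host")) != 1:
        raise BadRequest("HTTP/1.1 requires exactly one Host header")
    cls = head.get_all(b"content-length")
    if cls and head.get_all(b"transfer-encoding"):
        raise BadRequest("Content-Length together with Transfer-Encoding")
    if len(set(cls)) > 1 or any(not c.isdigit() for c in cls):
        raise BadRequest("conflicting or non-numeric Content-Length")
    return head


# Constructed sample inputs: one well-formed head and several malformed ones.
GOOD = b"GET /bucket/key HTTP/1.1\r\nHost: rgw.example.test\r\n\r\n"
BAD = {
    "bare_lf": b"GET / HTTP/1.1\nHost: a\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.1\r\nHost : a\r\n\r\n",
    "obs_fold": b"GET / HTTP/1.1\r\nHost: a\r\n folded\r\n\r\n",
    "cl_and_te": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\n"
              b"Content-Length: 5\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
}


def rejected(raw: bytes) -> bool:
    """True when the strict parser refuses the request head."""
    try:
        parse_request_head(raw)
        return False
    except BadRequest:
        return True
```

Running `rejected()` over `BAD` shows every constructed malformation refused while `GOOD` parses to a single Host header; the framing checks at the end are the ones that matter most when a parser sits directly on the public side, since a proxy in front would otherwise be the component expected to normalise them.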


[ceph-users] Re: Public RGW access without any LB in front?

2022-09-19 Thread Tobias Urdin
I was assuming it had to do with scaling; of course there are multiple ways to do it.
Personally I don’t find scaling that way reasonable, but that’s a design decision; that way you would still have some control to do traffic engineering.

On 19 Sept 2022, at 10:23, Konstantin Shalygin  wrote:

Hi,

On 19 Sep 2022, at 10:38, Tobias Urdin  wrote:

Why not scaleout HAproxy by adding multiple ones and use a TCP load balancer
in front of multiple HAproxy instances or use BGP ECMP routing directly to split
load between multiple HAproxy?

Because you can do this without "TCP load balancer in front of multiple 
HAproxy" and without HAproxy?


k



[ceph-users] Re: Public RGW access without any LB in front?

2022-09-19 Thread Konstantin Shalygin
Hi,

> On 19 Sep 2022, at 10:38, Tobias Urdin  wrote:
> 
> Why not scaleout HAproxy by adding multiple ones and use a TCP load balancer
> in front of multiple HAproxy instances or use BGP ECMP routing directly to 
> split
> load between multiple HAproxy?

Because you can do this without "TCP load balancer in front of multiple 
HAproxy" and without HAproxy?


k


[ceph-users] Re: Public RGW access without any LB in front?

2022-09-19 Thread Konstantin Shalygin
Hi,

Actually rgw can handle SSL traffic, and updating certs is just a restart of the service. For the client it will be a reset of the connection; the client will make a new one.

We have used the keepalived DR method for RGWs for years.
The only bottleneck in this setup is input traffic, limited by the LB. This can also be scaled via another LB, e.g. if you need more public IPs, or by changing LB ports from 10G to 25/40G.


k
Sent from my iPhone

> On 16 Sep 2022, at 14:56, Boris Behrens  wrote:
> 
> Hi,
> does anyone have experience with having the RGW daemons directly handle
> the public traffic, without any LB or so in front?
> 
> We are thinking to ditch the HAproxy. It handles SSL termination, load
> balancing (only RR) and stuff like this, but because of the nature of the
> setup we only get 6-8 GBit traffic through it.
> 
> Then we thought to put the HAProxy directly on RGW hosts (which are also
> mon, mgr and OSD hosts) and hope to get more bandwidth through it (remove
> one network hop, more power than some virtualized VM).
> 
> And now we are discussing just to remove the haproxy, and have the RGW
> processes handle it directly.
> I am a bit scared this might be a bad idea (can it handle SSL updates well,
> without killing active connections? Does nonlocal bind work if we move IP
> addresses between the three hosts via keepalived? How good is it handling
> bad HTTP requests, sent by an attacker?)
> 
> Does anyone have experience with it and can share some insights?
> 
> Cheers
> Boris
> 
> -- 
> The "UTF-8 problems" self-help group will, as an exception, meet in the
> large hall this time.
