For those that are interested, here is the current thing I came up with, which seems to work fine:

* Redirect all HTTP to HTTPS traffic, because SSE requires encrypted traffic
* Set the x-amz-server-side-encryption: AES256 header on PUT and POST operations (multipart uploads require this on the initial POST) when the header is not present (the customer may use SSE-C or SSE-KMS).

It looks like everything is working, except server side copy/move operations (handled here and seems to get some traction now: https://tracker.ceph.com/issues/23264)

frontend radosgw
    bind *:80,[::]:80 v6only
    bind *:443,[::]:443 v6only ssl crt /etc/haproxy/ssl strict-sni alpn h2,http/1.1
    http-request redirect scheme https code 301 unless { ssl_fc }
    ...

backend radosgw
    ...
    # Add sse-s3 header
    acl existing-x-amz-server-side-encryption req.hdr(x-amz-server-side-encryption) -m found
    http-request set-header x-amz-server-side-encryption AES256 if !existing-x-amz-server-side-encryption METH_PUT or !existing-x-amz-server-side-encryption METH_POST
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

On Fri, 6 Jun 2025 at 12:51, Boris <b...@kervyn.de> wrote:
> So, I've tried to set the header in HAProxy, when the customer didn't set
> it on their own and it seems to work fine.
> Currently we don't set it on GET and HEAD requests.
>
> # Add sse-s3 header
> acl existing-x-amz-server-side-encryption req.hdr(x-amz-server-side-encryption) -m found
> http-request set-header x-amz-server-side-encryption AES256 unless existing-x-amz-server-side-encryption or METH_GET
>
> Should I add the header only to PUT requests, or are there more request
> types that need this header?
>
> From my understanding sse-s3 only applies to uploading data, but not to
> policies, multipart listings and so on.
>
> Cheers
> Boris
>
> On Thu, 5 Jun 2025 at 13:18, Boris <b...@kervyn.de> wrote:
>
>> This is a follow up question to the sse-kms thread, because the KMS team
>> is now working on the transit engine and we will POC with openbao.
>>
>> Is there a way to enforce the bucket encryption for every bucket?
>> As I understand it, I need to enable the bucket encryption after
>> creating. If we could enforce that, I could add a header check in the haproxy
>> to make it transparent for the user.
>>
>> cheers
>> Boris
>>
>> --
>> The "UTF-8 problems" self-help group will meet, unusually, in the large hall this time.

_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
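As an added example (not Boris's code and not part of the thread), the following Python model reproduces the decision the HAProxy rules above make and runs it over constructed requests: PUT/POST without x-amz-server-side-encryption receive AES256, requests already carrying the header (SSE-KMS) are left alone, and GET/HEAD are untouched. It also flags one case the ACL does not cover: a request carrying only the SSE-C header x-amz-server-side-encryption-customer-algorithm does not match req.hdr(x-amz-server-side-encryption), so the proxy would add AES256 next to it; how the deployed RGW treats that combination is worth verifying before relying on the rule.

```python
# Added example: a Python model of the HAProxy header-injection rules from the thread.
# It is not HAProxy itself; it reproduces the ACL/condition logic so the rule can be
# exercised against constructed requests before changing the proxy configuration.

SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_ALGO = "x-amz-server-side-encryption-customer-algorithm"


def inject_default_sse(method: str, headers: dict) -> dict:
    """Mirror of:
         acl existing req.hdr(x-amz-server-side-encryption) -m found
         http-request set-header x-amz-server-side-encryption AES256
             if !existing METH_PUT or !existing METH_POST
    Header names are compared case-insensitively, as HAProxy does."""
    out = {k.lower(): v for k, v in headers.items()}
    existing = SSE_HEADER in out                 # the "-m found" ACL
    if not existing and method in ("PUT", "POST"):
        out[SSE_HEADER] = "AES256"               # set-header adds it here
    return out


def review(method: str, headers: dict) -> dict:
    """Return the headers after the proxy plus the resulting encryption mode."""
    after = inject_default_sse(method, headers)
    mode = after.get(SSE_HEADER)
    if SSE_C_ALGO in after and mode is not None:
        # The ACL only inspects x-amz-server-side-encryption, so an SSE-C upload
        # leaves the proxy with both SSE-C and SSE-S3 headers. Check how the
        # deployed RGW handles that combination before relying on the rule.
        mode = "CONFLICT:SSE-C+" + mode
    elif SSE_C_ALGO in after:
        mode = "SSE-C"
    return {"headers": after, "mode": mode}


# Constructed sample requests (method, headers) covering the cases in the thread.
SAMPLES = {
    "put_plain":   ("PUT",  {}),
    "post_mpu":    ("POST", {}),                       # multipart initiate
    "put_kms":     ("PUT",  {"x-amz-server-side-encryption": "aws:kms"}),
    "get_object":  ("GET",  {}),
    "head_object": ("HEAD", {}),
    "put_ssec":    ("PUT",  {"X-Amz-Server-Side-Encryption-Customer-Algorithm": "AES256"}),
}

if __name__ == "__main__":
    for name, (m, h) in SAMPLES.items():
        print(f"{name:12s} -> {review(m, h)['mode']}")
```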