Openstack swift as a cache proxy for nginx, swift proxy report 401 error when authenticate

hello, everybody.

I am trying to find a way to use Openstack swift to cache static file
for a
web server such as nginx, the below are request step:

  1. nginx is configured as a load balance proxy server and web server.
  2. There are several swift , suppose there are 2, that is
    swift-A,swift-B
    ,swift-A is control node,and swift-B is storage node
  3. client send a request to nginx for url:
    http://domain.com/filename.txt
  4. nginx received the request and it is a cache miss, it need to fetch
    the
    content from SWIFT proxy server,
  5. nginx send a request to swift proxy server for authentication, the
    url
    looks like http://swift-proxy/auth-account, account information is set
    in
    header, the response from swift proxy server contains a auth-token for
    that
    account if authentication success.
  6. then nginx use this auth-token and put it in a new request header,
    and
    send the new request to the swift proxy server for the original request
    content, there could be a map between client request url to the swift
    proxy
    url, for example, /filename.txt → /account/container/filename.txt, so
    the
    new request url could be
    http://swift-proxy/account/container/filename.txt,plus the auth-token.
  7. swift proxy server response the content to nginx, then nginx cache
    the
    content and pass the response to the client.

I have search for the answer on the internet, and referent this
solution:

Then ,I change my nginx configuration like this:

server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
auth_request /auth/v1.0;
}
location /auth/v1.0 {
proxy_pass http://192.168.1.1:8080;
proxy_pass_request_body off;
proxy_set_header Content-Length “”;
proxy_set_header X-Original-URI $request_uri;
}
}

Port 80 is for nginx,port 8080 is for swift, both can work
independently,
but after I change the configuration ,use chrome browser enter:10.67.
247.21,it just not working like what I expect, swift proxy return 401
error,
swift proxy logs report like this :

Mar 1 20:43:48 localhost journal: proxy-logging 192.168.1.1 192.168.1.1
01/Mar/2016/20/43/48 GET /auth/v1.0 HTTP/1.0 401 -
Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36

    • 131 - txbfc24355780143568445c4ddf5d774e3 - 0.0003 -
      Mar 1 20:43:48 localhost journal: tempauth - 192.168.1.1
      01/Mar/2016/20/43/48 GET /auth/v1.0 HTTP/1.0 401 -
      Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36
        • txbfc24355780143568445c4ddf5d774e3 - 0.0007

I don’t know does it matter if I use a chrome browser to send request to
swift ,it looks like some unrecognized char are include in the request
header .while I use shell command to send request, it works fine, like
this
:

[root@localhost ~]# curl -v -H ‘X-Storage-User: service:swift’ -H
'X-Storage-Pass:swift ’ http://192.168.1.1:8080/auth/v1.0

  • Trying 192.168.1.1…
  • Connected to 192.168.1.1 (192.168.1.1) port 8080 (#0)

GET /auth/v1.0 HTTP/1.1
Host: 192.168.1.1:8080
User-Agent: curl/7.47.1
Accept: /
X-Storage-User: service:swift
X-Storage-Pass:swift

< HTTP/1.1 200 OK
< X-Storage-Url: http://192.168.1.1:8080/v1/AUTH_service
< X-Auth-Token: AUTH_tk4f2eaa45b35c47b4ab0b955710cce6da
< Content-Type: text/html; charset=UTF-8
< X-Storage-Token: AUTH_tk4f2eaa45b35c47b4ab0b955710cce6da
< Content-Length: 0
< X-Trans-Id: tx3b90f2a8a3284f52951cc80ca41f104a
< Date: Tue, 01 Mar 2016 21:10:50 GMT
<

  • Connection #0 to host 192.168.1.1 left intact

Below is my swift proxy-server.conf:

[DEFAULT]

bind_port = 8080
bind_ip = 192.168.1.1

workers = 1

user = swift

log_facility = LOG_LOCAL1

eventlet_debug = true

[pipeline:main]

pipeline = catch_errors healthcheck proxy-logging cache tempurl
ratelimit
tempauth staticweb proxy-logging proxy-server

[filter:catch_errors]

use = egg:swift#catch_errors
set log_name = cache_errors

[filter:healthcheck]

use = egg:swift#healthcheck
set log_name = healthcheck

[filter:proxy-logging]

use = egg:swift#proxy_logging
set log_name = proxy-logging

[filter:ratelimit]

use = egg:swift#ratelimit
set log_name = ratelimit

[filter:crossdomain]

use = egg:swift#crossdomain
set log_name = crossdomain

[filter:tempurl]

use = egg:swift#tempurl
set log_name = tempurl

[filter:tempauth]
use = egg:swift#tempauth
set log_name = tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
user_service_swift = swift .admin

[filter:staticweb]

use = egg:swift#staticweb
set log_name = staticweb

[filter:cache]

use = egg:swift#memcache
set log_name = memcache

[app:proxy-server]

use = egg:swift#proxy
set log_name = proxy
allow_account_management = true

account_autocreate = true

I have no idea for the 401 error occurred and how to solve this
question.Are
there some configuration error in my swift or nginx configuration file?

Thanks for your time,
Amy

Posted at Nginx Forum:

Hi Amy,

On 02/03/16 03:19, AmyAmy wrote:

hello, everybody.

I have search for the answer on the internet, and referent this solution:
Re: Does nginx support openstack swift API?

Then ,I change my nginx configuration like this:

             proxy_pass_request_body off;
             proxy_set_header Content-Length "";
             proxy_set_header X-Original-URI $request_uri;
     }

}

[trimmed much of the email]

Have you tried looking at your swift logs when NGINX passes on the
request? I suspect this will give a good indication as to what is wrong.

In addition you probably need to set the following, although I’m
uncertain as to whether it will fix your problem:

proxy_http_version 1.1

Kind Regards

Andrew H. (LinuxJedi)
Technical Product Manager, NGINX Inc.

Hi Amy,

I suggest trying to talk to the Swift community. If you can’t get any
more information than that out of the Swift logs it is going to be
difficult for you to determine what it is actually looking for.

In general though you probably shouldn’t be using a web browser to talk
to an OpenStack API.

Kind Regards
Andrew

On 02/03/16 09:44, AmyAmy wrote:

Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36

txc35cdcf0cc6f4d938e57772da694352a - 0.0015 -
Best,
Amy

Posted at Nginx Forum:
Nginx Forum :: Nginx Mailing List - English


nginx mailing list
[email protected]
nginx Info Page


Andrew H. (LinuxJedi)
Technical Product Manager, NGINX Inc.

Thanks for answer.
As my swift server is serverd as a proxy server, I can look at swift
proxy-server’s log which I have mention on my post, it report like this
:

Mar 1 20:43:48 localhost journal: proxy-logging 192.168.1.1 192.168.1.1
01/Mar/2016/20/43/48 GET /auth/v1.0 HTTP/1.0 401 -
Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36

    • 131 - txbfc24355780143568445c4ddf5d774e3 - 0.0003 -
      Mar 1 20:43:48 localhost journal: tempauth - 192.168.1.1
      01/Mar/2016/20/43/48 GET /auth/v1.0 HTTP/1.0 401 -
      Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36
        • txbfc24355780143568445c4ddf5d774e3 - 0.0007

It seems there are some unrecognized char are contained in the request
which nginx send to swift server .while I use curl command to send
request,
it works fine, swift server log report like this :

Mar 1 18:38:44 localhost journal: proxy-server 192.168.1.1 192.168.1.1
01/Mar/2016/18/38/44 GET /auth/v1.0 HTTP/1.0 200 - curl/7.47.1 - - - -
txc35cdcf0cc6f4d938e57772da694352a - 0.0015 -
Mar 1 18:38:44 localhost journal: proxy-server - 192.168.1.1
01/Mar/2016/18/38/44 GET /auth/v1.0 HTTP/1.0 200 - curl/7.47.1 - - - -
txc35cdcf0cc6f4d938e57772da694352a - 0.0020

It seems swift cannot recognize the request from my nginx which has
configed
with an addictional module named ngx_http_auth_request_module. Maybe
nginx
was not passes right user and password to swift, but i have no idea
which
way to figure it out.

Best,
Amy

Posted at Nginx Forum: