KB450270 – Configuring Ceph RGW to use SSL with HAProxy

Last modified: May 18, 2021

Configuring Ceph RGW to use SSL with HAProxy


This article walks through the process of configuring Ceph RGW to use SSL with the HAProxy load balancer.


  • Ceph cluster running either Nautilus (v14) or Octopus (v15)
  • RGW gateways configured and operating
  • ceph-ansible-45d version 1.4.2 or greater


Obtain SSL Certificate

Run these commands on the ansible master node.

When generating the Certificate Signing Request (CSR) you will need to answer the questions as they are relevant to your environment. It helps to gather this information before starting. More information on what is required can be found here: Generating CSR with openssl.

In the examples below, mydomain is used as a placeholder; use your own domain instead.

If you already have an SSL certificate in .crt format, skip to step (4). If you already have an SSL certificate in .pem format, skip to step (5).

  1. Generate a unique private key (KEY)
    1. [root@vosd1 ceph-ansible]# openssl genrsa -out mydomain.key 2048
  2. Generate a Certificate Signing Request (CSR)
    1. [root@vosd1 ceph-ansible]# openssl req -new -key mydomain.key -out mydomain.csr
      - At this point there are two options: using a self-signed certificate, or registering with a third-party certificate authority.
      This doc will continue with the self-signed route. If registering with a third party, once you receive your .crt start the process again at step (4).
  3. Creating a Self-Signed Certificate (CRT)
    1. [root@vosd1 ceph-ansible]# openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
  4. Concatenate KEY and CRT to create PEM file for haproxy
    1. [root@vosd1 ceph-ansible]# cat mydomain.key mydomain.crt > mydomain.pem
  5. Copy PEM to each RGW
    1. [root@vosd1 ceph-ansible]# ssh rgw1 "mkdir -p /etc/ssl/private/" && scp mydomain.pem rgw1:/etc/ssl/private/
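
A pre-flight check for the PEM built in step 4, to run before it is copied to the RGWs in step 5. This is an added example, not part of the original article or of ceph-ansible-45d; the function names are illustrative, mydomain.pem is the article's placeholder, and the openssl CLI is assumed to be available on the ansible master node:

```bash
#!/usr/bin/env bash
# Added example: sanity checks for a key+certificate PEM intended for HAProxy.
# Function names are illustrative; pass the bundle path as the first argument.

# Exactly one private key and at least one certificate must be present.
# A bundle that was concatenated onto itself shows up here as 2 keys.
pem_structure_ok() {
    local keys certs
    keys=$(grep -Ec '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$1" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    [ "$keys" -eq 1 ] || { echo "FAIL: $keys private keys in $1 (want 1)" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate in $1" >&2; return 1; }
}

# The file holds the private key, so group and others must have no access.
pem_mode_ok() {
    local perms
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ] || { echo "FAIL: $1 is accessible beyond its owner (chmod 600)" >&2; return 1; }
}

# The certificate must carry the public half of the bundled private key.
pem_key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

check_haproxy_pem() {
    pem_structure_ok "$1" && pem_mode_ok "$1" || return 1
    pem_key_matches_cert "$1" || { echo "FAIL: key and certificate in $1 do not match" >&2; return 1; }
    echo "OK: $1"
}

if [ "$#" -gt 0 ]; then check_haproxy_pem "$1"; fi
```
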

Configure Ansible Variables

With the pem generated and placed on the rgws, we are going to configure the ansible variables so we can run the load balancer playbook.

Run the commands below from the ansible master

  1. Create a [rgwloadbalancers] group in hosts file, and add your rgw gateways to it.
  2. [root@vosd1 ceph-ansible]# cp group_vars/rgwloadbalancers.yml.sample group_vars/rgwloadbalancers.yml
  3. Open the group_vars/rgwloadbalancers.yml for editing
  4. Uncomment all variables. An explanation of the ones which should be changed is below:
    haproxy_frontend_port: When not using SSL this is the port the S3 service is accessible from
    haproxy_frontend_ssl_port: When using SSL this is the port the S3 service
    haproxy_frontend_ssl_certificate: The path to the SSL cert local to the RGW server. This is the path to the .pem file we created above
    virtual_ips: The IPs haproxy will use as the floating IPs. Multiple entries are supported; it is recommended not to use more IPs than rgws.
    virtual_ip_netmask: The netmask for the virtual IPs above
    virtual_ip_interface: The interface that will host the VIP

Deploy HAProxy with Ansible

With the pem generated and placed on the rgws, and the ansible variables configured, we are now ready to deploy HAProxy

[root@vosd1 ceph-ansible]# ansible-playbook radosgw-lb.yml

If using ceph-ansible-45d version = 1.4.2, the command to run the load balancer playbook is:

[root@vosd1 ceph-ansible]# ansible-playbook radosgwloadbalancer.yml


  • Point your browser to one of the VIPs at the SSL port specified. If you are met with the following, everything is working correctly. Note that if you used the self-signed cert, you will be met with a warning page first.


  • The .pem format should look like the following (the keys will obviously be different for each person, but the headings and format should look like below)