[openstack-dev] openstack swift as a cache proxy for nginx, swift proxy report 401 error when authenticate

Linpeimin linpeimin at hisilicon.com
Thu Mar 3 01:16:52 UTC 2016

I am trying to find a way to use Openstack swift to cache static file for a web server such as nginx, the below are request step:

1.        nginx is configured as a load balance proxy server and web server.

2.        There are several swift , suppose there are 2, that is swift-A,swift-B ,swift-A is control node,and swift-B is storage node

3.        client send a request to nginx for url: http://domain.com/filename.txt

4.        nginx received the request and it is a cache miss, it need to fetch the content from SWIFT proxy server,

5.        nginx send a request to swift proxy server for authentication, the url looks like http://swift-proxy/auth-account, account information is set in header, the response from swift proxy server contains a auth-token for that account if authentication success.

6.        then nginx use this auth-token and put it in a new request header, and send the new request to the swift proxy server for the original request content, there could be a map between client request url to the swift proxy url, for example, /filename.txt --> /account/container/filename.txt, so the new request url could be http://swift-proxy/account/container/filename.txt,plus the auth-token.

7.        swift proxy server response the content to nginx, then nginx cache the content and pass the response to the client.

I have search for the answer on the internet, and referent this solution: https://forum.nginx.org/read.php?2,250458,250463#msg-250463

Then ,I change my nginx configuration like this:

server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
            auth_request /auth/v1.0;
        location /auth/v1.0 {
                proxy_pass_request_body off;
                proxy_set_header Content-Length "";
                proxy_set_header X-Original-URI $request_uri;

Port 80 is for nginx,port 8080 is for swift, both can work independently, but after I change the configuration ,use chrome browser enter:10.67. 247.21,it just not working like what I expect, swift proxy return 401 error, swift proxy logs report like this :

Mar  1 20:43:48 localhost journal: proxy-logging 01/Mar/2016/20/43/48 GET /auth/v1.0 HTTP/1.0 401 - Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36 - - 131 - txbfc24355780143568445c4ddf5d774e3 - 0.0003 -
Mar  1 20:43:48 localhost journal: tempauth - 01/Mar/2016/20/43/48 GET /auth/v1.0 HTTP/1.0 401 - Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36 - - - - txbfc24355780143568445c4ddf5d774e3 - 0.0007

I don't know does it matter if I use a chrome browser to send request to swift ,it looks like some unrecognized char are include in the request which is nginx send to swift. while I use curl command to send request, it works fine, like this :

[root at localhost ~]# curl -v -H 'X-Storage-User: service:swift' -H 'X-Storage-Pass:swift '
*   Trying
* Connected to ( port 8080 (#0)
> GET /auth/v1.0 HTTP/1.1
> Host:
> User-Agent: curl/7.47.1
> Accept: */*
> X-Storage-User: service:swift
> X-Storage-Pass:swift
< HTTP/1.1 200 OK
< X-Storage-Url:
< X-Auth-Token: AUTH_tk4f2eaa45b35c47b4ab0b955710cce6da
< Content-Type: text/html; charset=UTF-8
< X-Storage-Token: AUTH_tk4f2eaa45b35c47b4ab0b955710cce6da
< Content-Length: 0
< X-Trans-Id: tx3b90f2a8a3284f52951cc80ca41f104a
< Date: Tue, 01 Mar 2016 21:10:50 GMT
* Connection #0 to host left intact

It seems swift cannot recognize the request from my nginx which has configed with an addictional module named ngx_http_auth_request_module. Maybe nginx was not passes right user and password to swift. Or shouldn't I use the chrome browser to visit swift through nginx proxy.

Below is my swift proxy-server.conf:


bind_port = 8080
bind_ip =

workers = 1

user = swift

log_facility = LOG_LOCAL1

eventlet_debug = true


pipeline = catch_errors healthcheck proxy-logging cache tempurl ratelimit tempauth staticweb  proxy-logging proxy-server


use = egg:swift#catch_errors
set log_name = cache_errors


use = egg:swift#healthcheck
set log_name = healthcheck


use = egg:swift#proxy_logging
set log_name = proxy-logging


use = egg:swift#ratelimit
set log_name = ratelimit


use = egg:swift#crossdomain
set log_name = crossdomain


use = egg:swift#tempurl
set log_name = tempurl

use = egg:swift#tempauth
set log_name = tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
user_service_swift = swift .admin


use = egg:swift#staticweb
set log_name = staticweb


use = egg:swift#memcache
set log_name = memcache


use = egg:swift#proxy
set log_name = proxy
allow_account_management = true

account_autocreate = true

I have no idea for the 401 error occurred and how to solve this question.Are there some configuration error in my swift or nginx configuration file?

Thanks for your time,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160303/7b3d93df/attachment.html>

More information about the OpenStack-dev mailing list