Merge pull request ceph#63080 from bluikko/doc-caching-improvements-radosgw

zdover23 · web-flow · commit a05c9d71edbd · 2025-07-14T19:50:42.000+10:00
doc/radosgw: Improve rgw-cache.rst

Reviewed-by: Anthony D'Atri &lt;anthony.datri@gmail.com&gt;
Reviewed-by: Zac Dover &lt;zac.dover@proton.me&gt;
diff --git a/doc/radosgw/rgw-cache.rst b/doc/radosgw/rgw-cache.rst
@@ -1,6 +1,6 @@
-==========================
-RGW Data caching and CDN
-==========================
+========================
+RGW Data Caching and CDN
+========================
 
 .. versionadded:: Octopus
 
@@ -9,148 +9,142 @@ RGW Data caching and CDN
 This feature adds to RGW the ability to securely cache objects and offload the workload from the cluster, using Nginx.
 After an object is accessed the first time it will be stored in the Nginx cache directory.
 When data is already cached, it need not be fetched from RGW. A permission check will be made against RGW to ensure the requesting user has access.
-This feature is based on some Nginx modules, ngx_http_auth_request_module, https://github.com/kaltura/nginx-aws-auth-module, Openresty for Lua capabilities.
+This feature is based on the Nginx modules ``ngx_http_auth_request_module`` and `nginx-aws-auth-module <https://github.com/kaltura/nginx-aws-auth-module>`_, and OpenResty for Lua capabilities.
 
-Currently, this feature will cache only AWSv4 requests (only s3 requests), caching-in the output of the 1st GET request
-and caching-out on subsequent GET requests, passing thru transparently PUT,POST,HEAD,DELETE and COPY requests.
+Currently this feature will cache only AWSv4 requests (only S3 requests), caching-in the output of the first GET request
+and caching-out on subsequent GET requests, passing through transparently PUT,POST,HEAD,DELETE and COPY requests.
 
 
 The feature introduces 2 new APIs: Auth and Cache.
 
-    NOTE: The `D3N RGW Data Cache`_ is an alternative data caching mechanism implemented natively in the RADOS Gateway.
+.. note:: The `D3N RGW Data Cache`_ is an alternative data caching mechanism implemented natively in the RADOS Gateway.
 
 New APIs
--------------------------
+--------
 
 There are 2 new APIs for this feature:
 
-Auth API - The cache uses this to validate that a user can access the cached data
-
-Cache API - Adds the ability to override securely Range header, that way Nginx can use it is own smart cache on top of S3:
-https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/
-Using this API gives the ability to read ahead objects when clients asking a specific range from the object.
-On subsequent accesses to the cached object, Nginx will satisfy requests for already-cached ranges from the cache. Uncached ranges will be read from RGW (and cached).
+- **Auth API:** The cache uses this to validate that a user can access the cached data.
+- **Cache API:** Adds the ability to override securely ``Range`` header so that Nginx can use its own `smart cache <https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/>`_ on top of S3.
+  Using this API gives the ability to read ahead objects when client is asking a specific range from the object.
+  On subsequent accesses to the cached object, Nginx will satisfy requests for already-cached ranges from the cache. Uncached ranges will be read from RGW (and cached).
 
 Auth API
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~
 
-This API Validates a specific authenticated access being made to the cache, using RGW's knowledge of the client credentials and stored access policy.
+This API validates a specific authenticated access being made to the cache, using RGW's knowledge of the client credentials and stored access policy.
 Returns success if the encapsulated request would be granted.
 
 Cache API
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~
 
-This API is meant to allow changing signed Range headers using a privileged user, cache user.
+This API is meant to allow changing signed ``Range`` headers using a privileged cache user.
 
-Creating cache user
+Creating the cache user:
 
-::
+.. prompt:: bash #
+
+   radosgw-admin user create --uid=<uid for cache user> --display-name="cache user" --caps="amz-cache=read"
+
+This user can send to the RGW the Cache API header ``X-Amz-Cache``. This header contains the headers from the original request (before changing the ``Range`` header):
 
-$ radosgw-admin user create --uid=<uid for cache user> --display-name="cache user" --caps="amz-cache=read"
+- Original headers are separated from each other by a character with ASCII code 177 decimal.
+- Each original header and its value are separated by a character with ASCII code 178 decimal.
 
-This user can send to the RGW the Cache API header ``X-Amz-Cache``, this header contains the headers from the original request(before changing the Range header).
-It means that ``X-Amz-Cache`` built from several headers.
-The headers that are building the ``X-Amz-Cache`` header are separated by char with ASCII code 177 and the header name and value are separated by char ASCII code 178.
-The RGW will check that the cache user is an authorized user and if it is a cache user,
-if yes it will use the ``X-Amz-Cache`` to revalidate that the user has permissions, using the headers from the X-Amz-Cache.
-During this flow, the RGW will override the Range header.
+The RGW will check that the user is an authorized user and that the value is a cache user.
+If both checks succeed it will use the ``X-Amz-Cache`` to revalidate that the user has permissions, using the original headers stored in the ``X-Amz-Cache`` header.
+During this flow the RGW will override the ``Range`` header.
 
 
 Using Nginx with RGW
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------
 
-Download the source of Openresty:
+Download the source of OpenResty:
 
-::
+.. prompt:: bash $
 
-$ wget https://openresty.org/download/openresty-1.15.8.3.tar.gz
+   wget https://openresty.org/download/openresty-1.15.8.3.tar.gz
 
-git clone the AWS auth Nginx module:
+Use git to clone the Nginx AWS authentication module:
 
-::
+.. prompt:: bash $
 
-$ git clone https://github.com/kaltura/nginx-aws-auth-module
+   git clone https://github.com/kaltura/nginx-aws-auth-module
 
-untar the openresty package:
+Untar the OpenResty package:
 
-::
+.. prompt:: bash $
 
-$ tar xvzf openresty-1.15.8.3.tar.gz
-$ cd openresty-1.15.8.3
+   tar xvzf openresty-1.15.8.3.tar.gz
+   cd openresty-1.15.8.3
 
-Compile openresty, Make sure that you have pcre lib and openssl lib:
+Compile OpenResty, make sure that you have ``pcre`` library and ``openssl`` library:
 
-::
+.. prompt:: bash $
 
-$ sudo yum install pcre-devel openssl-devel gcc curl zlib-devel nginx
-$ ./configure --add-module=<the nginx-aws-auth-module dir> --with-http_auth_request_module --with-http_slice_module --conf-path=/etc/nginx/nginx.conf
-$ gmake -j $(nproc)
-$ sudo gmake install
-$ sudo ln -sf /usr/local/openresty/bin/openresty /usr/bin/nginx
+   sudo yum install pcre-devel openssl-devel gcc curl zlib-devel nginx
+   ./configure --add-module=<the nginx-aws-auth-module dir> --with-http_auth_request_module --with-http_slice_module --conf-path=/etc/nginx/nginx.conf
+   gmake -j $(nproc)
+   sudo gmake install
+   sudo ln -sf /usr/local/openresty/bin/openresty /usr/bin/nginx
 
 Put in-place your Nginx configuration files and edit them according to your environment:
 
-All Nginx conf files are under:
+Example Nginx configuration files are available at
 https://github.com/ceph/ceph/tree/main/examples/rgw/rgw-cache
 
-`nginx.conf` should go to `/etc/nginx/nginx.conf`
+- ``nginx.conf`` should go to ``/etc/nginx/nginx.conf``.
+- ``nginx-lua-file.lua`` should go to ``/etc/nginx/nginx-lua-file.lua``.
+- ``nginx-default.conf`` should go to ``/etc/nginx/conf.d/nginx-default.conf``.
 
-`nginx-lua-file.lua` should go to `/etc/nginx/nginx-lua-file.lua`
+The parameters that are most likely to require adjustment according to the environment are located in the file ``nginx-default.conf``.
 
-`nginx-default.conf` should go to `/etc/nginx/conf.d/nginx-default.conf`
-
-The parameters that are most likely to require adjustment according to the environment are located in the file `nginx-default.conf`
-
-Modify the example values of *proxy_cache_path* and *max_size* at:
+Modify the example values of ``proxy_cache_path`` and ``max_size`` at:
 
 ::
 
  proxy_cache_path /data/cache levels=2:2:2 keys_zone=mycache:999m max_size=20G inactive=1d use_temp_path=off;
 
 
-And modify the example *server* values to point to the RGWs URIs:
+And modify the example ``server`` values to point to the RGWs URIs:
 
 ::
 
  server rgw1:8000 max_fails=2 fail_timeout=5s;
  server rgw2:8000 max_fails=2 fail_timeout=5s;
  server rgw3:8000 max_fails=2 fail_timeout=5s;
 
-| It is important to substitute the *access key* and *secret key* located in the `nginx.conf` with those belong to the user with the `amz-cache` caps
-| for example, create the `cache` user as following:
-
-::
-
- radosgw-admin user create --uid=cacheuser --display-name="cache user" --caps="amz-cache=read" --access-key <access> --secret <secret>
+| It is important to substitute the *access key* and *secret key* located in the ``nginx.conf`` file with those belonging to the user with the ``amz-cache`` caps.
+| For example, create the cache user as follows:
 
-It is possible to use Nginx slicing which is a better method for streaming purposes.
+.. prompt:: bash #
 
-For using slice you should use `nginx-slicing.conf` and not `nginx-default.conf`
+   radosgw-admin user create --uid=cacheuser --display-name="cache user" --caps="amz-cache=read" --access-key <access> --secret <secret>
 
-Further information about Nginx slicing:
+It is possible to use `Nginx slicing <https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/#byte-range-caching>`_ which is suitable for streaming purposes.
 
-https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/#byte-range-caching
+To enable slicing you should use ``nginx-slicing.conf`` instead of ``nginx-default.conf``.
 
 
-If you do not want to use the prefetch caching, It is possible to replace `nginx-default.conf` with `nginx-noprefetch.conf`
-Using `noprefetch` means that if the client is sending range request of 0-4095 and then 0-4096 Nginx will cache those requests separately, So it will need to fetch those requests twice.
+If you do not want to use prefetch caching, it is possible to replace ``nginx-default.conf`` with ``nginx-noprefetch.conf``.
+If prefetch caching is disabled Nginx will cache each range request separately and possible overlap in the range requests will be fetched more than once. For example, if a client is sending a range request of 0-4095 and then 0-4096 both requests are fetched completely from RGW.
 
 
-Run Nginx(openresty):
+Run Nginx (OpenResty):
 
-::
+.. prompt:: bash #
 
-$ sudo systemctl restart nginx
+   systemctl restart nginx
 
 Appendix
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-**A note about performance:** In certain instances like development environment, disabling the authentication by commenting the following line in `nginx-default.conf`:
+--------
+
+**A note about performance:** In certain instances such as a development environment, disabling authentication may (depending on the hardware) increase performance significantly as it forgoes auth API calls to RADOS Gateway.
+This can be done by commenting the following line in ``nginx-default.conf``:
 
 ::
 
  #auth_request /authentication;
 
-may (depending on the hardware) increases the performance significantly as it forgoes the auth API calls to radosgw.
-
 
 .. _D3N RGW Data Cache: ../d3n_datacache/
