To secure the object storage:
Use a private (V)LAN network segment for your storage nodes in the data domain.
Configure each Object Storage service to run under a non-root service account, for example, the username swift with the primary group swift.
The Object Storage architecture uses either a single proxy node or multiple proxy nodes, optionally behind a load balancer. Every proxy node should have at least two interfaces: public and private. Set up a firewall to protect the public interface on a proxy node. The public-facing service on the proxy node is an HTTP web server that handles endpoint client requests, authenticates them, and performs the appropriate action. The private interface establishes outgoing connections to storage nodes on the private storage network.
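One way to check the first two recommendations against a node's configuration, as an added example that is not part of the original page or of the Object Storage project: it audits the user and bind_ip options in the [DEFAULT] section of Swift's server configuration files. The sample configurations, the 10.20.0.0/24 storage segment, and the function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample configs (not from the original page); user and bind_ip
# are the [DEFAULT] options of Swift's *-server.conf files.
SAMPLES = {
    "object-server.conf": "[DEFAULT]\nuser = swift\nbind_ip = 10.20.0.11\n",
    "container-server.conf": "[DEFAULT]\nuser = root\nbind_ip = 10.20.0.11\n",
    "account-server.conf": "[DEFAULT]\nuser = swift\nbind_ip = 0.0.0.0\n",
    "proxy-server.conf": "[DEFAULT]\nuser = swift\nbind_ip = 203.0.113.5\n",
}
STORAGE_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed private storage segment


def audit(name, text, storage_net=STORAGE_NET):
    """Return a list of findings for one Swift server config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # Assumption: an unset user falls back to Swift's default account, swift.
    user = cp.get("DEFAULT", "user", fallback="swift").strip()
    if user in ("root", "0"):
        findings.append(f"{name}: service runs as root (user = {user})")
    # Storage services must listen only on the private storage network;
    # the proxy's public listener is covered by the firewall instead.
    if not name.startswith("proxy-"):
        # Assumption: an unset bind_ip means the wildcard address 0.0.0.0.
        raw = cp.get("DEFAULT", "bind_ip", fallback="0.0.0.0").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{name}: bind_ip {raw!r} is not an IP address")
            return findings
        if addr.is_unspecified:
            findings.append(f"{name}: bind_ip {raw} listens on every interface")
        elif addr not in storage_net:
            findings.append(f"{name}: bind_ip {raw} is outside {storage_net}")
    return findings


def audit_all(configs=SAMPLES):
    """Audit every config, in file-name order, and flatten the findings."""
    return [f for name, text in sorted(configs.items()) for f in audit(name, text)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

On a real node, pass the contents of the files under the Swift configuration directory and the CIDR of your own storage segment.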
See also