On Wed, Feb 08, 2023 at 03:07:20PM -0000, Aggelos Toumasis wrote:
> Hi there,
> We noticed after creating a signurl that the bucket resources were
> accessible from IPs that were originally restricted from accessing
> them (using a bucket policy). Using the s3cmd utility we confirmed
> that the Policy is correctly applied and you can access it only for
> the allowed IPs.
> Is this an expected behavior or are we missing something?

Can you share the bucket policy?
Also, are you using some reverse proxy in front of RGW, and if so:
are both the proxy & RGW configured for the correct headers to agree on
the actual source IP.
IIRC, depending on how the policy is written, you have either of:
- presigned URL || IP-check
- presigned URL && IP-check
--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2(a)gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
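
The two outcomes listed in the reply above, as an added example that is not part of the original thread and is not RGW's code: a simplified model of S3-style policy evaluation. It assumes an explicit Deny overrides any Allow and that a presigned request is evaluated with the rights of the signing user (here the bucket owner); the bucket name, CIDR, and function names are constructed.

```python
import ipaddress

# Constructed sample policies; bucket name and CIDR are placeholders.
# Shape 1: Allow limited to a CIDR. It grants anonymous access from that
# range but takes nothing away from a request signed by the owner.
ALLOW_ONLY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}}]}

# Shape 2: Deny everything outside the CIDR. This also blocks signed requests.
DENY_OUTSIDE = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}}]}


def in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(cond, source_ip):
    # Only the two IP operators on aws:SourceIp are modelled here.
    for op, kv in cond.items():
        hit = in_cidrs(source_ip, kv["aws:SourceIp"])
        if op == "IpAddress" and not hit:
            return False
        if op == "NotIpAddress" and hit:
            return False
    return True


def is_allowed(policy, source_ip, signed_by_owner):
    """Assumed evaluation order: explicit Deny wins, then any Allow.

    signed_by_owner=True stands for a valid presigned URL from the owner;
    False stands for an anonymous request.
    """
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_matches(s.get("Condition", {}), source_ip)}
    if "Deny" in effects:
        return False
    return "Allow" in effects or signed_by_owner
```

With the first shape a presigned URL works from any address the proxy/RGW reports as the source; with the second it works only from inside the CIDR.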