On Fri, Jun 16, 2023 at 2:55 AM Christian Rohmann
<christian.rohmann(a)inovex.de> wrote:
> On 15/06/2023 15:46, Casey Bodley wrote:
> > > * In case of HTTP via headers like "X-Forwarded-For". This is
> > > apparently supported only for logging the source in the "rgw ops log" ([1])?
> > > Or is this info used also when evaluating the source IP condition within
> > > a bucket policy?
> > Yes, the aws:SourceIp condition key does use the value from
> > X-Forwarded-For when present.
>
> I have an HAProxy in front of the RGWs which has
> "option forwardfor" set to add the "X-Forwarded-For" header.
> Then the RGWs have "rgw remote addr param = http_x_forwarded_for" set,
> according to
> https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr…
> and I also see remote_addr properly logged within the rgw ops log.
>
> But when applying a bucket policy with aws:SourceIp it seems to only work if I set the
> internal IP of the HAProxy instance, not the public IP of the client.
> So the actual remote address is NOT used in my case.
>
> Did I miss any config setting anywhere?
>
> Regards and thanks for your help
>
> Christian
Your 'rgw remote addr param' config looks right. With that same
config, I was able to set a bucket policy that denied access based on
that X-Forwarded-For header:
$ cat bucketpolicy.json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::testbucket",
        "arn:aws:s3:::testbucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "127.0.0.1"
        }
      }
    }
  ]
}
$ s3cmd mb s3://testbucket
$ s3cmd setpolicy bucketpolicy.json s3://testbucket
$ s3cmd --add-header=X-Forwarded-For:127.0.0.2 put bucketpolicy.json s3://testbucket
upload: 'bucketpolicy.json' -> 's3://testbucket/bucketpolicy.json' [1 of 1]
 489 of 489   100% in 0s    42.95 KB/s  done
$ s3cmd --add-header=X-Forwarded-For:127.0.0.1 put bucketpolicy.json s3://testbucket
upload: 'bucketpolicy.json' -> 's3://testbucket/bucketpolicy.json' [1 of 1]
 489 of 489   100% in 0s    11.08 KB/s  done
ERROR: S3 error: 403 (AccessDenied)
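The test above also shows the caveat that matters for a proxied deployment: the client itself set X-Forwarded-For, and the gateway evaluated it. If RGW is reachable without going through HAProxy, or if the proxy leaves a client-supplied header in place, aws:SourceIp can be chosen by the requester. The following Python is an added example, not Ceph's or Casey's code, and it does not describe how RGW actually parses the header. It models the two things a practitioner wants to check separately: which address a hardened evaluator should treat as the source (honour X-Forwarded-For only when the TCP peer is a trusted proxy, and take the right-most hop that is not itself a proxy), and what the posted Deny policy then decides. The policy, the proxy address 10.0.0.5 and the client addresses in 203.0.113.0/24 and 198.51.100.0/24 are constructed for the example. The same model reproduces Christian's symptom: with no trusted proxy the only address the policy can ever match is HAProxy's.

```python
import fnmatch
import ipaddress

# Constructed sample: same shape as the policy posted in the thread, an explicit
# Deny of s3:* on testbucket when aws:SourceIp matches one of the listed ranges.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPDeny",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::testbucket", "arn:aws:s3:::testbucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["127.0.0.1", "203.0.113.0/24"]}},
    }],
}


def effective_source_ip(peer_ip, headers, trusted_proxies):
    """Pick the address to evaluate as aws:SourceIp.

    Hypothetical trust rule (what a hardened deployment needs, not RGW's own
    behaviour): honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the hop list from the right and skip trusted proxies, so a hop the
    client forged (which an appending proxy leaves on the left) can never win.
    """
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in n for n in nets)

    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if xff is None or not trusted(peer):
        return peer                      # no trusted proxy in front of us: peer is the client
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # unparsable header: trust none of it
        if not trusted(ip):
            return ip
    return peer                          # every hop was a proxy; fall back to the peer


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ip_condition(cond, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; other keys are ignored."""
    ok = True
    for op, want_hit in (("IpAddress", True), ("NotIpAddress", False)):
        cidrs = _as_list(cond.get(op, {}).get("aws:SourceIp", []))
        if not cidrs:
            continue
        hit = any(source_ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        ok = ok and (hit == want_hit)
    return ok


def policy_effect(policy, action, resource, source_ip):
    """Return 'Deny', 'Allow' or 'NoMatch' for one request against a bucket policy.

    Only what the thread uses is modelled: Action/Resource globs and the
    source-IP condition. An explicit Deny wins over any Allow.
    """
    effects = set()
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _ip_condition(st.get("Condition", {}), source_ip):
            continue
        effects.add(st["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"


def simulate_put(peer_ip, headers, trusted_proxies, policy=DENY_POLICY):
    """Decision for PutObject on testbucket/bucketpolicy.json from a given peer."""
    src = effective_source_ip(peer_ip, headers, trusted_proxies)
    return policy_effect(policy, "s3:PutObject", "arn:aws:s3:::testbucket/bucketpolicy.json", src)


if __name__ == "__main__":
    # Casey's two requests from localhost, header honoured because 127.0.0.1 is trusted.
    print(simulate_put("127.0.0.1", {"X-Forwarded-For": "127.0.0.2"}, ["127.0.0.1/32"]))
    print(simulate_put("127.0.0.1", {"X-Forwarded-For": "127.0.0.1"}, ["127.0.0.1/32"]))
    # Client 203.0.113.7 bypassing the proxy and forging the header: still denied.
    print(simulate_put("203.0.113.7", {"X-Forwarded-For": "198.51.100.9"}, ["10.0.0.5/32"]))
```

The cases worth running against a real deployment are the last two in the test: a client that reaches RGW directly with a forged header, and a client behind HAProxy that sends its own X-Forwarded-For so the proxy's value is appended after it. In both, the address the policy sees must be the one HAProxy observed, which is only true if RGW is not reachable except through the proxy and the proxy never passes a client-supplied value through as the only hop.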