Re: Generated signurl is accessible from restricted IPs in bucket policy


 



Hello Robin,

Thanks a lot for the response! This is my first time posting, I did not get a notification that it was accepted to be posted and missed your email.
Coming back to your question, the solution was to set up the policies of the buckets as described here: <https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html>.


From: Robin H. Johnson <robbat2@xxxxxxxxxx>
Date: Friday, 10 February 2023 at 06:57
To: ceph-users@xxxxxxx <ceph-users@xxxxxxx>
Subject:  Re: Generated signurl is accessible from restricted IPs in bucket policy
On Wed, Feb 08, 2023 at 03:07:20PM -0000, Aggelos Toumasis wrote:
> Hi there,
>
> We noticed after creating a signurl that the bucket resources were
> accessible from IPs that were originally restricted from accessing
> them (using a bucket policy).  Using the s3cmd utility we confirmed
> that the Policy is correctly applied and you can access it only for
> the allowed IPs.
>
> Is this an expected behavior or do we miss something?
Can you share the bucket policy?

Also, are you using some reverse proxy in front of RGW, and if so:
are both the proxy & RGW configured for the correct headers to agree on
the actual source IP?

IIRC depending on how the policy is written, you have either of:
- presigned URL || IP-check
- presigned URL && IP-check

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@xxxxxxxxxx
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
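
The "presigned URL || IP-check" versus "presigned URL && IP-check" distinction from the reply above, as an added example that is not part of the original thread and not the poster's policy (which was never shown). It uses a simplified model of S3-style policy evaluation (an explicit Deny always wins; a presigned URL carries the signer's own access); the bucket name, address range and the `evaluate` helper are assumptions made for illustration.

```python
import ipaddress

ALLOWED = "203.0.113.0/24"            # constructed sample range (TEST-NET-3)
RES = "arn:aws:s3:::examplebucket/*"  # hypothetical bucket name

# Allow-only: grants access to the listed range but restricts nobody who
# already has access, so a presigned URL works from any address (OR).
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": RES,
    "Condition": {"IpAddress": {"aws:SourceIp": ALLOWED}}}]}

# Explicit Deny for every other address: this also binds the URL signer,
# so the presigned URL works only from the allowed range (AND).
DENY_OTHERS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
    "Resource": RES,
    "Condition": {"NotIpAddress": {"aws:SourceIp": ALLOWED}}}]}


def condition_matches(cond, source_ip):
    """True if every condition operator in the statement matches source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for op, keys in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not modelled here: {op}")
        inside = ip in ipaddress.ip_network(keys["aws:SourceIp"])
        if (op == "IpAddress") != inside:
            return False
    return True


def evaluate(policy, source_ip, signer_allowed):
    """Simplified decision for one GetObject request.

    signer_allowed: True for a presigned URL created by a user who already
    has access (for example the bucket owner), False for an anonymous request.
    """
    allowed = signer_allowed
    for st in policy["Statement"]:
        if not condition_matches(st.get("Condition", {}), source_ip):
            continue
        if st["Effect"] == "Deny":
            return False          # an explicit Deny overrides any Allow
        allowed = True
    return allowed
```

If a reverse proxy sits in front of RGW, the address the policy sees is whatever RGW is configured to trust from the proxy headers, so both have to agree before either policy behaves as modelled here.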


