Hello Ceph-Users,
The context or motivation of my question is S3 bucket policies and other
cases using the source IP address as condition.
I was wondering if and how RadosGW is able to access the source IP
address of clients if receiving their connections via a loadbalancer /
reverse proxy like HAProxy.
So naturally that is where the connection originates from in that case,
rendering a policy based on IP addresses useless.
Depending on whether the connection is balanced as HTTP or TCP there are
two ways to carry information about the actual source:
* In case of HTTP via headers like "X-Forwarded-For". This is
apparently supported only for logging the source in the "rgw ops log" ([1])?
Or is this info used also when evaluating the source IP condition within
a bucket policy?
* In case of TCP loadbalancing, there is the proxy protocol v2. This
unfortunately seems not even supported by the BEAST library which RGW uses.
I opened feature requests ...
** https://tracker.ceph.com/issues/59422
** https://github.com/chriskohlhoff/asio/issues/1091
** https://github.com/boostorg/beast/issues/2484
but there is no outcome yet.
Regards
Christian
[1]
https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param
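
As an added illustration that is not part of the original post (and is not RGW, Beast or HAProxy code): a minimal sketch of how a backend can recover the client address from a PROXY protocol v2 header while only honoring it from a known load balancer. The names `parse_proxy_v2`, `build_sample` and `TRUSTED_PROXIES`, the 10.0.0.0/29 proxy range and all sample addresses are assumptions constructed for this example.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
# Constructed allow-list: only the load balancer may assert a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def parse_proxy_v2(data, peer_ip):
    """Return (client_ip, client_port, header_len); peer_ip is the TCP peer."""
    if not data.startswith(SIGNATURE):
        return peer_ip, None, 0  # no header: the TCP peer is the client
    if not any(ipaddress.ip_address(peer_ip) in n for n in TRUSTED_PROXIES):
        # Anyone can send these bytes; trusting them would spoof the source IP.
        raise ValueError("PROXY header from untrusted peer")
    if len(data) < 16:
        raise ValueError("truncated header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY protocol version 2")
    if len(data) < 16 + length:
        raise ValueError("truncated address block")
    command = ver_cmd & 0x0F
    if command == 0:  # LOCAL: connection made by the proxy itself
        return peer_ip, None, 16 + length
    if command != 1:  # only PROXY (1) carries a forwarded address
        raise ValueError("unknown command")
    family = fam_proto >> 4
    body = data[16:16 + length]
    if family == 1 and length >= 12:    # AF_INET: 4+4 address bytes, 2+2 ports
        src, sport = body[0:4], body[8:10]
    elif family == 2 and length >= 36:  # AF_INET6: 16+16 address bytes, 2+2 ports
        src, sport = body[0:16], body[32:34]
    else:
        raise ValueError("unsupported address family")
    client_ip = str(ipaddress.ip_address(src))
    return client_ip, struct.unpack("!H", sport)[0], 16 + length


def build_sample():
    """Constructed TCP4 header: 203.0.113.7:51234 -> 10.0.0.10:443."""
    return (SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
            + ipaddress.ip_address("203.0.113.7").packed
            + ipaddress.ip_address("10.0.0.10").packed
            + struct.pack("!HH", 51234, 443)
            + b"GET / HTTP/1.1\r\n")
```

The returned `header_len` tells the caller how many bytes to strip before handing the stream to the HTTP parser.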