On Thu, Jun 15, 2023 at 7:23 AM Christian Rohmann <christian.rohmann@xxxxxxxxx> wrote: > > Hello Ceph-Users, > > context or motivation of my question is S3 bucket policies and other > cases using the source IP address as condition. > > I was wondering if and how RadosGW is able to access the source IP > address of clients if receiving their connections via a loadbalancer / > reverse proxy like HAProxy. > So naturally that is where the connection originates from in that case, > rendering a policy based on IP addresses useless. > > Depending on whether the connection balanced as HTTP or TCP there are > two ways to carry information about the actual source: > > * In case of HTTP via headers like "X-Forwarded-For". This is > apparently supported only for logging the source in the "rgw ops log" ([1])? > Or is this info used also when evaluating the source IP condition within > a bucket policy? yes, the aws:SourceIp condition key does use the value from X-Forwarded-For when present > > * In case of TCP loadbalancing, there is the proxy protocol v2. This > unfortunately seems not even supposed by the BEAST library which RGW uses. > I opened feature requests ... > > ** https://tracker.ceph.com/issues/59422 > ** https://github.com/chriskohlhoff/asio/issues/1091 > ** https://github.com/boostorg/beast/issues/2484 > > but there is no outcome yet. > > > Regards > > > Christian > > > [1] > https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param > _______________________________________________ > ceph-users mailing list -- ceph-users@xxxxxxx > To unsubscribe send an email to ceph-users-leave@xxxxxxx _______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
 |