On Thu, Jun 15, 2023 at 4:48 PM Casey Bodley <cbodley@xxxxxxxxxx> wrote:
> On Thu, Jun 15, 2023 at 7:23 AM Christian Rohmann
> <christian.rohmann@xxxxxxxxx> wrote:
> >
> > Hello Ceph-Users,
> >
> > context or motivation of my question is S3 bucket policies and other
> > cases using the source IP address as condition.
> >
> > I was wondering if and how RadosGW is able to access the source IP
> > address of clients if receiving their connections via a loadbalancer /
> > reverse proxy like HAProxy.
> > So naturally that is where the connection originates from in that case,
> > rendering a policy based on IP addresses useless.
> >
> > Depending on whether the connection is balanced as HTTP or TCP there are
> > two ways to carry information about the actual source:
> >
> > * In case of HTTP via headers like "X-Forwarded-For". This is
> > apparently supported only for logging the source in the "rgw ops log" ([1])?
> > Or is this info used also when evaluating the source IP condition within
> > a bucket policy?
>
> yes, the aws:SourceIp condition key does use the value from
> X-Forwarded-For when present
> >

maybe use Lua scripting to implement your policy based on this HTTP header?
(won't help in the TCP balancer case, as Lua only sees HTTP/S3 level stuff)

> >
> > * In case of TCP loadbalancing, there is the proxy protocol v2. This
> > unfortunately seems not even supported by the BEAST library which RGW uses.
> > I opened feature requests ...
> >
> > ** https://tracker.ceph.com/issues/59422
> > ** https://github.com/chriskohlhoff/asio/issues/1091
> > ** https://github.com/boostorg/beast/issues/2484
> >
> > but there is no outcome yet.
> >
> >
> > Regards
> >
> >
> > Christian
> >
> >
> > [1] https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
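
The effect discussed in this thread, as an added Python sketch (not code from RGW or from any poster): an `aws:SourceIp` condition evaluated behind a load balancer with and without X-Forwarded-For. The addresses, the policy range and the `trusted_proxies` parameter are constructed assumptions of this sketch, as is taking the first header entry as the client.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
PROXY = "10.0.0.5"  # load balancer address as seen by the gateway
CONDITION = {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}


def effective_source_ip(peer_addr, headers, trusted_proxies=()):
    """Return the address to evaluate as aws:SourceIp.

    Assumption of this sketch: X-Forwarded-For is honoured only when the TCP
    peer is a known proxy, and its first entry is taken as the client.
    """
    xff = headers.get("X-Forwarded-For", "")
    if peer_addr in trusted_proxies and xff.strip():
        return xff.split(",")[0].strip()
    return peer_addr


def condition_matches(condition, addr):
    """Evaluate an IpAddress condition on aws:SourceIp for one address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr)
               for cidr in condition["IpAddress"]["aws:SourceIp"])


def evaluate(peer_addr, headers, trusted_proxies=()):
    """Combine address selection and condition check for one request."""
    addr = effective_source_ip(peer_addr, headers, trusted_proxies)
    return condition_matches(CONDITION, addr)


if __name__ == "__main__":
    client = {"X-Forwarded-For": "203.0.113.7"}
    # HTTP balancing: the proxy adds the header, the condition sees the client.
    print("http mode:", evaluate(PROXY, client, {PROXY}))
    # TCP balancing without PROXY protocol: no header, every client looks
    # like the proxy, so the IP condition can no longer tell clients apart.
    print("tcp mode :", evaluate(PROXY, {}, {PROXY}))
    # A header on a connection that does not come from the proxy is ignored.
    print("direct   :", evaluate("198.51.100.9", client, {PROXY}))
```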