Re: RGW accessing real source IP address of a client (e.g. in S3 bucket policies)

On Fri, Jun 16, 2023 at 2:55 AM Christian Rohmann
<christian.rohmann@xxxxxxxxx> wrote:
>
> On 15/06/2023 15:46, Casey Bodley wrote:
>
>   * In case of HTTP via headers like "X-Forwarded-For". This is
> apparently supported only for logging the source in the "rgw ops log" ([1])?
> Or is this info used also when evaluating the source IP condition within
> a bucket policy?
>
> yes, the aws:SourceIp condition key does use the value from
> X-Forwarded-For when present
>
> I have an HAProxy in front of the RGWs which has "option forwardfor" set to add the "X-Forwarded-For" header.
>
> Then the RGWs have "rgw remote addr param = http_x_forwarded_for" set, according to https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param
>
> and I also see remote_addr properly logged within the rgw ops log.
>
> But when applying a bucket policy with aws:SourceIp it seems to only work if I set the internal IP of the HAProxy instance, not the public IP of the client.
> So the actual remote address is NOT used in my case.
>
> Did I miss any config setting anywhere?
>
> Regards and thanks for your help
>
> Christian
>

Your 'rgw remote addr param' config looks right. With that same
config, I was able to set a bucket policy that denied access based on
that X-Forwarded-For header:

$ cat bucketpolicy.json
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::testbucket",
                "arn:aws:s3:::testbucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "127.0.0.1"
                }
            }
        }
    ]
}
$ s3cmd mb s3://testbucket
$ s3cmd setpolicy bucketpolicy.json s3://testbucket
$ s3cmd --add-header=X-Forwarded-For:127.0.0.2 put bucketpolicy.json s3://testbucket
upload: 'bucketpolicy.json' -> 's3://testbucket/bucketpolicy.json'  [1 of 1]
 489 of 489   100% in    0s    42.95 KB/s  done
$ s3cmd --add-header=X-Forwarded-For:127.0.0.1 put bucketpolicy.json s3://testbucket
upload: 'bucketpolicy.json' -> 's3://testbucket/bucketpolicy.json'  [1 of 1]
 489 of 489   100% in    0s    11.08 KB/s  done
ERROR: S3 error: 403 (AccessDenied)
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
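The test above also shows the security-relevant side of rgw_remote_addr_param: once RGW is told to take the source address from X-Forwarded-For, whoever is able to set that header decides which address the aws:SourceIp condition sees, and in the test it was s3cmd itself, not a proxy. Two things follow for a deployment like Christian's: RGW must only be reachable through the proxy, and the proxy must overwrite (or otherwise sanitise) the header rather than append a client-supplied value to it. The following Python is an added illustration, not code from Ceph, RGW or this thread, and it does not claim to reproduce RGW's own parsing of a multi-valued header. It implements the policy's IpAddress condition over a resolved client address in two ways: a naive resolver that trusts the leftmost header entry (the behaviour the s3cmd test exercised), and a trusted-proxy resolver that walks the X-Forwarded-For chain from the right and skips addresses in an assumed proxy range (TRUSTED_PROXIES, the request cases and the peer address 10.0.0.5 are all constructed for the example).

```python
import ipaddress

# Constructed sample: the Deny-on-aws:SourceIp bucket policy from the thread.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::testbucket", "arn:aws:s3:::testbucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "127.0.0.1"}},
    }],
}

# Assumed for this example: the address range the HAProxy instances connect from.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_forwarded_for(header):
    """Split an X-Forwarded-For value into hops; leftmost is the first hop."""
    return [h.strip() for h in (header or "").split(",") if h.strip()]


def naive_client_ip(peer_ip, xff_header):
    """Trust the header blindly: whatever the sender wrote wins over the TCP peer."""
    hops = parse_forwarded_for(xff_header)
    return hops[0] if hops else peer_ip


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Trusted-proxy resolution: walk the chain (header hops plus the TCP peer)
    from the right, skipping known proxies; the first untrusted address is the
    client. Returns None when no decision can be made (malformed entry, or
    every hop is a trusted proxy), so callers can fail closed."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    for hop in reversed(parse_forwarded_for(xff_header) + [peer_ip]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(ip in net for net in trusted):
            return str(ip)
    return None


def source_ip_matches(values, client_ip):
    """aws:SourceIp match: each value is a single address (implicit /32 or /128)
    or a CIDR block; a string or a list of strings is accepted."""
    if isinstance(values, str):
        values = [values]
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def policy_denies(policy, client_ip):
    """True if a Deny statement's IpAddress condition matches the client, or if
    the client address could not be established at all (fail closed)."""
    if client_ip is None:
        return True
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        if "aws:SourceIp" in cond and source_ip_matches(cond["aws:SourceIp"], client_ip):
            return True
    return False


def compare(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Policy decision for one request under both resolution strategies."""
    return {
        "naive": policy_denies(POLICY, naive_client_ip(peer_ip, xff_header)),
        "trusted_proxy": policy_denies(
            POLICY, resolve_client_ip(peer_ip, xff_header, trusted_proxies)),
    }


if __name__ == "__main__":
    # Constructed requests: the two uploads from the thread as seen behind a
    # proxy, then two cases where the header value did not come from the proxy.
    cases = [
        ("proxy forwards client 127.0.0.2", "10.0.0.5", "127.0.0.2"),
        ("proxy forwards client 127.0.0.1", "10.0.0.5", "127.0.0.1"),
        ("client 127.0.0.1 sends its own header, proxy appends", "10.0.0.5", "127.0.0.2, 127.0.0.1"),
        ("client 127.0.0.1 reaches RGW without the proxy", "127.0.0.1", "127.0.0.2"),
    ]
    for label, peer, xff in cases:
        print(f"{label}: {compare(peer, xff)}")
```

In the first two cases both resolvers agree with the s3cmd run in the thread (127.0.0.2 passes, 127.0.0.1 is denied). In the last two the naive resolver lets the denied client through because it uses the header value the client chose, while the trusted-proxy resolver ignores any entry to the left of the proxy's own and falls back to the TCP peer when no trusted proxy is in the path. An HAProxy "option forwardfor" that appends to an existing header corresponds to the third case; a deployment where the header is evaluated on the naive model needs the proxy to replace the header instead, and needs RGW to be unreachable except via the proxy.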



