Hey Casey, all,

On 16/06/2023 17:00, Casey Bodley wrote:
>> But when applying a bucket policy with aws:SourceIp it seems to only work if I set the internal IP of the HAProxy instance, not the public IP of the client.
>> So the actual remote address is NOT used in my case.
>> Did I miss any config setting anywhere?
>
> your 'rgw remote addr param' config looks right. with that same
> config, i was able to set a bucket policy that denied access based on

I found the issue. Embarrassingly it was simply a NAT-Hairpin which was
applied to the traffic from the server I was testing with.
In short: Even though I targeted the public IP from the HAProxy instance
the internal IP address of my test server was maintained as source since
both machines are on the same network segment.
That is why I first thought the LB IP was applied to the policy, but not
the actual public source IP of the client. In reality it was simply the
private, RFC1918, IP of the test machine that came in as source.
Sorry for the noise and thanks for your help.
Christian
P.S. With IPv6, this would not have happened.
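
An added example, not part of the original message or of Ceph's code: a small evaluator for the `aws:SourceIp` condition discussed in this thread, showing how a test from a host on the same segment as the proxy ends up checking a private address against the policy. The policy, bucket name and addresses are constructed, and the address the gateway saw is assumed to be known (for instance from its request log).

```python
import ipaddress
import json

# Constructed sample policy: allow reads only from one public range.
# 203.0.113.0/24 is a documentation range; the bucket name is hypothetical.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
  }]
}
""")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def source_ip_matches(statement, addr):
    """Evaluate the IpAddress / NotIpAddress aws:SourceIp conditions of one statement."""
    ip = ipaddress.ip_address(addr)
    cond = statement.get("Condition", {})

    def in_any(values):
        if isinstance(values, str):  # a single CIDR may be given as a bare string
            values = [values]
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)

    ok = True
    if "aws:SourceIp" in cond.get("IpAddress", {}):
        ok = ok and in_any(cond["IpAddress"]["aws:SourceIp"])
    if "aws:SourceIp" in cond.get("NotIpAddress", {}):
        ok = ok and not in_any(cond["NotIpAddress"]["aws:SourceIp"])
    return ok

def diagnose(policy, seen_addr, expected_public_addr):
    """Compare the address the gateway saw with the one the tester expected."""
    stmt = policy["Statement"][0]
    ip = ipaddress.ip_address(seen_addr)
    return {
        "seen_matches": source_ip_matches(stmt, seen_addr),
        "expected_matches": source_ip_matches(stmt, expected_public_addr),
        # A private source on a request aimed at the public IP points to a
        # hairpinned test client rather than a policy or proxy misconfiguration.
        "seen_is_rfc1918": any(ip in n for n in RFC1918),
    }
```

When `seen_is_rfc1918` is true while `expected_matches` is true, repeat the test from a host outside the proxy's network segment before changing the policy or the proxy configuration.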