SUSE Support

IpAddress condition of an RGW bucket policy doesn't work for access via ha-proxy

This document (000019874) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Enterprise Storage 6
SUSE Enterprise Storage 7

Situation

An IpAddress access condition of an RGW bucket policy, for example configured as

"Condition" : {
  "IpAddress" : {
    "aws:SourceIp": [ "192.0.2.0/24" ]
  }
}


does not match for access via an HTTP load balancing proxy.

Resolution

Because the RGW receives the request from the proxy, aws:SourceIp is by default the address of the proxy, not that of the client. If all requests are handled by the proxy (i.e., no direct requests to RGW), adding
  rgw remote addr param = HTTP_X_FORWARDED_FOR
to the [client.rgw.INSTANCE] section in ceph.conf and then restarting the RGW changes the semantics of aws:SourceIp so that it contains the value of the specified HTTP header, in this case HTTP_X_FORWARDED_FOR.

As an alternative, access control can also be implemented by proxy configuration.
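
A proxy-side sketch covering both options above, added here as an example and not part of the original SUSE article: the first rule makes HAProxy supply the header that RGW reads, the second enforces the source range at the proxy itself. The frontend and backend names, the bucket name restricted-bucket and the RGW address are constructed placeholders, and path-style bucket URLs are assumed.

```haproxy
# Added example (not from the SUSE article). Frontend/backend names, the
# bucket name and the RGW address are constructed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend rgw_in
    bind :80

    # Option 1: let RGW evaluate the bucket policy (needs
    # "rgw remote addr param = HTTP_X_FORWARDED_FOR" in ceph.conf).
    # set-header replaces any X-Forwarded-For value that arrived with the
    # request, so RGW only sees the TCP peer address HAProxy observed.
    # "option forwardfor" would instead append to an existing header.
    http-request set-header X-Forwarded-For %[src]

    # Option 2: enforce the source range at the proxy instead.
    # Assumes path-style bucket URLs (/bucket/key).
    acl restricted_bucket path     /restricted-bucket
    acl restricted_bucket path_beg /restricted-bucket/
    acl allowed_src       src      192.0.2.0/24
    http-request deny if restricted_bucket !allowed_src

    default_backend rgw_out

backend rgw_out
    # RGW should accept connections only from this proxy, matching the
    # article's "no direct requests to RGW" precondition.
    server rgw1 127.0.0.1:7480 check
```

The file can be syntax-checked with haproxy -c -f FILE before the proxy is reloaded.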

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000019874
  • Creation Date: 11-Feb-2021
  • Modified Date: 16-Feb-2021
  • Product: SUSE Enterprise Storage
