[ceph-users] Re: RGW accessing real source IP address of a client (e.g. in S3 bucket policies)

2023-07-06 Thread Christian Rohmann

Hey Casey, all,

On 16/06/2023 17:00, Casey Bodley wrote:
>> But when applying a bucket policy with aws:SourceIp it seems to only work if I
>> set the internal IP of the HAProxy instance, not the public IP of the client.
>> So the actual remote address is NOT used in my case.
>>
>> Did I miss any config setting anywhere?
>
> your 'rgw remote addr param' config looks right. with that same
> config, i was able to set a bucket policy that denied access based on

I found the issue. Embarrassingly it was simply a NAT hairpin which was
applied to the traffic from the server I was testing with.
In short: even though I targeted the public IP of the HAProxy instance,
the internal IP address of my test server was maintained as source, since
both machines are on the same network segment.
That is why I first thought the LB IP was applied to the policy, but not
the actual public source IP of the client. In reality it was simply the
private (RFC 1918) IP of the test machine that came in as source.




Sorry for the noise and thanks for your help.

Christian


P.S. With IPv6, this would not have happened.



___
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io


[ceph-users] Re: RGW accessing real source IP address of a client (e.g. in S3 bucket policies)

2023-06-16 Thread Casey Bodley
On Fri, Jun 16, 2023 at 2:55 AM Christian Rohmann wrote:
>
> On 15/06/2023 15:46, Casey Bodley wrote:
>
>   * In case of HTTP via headers like "X-Forwarded-For". This is
> apparently supported only for logging the source in the "rgw ops log" ([1])?
> Or is this info used also when evaluating the source IP condition within
> a bucket policy?
>
> yes, the aws:SourceIp condition key does use the value from
> X-Forwarded-For when present
>
> I have an HAProxy in front of the RGWs which has
>
> "option forwardfor" set  to add the "X-Forwarded-For" header.
>
> Then the RGWs have  "rgw remote addr param = http_x_forwarded_for" set,
> according to 
> https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param
>
> and I also see remote_addr properly logged within the rgw ops log.
>
>
>
> But when applying a bucket policy with aws:SourceIp it seems to only work if 
> I set the internal IP of the HAProxy instance, not the public IP of the 
> client.
> So the actual remote address is NOT used in my case.
>
>
> Did I miss any config setting anywhere?
>
>
>
>
> Regards and thanks for your help
>
>
> Christian
>
>

your 'rgw remote addr param' config looks right. with that same
config, i was able to set a bucket policy that denied access based on
that X-Forwarded-For header:

$ cat bucketpolicy.json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::testbucket",
        "arn:aws:s3:::testbucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "127.0.0.1"
        }
      }
    }
  ]
}
$ s3cmd mb s3://testbucket
$ s3cmd setpolicy bucketpolicy.json s3://testbucket
$ s3cmd --add-header=X-Forwarded-For:127.0.0.2 put bucketpolicy.json s3://testbucket
upload: 'bucketpolicy.json' -> 's3://testbucket/bucketpolicy.json'  [1 of 1]
 489 of 489   100% in    0s    42.95 KB/s  done
$ s3cmd --add-header=X-Forwarded-For:127.0.0.1 put bucketpolicy.json s3://testbucket
upload: 'bucketpolicy.json' -> 's3://testbucket/bucketpolicy.json'  [1 of 1]
 489 of 489   100% in    0s    11.08 KB/s  done
ERROR: S3 error: 403 (AccessDenied)
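The evaluation Casey demonstrates above, together with the forged-header risk his `--add-header=X-Forwarded-For` test deliberately exercises and the hairpin case Christian describes at the top of the thread, can be walked through offline. The Python script below is an added example and is not Ceph or RGW code: the rule it uses for when the header is believed (only from a peer in a trusted-proxy set, and then the rightmost entry a proxy appended) is this script's own assumption and not a description of what `rgw_remote_addr_param` does, since RGW simply reads the named header. The second policy, the 10.0.0.0/8 proxy and test-host addresses, and the 203.0.113.0/24 and 192.0.2.99 client addresses are constructed for the example.

```python
"""Simulate how a bucket policy's aws:SourceIp condition behaves behind a
reverse proxy. Added example, not Ceph code: the proxy-trust rule below is
this script's own assumption; RGW itself only reads the header named by
rgw_remote_addr_param."""
import fnmatch
import ipaddress
import json

# Copy of the policy from the thread (127.0.0.1 is explicitly denied).
DENY_LOOPBACK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::testbucket", "arn:aws:s3:::testbucket/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "127.0.0.1"}}
  }]
}""")

# Constructed policy for the production case: deny everything that does not
# arrive from the expected public range (203.0.113.0/24 is a documentation prefix).
DENY_UNLESS_PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsidePublicRange", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::testbucket", "arn:aws:s3:::testbucket/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
  }]
}""")


def effective_source_ip(peer_ip, headers, trusted_proxies):
    """Return the address the policy should be evaluated against.

    Assumed rule (not RGW's): X-Forwarded-For is only believed when the TCP
    peer is a trusted proxy, because any other client could forge it, which
    is exactly what the s3cmd --add-header test in the thread does. When the
    header holds a comma-separated list, the rightmost entry is the one the
    trusted proxy itself appended. The header name is matched exactly here.
    """
    xff = headers.get("X-Forwarded-For") if headers else None
    if xff and peer_ip in trusted_proxies:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # garbage in the header: fall back to the peer address
    return peer_ip


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_matches(source_ip, cidrs):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp."""
    for operator, keys in condition.items():
        if "aws:SourceIp" not in keys:
            continue  # other condition keys are out of scope for this example
        hit = _ip_matches(source_ip, keys["aws:SourceIp"])
        if operator == "IpAddress" and not hit:
            return False
        if operator == "NotIpAddress" and hit:
            return False
    return True


def policy_denies(policy, action, resource, source_ip):
    """True if an explicit Deny statement matches; explicit deny always wins."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatch(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatch(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), source_ip):
            return True
    return False


def evaluate(policy, peer_ip, headers, trusted_proxies, action="s3:PutObject",
             resource="arn:aws:s3:::testbucket/bucketpolicy.json"):
    """Derive the effective source and report (effective_source, denied)."""
    src = effective_source_ip(peer_ip, headers, trusted_proxies)
    return src, policy_denies(policy, action, resource, src)


if __name__ == "__main__":
    # Casey's direct test: the client is also the (trusted) peer on loopback.
    for xff in ("127.0.0.2", "127.0.0.1"):
        print(xff, evaluate(DENY_LOOPBACK_POLICY, "127.0.0.1",
                            {"X-Forwarded-For": xff}, {"127.0.0.1"}))
    # Christian's hairpin: HAProxy (10.0.0.5, constructed) forwards the test
    # host's private address instead of its public one, so the policy denies.
    print(evaluate(DENY_UNLESS_PUBLIC_POLICY, "10.0.0.5",
                   {"X-Forwarded-For": "10.0.0.20"}, {"10.0.0.5"}))
```

Running it reproduces the two loopback uploads from the session above (127.0.0.2 passes, 127.0.0.1 is denied) and the hairpin case in which a private address shows up in the header. The point for a defender sits in `effective_source_ip`: a bucket policy on aws:SourceIp is only as strong as the guarantee that the header RGW reads was set by your own proxy, so RGW should be reachable only through the proxy, and the proxy should strip any client-supplied X-Forwarded-For before adding its own.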


[ceph-users] Re: RGW accessing real source IP address of a client (e.g. in S3 bucket policies)

2023-06-15 Thread Christian Rohmann

On 15/06/2023 15:46, Casey Bodley wrote:
>>    * In case of HTTP via headers like "X-Forwarded-For". This is
>> apparently supported only for logging the source in the "rgw ops log" ([1])?
>> Or is this info used also when evaluating the source IP condition within
>> a bucket policy?
>
> yes, the aws:SourceIp condition key does use the value from
> X-Forwarded-For when present


I have an HAProxy in front of the RGWs which has "option forwardfor" set
to add the "X-Forwarded-For" header.

Then the RGWs have "rgw remote addr param = http_x_forwarded_for" set,
according to
https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param

and I also see remote_addr properly logged within the rgw ops log.



But when applying a bucket policy with aws:SourceIp it seems to only 
work if I set the internal IP of the HAProxy instance, not the public IP 
of the client.

So the actual remote address is NOT used in my case.


Did I miss any config setting anywhere?




Regards and thanks for your help


Christian



[ceph-users] Re: RGW accessing real source IP address of a client (e.g. in S3 bucket policies)

2023-06-15 Thread Yuval Lifshitz
On Thu, Jun 15, 2023 at 4:48 PM Casey Bodley wrote:

> On Thu, Jun 15, 2023 at 7:23 AM Christian Rohmann wrote:
> >
> > Hello Ceph-Users,
> >
> > context or motivation of my question is S3 bucket policies and other
> > cases using the source IP address as condition.
> >
> > I was wondering if and how RadosGW is able to access the source IP
> > address of clients if receiving their connections via a loadbalancer /
> > reverse proxy like HAProxy.
> > So naturally that is where the connection originates from in that case,
> > rendering a policy based on IP addresses useless.
> >
> > Depending on whether the connection is balanced as HTTP or TCP there are
> > two ways to carry information about the actual source:
> >
> >   * In case of HTTP via headers like "X-Forwarded-For". This is
> > apparently supported only for logging the source in the "rgw ops log"
> ([1])?
> > Or is this info used also when evaluating the source IP condition within
> > a bucket policy?
>
> yes, the aws:SourceIp condition key does use the value from
> X-Forwarded-For when present
>
>
maybe use lua scripting to implement your policy based on this HTTP header?
(won't help in the TCP balancer case, as Lua only sees HTTP/S3 level stuff)



> >
> >   * In case of TCP loadbalancing, there is the proxy protocol v2. This
> > unfortunately seems not even supported by the BEAST library which RGW uses.
> >  I opened feature requests ...
> >
> >   ** https://tracker.ceph.com/issues/59422
> >   ** https://github.com/chriskohlhoff/asio/issues/1091
> >   ** https://github.com/boostorg/beast/issues/2484
> >
> > but there is no outcome yet.
> >
> >
> > Regards
> >
> >
> > Christian
> >
> >
> > [1]
> >
> https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param


[ceph-users] Re: RGW accessing real source IP address of a client (e.g. in S3 bucket policies)

2023-06-15 Thread Casey Bodley
On Thu, Jun 15, 2023 at 7:23 AM Christian Rohmann wrote:
>
> Hello Ceph-Users,
>
> context or motivation of my question is S3 bucket policies and other
> cases using the source IP address as condition.
>
> I was wondering if and how RadosGW is able to access the source IP
> address of clients if receiving their connections via a loadbalancer /
> reverse proxy like HAProxy.
> So naturally that is where the connection originates from in that case,
> rendering a policy based on IP addresses useless.
>
> Depending on whether the connection is balanced as HTTP or TCP there are
> two ways to carry information about the actual source:
>
>   * In case of HTTP via headers like "X-Forwarded-For". This is
> apparently supported only for logging the source in the "rgw ops log" ([1])?
> Or is this info used also when evaluating the source IP condition within
> a bucket policy?

yes, the aws:SourceIp condition key does use the value from
X-Forwarded-For when present

>
>   * In case of TCP loadbalancing, there is the proxy protocol v2. This
> unfortunately seems not even supported by the BEAST library which RGW uses.
>  I opened feature requests ...
>
>   ** https://tracker.ceph.com/issues/59422
>   ** https://github.com/chriskohlhoff/asio/issues/1091
>   ** https://github.com/boostorg/beast/issues/2484
>
> but there is no outcome yet.
>
>
> Regards
>
>
> Christian
>
>
> [1]
> https://docs.ceph.com/en/quincy/radosgw/config-ref/#confval-rgw_remote_addr_param