
I've got a slightly strange situation where I need to proxy S3 (yes, I know, I know, not ideal, performance, etc).

The issue is the buckets need to be restricted to a select number of client IPs, and the list of IPs is already going to be in the bucket's profile.

When proxying, however, S3 doesn't seem to take an X-Forwarded-For or X-Real-IP header.

Can this even be done? Alternatively, is there a way for Nginx to read either the policy, or maybe a text file containing the IPs inside the bucket before allowing access?

Sk446
  • Proxying through EC2 to S3 has perfectly valid use cases, so disregard the naysayers. S3 will ignore `X-Forwarded-For` or any other similar header, by design, because it's examining the IP address of the connecting TCP peer. Anybody can set any value for a header, making a test of headers useless. Why would you not just configure the bucket to allow access from the proxy's IP, then [configure nginx](https://www.nginx.com/resources/admin-guide/restricting-access/) with the necessary ACLs? Reading the bucket policy or a file from the bucket seems messy. Perhaps you can clarify your motivation? – Michael - sqlbot Sep 03 '16 at 05:08
  • Thanks for the reply. The motivation was admittedly to avoid having to store the IPs on nginx configs as they're already on S3's policy list. What you said makes perfect sense though. Looks like I've got some IPs to move :) – Sk446 Sep 03 '16 at 08:26
  • LOL, well, sorry... Nginx [does support](https://www.nginx.com/resources/wiki/start/topics/examples/full/) an `include` directive, so you could put this specific configuration in a file, store it in the bucket, and update it with curl in the initscript whenever you reload the server config... or you could *probably* even use [Lua](https://github.com/openresty/lua-nginx-module#readme) to do on-demand lookups, from S3, or a database, or wherever... I'm not saying "don't try it," just that you don't want to come up with a solution whose fragility-to-coolness ratio is too high. – Michael - sqlbot Sep 03 '16 at 23:32
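
One way to keep the IP list in a single place, as discussed in the comments above: generate the nginx `allow`/`deny` lines for an `include` file from the bucket policy itself. This is an added example, not code from the thread. It assumes the policy restricts access with an `Allow` statement carrying an `IpAddress` / `aws:SourceIp` condition; the sample policy and bucket name are constructed, and fetching the policy document is left out.

```python
import ipaddress
import json

# Constructed sample bucket policy (not from the original thread).
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.7"]}}
  }]
}
"""


def allowed_networks(policy_json):
    """Collect the aws:SourceIp networks from Allow statements of a bucket policy."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    networks = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        # Condition key names are case-insensitive in IAM policies.
        for key, value in cond.items():
            if key.lower() != "aws:sourceip":
                continue
            values = [value] if isinstance(value, str) else value
            for v in values:
                # Raises ValueError unless v is an IP/CIDR, so junk never reaches nginx.
                net = ipaddress.ip_network(v, strict=False)
                if net not in networks:
                    networks.append(net)
    return networks


def nginx_acl(policy_json):
    """Render an nginx include file; with no networks it contains only 'deny all;'."""
    lines = [f"allow {net};" for net in allowed_networks(policy_json)]
    return "\n".join(lines + ["deny all;"]) + "\n"


if __name__ == "__main__":
    print(nginx_acl(SAMPLE_POLICY), end="")
```

Write the output to the file named in the `include` directive and check the result with `nginx -t` before reloading, so a bad policy fetch cannot replace a working ACL.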
