How to configure StorageGRID to work with IP based for third-party Layer 7 load balancers

Applies to

• StorageGRID Appliances
• StorageGRID 11.4 or later
• IP based

Description

• This article applies to StorageGRID 11.4.0 or later if you are using one or more external Layer 7 load balancers, such as NGINX or HAProxy, and an S3 bucket or group policies that are IP-based, StorageGRID must determine the real sender's IP address.

In an S3 bucket or group policy, the policy condition key aws:SourceIp and the policy variable ${aws:SourceIp} are compared to the IP address of the sender of the S3 request.

• If an external (third party) Layer 7 load balancer is used to route requests to the Storage Nodes, StorageGRID needs to determine the real sender’s IP address. It does this by looking at the X-Forwarded-For (XFF) header, which is inserted into the request by the load balancer.
• As the X-Forwarded-For header can be easily spoofed in requests sent directly to the Storage Nodes, StorageGRID needs to ensure that each request is being routed by a trusted Layer 7 load balancer. If StorageGRID cannot trust the source of the request, it will ignore the X-Forwarded-For header.
• In StorageGRID 11.4 or later, a new Grid Management API has been added to allow a list of trusted external Layer 7 load balancers to be configured. This new API is private and is subject to change in future StorageGRID releases.