How to configure StorageGRID to work with IP-based S3 policies behind third-party Layer 7 load balancers
Applies to
- StorageGRID Appliances
- StorageGRID 11.4 or later
- IP-based S3 bucket and group policies
Description
- This article applies to StorageGRID 11.4.0 or later. If you use one or more external Layer 7 load balancers, such as NGINX or HAProxy, together with S3 bucket or group policies that are IP-based, StorageGRID must determine the real sender's IP address.
In an S3 bucket or group policy, the policy condition key aws:SourceIp and the policy variable ${aws:SourceIp} are compared to the IP address of the sender of the S3 request.
- If an external (third-party) Layer 7 load balancer is used to route requests to the Storage Nodes, the TCP connection to the Storage Node comes from the load balancer, not from the client, so StorageGRID needs another way to determine the real sender's IP address. It does this by looking at the X-Forwarded-For (XFF) header, which the load balancer inserts into the request.
- As the X-Forwarded-For header can easily be spoofed in requests sent directly to the Storage Nodes, StorageGRID needs to ensure that each request was routed by a trusted Layer 7 load balancer. If StorageGRID cannot trust the source of the request, it ignores the X-Forwarded-For header and evaluates the policy against the address of the immediate sender (the load balancer's own address, if the request was proxied). Note that X-Forwarded-For is a comma-separated list to which each proxy appends the address it saw; a client can prepend any value it likes, so the load balancer should be configured to set or overwrite the header rather than merely append to whatever the client sent.
- In StorageGRID 11.4 or later, a new Grid Management API has been added that allows a list of trusted external Layer 7 load balancers to be configured. This API is private and is subject to change in future StorageGRID releases.
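The following is an added example, not StorageGRID code, that illustrates the two points above together: how the effective source address of an S3 request is chosen (X-Forwarded-For honoured only when the TCP peer is a trusted load balancer, otherwise ignored) and how an aws:SourceIp condition in a bucket policy is then evaluated against that address. The trusted load balancer subnet (10.0.1.0/24), the bucket policy, the client addresses and the rule of taking the right-most X-Forwarded-For entry are all assumptions made for the example; the page does not document how StorageGRID itself parses the header or how the real trusted-load-balancer list is stored.

```python
"""Added example (not StorageGRID code): derive the source IP of an S3
request that may have come through a Layer 7 load balancer, then evaluate a
bucket policy that uses aws:SourceIp against it.  Addresses, the trusted
load balancer list and the policy are constructed for this example."""
import ipaddress
from typing import Optional

# Assumed: the subnet the trusted Layer 7 load balancers (NGINX, HAProxy)
# connect from.  In StorageGRID this list is configured through the private
# Grid Management API mentioned in the article; here it is a constant.
TRUSTED_LOAD_BALANCERS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed bucket policy: GetObject allowed only from 192.0.2.0/24.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
        }
    ],
}


def effective_source_ip(peer_ip: str, xff_header: Optional[str]) -> str:
    """Return the address that aws:SourceIp is compared with.

    X-Forwarded-For is honoured only when the TCP peer is a trusted load
    balancer; a request reaching the Storage Node from any other address
    keeps its real peer address, so a forged header has no effect.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_LOAD_BALANCERS) or not xff_header:
        return str(peer)
    # X-Forwarded-For is a comma-separated list.  A client can prepend any
    # value; only the entry appended by the trusted load balancer (the
    # right-most one for a single trusted hop) is reliable.  This rule is an
    # assumption of the example, not a documented StorageGRID behaviour.
    last_hop = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:
        # Unparseable header from a trusted LB: fall back to the peer address
        # rather than grant anything on the basis of bad data.
        return str(peer)


def _ip_in_any(ip, ranges) -> bool:
    """True if ip falls inside any of the CIDR/host strings in ranges."""
    if isinstance(ranges, str):
        ranges = [ranges]
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def policy_allows(policy: dict, action: str, source_ip: str) -> bool:
    """Minimal evaluator for Allow/Deny statements carrying aws:SourceIp
    conditions: an explicit Deny wins, otherwise any matching Allow grants."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        cond = stmt.get("Condition", {})
        if "IpAddress" in cond and not _ip_in_any(ip, cond["IpAddress"]["aws:SourceIp"]):
            continue
        if "NotIpAddress" in cond and _ip_in_any(ip, cond["NotIpAddress"]["aws:SourceIp"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_allowed(peer_ip: str, xff_header: Optional[str],
                    action: str = "s3:GetObject") -> bool:
    """Full path: derive the effective source IP, then evaluate the policy."""
    return policy_allows(BUCKET_POLICY, action, effective_source_ip(peer_ip, xff_header))


if __name__ == "__main__":
    cases = [
        ("10.0.1.5", "192.0.2.10"),               # via trusted LB: allowed
        ("203.0.113.7", "192.0.2.10"),            # direct to node, forged XFF: denied
        ("10.0.1.5", "192.0.2.10, 203.0.113.7"),  # client-prepended entry: denied
        ("10.0.1.5", None),                       # LB sent no XFF: LB address, denied
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", effective_source_ip(peer, xff),
              "allowed" if request_allowed(peer, xff) else "denied")
```

The second and third cases are the ones that matter for security: a client that bypasses the load balancer, or that prepends an address to X-Forwarded-For before the load balancer appends the real one, does not get the policy evaluated against the address it chose. The fourth case shows the consequence of an untrusted or misconfigured load balancer: the policy sees the load balancer's own address, which is why the trusted list has to be configured before IP-based policies behave as expected.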