IP access control
IBM COS supports Allowed IP in Vault Mode to restrict bucket access to trusted IP addresses.

A client can access a bucket through a direct connection or a proxy connection.

When a client connects to the IBM COS Accesser® device directly, it is considered a direct
connection, and the client IP address is retrieved from the client transport connection
information. A special case of the direct connection is when the client connects to the
Accesser® device through a proxy server, such as a load balancer, that is configured to
preserve the client source IP address; the client IP address can then still be retrieved
from the client transport connection information. The customer can whitelist the client public IP
addresses that are allowed to access the bucket when the connection is a direct connection. IBM COS
will enforce IP access control based on the client IP address.

When the client connects to the Accesser® device through a proxy server such that the client IP
address cannot be retrieved from the client transport connection information, the connection is
considered a proxy connection. To use the IP access control capability for a proxy connection, the
system application must set the client originating public IP address at the rightmost proxy IP
address in the X-Forwarded-For HTTP header, and the system admin must choose the "proxy" connection
in the Manager Web Interface. Please refer to IBM COS Manager Web Interface -> Administration ->
Network Transport Layer Configuration to set the proper connection type and public client
originating IP address.
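
The following is an added illustration of the two connection types described above, not IBM COS code. The function names, the mode strings "direct" and "proxy", and the allow list are hypothetical, and it assumes the rightmost X-Forwarded-For entry is the address the trusted proxy recorded for the client.

```python
import ipaddress

# Constructed allow list (documentation address ranges, not real clients).
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]


def effective_client_ip(mode, peer_ip, headers):
    """Return the address the allow list is checked against, or None.

    mode    -- "direct" or "proxy" (hypothetical names for the connection type)
    peer_ip -- source address of the transport connection as seen by the server
    headers -- request headers as a dict
    """
    if mode == "direct":
        # Transport-level address only; a client-supplied X-Forwarded-For
        # header is ignored so it cannot override the real source address.
        candidate = peer_ip
    elif mode == "proxy":
        xff = next((v for k, v in headers.items()
                    if k.lower() == "x-forwarded-for"), "")
        # Assumption: the rightmost entry is the one the trusted proxy set.
        candidate = xff.split(",")[-1].strip()
    else:
        return None
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None  # missing or malformed address: fail closed


def is_allowed(mode, peer_ip, headers, allowed=ALLOWED):
    """True only if the effective client address falls in an allowed network."""
    ip = effective_client_ip(mode, peer_ip, headers)
    return ip is not None and any(ip in net for net in allowed)


if __name__ == "__main__":
    # Constructed requests: (mode, transport peer, headers)
    cases = [
        ("direct", "203.0.113.7", {}),
        ("direct", "198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}),
        ("proxy", "10.0.0.5", {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"}),
        ("proxy", "10.0.0.5", {}),
    ]
    for mode, peer, hdrs in cases:
        print(mode, peer, hdrs, "->", is_allowed(mode, peer, hdrs))
```

If the connection type is set to direct while requests actually arrive through a proxy that does not preserve the source address, every request is evaluated against the proxy's own address, so the connection type setting has to match the deployment.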