Overview

I investigated how to implement IP address restrictions for MDX.jp’s object storage. The following article was written by AI after verifying the implementation.

Introduction

This article explains how to configure access restrictions by specific IP addresses for the DDN EXAScaler S3-compatible object storage service provided by MDX.jp.

Object Storage Security Layers

DDN EXAScaler S3-compatible storage has three main security layers:

  1. Access Key and Secret Key: Basic authentication credentials
  2. Bucket Policy: Bucket-level access control
  3. Access Control List (ACL): Object-level access control

IP address restrictions are implemented with the bucket policy layer.

Steps for Setting Up IP Address Restrictions with Bucket Policy

1. Creating a Policy JSON File

First, create a JSON file (e.g., mdx.json) like the following:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "BucketName",
            "Effect": "Allow",
            "Principal": {
                "DDN": ["*"]
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": "BucketName",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "192.168.1.1/32",
                        "203.0.113.0/24"
                    ]
                }
            }
        }
    ]
}

Main elements of the policy:

  • Version: Policy syntax version
  • Sid: Policy statement identifier (arbitrary name)
  • Effect: Whether the statement allows or denies the listed actions (“Allow” or “Deny”)
  • Principal: Users to whom this statement applies (the “DDN” key is used for DDN EXAScaler; “*” matches all users)
  • Action: Actions to allow or deny
  • Resource: Resource to which the policy applies (bucket name)
  • Condition: Conditions (where IP address restrictions are set)

2. Applying the Policy

Use the s3cmd tool to apply the created policy to the bucket:

s3cmd --no-check-certificate setpolicy mdx.json s3://BucketName

On success, the following message will be displayed:

s3://BucketName/: Policy updated

3. Verifying the Policy

To check the currently applied policy:

s3cmd --no-check-certificate info s3://BucketName

The following result was obtained.

   Location:  us-east-1
   Payer:     none
   Ownership: none
   Versioning:none
   Expiration rule: none
   Block Public Access: none
   Policy:    {"Version":"2008-10-17","Statement":[{"Sid":"BucketName","Effect":"Allow","Principal":{"DDN":["*"]},"Action":["s3:GetObject","s3:ListBucket"],"Resource":"BucketName","Condition":{"IpAddress":{"aws:SourceIp":["192.168.1.1/32","203.0.113.0/24"]}}}]}
   CORS:      none

Key Points for IP Address Specification

About CIDR Notation

IP addresses can be specified in CIDR notation:

  • Single IP address: 192.168.1.1/32 (/32 means a single address)
  • IP address range: 203.0.113.0/24 (/24 means a range of 256 addresses)

Specifying Multiple IP Addresses

When allowing access from multiple IP addresses or address ranges, specify them as an array. IPv6 ranges can be listed alongside IPv4 ranges:

"aws:SourceIp": [
    "192.168.1.1/32",
    "203.0.113.0/24",
    "2001:db8::/32"
]
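As an added example (not code from the article or from MDX.jp), the following Python script generates the same policy document from a list of CIDR ranges, validating each range before it is written, and then reproduces the IpAddress check so you can see which client addresses a given policy text admits. The bucket name and ranges are the sample values used above; the function names are my own.

```python
import ipaddress
import json

ALLOWED_CIDRS = ["192.168.1.1/32", "203.0.113.0/24", "2001:db8::/32"]  # constructed sample input


def normalize_cidrs(cidrs):
    """Validate entries and return canonical CIDR strings. strict=True rejects
    host bits set inside the prefix (e.g. "203.0.113.5/24"), a common typo."""
    return [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]


def build_policy(bucket, cidrs, actions=("s3:ListBucket", "s3:GetObject")):
    """Return the policy text in the shape applied with `s3cmd setpolicy`."""
    policy = {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": bucket,
            "Effect": "Allow",
            "Principal": {"DDN": ["*"]},  # principal key used by DDN EXAScaler
            "Action": list(actions),
            "Resource": bucket,
            "Condition": {"IpAddress": {"aws:SourceIp": normalize_cidrs(cidrs)}},
        }],
    }
    return json.dumps(policy, indent=4)


def allowed_ranges(policy_text):
    """Collect aws:SourceIp ranges from the Allow statements of a policy string
    (the one-line JSON printed after 'Policy:' by `s3cmd info` parses the same way)."""
    ranges = []
    for stmt in json.loads(policy_text)["Statement"]:
        if stmt.get("Effect") == "Allow":
            cond = stmt.get("Condition", {}).get("IpAddress", {})
            ranges.extend(cond.get("aws:SourceIp", []))
    return [ipaddress.ip_network(r) for r in ranges]


def source_allowed(policy_text, source_ip):
    """Mirror the IpAddress condition: True only if the client address is in an allowed range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allowed_ranges(policy_text))  # v4/v6 mismatch is False


if __name__ == "__main__":
    doc = build_policy("BucketName", ALLOWED_CIDRS)
    print(doc)  # save as mdx.json, then: s3cmd setpolicy mdx.json s3://BucketName
    for probe in ("203.0.113.77", "198.51.100.9", "2001:db8:1::1"):
        print(probe, "allowed" if source_allowed(doc, probe) else "not matched")
```

The same check is worth repeating against the live bucket after applying the policy: a request from an address outside the listed ranges should be refused.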

Summary

The following article introduced how to integrate Omeka S with MDX.jp’s object storage.

By combining it with the content of this article, it should be possible to create a digital archive system where images (data) can only be viewed from specified IP addresses.

There may be some inaccuracies, but I hope you find this helpful.