Overview

I investigated how to implement IP address restrictions for MDX.jp’s object storage. The following article was written by AI after verifying the implementation.

Introduction

This article explains how to configure access restrictions by specific IP addresses for the DDN EXAScaler S3-compatible object storage service provided by MDX.jp.

Object Storage Security Layers

DDN EXAScaler S3-compatible storage has three main security layers:

  1. Access Key and Secret Key: Basic authentication credentials
  2. Bucket Policy: Bucket-level access control
  3. Access Control List (ACL): Object-level access control

To implement IP address restrictions, “Bucket Policy” is used.

Steps for Setting Up IP Address Restrictions with Bucket Policy

1. Creating a Policy JSON File

First, create a JSON file (e.g., mdx.json) like the following:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "BucketName",
      "Effect": "Allow",
      "Principal": {"DDN": ["*"]},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": "BucketName",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["192.168.1.1/32", "203.0.113.0/24"]
        }
      }
    }
  ]
}

Main elements of the policy:

  • Version: Policy syntax version
  • Sid: Policy statement identifier (arbitrary name)
  • Effect: Whether the statement allows or denies the matching requests (“Allow” or “Deny”)
  • Principal: Users to whom this policy applies (use “DDN” for DDN EXAScaler)
  • Action: Actions to allow or deny
  • Resource: Resource to which the policy applies (bucket name)
  • Condition: Conditions (where IP address restrictions are set)

2. Applying the Policy

Use the s3cmd tool to apply the created policy to the bucket:

s3cmd --no-check-certificate setpolicy mdx.json s3://BucketName

On success, the following message will be displayed:

s3://BucketName/: Policy updated

3. Verifying the Policy

To check the currently applied policy:

s3cmd --no-check-certificate info s3://BucketName

The following result was obtained.

   Policy:    {"Version":"2008-10-17","Statement":[{"Sid":"BucketName","Effect":"Allow","Principal":{"DDN":["*"]},"Action":["s3:GetObject","s3:ListBucket"],"Resource":"BucketName","Condition":{"IpAddress":{"aws:SourceIp":["192.168.1.1/32","203.0.113.0/24"]}}}]}

Key Points for IP Address Specification

About CIDR Notation

IP addresses can be specified in CIDR notation:

  • Single IP address: 192.168.1.1/32 (/32 means a single address)
  • IP address range: 203.0.113.0/24 (/24 means a range of 256 addresses)

Specifying Multiple IP Addresses

When allowing access from multiple IP addresses or address ranges, specify them in array format:

"aws:SourceIp": ["192.168.1.1/32", "203.0.113.0/24"]

IPv6
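As an added example (not code from the original article), the following Python helper builds the mdx.json policy described above for a list of CIDRs, rejects malformed ranges, ranges with host bits set, and catch-all ranges before the policy is applied with s3cmd, and evaluates whether a given source address would pass the IpAddress condition. The bucket name and addresses are the article's example values; the standard ipaddress module also accepts IPv6 networks.

```python
import ipaddress
import json


def build_ip_policy(bucket, allowed_cidrs, sid=None):
    """Build the DDN EXAScaler bucket policy described in the article.

    Raises ValueError for malformed CIDRs, for ranges whose host bits are set
    (e.g. "192.168.1.1/24", usually a typo for /32), and for a catch-all
    range, which would silently turn the restriction into public read access.
    """
    networks = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)  # strict: "192.168.1.1/24" raises
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} matches every address; refusing")
        networks.append(net)
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": sid or bucket,
            "Effect": "Allow",
            "Principal": {"DDN": ["*"]},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": bucket,
            "Condition": {
                "IpAddress": {"aws:SourceIp": [str(n) for n in networks]}
            },
        }],
    }


def source_ip_allowed(policy, source_ip):
    """Return True if some Allow statement's IpAddress condition matches source_ip.

    A v4 address never matches a v6 network and vice versa (ipaddress semantics).
    """
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        cidrs = cond.get("aws:SourceIp", [])
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    # Writes the file that `s3cmd setpolicy mdx.json s3://BucketName` applies.
    policy = build_ip_policy("BucketName", ["192.168.1.1/32", "203.0.113.0/24"])
    with open("mdx.json", "w") as fh:
        json.dump(policy, fh, indent=2)
```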

Summary

The following article introduced how to integrate Omeka S with MDX.jp’s object storage.

By combining it with the content of this article, it should be possible to create a digital archive system where images (data) can only be viewed from specified IP addresses.

There may be some inaccuracies, but I hope you find this helpful.