Using Original Client IPs in Access Checks and Logs


For environments where S3 traffic runs through a proxy server, the VAST cluster can be configured to recognize and process the original client IP address that the proxy passes along in an HTTP header of an S3 request, such as True-Client-IP (or a custom header). With the configuration in place, the original client IP is used for IP-based access control, logging of client operations, and data flow reporting. If not configured (which is the default), the IP of the proxy is used.

The configuration for using original client IPs is applied cluster-wide.

The IPs from the specified header are used as client IPs in the following areas:

  • Host-based rules in view policies

  • Identity and bucket policies that contain aws:SourceIp conditions

  • Bucket logging

  • Data Flows reporting

In S3 audit records, the original client IP is shown in a separate field, in addition to the proxy IP.

The following limitations apply:

  • The original client IPs cannot be used for the purpose of client IP-based tenant identification.

Configuring Use of Original Client IPs in Access Checks and Logs (VAST Web UI)

To configure the use of original client IPs for access control and logging in the VAST Web UI:

  1. In the left navigational menu, select Settings -> S3 True IP to open the S3 True IP settings page.

  2. In the True Client IP Header field, enter the name of the HTTP header used to pass the original client IP.
    The header name is case-insensitive and can be no more than 50 characters. It can include letters A-Z, a-z, digits (0-9) and the following special characters: ! # $ % & ' * + - . ^ _ | ~.

  3. Under Included Addresses, set one or more ranges of IPv4 addresses representing proxy IPs that can send the header containing the original client IP:

    1. Enter the starting IP of the range in the Start IP field.
      The value must be an IPv4 address. IPv6 is not supported for this field.

    2. Specify the total number of IPs in the range in the Range field.
      Valid values are 0 - 16.

    3. Click Add to add the range to the list of configured ranges.

    4. Repeat to add as many ranges as needed.

  4. When finished, click Save.
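
The trust decision that this configuration implies, modeled as an added example (not VAST's code; all function names are hypothetical). Assumptions: a range covers `count` consecutive IPv4 addresses starting at the Start IP, the header is ignored when the sender is outside Included Addresses, and a missing or malformed header value falls back to the proxy (peer) IP.

```python
import ipaddress
import re

# Header-name rule from step 2: letters, digits and ! # $ % & ' * + - . ^ _ | ~, max 50 chars.
HEADER_NAME_RE = re.compile(r"[A-Za-z0-9!#$%&'*+\-.^_|~]{1,50}")


def valid_header_name(name):
    return HEADER_NAME_RE.fullmatch(name) is not None


def in_included_ranges(peer_ip, ranges):
    """ranges: list of (start_ip, count). Assumption: a range covers `count`
    consecutive IPv4 addresses beginning at start_ip."""
    peer = ipaddress.ip_address(peer_ip)
    if peer.version != 4:
        return False  # Included Addresses accept IPv4 only
    for start, count in ranges:
        first = int(ipaddress.IPv4Address(start))
        if first <= int(peer) < first + count:
            return True
    return False


def effective_client_ip(peer_ip, headers, header_name, ranges):
    """Return the IP to use for access checks and logs for one request."""
    if not header_name or not valid_header_name(header_name):
        return peer_ip  # feature not configured: the proxy (peer) IP is used
    if not in_included_ranges(peer_ip, ranges):
        return peer_ip  # assumption: header ignored from unlisted senders
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    value = lowered.get(header_name.lower(), "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer_ip  # assumption: missing or malformed value falls back


# Constructed sample configuration (not from a real cluster)
RANGES = [("10.0.0.10", 4)]  # 10.0.0.10 through 10.0.0.13
HEADER = "True-Client-IP"

if __name__ == "__main__":
    for peer, hdrs in [
        ("10.0.0.11", {"true-client-ip": "203.0.113.7"}),  # listed proxy
        ("192.0.2.50", {"True-Client-IP": "10.1.1.1"}),    # unlisted sender
    ]:
        print(peer, "->", effective_client_ip(peer, hdrs, HEADER, RANGES))
```

Keeping Included Addresses limited to the actual proxy IPs matters because any listed sender's header value becomes the address evaluated by host-based rules and aws:SourceIp conditions.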