ARTIFACTORY: How to Manipulate S3 Redirection Based on Source IPs

Author: David Shin
Article number: 000006198
First published: 2024-10-10T12:00:58Z
Last modified: 2024-10-10
Version: 2

Introduction 
The S3 direct download feature in Artifactory is a valuable benefit, allowing faster downloads by redirecting requests directly to S3. You may already have a repository configured to use this feature. However, there are scenarios where you may want to prevent certain source IPs from using S3 direct downloads and ensure that they download files through Artifactory instead.
In such cases, you can control this behavior by using the X-JFrog-Download-Redirect-To header:
  • X-JFrog-Download-Redirect-To: S3: This indicates an S3 redirect and will result in Artifactory generating a signed URL with a 302 Found status code, redirecting the client to S3.
  • X-JFrog-Download-Redirect-To: None: This forces the download to go through Artifactory, returning a 200 OK response.

Resolution
You can implement this header manipulation in your reverse proxy, such as Nginx, based on the client's source IP address.

Example Configuration in Nginx:
In Nginx, you can inject the X-JFrog-Download-Redirect-To header dynamically based on IP ranges or specific IP addresses.

Below is an example configuration:
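# "map" compares $remote_addr as a plain string and cannot match CIDR ranges,
# so use "geo" (http context), which matches single addresses and networks.
# Behind a load balancer, $remote_addr is the balancer's address unless the
# realip module is configured.
geo $remote_addr $download_redirect {
  default "";               # Empty value: Nginx does not pass the header upstream
  # Define IP ranges or exact IPs that should bypass S3 redirection
  XX.XX.XXX.XX "None";      # Example: specific IP
  192.168.1.0/24 "None";    # Example: CIDR range for an internal network
}
# Conditionally add the X-JFrog-Download-Redirect-To header based on the client IP
# (place this in the server or location block that proxies to Artifactory)
proxy_set_header X-JFrog-Download-Redirect-To $download_redirect;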
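
Before reloading the proxy, the IP rule table can be checked offline to confirm which clients will be forced through Artifactory. The Python below is an added example, not part of the original article or JFrog's code; it assumes the most-specific-match lookup used by Nginx's geo module, and 203.0.113.10 is a constructed stand-in for the masked "XX.XX.XXX.XX" address.

```python
import ipaddress

# Constructed rule table mirroring the Nginx example: network -> header value.
# 203.0.113.10 stands in for the article's masked "XX.XX.XXX.XX" entry.
RULES = {
    "203.0.113.10": "None",
    "192.168.1.0/24": "None",
}
DEFAULT = ""  # empty value: no header is sent, the repository setting applies
OUTCOME = {
    "None": "200 OK, served through Artifactory",
    "S3": "302 Found, signed URL redirect to S3",
    "": "no header sent, repository default applies",
}


def load_rules(rules):
    """Parse the table; reject unknown values and malformed IPs or CIDR blocks."""
    parsed = []
    for net, value in rules.items():
        if value not in ("S3", "None"):
            raise ValueError(f"unsupported header value {value!r} for {net}")
        # strict=True also rejects CIDRs with host bits set, e.g. 192.168.1.5/24
        parsed.append((ipaddress.ip_network(net, strict=True), value))
    # Longest prefix first, so the first hit is the most specific match.
    return sorted(parsed, key=lambda item: item[0].prefixlen, reverse=True)


def redirect_header(client_ip, parsed, default=DEFAULT):
    """Return the X-JFrog-Download-Redirect-To value this client would receive."""
    addr = ipaddress.ip_address(client_ip)
    for net, value in parsed:
        if addr.version == net.version and addr in net:
            return value
    return default


def report(clients, rules=RULES):
    """Map each client IP to (header value, outcome described in the article)."""
    parsed = load_rules(rules)
    return {ip: (redirect_header(ip, parsed), OUTCOME[redirect_header(ip, parsed)])
            for ip in clients}


if __name__ == "__main__":
    for ip, (value, outcome) in report(["192.168.1.77", "198.51.100.4"]).items():
        print(f"{ip:15} header={value!r:7} -> {outcome}")
```
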

Conclusion 
By using the X-JFrog-Download-Redirect-To header, you can flexibly decide whether a client should be redirected to S3 for direct downloads or have the file downloaded via Artifactory.
This configuration allows you to manage redirection based on IP ranges or specific client addresses.