Remove keyval / file based storage, replaced with ngx.shared. Additional x-amz-* headers were not signed#29
Remove keyval / file based storage, replaced with ngx.shared. Additional x-amz-* headers were not signed#29bgardner-noggin wants to merge 3 commits into
Conversation
…-suite using podman
…xpected-bucket-owner. Changed from keyval or filestore, to ngx.shared dictionary.
|
Hi @bgardner-noggin , Thank you for contributing your value on this repo. I have just read an email which is sent by @dekobon and am not sure why I can't find your pull request in my email. We planned to reuse this library into the nginx-s3-gateway after making NPM package using this repo. In the meantime, it would be good to change both repos. I was wondering if you could also update https://github.com/nginxinc/nginx-s3-gateway and test. Please let me know once you contribute https://github.com/nginxinc/nginx-s3-gateway the repo. Thanks! |
|
I'm not using the nginx-s3-gateway sorry. My use case is that I have nginx running as a proxy to limit customers whitelists for signed S3 urls. I am only using this library to send a signed HEAD request on a bucket, to verify that it is owned by my account, before allowing the signed url to proceed. |
|
Thanks for sharing your use case. I am sure that your contribution is valuable. As this repo is to provide a compatible solution for anyone who uses nginx-s3-gatewy, nginx-lambda-gateway, or the other nginx based Amazon Web Services such as your case, any PR needs to be verified with at least nginx-s3-gatewy or nginx-lambda-gateway until we do have better automation. So we can ensure that we do not block the existing customers who use not only NGINX OSS but also NGINX Plus. Let's see who can verify first among @shawnhankim , @4141done, @dekobon, @bgardner-noggin if you can't verify as you focus on your use case. 😃 @4141done: Feel free to review if you find anything that needs to be enhanced in the nginx-s3-gateway. |
Proposed changes
x-amz-* headers were not signed
Additional headers, eg x-amz-expected-bucket-owner for an S3 HEAD bucket request, were not being signed. All x-amz-* headers must be included in the signature
Removed keyval / file store for credentials, replaced with ngx.shared dictionary
The commercial keyval or falling back to a temporary file to store the credentials has been removed in favour of the ngx.shared model. This requires a dictionary aws to be configured as documented in the README.md changes
Checklist
Before creating a PR, run through this checklist and mark each as complete.
CONTRIBUTINGdocumentREADME.mdandCHANGELOG.md)