<div>Hello, </div><div>I've been using the "Amazon S3 Auth Patch" (which was sent to the list some days ago) for a while, and it works nicely, helping on a lot of issues. What I would like to know is how to get it to work with X-Accel-Redirect, or someway to accomplish such task, as I could not find a way to make it work as it does without the header. I'll describe the scenario I have in order to make it clear:</div>
<div><br></div><div>- Application (Rails, in the case) running with nginx + passenger. </div><div>- The rails app controller uses X-Accel-Redirect as described in many places in the internet. The code is something like:</div>
<div>[....]</div><div>response.headers['X-Accel-Redirect'] = "/images/someImage.jpg"</div><div>response.headers['Content-Type'] = "image/jpeg"</div><div>[...]</div><div><br></div><div>
- The nginx configuration is like this:</div>
<div><div>location /images {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>internal;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>proxy_pass <a href="http://myBucketName.s3.amazonaws.com">http://myBucketName.s3.amazonaws.com</a>;</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>proxy_s3_auth on;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>proxy_s3_bucket myBucketName;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>proxy_s3_user accessKey;</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>proxy_s3_pass secretKey;</div><div>}</div><div><br></div><div>If I do not use Rails + X-Accel-Redirect (and without the "internal" config option, of course) this configuration does work pretty well. However, when I try to use it with X-Accel-Redirect, the patch builds the "Authorization" header for the path "/images/someImage.jpg" correctly, but what Amazon receives is the original URL (e.g, the URL we see in the browser is "/<a href="http://localhost:3000/myRailsController/actionName">http://localhost:3000/myRailsController/actionName</a>", and Amazon receives from nginx the part "/myRailsController/actioName", instead of "/images/someImage.jpg"), and thus the hashes doesn't match (I know that because I added a lot of debug statements in nginx, and compared it with the results Amazon responded and with the results I got without the X-Accel-Redirect header).</div>
<div><br></div><div>Is there a way to get it work? Am I missing something?</div><div><br></div><div>In time: I had to make a small fix on the original code, which was crashing when I started using the header. The original code is like</div>
<div><br></div><div><div>urlend=strchr(url, ' ');</div><div>*urlend='\0'; </div><div>if (plcf->s3_secdown.len && ngx_strcmp(plcf->s3_secdown.data,"on")==0) {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>url[strlen(url)-42]='\0';</div>
</div><div><br></div><div>However, "urlend" may be null, so I fixed it changing to</div><div><br></div><div>if (urlend) {</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>*urlend='\0'; </div>
<div>}</div><div><br></div><div><br></div><div>That's it. </div><div><br></div><div>I appreciate any hint on this. </div><div><br></div><div>Cheers,</div><div>Rafael</div></div><div><br></div><div>--------------------------</div>
<div>Orignal Message</div><div>--------------------------</div><div>Hi</div><div><br></div><div>I've modified the proxy module to be able to authenticate with Amazon S3. It also supports the secure download patch by removing the trailing ticket (MD5/timestamp) from the URL.</div>
<div><br></div><div>The rationale behind this is: we're using S3 to offload all our app's static files but need some of them to be public (images) and some private (downloads for registered users). We're using nginx as a proxy to S3 to cache requests and minimize the per-GET cost of S3, so our first approach was a security through obscurity one: as the final user only sees our URL and not the real bucket's URL, we could make the whole bucket public and use the secure download patch just on some locations, so that the user couldn't download files from there. But this protection was only on our server, if some user guessed our S3 bucket he could download everything directly from S3.</div>
<div><br></div><div>With this patch we can make parts of the bucket private, and authenticate with S3 so that only our servers are able to download them. And it plays nice with the secure download patch, so the files are secure both on S3 and through our proxy.</div>
<div><br></div><div>Please find the patch attached. This is my first attempt at hacking more than a couple lines into nginx, so I'm sure some code cleanup might apply. I particularly don't like using static char arrays (should move to ngx_copy and such) and couldn't get ngx_conf_set_flag_slot to work for config options.</div>
<div><br></div><div>Config syntax is as follows:</div><div><br></div><div> location /private/ {</div><div> proxy_pass <a href="http://BUCKET.s3.amazonaws.com/private/">http://BUCKET.s3.amazonaws.com/private/</a>;</div>
<div> proxy_s3_auth on;</div><div> proxy_s3_secure_download on; # optional if you're also using secdownload</div><div> proxy_s3_bucket BUCKET; </div><div> proxy_s3_user S3_USER_ID;</div>
<div> proxy_s3_pass S3_PASSWORD;</div><div> }</div><div><br></div><div>Any comments, suggestions, and code corrections are welcome. :-)</div><div><br></div><div>Regards</div>