Kriechi / aws-s3-reverse-proxy

reverse-proxy all incoming S3 API calls to the public AWS S3 backend
MIT License

Unable to use tool behind another Reverse Proxy #7

Open MaxRink opened 3 years ago

MaxRink commented 3 years ago

We wanted to use this proxy in Kubernetes, behind an Ingress Controller. This seems to cause some issues, as I'm unable to make a connection:

time="2021-09-01T20:12:57Z" level=debug msg="Incoming request: GET /netbox-test?list-type=2&prefix=&delimiter=%2F&encoding-type=url HTTP/1.1\r\nHost: netbox.hb.das-schiff.telekom.de\r\nAccept-Encoding: identity\r\nAuthorization: AWS4-HMAC-SHA256 Credential=OMKK45MUP3A21NUFBAMO/20210901/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=df917a72082c74b48178fb1aaf8d89662b7857855f66527a68101ea2905c11ab\r\nUser-Agent: aws-cli/1.20.21 Python/3.9.6 Linux/5.14.0-1-MANJARO botocore/1.21.21\r\nX-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nX-Amz-Date: 20210901T201256Z\r\nX-Forwarded-For: 10.27.50.159\r\nX-Forwarded-Host: netbox.hb.das-schiff.telekom.de\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Real-Ip: 10.27.50.159\r\nX-Request-Id: bc05d3323e143d19a0340e9bfb9c0e84\r\nX-Scheme: https\r\n\r\n"
time="2021-09-01T20:12:57Z" level=error msg="unable to proxy request" error="invalid signature in Authorization header"

Kriechi commented 3 years ago

invalid signature in Authorization header indicates that the incoming request was not signed by a valid set of credentials that is known to aws-s3-reverse-proxy.

Your request shows OMKK45MUP3A21NUFBAMO as AWS_ACCESS_KEY_ID. Did you configure the correct AWS_SECRET_ACCESS_KEY for it, either as CLI args or config file?

I assume you are not proxying actual AWS S3 -- but some other S3 implementation backend? Because the OMK... prefix does not match any of the well-known IAM unique ID prefixes: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html (or you simply redacted it, which is totally fine of course!)

Kriechi commented 3 years ago

The other issue could be in the Ingress Controller (I assume nginx-ingress), which is rewriting some of the headers or query params. Please try and get a full request dump of what goes into the nginx-ingress. Then we can compare it against what is sent to the aws-s3-reverse-proxy pod (you already posted this request dump).

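One way to do the comparison suggested above, as an added example that is not from the thread or from the project's code: it parses two raw request dumps and reports which elements covered by the SigV4 signature (method, path, query, and the headers named in SignedHeaders) differ between them. The function names, the sample dump, its hosts and its key ID are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// signedParts returns the request elements SigV4 signs, keyed by name.
func signedParts(dump string) (map[string]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(dump)))
	if err != nil {
		return nil, err
	}
	_, rest, ok := strings.Cut(req.Header.Get("Authorization"), "SignedHeaders=")
	if !ok {
		return nil, fmt.Errorf("no SignedHeaders in Authorization header")
	}
	list, _, _ := strings.Cut(rest, ",")
	p := map[string]string{"method": req.Method, "path": req.URL.EscapedPath(), "query": req.URL.Query().Encode()}
	for _, h := range strings.Split(list, ";") {
		p["header:"+h] = strings.Join(req.Header.Values(h), ",")
	}
	p["header:host"] = req.Host // net/http moves Host out of the header map
	return p, nil
}

// SignedDiff lists the signed elements that differ between two request dumps.
func SignedDiff(before, after string) ([]string, error) {
	a, errA := signedParts(before)
	b, errB := signedParts(after)
	if errA != nil || errB != nil {
		return nil, fmt.Errorf("parse: before=%v after=%v", errA, errB)
	}
	var diffs []string
	for k, v := range a {
		if b[k] != v {
			diffs = append(diffs, fmt.Sprintf("%s: %q -> %q", k, v, b[k]))
		}
	}
	sort.Strings(diffs)
	return diffs, nil
}
// Constructed sample dump; the key ID, hosts and signature are placeholders.
const tmpl = "GET /bucket?list-type=2&delimiter=%%2F HTTP/1.1\r\nHost: %s\r\nAuthorization: AWS4-HMAC-SHA256 Credential=EXAMPLEKEYID/20210901/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0000\r\nX-Amz-Date: 20210901T201256Z\r\n\r\n"
func main() {
	fmt.Println(SignedDiff(fmt.Sprintf(tmpl, "s3.example.internal"), fmt.Sprintf(tmpl, "s3-proxy.default.svc")))
}
```

An empty result means the signed elements reached the proxy unchanged, which points back at the configured credentials rather than at header rewriting.
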
MaxRink commented 3 years ago

It's a NetApp appliance speaking S3, not direct AWS. I'll dig into it next week.

luisdavim commented 1 year ago

I'm getting the same error, though I'm not using any additional proxies. To authenticate I also need to pass an AWS_SESSION_TOKEN. I've tried making some modifications to the code to support including it in the signer, but I still get the same error.