anomalizer / ngx_aws_auth

nginx module to proxy to authenticated AWS services
BSD 2-Clause "Simplified" License

HEAD request does not work #15

Open limbo127 opened 9 years ago

limbo127 commented 9 years ago

Hello, I can do a GET request on a file without problem; the same with a HEAD request does not work, giving a 403 Forbidden error. Permission is good on this file, and with the same key and a standard S3 client there is no problem.

127.0.0.1 - - [29/Jan/2015:21:09:46 +0000] "HEAD http://s3.amazonaws.com/nhc.c1/test HTTP/1.1" 403 394 (472) "-" "-" "-"[MISS] [0 / -] - AWS4-HMAC-SHA256 Credential=AKIAJG6NCXFPQGBUZ3YA/20150129/US/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=85369c88cbedbadcc5f8457b39b9683b69b861928c884b55e739a76d3905cca7

127.0.0.1 - - [29/Jan/2015:21:10:19 +0000] "GET http://s3.amazonaws.com/nhc.c1/test HTTP/1.1" 200 41799 (452) "-" "-" "-"[MISS] [41029 / -] - AWS4-HMAC-SHA256 Credential=AKIAJG6NCXFPQGBUZ3YA/20150129/US/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=34cbbfb2d48cb8ea516bd2bbb82bd894ee62ab854ceb448365ef4f1863513cde

andrea-spoldi commented 9 years ago

+1, noticed the same: the module always builds the hash with a GET and passes it to the S3 API for authentication; the API receives the hash AND the original request, which is instead a HEAD... they mismatch and the authentication fails.

anomalizer commented 9 years ago

adf0177 was supposed to fix this. Could you confirm if your build has this commit? Also, which region is your S3 in?

benjaminbarbe commented 9 years ago

+1 I use the latest version (1.1.1) with Ireland region.

benjaminbarbe commented 9 years ago

@anomalizer Do you have an idea for a quick fix?

andrea-spoldi commented 9 years ago

@benjaminbarbe I actually managed to "quick fix" it without touching the (great btw) ngx_aws_auth module.

Following this post: http://serverfault.com/questions/347663/nginx-convert-head-to-get-requests

I simply perform an internal redirection converting the HEAD request to GET; it just works like a charm for me.

anomalizer commented 9 years ago

@benjaminbarbe no quick fix at this point. Let me try to reproduce the issue specifically for HEAD

benjaminbarbe commented 9 years ago

@andrea-spoldi Yes thank you but the body is still sent. Unfortunately, I can not.

I will give a try to https://gist.github.com/skddc/c7a982226d08acd4e041 or https://gist.github.com/justincormack/948423

@anomalizer Cool, Keep us in touch :smile:

benjaminbarbe commented 9 years ago

@andrea-spoldi @anomalizer I think it's not the fault of the ngx_aws_auth module. I found this post: "Proxy cache passes GET instead of HEAD to upstream".

The problem came from the combination of proxy_cache and proxying to S3. I've updated skddc's gist to make it work: https://gist.github.com/benjaminbarbe/1961db5ffbaad57eff12

andrea-spoldi commented 9 years ago

@benjaminbarbe have to check but I'm 99,9% sure that proxy_cache module is not used in my config.

nivlaaa commented 8 years ago

I ran into this issue using proxy_cache as well. However, I fixed it rather cleanly using http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_convert_head to just turn the conversion of HEADs to GETs off.
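
The mismatch discussed in this thread, as an added example that is not part of the thread or of ngx_aws_auth: in AWS Signature Version 4 the HTTP method is the first line of the canonical request, so a signature computed for one verb does not verify when the proxy sends another (as happens when proxy_cache converts HEAD to GET). The host, bucket path, region and secret below are constructed sample values, and `upstream_accepts` is a hypothetical helper that models the server-side recomputation.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less request

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(method, host, path, amz_date, region, secret, service="s3"):
    """Return the SigV4 hex signature for a body-less, query-less request."""
    date = amz_date[:8]
    canonical_request = "\n".join([
        method,                                   # the verb is the first signed field
        path,
        "",                                       # empty canonical query string
        f"host:{host}",
        f"x-amz-content-sha256:{EMPTY_SHA256}",
        f"x-amz-date:{amz_date}",
        "",                                       # blank line ending the header block
        "host;x-amz-content-sha256;x-amz-date",   # same SignedHeaders as in the logs
        EMPTY_SHA256,
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def upstream_accepts(signed_method, sent_method, **req):
    """Model the server: recompute the signature over the method actually received."""
    presented = sigv4_signature(signed_method, **req)
    expected = sigv4_signature(sent_method, **req)
    return hmac.compare_digest(presented, expected)

# Constructed sample values (not real credentials or a real bucket).
REQ = dict(host="s3.amazonaws.com", path="/example-bucket/test",
           amz_date="20150129T210946Z", region="us-east-1",
           secret="EXAMPLE-SECRET-KEY-NOT-REAL")

if __name__ == "__main__":
    print("signed HEAD, sent HEAD:", upstream_accepts("HEAD", "HEAD", **REQ))
    print("signed HEAD, sent GET: ", upstream_accepts("HEAD", "GET", **REQ))
    print("signed GET,  sent HEAD:", upstream_accepts("GET", "HEAD", **REQ))
```

A rejected signature of this kind surfaces as the 403 seen in the access log, independent of the object's permissions.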