anomalizer / ngx_aws_auth

nginx module to proxy to authenticated AWS services
BSD 2-Clause "Simplified" License

Signing error if behind CloudFront #6

Closed andrea-spoldi closed 10 years ago

andrea-spoldi commented 10 years ago

Hi, it seems there is a problem with request signing if it comes from behind Amazon CloudFront service.

What I notice is the following:

HTTP_Request > Nginx with ngx_aws_auth > S3 bucket works OK

HTTP_Request > Amazon CF (distribution set to nginx) > Nginx with ngx_aws_auth > S3 bucket goes KO

Here is the error from the browser:

SignatureDoesNotMatch The request signature we calculated does not match the signature you provided. Check your key and signing method. omissis 127A95CC3037ABFF omissis omissis GET x-amz-cf-id:5ZxaxPOoKEPPe3gLsvAMMMdZzcl7GjVYrPFL2Yn88VWbwGLVtiTJFw== x-amz-date:Fri, 22 Nov 2013 16:48:18 GMT /mybucket/mypath/myfile.ext omissis

It seems that being behind CF adds the x-amz-cf-id: header, which I think S3 uses for signing when ngx_aws_auth doesn't, hence the error.

It works OK also behind ELB, which does not add any header.

Thanks.

A

andrea-spoldi commented 10 years ago

Okay, I got through it by adding:

proxy_set_header x-amz-cf-id "";

right before

proxy_set_header x-amz-date $aws_date;

which cleans up the CloudFront header before proxying it to S3.

I think it is worth adding to the config example.

A
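
An added example, not part of the original thread or the module's code: AWS Signature Version 2 folds every x-amz-* header present on the request into the string to sign, which is why the extra CloudFront header shown in the error above breaks the signature and clearing it restores it. The secret key, the CloudFront id value and the premise that the proxy signs only x-amz-date are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration only; not real credentials or ids.
SECRET_KEY = b"EXAMPLE-SECRET-KEY"
RESOURCE = "/mybucket/mypath/myfile.ext"
DATE = "Fri, 22 Nov 2013 16:48:18 GMT"
CF_ID = "EXAMPLE-CF-REQUEST-ID=="


def canonical_amz_headers(headers):
    """SigV2 CanonicalizedAmzHeaders: lowercased x-amz-* names, sorted, one per line."""
    amz = {}
    for name, value in headers.items():
        key = name.lower()
        if key.startswith("x-amz-"):
            amz[key] = value.strip()
    return "".join(f"{k}:{amz[k]}\n" for k in sorted(amz))


def string_to_sign(method, headers, resource):
    """Verb, Content-MD5, Content-Type, Date, then amz headers and resource."""
    lower = {k.lower(): v for k, v in headers.items()}
    # When x-amz-date is sent, the Date slot in the string to sign stays empty.
    date = "" if "x-amz-date" in lower else lower.get("date", "")
    return "\n".join([method, lower.get("content-md5", ""),
                      lower.get("content-type", ""), date,
                      canonical_amz_headers(headers) + resource])


def sign(secret, sts):
    """Base64(HMAC-SHA1(secret, string_to_sign)), as SigV2 specifies."""
    digest = hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def simulate(forward_cf_header):
    """Return (proxy_signature, s3_signature) for one proxied GET."""
    # Assumption: the proxy signs only the x-amz-date header it sets itself.
    signed_by_proxy = {"x-amz-date": DATE}
    # What reaches S3: that header plus anything passed through from CloudFront.
    received_by_s3 = dict(signed_by_proxy)
    if forward_cf_header:
        received_by_s3["X-Amz-Cf-Id"] = CF_ID
    return (sign(SECRET_KEY, string_to_sign("GET", signed_by_proxy, RESOURCE)),
            sign(SECRET_KEY, string_to_sign("GET", received_by_s3, RESOURCE)))
```
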

anomalizer commented 10 years ago

Can you update the README.md with this finding and issue a pull request?