search

lindenlab / caddy-s3-proxy

s3 proxy plugin for caddy
Apache License 2.0
72 stars 22 forks source link

Add support to add additional response headers based on custom metadata #33

Open christoph-kluge opened 3 years ago

christoph-kluge commented 3 years ago

In some use cases you would like to add custom headers. I think Cache-Control would be very beneficial in many scenarios. Additionally there might be some even more headers for custom use-cases.

In the first place I support more common headers (hardcoded) which are potentially frequently used in combination with s3:

And in a second iteration I would like to add configuration for custom headers.

s3proxy {
    allow_headers {
        x-custom-header-1
        x-custom-header-2
        x-custom-header-3
    }
}

What do you think?

rayjlinden commented 3 years ago

So allow-headers would just be a "safety" thing to key any random headers someone put on an S3 object from being sent along as well?

christoph-kluge commented 3 years ago

My implementation in the PR went from "only selected headers from the object" to "all custom headers on the object".

According to the new situation I think that a deny_headersor skip_headers would be more suitable.

A little bit more sophisticated solution could be very close to what was implemented in the logging module. Specify filters on fields: https://caddyserver.com/docs/caddyfile/directives/log#examples

I could think that we could re-use this and apply such filters to the headers for full customization to support all needs one could have.

s3proxy {
    headers {
        # remove headers on the S3Client request (dunno if this example makes sense)
        request>Authorization delete
        request>headers>Pragma delete

        # remove/deny custom headers on the response
        response>Cache-Control delete
        response>X-Debug-Header-123 delete

        # add a custom-header "hit" to the response
        response>X-Cache-S3-Proxy "hit"
    }
}
rayjlinden commented 3 years ago

I like this idea. In fact, one could (and should) implement auth in caddy if s3 proxy is exposed to the internet and they have enable_put on.

This feature would enable the to remove auth related headers before passing them on to AWS. In fact, now that all headers are passed though this might be quite important.