Proxy cache passes GET instead of HEAD to upstream... so we have a 403.
This version include these fixes.
- Remove $request_method from $string_to_sign and pass static string "GET" instead
- Remove proxy_buffering directive for allowing the nginx cache
-
-
Save misostack/a814db131db42f16d6335074e2889d9d to your computer and use it in GitHub Desktop.
Nginx proxy to S3 with caching
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| location ~* ^/s3/(.*) { | |
| proxy_cache static; | |
| proxy_cache_valid 200 24h; | |
| proxy_hide_header x-amz-id-2; | |
| proxy_hide_header x-amz-request-id; | |
| proxy_hide_header Set-Cookie; | |
| proxy_ignore_headers Set-Cookie; | |
| set $bucket '<REPLACE WITH YOUR S3 BUCKET NAME>'; | |
| set $aws_access '<REPLACE WITH YOUR AWS ACCESS KEY>'; | |
| set $aws_secret '<REPLACE WITH YOUR AWS SECRET KEY>'; | |
| set $url_full "$1"; | |
| set_by_lua $now "return ngx.cookie_time(ngx.time())"; | |
| set $string_to_sign "GET\n\n\n\nx-amz-date:${now}\n/$bucket/$url_full"; | |
| set_hmac_sha1 $aws_signature $aws_secret $string_to_sign; | |
| set_encode_base64 $aws_signature $aws_signature; | |
| proxy_http_version 1.1; | |
| proxy_set_header Host $bucket.s3.amazonaws.com; | |
| proxy_set_header x-amz-date $now; | |
| proxy_set_header Authorization "AWS $aws_access:$aws_signature"; | |
| # proxy_buffering off; | |
| proxy_intercept_errors on; | |
| rewrite .* /$url_full break; | |
| proxy_pass http://s3.amazonaws.com; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment