Varnish AWS S3 Gateway VCL
#
# Varnish AWS S3 Gateway VCL
#
# Allows global read (GET, HEAD) and ACL protected writes (POST, PUT, DELETE).
# When writing, pass in Content-Type and Content-MD5, both are optional.
#
# Params:
#
# %BUCKET% - S3 bucket name, S3 host may be regional
# %ACCESS_ID% - IAM access ID for bucket
# %SECRET_KEY% - IAM secret key for access ID
#
vcl 4.0;
import digest;
# S3 origin for the bucket; %BUCKET% is substituted before the VCL is loaded.
#
# NOTE(review): port 80 is cleartext HTTP. Object bodies and the signed
# Authorization header added in vcl_backend_fetch cross the network
# unencrypted, so an on-path observer can read them. If this Varnish build
# cannot speak TLS to backends, point the backend at a local TLS-originating
# proxy instead of sending traffic to S3 directly.
backend default {
    .port = "80";
    .host = "%BUCKET%.s3.amazonaws.com";
}
# Addresses allowed to send write (non-GET/HEAD) requests; vcl_recv matches
# client.ip against this list. Only IPv4 loopback is listed (no "::1").
#
# NOTE(review): client.ip is the address of the TCP peer. If a TLS terminator
# or reverse proxy on this host connects to Varnish over loopback without the
# PROXY protocol, every request arrives as 127.0.0.1 and matches this ACL.
# Confirm how clients reach this listener before relying on it.
acl s3_write {
    "127.0.0.1";
}
# Access control for incoming requests.
#
# GET and HEAD are accepted from any client. Every other method is treated as
# a write and answered with a synthetic 403 unless client.ip matches the
# s3_write ACL. Note that this is "anything except GET/HEAD", not only
# POST, PUT and DELETE.
#
# No return is issued for accepted requests, so processing continues in the
# built-in vcl_recv.
#
# NOTE(review): anonymous reads are later signed with the gateway's IAM
# credentials in vcl_backend_fetch, so any GET the IAM identity is permitted
# to make is reachable without authentication through this gateway. Scope the
# IAM policy to the minimum read permissions the gateway is meant to expose.
sub vcl_recv {
    if (req.method != "GET" && req.method != "HEAD") {
        # Write request: only clients in the s3_write ACL may proceed.
        if (client.ip !~ s3_write) {
            return (synth(403, "Access denied"));
        }
    }
}
# Signs every backend request with the gateway's IAM credentials.
#
# The Authorization header has the form "AWS <access id>:<signature>", where
# the signature is an HMAC-SHA1 over method, Content-MD5, Content-Type, Date
# and "/<bucket><url>", each separated by a newline. This is the legacy AWS
# signature (version 2) layout.
# NOTE(review): newer S3 regions accept only Signature Version 4 - confirm
# the bucket's region still accepts this scheme.
#
# NOTE(review): %SECRET_KEY% is embedded in the loaded VCL. Restrict read
# access to the VCL file and to the Varnish CLI (vcl.show prints the source),
# and prefer an IAM key limited to this bucket.
#
# NOTE(review): no x-amz-* request headers are included in the signed string.
# S3 adds them to its own calculation, so a request carrying such headers is
# presumably rejected with a signature mismatch rather than honoured - verify.
# bereq.url is signed as-is, query string included; confirm this matches how
# S3 canonicalises the resource for the requests you expect.
sub vcl_backend_fetch
{
# Replace the client-supplied Host with the bucket host.
set bereq.http.Host = "%BUCKET%.s3.amazonaws.com";
# Overwrite Date with the current time; the same value is signed below.
set bereq.http.Date = now;
# Temporary header holding a single newline, used as the field separator
# in the string to sign. It is removed again before the request is sent.
set bereq.http.NL = {"
"};
# Any Authorization header sent by the client is overwritten here.
set bereq.http.Authorization = "AWS " + "%ACCESS_ID%" + ":" +
digest.base64_hex(digest.hmac_sha1("%SECRET_KEY%",
bereq.method + bereq.http.NL + bereq.http.Content-MD5 + bereq.http.NL +
bereq.http.Content-Type + bereq.http.NL + bereq.http.Date + bereq.http.NL +
"/" + "%BUCKET%" + bereq.url
));
# Drop the helper header so it is not forwarded to S3.
unset bereq.http.NL;
}
# Rewrites the Server response header so clients see the gateway's name
# instead of whatever the backend sent.
#
# NOTE(review): only Server is changed here. Other backend response headers
# are delivered untouched; S3 normally adds x-amz-* headers such as request
# ids, so unset them here if they should not be exposed to clients.
sub vcl_deliver {
    set resp.http.Server = "Varnish AWS S3 Gateway";
}