diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
index 69d54e2274..10199063fa 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
@@ -16,6 +16,20 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) {
     # have been signed over, leading to signature mismatches.
     proxy_set_header x-amz-cf-id "";
 
+    # Strip off any auth request headers which the Zulip client might
+    # have sent, as they will not work for S3, and will report an error due
+    # to the signed auth header we also provide.
+    proxy_set_header Authorization "";
+    proxy_set_header x-amz-security-token "";
+
+    # These headers are only valid if there is a body, but better to
+    # strip them to be safe.
+    proxy_set_header Content-Length "";
+    proxy_set_header Content-Type "";
+    proxy_set_header Content-MD5 "";
+    proxy_set_header x-amz-content-sha256 "";
+    proxy_set_header Expect "";
+
     # Ensure that we only get _one_ of these response headers: the one
     # that Django added, not the one from S3.
     proxy_hide_header Cache-Control;
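Review bot: Clearing the length header with the new `proxy_set_header Content-Length "";` line does not stop nginx from forwarding a request body the client actually sent, so a request to this location that carries a body would reach S3 with a body but no framing header, which S3 will reject or misframe. The adjacent comment already concedes these headers only matter when there is a body; the robust guarantee is to never forward one, by adding `proxy_pass_request_body off;` next to the stripped headers, which also makes the `Content-Type`, `Content-MD5`, `x-amz-content-sha256` and `Expect` removals consistent with what actually goes upstream. I would also confirm that client-identifying headers such as `Cookie` are dropped earlier in this `location` block, since anything not cleared here is sent to S3 along with the signed request. The enclosing `location ~ ^/internal/s3/...` block starts before and ends after this hunk, so I cannot see from the diff whether it is marked `internal;` or already strips those headers.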