From 549f4fe00ba8a19a843986d628c5f4bb8c106dc2 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 28 May 2024 11:51:35 -0400
Subject: [PATCH] nginx: Strip off request headers which might affect S3's behaviour.

Clients making requests to Zulip with a `Authorization: Basic ...` for an upload in S3 pass along all of their request headers to the S3 backend -- causing errors of the form: ```xml InvalidArgument Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified Authorization Basic ... ... ... ``` Strip off all request headers which AWS reports that S3 may read[^1]. Fixes: #30180. [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html
---
 .../zulip-include-frontend/uploads-internal.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
index 69d54e2274..10199063fa 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
@@ -16,6 +16,20 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) {
     # have been signed over, leading to signature mismatches.
     proxy_set_header x-amz-cf-id "";
+    # Strip off any auth request headers which the Zulip client might
+    # have sent, as they will not work for S3, and will report an error due
+    # to the signed auth header we also provide.
+    proxy_set_header Authorization "";
+    proxy_set_header x-amz-security-token "";
+
+    # These headers are only valid if there is a body, but better to
+    # strip them to be safe.
+    proxy_set_header Content-Length "";
+    proxy_set_header Content-Type "";
+    proxy_set_header Content-MD5 "";
+    proxy_set_header x-amz-content-sha256 "";
+    proxy_set_header Expect "";
+
     # Ensure that we only get _one_ of these response headers: the one
     # that Django added, not the one from S3.
     proxy_hide_header Cache-Control;
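Review bot: The description says every request header AWS documents S3 as reading is stripped, but the seven added `proxy_set_header` lines leave out `Date` and `x-amz-date` (and `Host`, which proxy_pass already controls), as far as I recall that page; a client-supplied `x-amz-date` is the one most likely to interact with the presigned-URL signature, so either add `proxy_set_header x-amz-date "";` beside the `x-amz-security-token` line or narrow the comment to say only the auth- and body-related headers are cleared. Clearing `Content-Length` appears to override nginx's own `$proxy_internal_body_length` default, so it is only safe if this location never forwards a request body; if these paths are GET/HEAD-only, saying so in the second comment would make the "better to strip them to be safe" reasoning verifiable. The enclosing `location` block starts before the hunk and continues after it.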