mirror of https://github.com/zulip/zulip.git
nginx: Strip off request headers which might affect S3's behaviour.
Clients making requests to Zulip with a `Authorization: Basic ...` for an upload in S3 pass along all of their request headers to the S3 backend -- causing errors of the form: ```xml <?xml version="1.0" encoding="UTF-8"?> <Error> <Code>InvalidArgument</Code> <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message> <ArgumentName>Authorization</ArgumentName> <ArgumentValue>Basic ...</ArgumentValue> <RequestId>...</RequestId> <HostId>...</HostId> </Error> ``` Strip off all request headers which AWS reports that S3 may read[^1]. Fixes: #30180. [^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html
This commit is contained in:
parent
842fdb55d3
commit
549f4fe00b
|
@ -16,6 +16,20 @@ location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
|
||||||
# have been signed over, leading to signature mismatches.
|
# have been signed over, leading to signature mismatches.
|
||||||
proxy_set_header x-amz-cf-id "";
|
proxy_set_header x-amz-cf-id "";
|
||||||
|
|
||||||
|
# Strip off any auth request headers which the Zulip client might
|
||||||
|
# have sent, as they will not work for S3, and will report an error due
|
||||||
|
# to the signed auth header we also provide.
|
||||||
|
proxy_set_header Authorization "";
|
||||||
|
proxy_set_header x-amz-security-token "";
|
||||||
|
|
||||||
|
# These headers are only valid if there is a body, but better to
|
||||||
|
# strip them to be safe.
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_set_header Content-Type "";
|
||||||
|
proxy_set_header Content-MD5 "";
|
||||||
|
proxy_set_header x-amz-content-sha256 "";
|
||||||
|
proxy_set_header Expect "";
|
||||||
|
|
||||||
# Ensure that we only get _one_ of these response headers: the one
|
# Ensure that we only get _one_ of these response headers: the one
|
||||||
# that Django added, not the one from S3.
|
# that Django added, not the one from S3.
|
||||||
proxy_hide_header Cache-Control;
|
proxy_hide_header Cache-Control;
|
||||||
|
|
Loading…
Reference in New Issue