nginx: Strip off request headers which might affect S3's behaviour.

Clients making requests to Zulip with an `Authorization: Basic ...` for
an upload in S3 pass along all of their request headers to the S3
backend -- causing errors of the form:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>InvalidArgument</Code>
  <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm
  query parameter, Signature query string parameter or the
  Authorization header should be specified</Message>
  <ArgumentName>Authorization</ArgumentName>
  <ArgumentValue>Basic ...</ArgumentValue>
  <RequestId>...</RequestId>
  <HostId>...</HostId>
</Error>
```

Strip off all request headers which AWS reports that S3 may read[^1].

Fixes: #30180.

[^1]: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders.html
Alex Vandiver 2024-05-28 11:51:35 -04:00 committed by Tim Abbott
parent 842fdb55d3
commit 549f4fe00b
1 changed files with 14 additions and 0 deletions

@ -16,6 +16,20 @@ location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
# have been signed over, leading to signature mismatches. # have been signed over, leading to signature mismatches.
proxy_set_header x-amz-cf-id ""; proxy_set_header x-amz-cf-id "";
# Strip off any auth request headers which the Zulip client might
# have sent, as they will not work for S3, and will report an error due
# to the signed auth header we also provide.
proxy_set_header Authorization "";
proxy_set_header x-amz-security-token "";
# These headers are only valid if there is a body, but better to
# strip them to be safe.
proxy_set_header Content-Length "";
proxy_set_header Content-Type "";
proxy_set_header Content-MD5 "";
proxy_set_header x-amz-content-sha256 "";
proxy_set_header Expect "";
# Ensure that we only get _one_ of these response headers: the one # Ensure that we only get _one_ of these response headers: the one
# that Django added, not the one from S3. # that Django added, not the one from S3.
proxy_hide_header Cache-Control; proxy_hide_header Cache-Control;
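
Review bot: The run of `proxy_set_header ... "";` lines beginning at `proxy_set_header Authorization "";` is a denylist, so any client-supplied header that S3 interprets but that is not named here still reaches the backend alongside the signed request. Either say in the first comment that the list mirrors the AWS common-request-headers page cited in the commit message, so a later reader knows what to re-check when that page changes, or invert the approach with `proxy_pass_request_headers off;` and re-add only the headers the download path needs. Separately, the second comment says the Content-* headers and `Expect` are only valid with a body, but nothing in these lines drops the body itself; add `proxy_pass_request_body off;` or state in the comment that this internal location never receives one.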