mirror of https://github.com/zulip/zulip.git
nginx: Do not forward X-amz-cf-id header to S3.
All `X-amz-*` headers must be included in the signed request to S3; since Django did not take those headers into account (it constructed a request from scratch, while nginx's request inherits them from the end-user's request), the proxied request fails to be signed correctly. Strip off the `X-amz-cf-id` header added by CloudFront. While we would ideally strip off all `X-amz-*` headers, this requires a third-party module[^1]. [^1]: https://github.com/openresty/headers-more-nginx-module#more_clear_input_headers
parent
4fc1bac473
commit
e8c8544028
|
@ -12,8 +12,12 @@ location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
|
||||||
set $download_url https://$s3_hostname/$s3_path;
|
set $download_url https://$s3_hostname/$s3_path;
|
||||||
proxy_set_header Host $s3_hostname;
|
proxy_set_header Host $s3_hostname;
|
||||||
|
|
||||||
# Ensure that we only get _one_ of these headers: the one that
|
# Strip off X-amz-cf-id header, which otherwise the request has to
|
||||||
# Django added, not the one from S3.
|
# have been signed over, leading to signature mismatches.
|
||||||
|
proxy_set_header x-amz-cf-id "";
|
||||||
|
|
||||||
|
# Ensure that we only get _one_ of these response headers: the one
|
||||||
|
# that Django added, not the one from S3.
|
||||||
proxy_hide_header Cache-Control;
|
proxy_hide_header Cache-Control;
|
||||||
proxy_hide_header Expires;
|
proxy_hide_header Expires;
|
||||||
proxy_hide_header Set-Cookie;
|
proxy_hide_header Set-Cookie;
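Review bot: The new `proxy_set_header x-amz-cf-id "";` removes only one named header, so any other `X-amz-*` request header sent by a client or by an intermediary in front of nginx is still forwarded to S3 and, per the commit description, would still invalidate the signature. An allowlist that needs no third-party module may be possible with `proxy_pass_request_headers off;` followed by explicit `proxy_set_header` lines for the headers downloads actually need (for example `proxy_set_header Range $http_range;`). That would have to be checked against the rest of the location block, which continues outside the hunk. If the single-header approach stays, the comment should state the limitation, e.g. `# Only X-amz-cf-id is stripped; other X-amz-* request headers are still forwarded and will break the signature.`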
|
||||||
|
|