nginx: Do not forward X-amz-cf-id header to S3.

All `X-amz-*` headers must be included in the signed request to S3;
since Django did not take those headers into account (it constructed a
request from scratch, while nginx's request inherits them from the
end-user's request), the proxied request fails to be signed correctly.

Strip off the `X-amz-cf-id` header added by CloudFront.  While we
would ideally strip off all `X-amz-*` headers, this requires a
third-party module[^1].

[^1]: https://github.com/openresty/headers-more-nginx-module#more_clear_input_headers
This commit is contained in:
Alex Vandiver 2023-08-28 17:17:10 +00:00 committed by Tim Abbott
parent 4fc1bac473
commit e8c8544028
1 changed files with 6 additions and 2 deletions

View File

@ -12,8 +12,12 @@ location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
set $download_url https://$s3_hostname/$s3_path; set $download_url https://$s3_hostname/$s3_path;
proxy_set_header Host $s3_hostname; proxy_set_header Host $s3_hostname;
# Ensure that we only get _one_ of these headers: the one that # Strip off X-amz-cf-id header, which otherwise the request has to
# Django added, not the one from S3. # have been signed over, leading to signature mismatches.
proxy_set_header x-amz-cf-id "";
# Ensure that we only get _one_ of these response headers: the one
# that Django added, not the one from S3.
proxy_hide_header Cache-Control; proxy_hide_header Cache-Control;
proxy_hide_header Expires; proxy_hide_header Expires;
proxy_hide_header Set-Cookie; proxy_hide_header Set-Cookie;