unboundsoftware/nginx-s3-upload
Archived
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Fetch access key, secret and token from metadata service using resty-http if not provided as ENV-props

Browse Source
This commit is contained in:
Joakim Olsson
2019-08-02 11:46:00 +02:00
parent 8200f46985
commit a6c6363c9f
7 changed files with 1781 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nginx.conf
+13 -18
View File
@@ -12,22 +12,15 @@ events {
http {
lua_load_resty_core off;
lua_package_path "/tmp/lua-resty-core/lib/?.lua;/tmp/lua/?.lua;;";
lua_package_path "/tmp/lua-resty-core/lib/?.lua;/tmp/lua-resty-http/lib/?.lua;/tmp/lua/?.lua;;";
lua_package_cpath '/usr/lib/x86_64-linux-gnu/lua/5.1/?.so;;';
proxy_max_temp_file_size 0;
proxy_buffering off;
server_names_hash_bucket_size 256;
client_body_buffer_size 128k;
proxy_buffer_size 32k;
proxy_buffers 4 32k;
lua_need_request_body on;
lua_socket_buffer_size 128k;
client_max_body_size 10m;
client_body_buffer_size 10m;
server {
listen 80;
client_max_body_size 0;
location /healthcheck {
add_header Content-Type text/plain;
@@ -67,24 +60,28 @@ http {
set $url https://$phost$ppath;
set $returnurl https://$baseurl$ppath;
set $acl public-read;
set $contentSha256 "";
set $contentSha256 "UNSIGNED-PAYLOAD";
set $authorization "";
set $token "";
access_by_lua_block {
local sha2 = require("sha2")
ngx.req.read_body()
local body = ngx.req.get_body_data()
local contentSha256 = sha2.hash256(body)
ngx.var.contentSha256 = contentSha256
local fetcher = require("fetcher")
local sign = require("sign")
local key, secret, token = fetcher.fetch()
local headers = {["x-amz-acl"] = ngx.var.acl, ["x-amz-date"] = ngx.var.timestamp, ["x-amz-content-sha256"] = ngx.var.contentSha256, ["date"] = ngx.var.date, ["host"] = ngx.var.phost }
ngx.var.authorization = sign.sign(os.getenv("AWS_ACCESS_KEY_ID"), os.getenv("AWS_SECRET_ACCESS_KEY"), os.time(), ngx.var.ppath, headers, ngx.var.region)
if token then
ngx.var.token = token
headers["x-amz-security-token"] = token
end
ngx.var.authorization = sign.sign(key, secret, os.time(), ngx.var.ppath, headers, ngx.var.region)
}
proxy_set_header date $date;
proxy_set_header host $phost;
proxy_set_header x-amz-acl $acl;
proxy_set_header x-amz-date $timestamp;
proxy_set_header x-amz-security-token $token;
proxy_set_header x-amz-content-sha256 $contentSha256;
proxy_set_header Authorization $authorization;
proxy_hide_header x-amz-id-2;
@@ -95,8 +92,6 @@ http {
resolver_timeout 10s;
add_header 'Access-Control-Expose-Headers' 'X-File-Url';
add_header X-debug-message $authorization always;
proxy_pass $url;
}
}