README.md

# AWS proxy module

[![Build Status](https://travis-ci.com/anomalizer/ngx_aws_auth.svg?branch=master)](https://travis-ci.com/anomalizer/ngx_aws_auth)
[![Gitter chat](https://badges.gitter.im/anomalizer/ngx_aws_auth.png)](https://gitter.im/ngx_aws_auth/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link)

This nginx module can proxy requests to authenticated S3 backends using Amazon's
V4 authentication API. The first version of this module was written for the V2
authentication protocol and can be found in the *AuthV2* branch.

## License
This project uses the same license as nginx does, i.e. the 2-clause BSD / simplified BSD / FreeBSD license.

## Usage example

Implements proxying of authenticated requests to S3.
```nginx
  server {
    listen     8000;

    aws_access_key your_aws_access_key; # Example AKIDEXAMPLE
    aws_key_scope scope_of_generated_signing_key; # Example 20150830/us-east-1/service/aws4_request
    aws_signing_key signing_key_generated_using_script; # Example L4vRLWAO92X5L3Sqk5QydUSdB0nC9+1wfqLMOKLbRp4=
    aws_s3_bucket your_s3_bucket;

    location / {
      aws_sign;
      proxy_pass http://your_s3_bucket.s3.amazonaws.com;
    }

    # This is an example that does not use the server root for the proxy root
    location /myfiles {

      rewrite /myfiles/(.*) /$1 break;
      proxy_pass http://your_s3_bucket.s3.amazonaws.com/$1;

      aws_sign; # requests are only signed in locations that enable it
      aws_access_key your_aws_access_key;
      aws_key_scope scope_of_generated_signing_key;
      aws_signing_key signing_key_generated_using_script;
    }

    # This is an example that uses a specific S3 endpoint; the default endpoint is s3.amazonaws.com
    location /s3_beijing {

      rewrite /s3_beijing/(.*) /$1 break;
      proxy_pass http://your_s3_bucket.s3.cn-north-1.amazonaws.com.cn/$1;

      aws_sign;
      aws_endpoint "s3.cn-north-1.amazonaws.com.cn";
      aws_access_key your_aws_access_key;
      aws_key_scope scope_of_generated_signing_key;
      aws_signing_key signing_key_generated_using_script;
    }
  }
```

## Security considerations
The V4 protocol does not need access to the actual secret keys that one obtains
from the IAM service. The correct way to use the IAM key is to generate a scoped
signing key from it and use that signing key to access S3. This nginx module
requires the signing key, not the actual secret key. Letting the secret key
reside on your nginx server is an insecure practice.

Note that signing keys have a validity of just one week. Hence, they need to
be refreshed constantly. Use your favourite configuration management
system such as saltstack, puppet, chef, etc. to distribute the signing
keys to your nginx clusters. Do not forget to HUP the server after placing the new
signing key, as nginx reads the configuration only at startup time.

A standalone python script has been provided to generate the signing key.
```
./generate_signing_key -h
usage: generate_signing_key [-h] -k SECRET_KEY -r REGION [-s SERVICE]
                            [-d DATE] [--no-base64] [-v]

Generate AWS S3 signing key in it's base64 encoded form

optional arguments:
  -h, --help            show this help message and exit
  -k SECRET_KEY, --secret-key SECRET_KEY
                        The secret key generated using AWS IAM. Do not confuse
                        this with the access key id
  -r REGION, --region REGION
                        The AWS region where this key would be used. Example:
                        us-east-1
  -s SERVICE, --service SERVICE
                        The AWS service for which this key would be used.
                        Example: s3
  -d DATE, --date DATE  The date on which this key is generated in yyyymmdd
                        format
  --no-base64           Disable output as a base64 encoded string. This NOT
                        recommended
  -v, --verbose         Produce verbose output on stderr


./generate_signing_key -k wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY -r us-east-1
L4vRLWAO92X5L3Sqk5QydUSdB0nC9+1wfqLMOKLbRp4=
20160902/us-east-1/s3/aws4_request

```
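The derivation the script performs, written out as an added example (this is not the project's `generate_signing_key` nor its reference implementation): the SigV4 HMAC chain that turns the IAM secret into the scoped key, the two values that go into `aws_key_scope` and `aws_signing_key`, and a helper that flags a key whose one-week validity is running out so rotation can be alerted on. The seven-day expiry model and the helper names are assumptions of this example; the secret below is the AWS documentation example key, not a real credential.

```python
import base64
import hashlib
import hmac
from datetime import datetime

SIGNING_KEY_VALIDITY_DAYS = 7  # assumption: key usable for seven days from its scope date


def derive_signing_key(secret_key: str, day: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: an HMAC-SHA256 chain over the date, region, service
    and the literal "aws4_request". Only the resulting scoped key is handed to
    nginx; the IAM secret stays on the machine that runs this function."""
    k_date = hmac.new(("AWS4" + secret_key).encode(), day.encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, service.encode(), hashlib.sha256).digest()
    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()


def key_scope(day: str, region: str, service: str = "s3") -> str:
    """The scope string expected by the aws_key_scope directive."""
    return f"{day}/{region}/{service}/aws4_request"


def nginx_key_directives(secret_key: str, day: str, region: str, service: str = "s3") -> "tuple[str, str]":
    """Return (aws_key_scope value, aws_signing_key value) for the nginx config."""
    key = derive_signing_key(secret_key, day, region, service)
    return key_scope(day, region, service), base64.b64encode(key).decode("ascii")


def days_until_expiry(scope: str, today: str) -> int:
    """Days left before the key described by `scope` stops working, judged from
    `today` (yyyymmdd). A negative result means it has expired and the nginx
    cluster is serving S3 errors until a fresh key is distributed and HUPed in."""
    issued = datetime.strptime(scope.split("/")[0], "%Y%m%d")
    now = datetime.strptime(today, "%Y%m%d")
    return SIGNING_KEY_VALIDITY_DAYS - (now - issued).days


if __name__ == "__main__":
    # Constructed input: AWS documentation example secret, scope date from this README.
    scope, b64key = nginx_key_directives("wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "20160902", "us-east-1")
    print(f"aws_key_scope   {scope};")
    print(f"aws_signing_key {b64key};")
    print("days until expiry on 20160908:", days_until_expiry(scope, "20160908"))
```

The `derive_signing_key` output for date `20150830`, region `us-east-1`, service `iam` matches the signing-key example in the AWS SigV4 documentation, which is a convenient way to check any re-implementation before trusting its keys in production.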
## Supported environments
This plugin is tested against a variety of nginx versions, compilers, OS versions and hardware architectures. Take a look at the .travis.yml file or the latest travis build status to see the versions that the plugin has been tested against.


## Known limitations
The 2.x version of the module currently only has support for GET and HEAD calls. This is because
signing the request body is complex and has not yet been implemented.



## Credits
Original idea based on http://nginx.org/pipermail/nginx/2010-February/018583.html and the suggestion of moving to variables rather than patching the proxy module.

Subsequent contributions can be found in the commit logs of the project.
115