Amazon S3 authentication patch

Vicente Aguilar bisente at bisente.com
Thu Feb 4 11:33:21 MSK 2010


Hi

I've modified the proxy module to be able to authenticate with Amazon S3. It also supports the secure download patch by removing the trailing ticket (MD5/timestamp) from the URL.

The rationale behind this is: we're using S3 to offload all our app's static files but need some of them to be public (images) and some private (downloads for registered users). We're using nginx as a proxy to S3 to cache requests and minimize the per-GET cost of S3, so our first approach was a security-through-obscurity one: as the final user only sees our URL and not the real bucket's URL, we could make the whole bucket public and use the secure download patch just on some locations, so that the user couldn't download files from there. But this protection was only on our server; if some user guessed our S3 bucket, he could download everything directly from S3.

With this patch we can make parts of the bucket private, and authenticate with S3 so that only our servers are able to download them. And it plays nice with the secure download patch, so the files are secure both on S3 and through our proxy.

Please find the patch attached. This is my first attempt at hacking more than a couple lines into nginx, so I'm sure some code cleanup might apply. I particularly don't like using static char arrays (should move to ngx_copy and such) and couldn't get ngx_conf_set_flag_slot to work for config options.

Config syntax is as follows:

        location /private/ {
                proxy_pass         http://BUCKET.s3.amazonaws.com/private/;
                proxy_s3_auth on;
                proxy_s3_secure_download on;   # optional if you're also using secdownload
                proxy_s3_bucket BUCKET;  
                proxy_s3_user S3_USER_ID;
                proxy_s3_pass S3_PASSWORD;
        }

Any comments, suggestions, and code corrections are welcome. :-)

Regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx_proxy_s3-0.1.diff.bz2
Type: application/x-bzip2
Size: 1682 bytes
Desc: not available
URL: <http://nginx.org/pipermail/nginx/attachments/20100204/59793aa6/attachment-0001.bin>
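
The per-request work described in the message above (drop the download ticket, then sign the GET for S3), as an added example that is not the attached patch or any nginx code. It assumes S3's HMAC-SHA1 header authentication (Signature Version 2, the REST scheme in use in 2010) and a ticket appended as `/<md5>/<hex timestamp>`; the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import re
from email.utils import formatdate

# Assumed ticket layout: "/<32-hex MD5>/<hex timestamp>" appended to the path.
TICKET_RE = re.compile(r"/[0-9a-fA-F]{32}/[0-9a-fA-F]{1,16}$")


def strip_ticket(uri):
    """Drop the trailing ticket so S3 is asked for the real object key."""
    return TICKET_RE.sub("", uri)


def s3_v2_signature(secret_key, method, bucket, path, date):
    """Base64(HMAC-SHA1(secret, StringToSign)) for a bodyless request with
    no x-amz-* headers and no sub-resource, i.e. a plain proxied GET."""
    string_to_sign = "\n".join([
        method,
        "",                   # Content-MD5: empty for GET
        "",                   # Content-Type: empty for GET
        date,                 # must match the Date header sent upstream
        "/" + bucket + path,  # canonicalized resource
    ])
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def upstream_request(access_key, secret_key, bucket, client_uri, date=None):
    """Return (path, headers) for the GET the proxy sends to S3."""
    date = date or formatdate(usegmt=True)
    path = strip_ticket(client_uri)
    signature = s3_v2_signature(secret_key, "GET", bucket, path, date)
    headers = {
        "Host": bucket + ".s3.amazonaws.com",
        "Date": date,
        "Authorization": "AWS " + access_key + ":" + signature,
    }
    return path, headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    uri = "/private/report.pdf/0123456789abcdef0123456789abcdef/4b6a9f11"
    path, headers = upstream_request("AKIDEXAMPLE", "constructed-secret", "BUCKET", uri)
    print("GET", path)
    for name, value in headers.items():
        print(name + ": " + value)
```

Only the HMAC travels upstream, so the secret stays in the proxy's configuration and that file should be readable by the nginx user alone. S3 rejects signed requests whose Date is more than 15 minutes off, so the proxy host needs a synchronized clock.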

