Signing Amazon SDB requests

[AndrewH]

I am looking for some advice on the recommended way of achieving the
following.

I need to sign Amazon Simple Database (SDB) queries with our Amazon Web
Services credentials before forwarding them to upstream Amazon's SDB
servers.  

The proxying behaviour will be taken care of by the proxy module but I'm
not sure how to implement the actual signing.

On first glance, it sounds similar to the module that performs this for
Amazon S3 requests.  Unfortunately this doesn't work for SDB requests as
the parameters in an SDB request are encoded in the arguments of the URI
(...site.com/?SDBArg1=val1&SDBArg2=val2)  whereas S3 parameters are
passed as separate HTTP headers.  

I have looked at the rewrite module but the URI can only be manipulated
using regular expressions and the processing I need to do is more
complex than what the rewrite module can achieve ie.

1 Parse and decode the URI args to an SDB args list
2 Add several args to the SDB args list
3 Sort SDB args list
4 Generate a SHA message digest of the SDB args list using a user
supplied variable as a key - the Base64 encoding of this is the
signature.
5 Append the signature to the SDB args list
6 Regenerate the URI args
7 Forward it to the upstream

I believe I might be able to do using imbedded Python and writing the
logic as script and integrating it via the rewrite module - but I don't
know Python (I'm a C/C++ dev) and I'm also not in a position to know
whether this solution would scale satisfactorily - so this is not my
preferred option.

What I need to know is what approach I should take to solving this with
minimal effort ie. is there a way of creating a filter that layers
before or after the proxy module which does this work.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,194135,194135#msg-194135