default.conf.template
# njs modules that provide the functions referenced by the js_set / js_content
# directives further down: credential fetching (awscredentials) and request
# signing / routing (s3gateway).
js_import /etc/nginx/include/awscredentials.js;
js_import /etc/nginx/include/s3gateway.js;
# We include only the variables needed for the authentication signatures that
# we plan to use. ${AWS_SIGS_VERSION} is (presumably) expanded when this
# template is rendered, selecting the matching v*_js_vars.conf file.
include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_js_vars.conf;
# Extracts only the path from the requested URI. This strips out all query
# parameters and anchors in order to prevent extraneous data from being sent
# to S3.
map $request_uri $uri_full_path {
    # Non-greedy named capture up to the first "?" — everything from the "?"
    # onward is consumed by the second group and discarded, so only the path
    # component is assigned to $uri_full_path.
    "~^(?P<path>.*?)(\?.*)*$" $path;
}
# Remove/replace a portion of request URL (if configured)
map $uri_full_path $uri_path {
    # If the path starts with STRIP_LEADING_DIRECTORY_PATH, keep only the
    # remainder ($1) and prepend PREFIX_LEADING_DIRECTORY_PATH. Both names are
    # (presumably) template variables expanded at render time, not nginx
    # variables. NOTE(review): the stripped value is inserted verbatim into a
    # "~" regex, so PCRE metacharacters in it would be interpreted as such —
    # presumably the value is a plain path prefix; confirm.
    "~^$STRIP_LEADING_DIRECTORY_PATH(.*)" $PREFIX_LEADING_DIRECTORY_PATH$1;
    # No match: prepend the prefix to the untouched full path.
    default $PREFIX_LEADING_DIRECTORY_PATH$uri_full_path;
}
# Host header sent upstream, chosen by the S3 addressing style in use.
map $S3_STYLE $s3_host_hdr {
    # Virtual-hosted style: the bucket name is a subdomain of the S3 server.
    virtual "${S3_BUCKET_NAME}.${S3_SERVER}";
    # Path style: plain server and port; the bucket is part of the URI instead.
    path "${S3_SERVER}:${S3_SERVER_PORT}";
    # Any other / unset value falls back to the virtual-hosted form.
    default "${S3_BUCKET_NAME}.${S3_SERVER}";
}
# Mutable state shared with the njs code; $forIndexPage is overridden with
# "set" inside individual locations below.
js_var $indexIsEmpty true;
js_var $forIndexPage true;
# This creates the HTTP authentication header to be sent to S3
js_set $s3auth s3gateway.s3auth;
# Session token forwarded as X-Amz-Security-Token (empty when not applicable —
# presumably handled by the JS; confirm).
js_set $awsSessionToken awscredentials.sessionToken;
# Upstream request URI as computed by the JS; used by the proxy_pass
# directives in the listing/index locations.
js_set $s3uri s3gateway.s3uri;
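server {
    include /etc/nginx/conf.d/gateway/server_variables.conf;

    # Don't display the NGINX version number because we don't want to reveal
    # information that could be used to find an exploit.
    server_tokens off;

    # Uncomment this for a HTTP header that will let you know the cache status
    # of an object.
    # add_header X-Cache-Status $upstream_cache_status;

    # Proxy caching configuration. Customize this for your needs.
    proxy_cache s3_cache;
    proxy_cache_valid 200 302 ${PROXY_CACHE_VALID_OK};
    proxy_cache_valid 404 ${PROXY_CACHE_VALID_NOTFOUND};
    proxy_cache_valid 403 ${PROXY_CACHE_VALID_FORBIDDEN};
    proxy_cache_methods GET HEAD;
    # When this is enabled a HEAD request to NGINX will result in a GET
    # request upstream. Unfortunately, proxy_cache_convert_head has to be
    # disabled because there is no way for the signatures generation code to
    # get access to the metadata in the GET request that is sent upstream.
    proxy_cache_convert_head off;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    # The method is part of the key because HEAD is not converted to GET
    # (see above), so HEAD and GET responses are cached separately. $uri is
    # nginx's normalized URI and carries no query string.
    proxy_cache_key "$request_method$host$uri";
    # If you need to support proxying range request, refer to this article:
    # https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/

    # Do not proxy the S3 SOAP API. The S3 API has a less-documented feature
    # where the object name "soap" is used for the SOAP API. We don't allow
    # access to it.
    # NOTE(review): regex locations are matched ahead of prefix locations, so
    # a path under /soap that ends in /index.html is routed to the
    # "~ /index\.html$" location below rather than here; declare this as
    # "location ^~ /soap" if that is not intended.
    location /soap {
        return 404;
    }

    # Unauthenticated liveness endpoint: answers 200 without contacting S3.
    location /health {
        return 200;
    }

    location / {
        # This value is templated in based on the value of $CORS_ENABLED. When
        # CORS is enabled, acceptable methods are GET, HEAD, and OPTIONS.
        # Otherwise, they are GET and HEAD.
        limit_except ${LIMIT_METHODS_TO} {}

        # CORS is implemented by returning the appropriate headers as part of
        # the response to an OPTIONS request. If you want to customize the
        # CORS response, the cors.conf.template file can be overwritten and
        # extended to meet your needs.
        include /etc/nginx/conf.d/gateway/cors.conf;

        # Run the internal credential-fetching subrequest before the request
        # is dispatched (auth_request semantics: a non-2xx result from the
        # subrequest fails the client request).
        auth_request /aws/credentials/retrieve;

        # Redirect to the proper location based on the client request - either
        # @s3, @s3PreListing or @error405.
        js_content s3gateway.redirectToS3;
    }

    # Target of the auth_request above. "internal" means it is reachable only
    # through subrequests / internal redirects, never directly by a client.
    location /aws/credentials/retrieve {
        internal;
        js_content awscredentials.fetchCredentials;
        include /etc/nginx/conf.d/gateway/js_fetch_trusted_certificate.conf;
    }

    # This is the primary location that proxies the request to s3
    # See the included s3_location_common.conf file for all logic
    location @s3 {
        include /etc/nginx/conf.d/gateway/s3_location_common.conf;
    }

    # Same as the primary location above but handling and caching
    # byte range requests efficiently
    location @s3_sliced {
        proxy_cache s3_cache_slices;
        proxy_cache_valid 200 302 206 ${PROXY_CACHE_VALID_OK};
        # Each slice is cached on its own, so the range is part of the key.
        proxy_cache_key "$request_method$host$uri$slice_range";
        slice ${PROXY_CACHE_SLICE_SIZE};
        proxy_set_header Range $slice_range;
        include /etc/nginx/conf.d/gateway/s3_location_common.conf;
    }

    # Directory-listing entry point, reached by internal redirect from
    # location / (see redirectToS3 above).
    location @s3PreListing {
        # We include only the headers needed for the authentication signatures that
        # we plan to use.
        include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf;

        # The CORS configuration needs to be imported in several places in order for
        # it to be applied within different contexts.
        include /etc/nginx/conf.d/gateway/cors.conf;

        # Don't allow any headers from the client - we don't want them messing
        # with S3 at all.
        proxy_pass_request_headers off;

        # Enable passing of the server name through TLS Server Name Indication extension.
        # NOTE(review): no proxy_ssl_verify / proxy_ssl_trusted_certificate is
        # visible in this file and nginx's default for proxy_ssl_verify is
        # off; confirm an included file enables upstream certificate
        # verification when S3_SERVER_PROTO is https.
        proxy_ssl_server_name on;
        proxy_ssl_name ${S3_SERVER};

        # Set the Authorization header to the AWS Signatures credentials
        proxy_set_header Authorization $s3auth;
        proxy_set_header X-Amz-Security-Token $awsSessionToken;

        # We set the host as the bucket name to inform the S3 API of the bucket
        proxy_set_header Host $s3_host_hdr;

        # Use keep alive connections in order to improve performance
        proxy_http_version 1.1;
        proxy_set_header Connection '';

        # We strip off all of the AWS specific headers from the server so that
        # there is nothing identifying the object as having originated in an
        # object store.
        js_header_filter s3gateway.editHeaders;

        # Apply XSL transformation to the XML returned from S3 directory listing
        # results such that we can output an HTML directory contents list.
        xslt_stylesheet /etc/nginx/include/listing.xsl;
        xslt_string_param rootPath '${DIRECTORY_LISTING_PATH_PREFIX}';
        xslt_types application/xml;

        # We apply an output filter to the XML input received from S3 before it
        # is passed to XSLT in order to determine if the resource is not a valid
        # S3 directory. If it isn't a valid directory, we do a dirty hack to
        # corrupt the contents of the XML causing the XSLT to fail and thus
        # nginx to return a 404 to the client. If you don't care about empty
        # directory listings for invalid directories, remove this.
        js_body_filter s3gateway.filterListResponse;

        # Catch all errors from S3 and sanitize them so that the user can't
        # gain intelligence about the S3 bucket being proxied.
        proxy_intercept_errors on;
        # Comment out this line to receive the error messages returned by S3
        # (every listed status is collapsed to a 404 served by @error404).
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 =404 @error404;

        js_content s3gateway.loadContent;
        include /etc/nginx/conf.d/gateway/s3listing_location.conf;
    }

    location @s3Directory {
        # We include only the headers needed for the authentication signatures that
        # we plan to use.
        include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf;

        # Necessary for determining the correct URI to construct.
        set $forIndexPage false;

        # The CORS configuration needs to be imported in several places in order for
        # it to be applied within different contexts.
        include /etc/nginx/conf.d/gateway/cors.conf;

        # Don't allow any headers from the client - we don't want them messing
        # with S3 at all.
        proxy_pass_request_headers off;

        # Enable passing of the server name through TLS Server Name Indication extension.
        proxy_ssl_server_name on;
        proxy_ssl_name ${S3_SERVER};

        # Set the Authorization header to the AWS Signatures credentials
        proxy_set_header Authorization $s3auth;
        proxy_set_header X-Amz-Security-Token $awsSessionToken;

        # We set the host as the bucket name to inform the S3 API of the bucket
        proxy_set_header Host $s3_host_hdr;

        # Use keep alive connections in order to improve performance
        proxy_http_version 1.1;
        proxy_set_header Connection '';

        # We strip off all of the AWS specific headers from the server so that
        # there is nothing identifying the object as having originated in an
        # object store.
        js_header_filter s3gateway.editHeaders;

        # Apply XSL transformation to the XML returned from S3 directory listing
        # results such that we can output an HTML directory contents list.
        xslt_stylesheet /etc/nginx/include/listing.xsl;
        xslt_string_param rootPath '${DIRECTORY_LISTING_PATH_PREFIX}';
        xslt_types application/xml;

        # We apply an output filter to the XML input received from S3 before it
        # is passed to XSLT in order to determine if the resource is not a valid
        # S3 directory. If it isn't a valid directory, we do a dirty hack to
        # corrupt the contents of the XML causing the XSLT to fail and thus
        # nginx to return a 404 to the client. If you don't care about empty
        # directory listings for invalid directories, remove this.
        js_body_filter s3gateway.filterListResponse;

        # Catch all errors from S3 and sanitize them so that the user can't
        # gain intelligence about the S3 bucket being proxied.
        proxy_intercept_errors on;
        # Comment out this line to receive the error messages returned by S3
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 =404 @error404;

        # NOTE(review): this uses $s3Uri while the index.html location below
        # uses $s3uri, which is the variable defined by js_set at the top of
        # this file; nginx variable names are case-sensitive. Confirm $s3Uri
        # is defined in an included file, otherwise this should read $s3uri.
        proxy_pass ${S3_SERVER_PROTO}://storage_urls$s3Uri;
        include /etc/nginx/conf.d/gateway/s3listing_location.conf;
    }

    # Configuration for handling locations ending with /index.html. The dot is
    # escaped so that only a literal "index.html" suffix matches.
    # NOTE(review): as a regex location this is matched before the prefix
    # location "/", so the limit_except and auth_request configured there do
    # not apply to requests handled here — confirm that is intended.
    location ~ /index\.html$ {
        # Necessary for determining the correct URI to construct.
        set $forIndexPage true;

        # We include only the headers needed for the authentication signatures that
        # we plan to use.
        include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf;

        # The CORS configuration needs to be imported in several places in order for
        # it to be applied within different contexts.
        include /etc/nginx/conf.d/gateway/cors.conf;

        # Don't allow any headers from the client - we don't want them messing
        # with S3 at all.
        proxy_pass_request_headers off;

        # Enable passing of the server name through TLS Server Name Indication extension.
        proxy_ssl_server_name on;
        proxy_ssl_name ${S3_SERVER};

        # Set the Authorization header to the AWS Signatures credentials
        proxy_set_header Authorization $s3auth;
        proxy_set_header X-Amz-Security-Token $awsSessionToken;

        # We set the host as the bucket name to inform the S3 API of the bucket
        proxy_set_header Host $s3_host_hdr;

        # Use keep alive connections in order to improve performance
        proxy_http_version 1.1;
        proxy_set_header Connection '';

        # We strip off all of the AWS specific headers from the server so that
        # there is nothing identifying the object as having originated in an
        # object store.
        js_header_filter s3gateway.editHeaders;

        # Catch all errors from S3 and sanitize them so that the user can't
        # gain intelligence about the S3 bucket being proxied.
        proxy_intercept_errors on;
        # Comment out this line to receive the error messages returned by S3
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 =404 @error404;

        proxy_pass ${S3_SERVER_PROTO}://storage_urls$s3uri;
        include /etc/nginx/conf.d/gateway/s3listing_location.conf;
    }

    # Sanitized error response used by the error_page directives above.
    location @error404 {
        # The CORS configuration needs to be imported in several places in order for
        # it to be applied within different contexts.
        include /etc/nginx/conf.d/gateway/cors.conf;
        return 404;
    }

    location @trailslashControl {
        # Checks if requesting a folder without trailing slash, and return 302
        # appending a slash to it when using for static site hosting.
        js_content s3gateway.trailslashControl;
    }

    location @trailslash {
        # 302 to request without slashes
        # Adding a ? to the end of the replacement param in `rewrite` prevents it from
        # appending the query string.
        rewrite ^ $scheme://$http_host$uri/$is_args$query_string? redirect;
    }

    # Provide a hint to the client on 405 errors of the acceptable request methods
    error_page 405 @error405;
    location @error405 {
        # "always" emits the Allow header even though the status is an error.
        add_header Allow "${LIMIT_METHODS_TO_CSV}" always;
        return 405;
    }

    include /etc/nginx/conf.d/gateway/s3_server.conf;
}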