Add new ENV config S3_SERVICE_REMOVE_X_AMZ_HEADERS #241
Conversation
…u want to have x-amz headers in nginx proxy
|
CLA Assistant Lite bot ✅ All required contributors have signed the F5 CLA for this PR. Thank you! |
|
I have hereby read the F5 CLA and agree to its terms |
|
I see that CI not passed because S3_SERVICE_REMOVE_X_AMZ_HEADERS was required env I have changed it. Now env S3_SERVICE_REMOVE_X_AMZ_HEADERS is not required |
|
Hi @gawsoftpl thank you for your contribution. Instead of adding a new configuration variable specific to AWS response headers, I think it would be best of all users of the gateway if we could introduce a configuration option that is the opposite of It could follow the same format (list of prefixes separated by We then have two implementation options:
Both achieve the same thing but That way we have a generic way to control both headers stripped and headers preserved. It also helps us take another step towards being more general purpose for non-AWS object stores in the JS code which is desirable. Would this approach also satisfy your needs? |
Ok, so the best solution will be number 2. add Header HEADER_PREFIXES_ALLOWED and remove x-amz- if is allowed. |
There was a problem hiding this comment.
This looks good! I just have two items I'd like to address before we merge:
- Adding some unit tests to confirm the new behaviour
- A few tweaks to the docs that I've noted in a comment
Please let me know if you need my assistance with either of these. In the meantime I'm going to make some time to test in the next day or two. I think we may be missing some areas where the new config var needs to be explicitly allowed (like in the nginx.conf file)
- Fix comments in s3_gateway_test - Add unit test testIsHeaderToBeAllowed
There was a problem hiding this comment.
Thank you so much for all of your work on this.
I tested this against a real S3 bucket and was able to verify that the config variables work together as expected.
I did discover one area where we could improve the messaging:
diff --git a/common/docker-entrypoint.d/00-check-for-required-env.sh b/common/docker-entrypoint.d/00-check-for-required-env.sh
index a09a76a..31b1947 100755
--- a/common/docker-entrypoint.d/00-check-for-required-env.sh
+++ b/common/docker-entrypoint.d/00-check-for-required-env.sh
@@ -134,4 +134,5 @@ echo "Directory Listing Path Prefix: ${DIRECTORY_LISTING_PATH_PREFIX}"
echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}"
echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}"
echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}"
+echo "Allow the following headers from responses (these take precendence over the above): ${HEADER_PREFIXES_ALLOWED}"
echo "CORS Enabled: ${CORS_ENABLED}"
Can you make that small change then I will go ahead and merge it!
I added line: to docker entrypoint |
|
Thanks again for your contribution, @gawsoftpl - the image with your changes is here https://github.com/nginxinc/nginx-s3-gateway/pkgs/container/nginx-s3-gateway%2Fnginx-oss-s3-gateway/211366123?tag=latest-20240502 |
Add S3_SERVICE_REMOVE_X_AMZ_HEADERS header flag for use case where you want to have x-amz headers in nginx proxy
Proposed changes
In my use case I need x-amz headers from s3 in proxy response. I know that this is a security issue. But my project save some metadata in s3 files and do not share it with public.
Checklist
Before creating a PR, run through this checklist and mark each as complete:
README.md).