How to use this with S3 or ES? #13

Open
simonvanderveldt opened this issue Jun 27, 2016 · 3 comments

@simonvanderveldt

I have a question regarding how to use this with S3 (or other services that don't really have an action).
I've been using the code as proposed in #12 with some changes and I've been able to request plain text files from S3, but it doesn't really feel right, mainly because AwsService basically expects one to use performAction and because to make it work with other files I'd have to add all captured headers to the response, effectively creating something that somewhat resembles a proxy.

Wouldn't it make more sense to use this library only for the signing of the request and just proxy_pass the actual request? That would make the code simpler and fix the header issue as well.

Does anyone have any experience with this?

@ddragosd
Member

@simonvanderveldt you're bringing up a good point about using S3 with proxy_pass. Did you manage to get this working? It would be great to document it once we integrate #12.

When NGINX is used only to proxy directly to an AWS service this is not a bad idea.

For other cases (i.e. sending logs to Kinesis on log_by_lua or calling KMS on access_by_lua), performAction can be used instead of proxy_pass as the backend would be different.

@simonvanderveldt
Author

simonvanderveldt commented Jul 7, 2016

@ddragosd sorry for the delay, needed some time to check out the options and see how to implement it, was my first time using openresty :)

Anyway, we currently use AWS ElasticSearch service as well as S3 and we needed a proxy to sign our requests to ElasticSearch using v4 auth based on IAM roles/instance profiles. So I worked on that, though the actual implementation is pretty much the same as it would be for S3.
It's basically:

  • set headers: done by EsService
  • proxy request: done by proxy_pass

I've committed what I have here https://github.com/simonvanderveldt/api-gateway-aws/tree/payjp/extend-get-authz-header based on the code that's in #12. I do think it would be relatively easy to implement this based on master as well, not sure the changes in #12 are actually needed.

I'd be interested to know what you think about it. I don't mind making a PR to include it here, though I expect some things should be changed/enhanced.
There were a couple of issues I ran into, the main one within the current code is that the URI path has to be encoded but the nginx included urlencode functions also encode the slashes which is not what AWS expects. So I added a simple/ugly string replace :x
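
The path-encoding issue described in the comment above, as an added example that is not part of the thread or of api-gateway-aws: each path segment is percent-encoded on its own, so "/" survives as the separator. The `passes` argument goes beyond the comment (SigV4 encodes the path once for S3 and twice for other services). The function names are hypothetical, and the input is assumed to be an already percent-decoded path.

```lua
-- Added example: SigV4-style canonical path encoding in plain Lua (5.1 / LuaJIT).
-- encode_segment and canonical_path are hypothetical names, not library functions.

-- Percent-encode one path segment. Only the RFC 3986 unreserved characters
-- (A-Z a-z 0-9 - _ . ~) are kept; everything else becomes %XX, upper-case hex.
local function encode_segment(segment)
  return (segment:gsub("[^A-Za-z0-9%-_%.~]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

-- Encode a decoded URI path segment by segment, leaving "/" untouched.
-- passes = 1 matches S3; passes = 2 applies the double encoding that SigV4
-- uses for other services, where the "%" of the first pass becomes "%25".
local function canonical_path(path, passes)
  passes = passes or 1
  if path == "" then
    return "/" -- an empty path is signed as "/"
  end
  for _ = 1, passes do
    path = path:gsub("[^/]+", encode_segment)
  end
  return path
end

-- Constructed sample paths (not taken from the thread).
local s3_key = "/logs/2016/07/report (1).txt"
local es_doc = "/my-index/_doc/hello world"

-- Encoding the whole path in one go also escapes the slashes, which is the
-- behaviour the comment ran into.
assert(encode_segment(s3_key) == "%2Flogs%2F2016%2F07%2Freport%20%281%29.txt")

-- Per-segment encoding keeps the slashes.
assert(canonical_path(s3_key) == "/logs/2016/07/report%20%281%29.txt")
assert(canonical_path(es_doc, 2) == "/my-index/_doc/hello%2520world")

-- Multi-byte UTF-8 is encoded byte by byte ("\195\169" is "é").
assert(canonical_path("/caf\195\169") == "/caf%C3%A9")
assert(canonical_path("") == "/")

print(canonical_path(s3_key))
print(canonical_path(es_doc, 2))
```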

simonvanderveldt changed the title from "How to use this with S3?" to "How to use this with S3 or ES?" on Jul 7, 2016

@hectcastro

I put together a working example of how to use the changes in #12 to proxy_pass inbound requests to Amazon S3 using the api-gateway.aws.AwsV4Signature module here:

https://github.com/azavea/docker-s3-proxy-cache

Docker is used to combine the Lua module dependencies with OpenResty into one package. From there, the majority of the heavy lifting is contained within the access_by_lua_block of the default Nginx virtual host configuration:

https://github.com/azavea/docker-s3-proxy-cache/blob/develop/usr/local/openresty/nginx/conf/conf.d/default.conf#L28-L62
