Amazon S3 authentication patch and X-Accell-Redirect

I’ve been using the “Amazon S3 Auth Patch” (which was sent to the list
days ago) for a while, and it works nicely, helping on a lot of issues.
I would like to know is how to get it to work with X-Accel-Redirect, or
someway to accomplish such task, as I could not find a way to make it
as it does without the header. I’ll describe the scenario I have in
order to
make it clear:

  • Application (Rails, in the case) running with nginx + passenger.

  • The rails app controller uses X-Accel-Redirect as described in many
    in the internet. The code is something like:
    response.headers[‘X-Accel-Redirect’] = “/images/someImage.jpg”
    response.headers[‘Content-Type’] = “image/jpeg”

  • The nginx configuration is like this:
    location /images {
    proxy_s3_auth on;
    proxy_s3_bucket myBucketName;
    proxy_s3_user accessKey;
    proxy_s3_pass secretKey;

If I do not use Rails + X-Accel-Redirect (and without the “internal”
option, of course) this configuration does work pretty well. However,
when I
try to use it with X-Accel-Redirect, the patch builds the
header for the path “/images/someImage.jpg” correctly, but what Amazon
receives is the original URL (e.g, the URL we see in the browser is “/
http://localhost:3000/myRailsController/actionName”, and Amazon receives
from nginx the part “/myRailsController/actioName”, instead of
“/images/someImage.jpg”), and thus the hashes doesn’t match (I know that
because I added a lot of debug statements in nginx, and compared it with
results Amazon responded and with the results I got without the
X-Accel-Redirect header).

Is there a way to get it work? Am I missing something?

In time: I had to make a small fix on the original code, which was
when I started using the header. The original code is like

urlend=strchr(url, ’ ‘);
if (plcf->s3_secdown.len && ngx_strcmp(plcf->,“on”)==0) {

However, “urlend” may be null, so I fixed it changing to

if (urlend) {

That’s it.

I appreciate any hint on this.


Orignal Message


I’ve modified the proxy module to be able to authenticate with Amazon
S3. It
also supports the secure download patch by removing the trailing ticket
(MD5/timestamp) from the URL.

The rationale behind this is: we’re using S3 to offload all our app’s
files but need some of them to be public (images) and some private
(downloads for registered users). We’re using nginx as a proxy to S3 to
cache requests and minimize the per-GET cost of S3, so our first
was a security through obscurity one: as the final user only sees our
and not the real bucket’s URL, we could make the whole bucket public and
the secure download patch just on some locations, so that the user
download files from there. But this protection was only on our server,
some user guessed our S3 bucket he could download everything directly

With this patch we can make parts of the bucket private, and
with S3 so that only our servers are able to download them. And it plays
nice with the secure download patch, so the files are secure both on S3
through our proxy.

Please find the patch attached. This is my first attempt at hacking more
than a couple lines into nginx, so I’m sure some code cleanup might
apply. I
particularly don’t like using static char arrays (should move to
and such) and couldn’t get ngx_conf_set_flag_slot to work for config

Config syntax is as follows:

    location /private/ {
proxy_s3_auth on;
proxy_s3_secure_download on; # optional if you’re also
using secdownload
proxy_s3_bucket BUCKET;
proxy_s3_user S3_USER_ID;
proxy_s3_pass S3_PASSWORD;

Any comments, suggestions, and code corrections are welcome. :slight_smile:


This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs