Signing Amazon SDB requests

I am looking for some advice on the recommended way of achieving the
following.

I need to sign Amazon Simple Database (SDB) queries with our Amazon Web
Services credentials before forwarding them to upstream Amazon’s SDB
servers.

The proxying behaviour will be taken care of by the proxy module but I’m
not sure how to implement the actual signing.

On first glance, it sounds similar to the module that performs this for
Amazon S3 requests. Unfortunately this doesn’t work for SDB requests as
the parameters in an SDB request are encoded in the arguments of the URI
(…site.com/?SDBArg1=val1&SDBArg2=val2) whereas S3 parameters are
passed as separate HTTP headers.

I have looked at the rewrite module but the URI can only be manipulated
using regular expressions and the processing I need to do is more
complex than what the rewrite module can achieve, i.e.:

1. Parse and decode the URI args to an SDB args list
2. Add several args to the SDB args list
3. Sort SDB args list
4. Generate a SHA message digest of the SDB args list using a user
   supplied variable as a key - the Base64 encoding of this is the
   signature.
5. Append the signature to the SDB args list
6. Regenerate the URI args
7. Forward it to the upstream

I believe I might be able to do this using embedded Python and writing the
logic as a script and integrating it via the rewrite module - but I don’t
know Python (I’m a C/C++ dev) and I’m also not in a position to know
whether this solution would scale satisfactorily - so this is not my
preferred option.

What I need to know is what approach I should take to solving this with
minimal effort, i.e. is there a way of creating a filter that layers
before or after the proxy module which does this work.


On Wed, 2011-04-27 at 18:28 -0400, AndrewH wrote:

On first glance, it sounds similar to the module that performs this for
2 Add several args to the SDB args list
3 Sort SDB args list
4 Generate a SHA message digest of the SDB args list using a user
supplied variable as a key - the Base64 encoding of this is the
signature.
5 Append the signature to the SDB args list
6 Regenerate the URI args
7 Forward it to the upstream

I recommend using the Lua nginx module to do this. Even doing the S3
stuff is painful without it (I think I needed it for one thing anyway).

Lua is pretty easy, I think the hard thing is deciding which libraries
to use (when I did the S3 I alas picked a buggy one). I recently started
using the Luajit ffi interface and as a C programmer find it easier.

Will give it a go if I get time…

Justin

On Wed, 2011-04-27 at 18:28 -0400, AndrewH wrote:

I am looking for some advice on the recommended way of achieving the
following.

I need to sign Amazon Simple Database (SDB) queries with our Amazon Web
Services credentials before forwarding them to upstream Amazon’s SDB
servers.

The proxying behaviour will be taken care of by the proxy module but I’m
not sure how to implement the actual signing.

I have done a gist showing how to do this with the Lua nginx module.

It is a bit longer than the S3 code (also in the gist)… should also
work for SQS and the other services that use that signing method with
some small modifications.

Obviously you might want to restrict access to this or make it an
internal method, not an open proxy!

Justin

Take a look at this example; SDB should not be that different.

cheers, bernd
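
Steps 1 to 6 from the question, as an added Python example that is not part of the thread and is not the gist Justin mentions; step 7 stays with the proxy module. It assumes the scheme is AWS Signature Version 2 with HmacSHA256 and the default `sdb.amazonaws.com` endpoint; the function names, credentials and sample query are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Constructed sample query as it might arrive from a client (not real traffic).
SAMPLE_ARGS = ("Version=2009-04-15&Action=GetAttributes&DomainName=my+domain"
               "&ItemName=item%2F1&Signature=forged")

# Parameters the proxy owns; client-supplied copies are discarded.
PROXY_OWNED = ("AWSAccessKeyId", "Signature", "SignatureMethod",
               "SignatureVersion", "Timestamp")


def rfc3986(s):
    """Percent-encode everything except A-Z a-z 0-9 - _ . ~"""
    return quote(s, safe="-_.~")


def sign_sdb_query(raw_args, access_key, secret_key, timestamp,
                   host="sdb.amazonaws.com", path="/", method="GET"):
    """Return the re-encoded, signed query string (hypothetical helper)."""
    # Step 1: parse and decode the URI args ('+' and %XX are decoded here).
    args = dict(parse_qsl(raw_args, keep_blank_values=True))
    for name in PROXY_OWNED:
        args.pop(name, None)
    # Step 2: add the args the signing scheme requires.
    args.update(AWSAccessKeyId=access_key, SignatureMethod="HmacSHA256",
                SignatureVersion="2", Timestamp=timestamp)
    # Step 3: sort by parameter name and re-encode each name and value.
    canonical = "&".join(f"{rfc3986(k)}={rfc3986(v)}"
                         for k, v in sorted(args.items()))
    # Step 4: HMAC over verb, host, path and sorted args, keyed with the secret.
    string_to_sign = "\n".join([method, host.lower(), path, canonical])
    digest = hmac.new(secret_key.encode(), string_to_sign.encode(),
                      hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    # Steps 5 and 6: append the signature and return the new URI args.
    return canonical + "&Signature=" + rfc3986(signature)


if __name__ == "__main__":
    # Constructed credentials; a real secret key belongs in protected config.
    print(sign_sdb_query(SAMPLE_ARGS, "AKIDEXAMPLE", "constructed-secret",
                         "2011-04-27T22:28:00Z"))
```

Dropping the client's own `Signature`, `AWSAccessKeyId` and `Timestamp` before signing keeps the proxy from endorsing values it did not set, which complements the access restriction Justin recommends.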