Use S3 as a backend about oauth2_proxy HOT 21 CLOSED

@willejs I have something in mind =)

from oauth2_proxy.

@willejs It's a little rough around the edges, but does jehiah/private_s3_httpd work for you?

from oauth2_proxy.

or go oauth_proxy -> nginx - > s3 (as an nginx upstream)

from oauth2_proxy.

Plain nginx upstream won't work for a private s3 bucket, which is the request here. I did think that for a second, but realized that there's not much cause to use oauth2_proxy (just) for a public s3 bucket.

from oauth2_proxy.

well let's just have a code review reunion in here...

paging @jlintz @jphines @mccutchen @dlotterman

from oauth2_proxy.

@ploxiln yes it would, you can use a s3 auth token. to request the file from the upstream and then serve it via nginx

from oauth2_proxy.

@sricola oh? point me to some docs for that as that would sort of obsolete the code i just wrote =)

from oauth2_proxy.

did someone call a top 2% python coder?

steps in

Yea @sricola is correct, you can actually proxy to s3 and set your tokens in the headers , here's a good example https://coderwall.com/p/rlguog/nginx-as-proxy-for-amazon-s3-public-private-files , assuming I understood things correctly

from oauth2_proxy.

nice, that's good to know.

from oauth2_proxy.

It looks like every access to S3 still requires a signature. That blog post suggests including the signature (and expires timestamp) as a parameter in all the public URLs (and then adding other needed headers/parameters in nginx).

from oauth2_proxy.

You can modify the request before passing it though the upstream within
Nginx - thereby adding the signature et al without having the original
request need it.

On Tuesday, July 7, 2015, Pierce Lopez [email protected] wrote:

It looks like every access to S3 still requires a signature. That blog
post suggests including the signature (and expires timestamp) as a
parameter in all the public URLs (and then adding other needed
headers/parameters in nginx).

—
Reply to this email directly or view it on GitHub
#121 (comment).

srivatsa // [email protected]

from oauth2_proxy.

... but then nginx needs to know or calculate the signature needed for each file (it'll be different). So you'd need a location clause for each file, or an nginx plugin which can do that...

from oauth2_proxy.

😂

from oauth2_proxy.

Well. The signature is actually pretty trivial if you have the access
key/secret. Or you can use IAM roles and fetch credentials in realtime from
the instance meta data.

On Tuesday, July 7, 2015, Matt Reiferson [email protected] wrote:

[image: 😂]

—
Reply to this email directly or view it on GitHub
#121 (comment).

srivatsa // [email protected]

from oauth2_proxy.

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html

On Tuesday, July 7, 2015, Srivatsa Ray [email protected] wrote:

Well. The signature is actually pretty trivial if you have the access
key/secret. Or you can use IAM roles and fetch credentials in realtime from
the instance meta data.

On Tuesday, July 7, 2015, Matt Reiferson <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');> wrote:

[image: 😂]

—
Reply to this email directly or view it on GitHub
#121 (comment)
.

srivatsa // [email protected]

srivatsa // [email protected]

from oauth2_proxy.

ok yes it's not particularly hard, if you've installed the out-of-tree ngx_set_misc module to get set_hmac_sha1 and set_encode_base64, and composed the string to sign correctly.

jlintz' "good example" link does not do these things. so I guess my point is that it's probably an equivalent amount of effort and config/deploy management to use something like private_s3_httpd

from oauth2_proxy.

LOL. I'd rather recompile a widely used open source package - with some extra options than write custom code to re-invent the wheel. Thats just me, and you don't have to agree with that viewpoint.

from oauth2_proxy.

It's ok @sricola private_s3_httpd now counts as a widely used open source package, so you can use that. No extra options or recompile needed. 😉

from oauth2_proxy.

I want to frame this thread and hang it on my wall.

💯 💯 💯

from oauth2_proxy.

@jehiah That code looks like it would work, for me, but...
It would be nicer if oauth2_proxy would support it as a backend too? is it out of scope for the project?

from oauth2_proxy.

@willejs Yeah, I've been pondering that. I think i'm landing on the side of "out of scope" in preference of keeping this focused on authentication not file serving.

from oauth2_proxy.