# nginx drops the inherited environment for its workers unless a variable is
# listed with `env`. The three below are read with os.getenv() by the Lua
# snippets in the /upload and /put locations.
env S3_BUCKET_NAME;
env AWS_REGION;
env RETURN_URL;

# Static AWS credentials, presumably consumed by the `fetcher` Lua module
# (not shown here) - confirm.
# NOTE(review): long-lived keys in the process environment are readable by
# anything that can inspect the worker; fetcher.fetch() also returns a session
# token, so short-lived role credentials look supported and are preferable.
env AWS_ACCESS_KEY_ID;
env AWS_SECRET_ACCESS_KEY;
# One worker process, accepting at most 1024 simultaneous connections.
events { worker_connections 1024; }
worker_processes 1;
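http {
    lua_load_resty_core off;

    # NOTE(review): every Lua module (including `fetcher` and `sign`, which
    # handle the AWS credentials) is loaded from under /tmp. On a host where
    # /tmp is writable by other users, a planted sign.lua or fetcher.lua would
    # run inside the worker. Install the modules in a root-owned, read-only
    # directory, or confirm /tmp is private to this container image.
    lua_package_path "/tmp/lua-resty-core/lib/?.lua;/tmp/lua-resty-http/lib/?.lua;/tmp/lua/?.lua;;";
    lua_package_cpath '/usr/lib/x86_64-linux-gnu/lua/5.1/?.so;;';

    lua_socket_buffer_size 128k;

    # Uploads are limited to 10 MB. The body buffer is the same size, so a
    # whole upload may be held in memory per request; with 1024 worker
    # connections this is worth bounding with a smaller buffer or a rate limit.
    client_max_body_size 10m;
    client_body_buffer_size 10m;

    server {
        # NOTE(review): plain HTTP. Uploads are only protected in transit if
        # TLS is terminated in front of this server - confirm.
        listen 80;

        # Liveness probe: constant 200, not logged.
        location /healthcheck {
            add_header Content-Type text/plain;
            return 200 'Ok';
            access_log off;
        }

        # PUT /upload: stores the request body in S3 under a server-generated,
        # unguessable key and returns its public URL in X-File-URL.
        #
        # NOTE(review): no authentication is visible in this location, and the
        # object is written with a public-read ACL. Any client that can reach
        # the proxy can publish up to 10 MB per request from this bucket.
        # Restrict access (auth_request, allow/deny, or an authenticating
        # gateway in front) unless anonymous upload is the intended design.
        location ~ ^/upload {
            if ($request_method = 'OPTIONS') {
                # CORS pre-flight. 'Access-Control-Allow-Credentials: true' was
                # removed: browsers reject it in combination with the wildcard
                # origin, so it had no effect. Do not "repair" it by echoing
                # the request Origin back - that would let any site make
                # credentialed requests.
                add_header 'Access-Control-Allow-Origin' "*" ;
                add_header 'Access-Control-Allow-Methods' 'GET, PUT, OPTIONS' ;
                add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
                # Tell client that this pre-flight info is valid for 20 days
                add_header 'Access-Control-Max-Age' 1728000;
                # The ';' before charset was missing, which made the media type invalid.
                add_header 'Content-Type' 'text/plain; charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }
            if ($request_method != PUT) {
                return 404;
            }

            # Object key = sha1(64 secure random chars) .. sha1(date string).
            set_secure_random_alphanum $prefix 64;
            set_sha1 $prefixsha $prefix;

            # One timestamp for every derived value. The chunk previously had
            # no `return`, so $time stayed empty and each os.date() call below
            # silently fell back to "now".
            set_by_lua $time "return os.time()";
            # '!' formats in UTC. Without it os.date() uses the server's local
            # zone while the strings are labelled 'Z' / 'GMT'.
            set_by_lua $timestamp "return os.date('!%Y%m%dT%H%M%SZ', tonumber(ngx.var.time))";
            set_by_lua $date "return os.date('!%a, %d %b %Y %H:%M:%S GMT', tonumber(ngx.var.time))";
            set_by_lua $day "return os.date('!%Y%m%d', tonumber(ngx.var.time))";
            set_sha1 $datesha $date;
            set $key $prefixsha$datesha;

            set_by_lua $bucket "return os.getenv('S3_BUCKET_NAME')";
            set_by_lua $baseurl "return os.getenv('RETURN_URL')";
            set_by_lua $region "return os.getenv('AWS_REGION')";

            set $phost $bucket.s3-$region.amazonaws.com;
            set $ppath /$day/$key;
            set $url https://$phost$ppath;
            set $returnurl https://$baseurl$ppath;

            set $acl public-read;
            # The body is not covered by the request signature; its integrity
            # relies on the TLS connection to S3 (see the note at proxy_pass).
            set $contentSha256 "UNSIGNED-PAYLOAD";
            set $authorization "";
            set $token "";

            # Signs the outgoing S3 request and stores the result in
            # $authorization (and $token when session credentials are in use).
            access_by_lua_block {
                -- Not referenced below; kept in case the other modules rely on
                -- it having been loaded - confirm before removing.
                local sha2 = require("sha2")
                local fetcher = require("fetcher")
                local sign = require("sign")

                local key, secret, token = fetcher.fetch()
                -- Fail closed instead of signing with missing credentials.
                -- Never log the credential values themselves.
                if not key or not secret then
                    ngx.log(ngx.ERR, "upload proxy: no AWS credentials available")
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                -- Must list the same values that proxy_set_header sends below.
                local headers = {
                    ["x-amz-acl"] = ngx.var.acl,
                    ["x-amz-date"] = ngx.var.timestamp,
                    ["x-amz-content-sha256"] = ngx.var.contentSha256,
                    ["date"] = ngx.var.date,
                    ["host"] = ngx.var.phost,
                }
                if token then
                    ngx.var.token = token
                    headers["x-amz-security-token"] = token
                end

                -- Reuse the request's timestamp so the signature and the
                -- x-amz-date header cannot straddle a second boundary.
                local signing_time = tonumber(ngx.var.time) or os.time()
                ngx.var.authorization = sign.sign(key, secret, signing_time, ngx.var.ppath, headers, ngx.var.region)
            }

            proxy_set_header date $date;
            proxy_set_header host $phost;
            proxy_set_header x-amz-acl $acl;
            proxy_set_header x-amz-date $timestamp;
            # Empty when static credentials are used; nginx then omits the header.
            proxy_set_header x-amz-security-token $token;
            proxy_set_header x-amz-content-sha256 $contentSha256;
            proxy_set_header Authorization $authorization;

            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-request-id;
            add_header X-File-URL $returnurl;

            # NOTE(review): the S3 hostname is resolved through an off-box
            # public resolver over plain DNS, and nginx does not verify the
            # upstream certificate unless told to. A spoofed answer would
            # receive the signed request and the upload body. Consider
            # `proxy_ssl_verify on;` with
            # `proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;`,
            # `proxy_ssl_server_name on;` and `proxy_ssl_name $phost;`, and a
            # resolver inside the trust boundary.
            resolver 8.8.8.8 valid=300s;
            resolver_timeout 10s;
            add_header 'Access-Control-Expose-Headers' 'X-File-Url';

            proxy_pass $url;
        }

        # PUT /put/<key>: same signing flow as /upload, but the object key is
        # taken from the request path.
        #
        # NOTE(review): no authentication is visible here and the key is
        # client-chosen, so any client that can reach the proxy can overwrite
        # an existing object (including ones created via /upload) and the
        # result is public-read. Put this location behind authentication
        # (auth_request, allow/deny, or a gateway), constrain the accepted key
        # pattern, or remove it if only /upload is needed.
        location ~ ^/put/(.+)$ {
            if ($request_method = 'OPTIONS') {
                # CORS pre-flight. 'Access-Control-Allow-Credentials: true' was
                # removed: browsers reject it in combination with the wildcard
                # origin, so it had no effect. Do not "repair" it by echoing
                # the request Origin back.
                add_header 'Access-Control-Allow-Origin' "*" ;
                add_header 'Access-Control-Allow-Methods' 'GET, PUT, OPTIONS' ;
                add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
                # Tell client that this pre-flight info is valid for 20 days
                add_header 'Access-Control-Max-Age' 1728000;
                # The ';' before charset was missing, which made the media type invalid.
                add_header 'Content-Type' 'text/plain; charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }
            if ($request_method != PUT) {
                return 404;
            }

            # One timestamp for every derived value. The chunk previously had
            # no `return`, so $time stayed empty.
            set_by_lua $time "return os.time()";
            # '!' formats in UTC, matching the 'Z' / 'GMT' labels.
            set_by_lua $timestamp "return os.date('!%Y%m%dT%H%M%SZ', tonumber(ngx.var.time))";
            set_by_lua $date "return os.date('!%a, %d %b %Y %H:%M:%S GMT', tonumber(ngx.var.time))";

            set_by_lua $bucket "return os.getenv('S3_BUCKET_NAME')";
            set_by_lua $baseurl "return os.getenv('RETURN_URL')";
            set_by_lua $region "return os.getenv('AWS_REGION')";

            set $phost $bucket.s3-$region.amazonaws.com;
            # $1 is the capture from the location regex, i.e. the
            # client-supplied object key.
            set $ppath /$1;
            set $url https://$phost$ppath;
            set $returnurl https://$baseurl$ppath;

            set $acl public-read;
            # The body is not covered by the request signature; its integrity
            # relies on the TLS connection to S3 (see the note at proxy_pass).
            set $contentSha256 "UNSIGNED-PAYLOAD";
            set $authorization "";
            set $token "";

            # Signs the outgoing S3 request and stores the result in
            # $authorization (and $token when session credentials are in use).
            access_by_lua_block {
                -- Not referenced below; kept in case the other modules rely on
                -- it having been loaded - confirm before removing.
                local sha2 = require("sha2")
                local fetcher = require("fetcher")
                local sign = require("sign")

                local key, secret, token = fetcher.fetch()
                -- Fail closed instead of signing with missing credentials.
                -- Never log the credential values themselves.
                if not key or not secret then
                    ngx.log(ngx.ERR, "upload proxy: no AWS credentials available")
                    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end

                -- Must list the same values that proxy_set_header sends below.
                local headers = {
                    ["x-amz-acl"] = ngx.var.acl,
                    ["x-amz-date"] = ngx.var.timestamp,
                    ["x-amz-content-sha256"] = ngx.var.contentSha256,
                    ["date"] = ngx.var.date,
                    ["host"] = ngx.var.phost,
                }
                if token then
                    ngx.var.token = token
                    headers["x-amz-security-token"] = token
                end

                -- Reuse the request's timestamp so the signature and the
                -- x-amz-date header cannot straddle a second boundary.
                local signing_time = tonumber(ngx.var.time) or os.time()
                ngx.var.authorization = sign.sign(key, secret, signing_time, ngx.var.ppath, headers, ngx.var.region)
            }

            proxy_set_header date $date;
            proxy_set_header host $phost;
            proxy_set_header x-amz-acl $acl;
            proxy_set_header x-amz-date $timestamp;
            # Empty when static credentials are used; nginx then omits the header.
            proxy_set_header x-amz-security-token $token;
            proxy_set_header x-amz-content-sha256 $contentSha256;
            proxy_set_header Authorization $authorization;

            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-request-id;
            add_header X-File-URL $returnurl;

            # NOTE(review): the S3 hostname is resolved through an off-box
            # public resolver over plain DNS, and nginx does not verify the
            # upstream certificate unless told to. Consider
            # `proxy_ssl_verify on;` with
            # `proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;`,
            # `proxy_ssl_server_name on;` and `proxy_ssl_name $phost;`, and a
            # resolver inside the trust boundary.
            resolver 8.8.8.8 valid=300s;
            resolver_timeout 10s;
            add_header 'Access-Control-Expose-Headers' 'X-File-Url';

            proxy_pass $url;
        }
    }
}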