ci: use Docker DinD version from variable

fix: hide proxy headers for CORS

See merge request unboundsoftware/nginx-s3-upload!6

.gitlab-ci.yml

@@ -5,12 +5,12 @@ stages:
 variables:
   DOCKER_HOST: tcp://docker:2375/
 
-image: registry.gitlab.com/sparetimecoders/build-tools:master
+image: buildtool/build-tools:${BUILDTOOLS_VERSION}
 
 build:
   stage: build
   services:
-    - docker:18.06-dind
+    - docker:${DOCKER_DIND_VERSION}
   script:
   - build
   - push

k8s/deploy.yaml

@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
   labels:
     app: nginx-s3-upload
-  name: nginx-s3-upload-deployment
+  name: nginx-s3-upload
   annotations:
     kubernetes.io/change-cause: "${TIMESTAMP} Deployed commit id: ${COMMIT}"
 spec:
@@ -72,24 +72,30 @@ spec:
     targetPort: 80
   selector:
     app: nginx-s3-upload
-  type: ClusterIP
+  type: NodePort
 
 ---
 
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: nginx-s3-upload
   annotations:
-    kubernetes.io/ingress.class: "nginx"
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    kubernetes.io/ingress.class: "alb"
+    alb.ingress.kubernetes.io/group.name: "unbound"
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: instance
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
+    alb.ingress.kubernetes.io/ssl-redirect: "443"
 spec:
   rules:
   - host: 'upload.unbound.se'
     http:
       paths:
-      - backend:
-          serviceName: nginx-s3-upload
-          servicePort: 80
-        path: /
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nginx-s3-upload
+            port:
+              number: 80

nginx.conf

@@ -28,7 +28,7 @@ http {
       access_log off;
     }
 
-    location ~* ^/upload {
+    location ~ ^/upload {
       if ($request_method = 'OPTIONS') {
         # Tell client that this pre-flight info is valid for 20 days
         add_header 'Access-Control-Allow-Origin' "*" ;
@@ -86,11 +86,95 @@ http {
       proxy_set_header Authorization $authorization;
       proxy_hide_header x-amz-id-2;
       proxy_hide_header x-amz-request-id;
+      proxy_hide_header 'Access-Control-Expose-Headers';
+      proxy_hide_header 'Access-Control-Allow-Origin';
+      proxy_hide_header 'Access-Control-Allow-Credentials';
+      proxy_hide_header 'Access-Control-Allow-Methods';
+      proxy_hide_header 'Access-Control-Allow-Headers';
+      proxy_hide_header 'Access-Control-Max-Age';
       add_header X-File-URL $returnurl;
 
       resolver 8.8.8.8 valid=300s;
       resolver_timeout 10s;
       add_header 'Access-Control-Expose-Headers' 'X-File-Url';
+      add_header 'Access-Control-Allow-Origin' "*" ;
+      add_header 'Access-Control-Allow-Credentials' 'true' ;
+      add_header 'Access-Control-Allow-Methods' 'GET, PUT, OPTIONS' ;
+      add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+      add_header 'Access-Control-Max-Age' 1728000;
+
+      proxy_pass $url;
+    }
+
+    location ~ ^/put/(.+)$ {
+      if ($request_method = 'OPTIONS') {
+        # Tell client that this pre-flight info is valid for 20 days
+        add_header 'Access-Control-Allow-Origin' "*" ;
+        add_header 'Access-Control-Allow-Credentials' 'true' ;
+        add_header 'Access-Control-Allow-Methods' 'GET, PUT, OPTIONS' ;
+        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+        add_header 'Access-Control-Max-Age' 1728000;
+        add_header 'Content-Type' 'text/plain charset=UTF-8';
+        add_header 'Content-Length' 0;
+        return 204;
+      }
+      if ($request_method != PUT) {
+        return 404;
+      }
+
+      set_by_lua $time "os.time()";
+      set_by_lua $timestamp "return os.date('%Y%m%dT%H%M%SZ', tonumber(ngx.var.time))";
+      set_by_lua $date "return os.date('%a, %d %b %Y %H:%M:%S GMT', tonumber(ngx.var.time))";
+      set_by_lua $bucket "return os.getenv('S3_BUCKET_NAME')";
+      set_by_lua $baseurl "return os.getenv('RETURN_URL')";
+      set_by_lua $region "return os.getenv('AWS_REGION')";
+      set $phost $bucket.s3-$region.amazonaws.com;
+      set $ppath /$1;
+      set $url https://$phost$ppath;
+      set $returnurl https://$baseurl$ppath;
+      set $acl public-read;
+      set $contentSha256 "UNSIGNED-PAYLOAD";
+      set $authorization "";
+      set $token "";
+
+      access_by_lua_block {
+        local sha2 = require("sha2")
+        local fetcher = require("fetcher")
+        local sign = require("sign")
+        local key, secret, token = fetcher.fetch()
+        local headers = {["x-amz-acl"] = ngx.var.acl, ["x-amz-date"] = ngx.var.timestamp, ["x-amz-content-sha256"] = ngx.var.contentSha256, ["date"] = ngx.var.date, ["host"] = ngx.var.phost }
+        if token then
+          ngx.var.token = token
+          headers["x-amz-security-token"] = token
+        end
+        ngx.var.authorization = sign.sign(key, secret, os.time(), ngx.var.ppath, headers, ngx.var.region)
+      }
+
+      proxy_set_header date $date;
+      proxy_set_header host $phost;
+      proxy_set_header x-amz-acl $acl;
+      proxy_set_header x-amz-date $timestamp;
+      proxy_set_header x-amz-security-token $token;
+      proxy_set_header x-amz-content-sha256 $contentSha256;
+      proxy_set_header Authorization $authorization;
+      proxy_hide_header x-amz-id-2;
+      proxy_hide_header x-amz-request-id;
+      proxy_hide_header 'Access-Control-Expose-Headers';
+      proxy_hide_header 'Access-Control-Allow-Origin';
+      proxy_hide_header 'Access-Control-Allow-Credentials';
+      proxy_hide_header 'Access-Control-Allow-Methods';
+      proxy_hide_header 'Access-Control-Allow-Headers';
+      proxy_hide_header 'Access-Control-Max-Age';
+      add_header X-File-URL $returnurl;
+
+      resolver 8.8.8.8 valid=300s;
+      resolver_timeout 10s;
+      add_header 'Access-Control-Expose-Headers' 'X-File-Url';
+      add_header 'Access-Control-Allow-Origin' "*" ;
+      add_header 'Access-Control-Allow-Credentials' 'true' ;
+      add_header 'Access-Control-Allow-Methods' 'GET, PUT, OPTIONS' ;
+      add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+      add_header 'Access-Control-Max-Age' 1728000;
 
       proxy_pass $url;
     }