С помощью nginx/angie и встроенного модуля perl можно проксировать запросы напрямую к S3, подписывая их по схеме AWS Signature Version 4 на стороне прокси: ключ и секрет хранятся только в конфигурации nginx и клиентам не передаются. Ниже приведён пример для реализации S3 от DigitalOcean (Spaces). Для Amazon AWS S3 пример тоже подходит с поправкой на адресацию: шаблон хоста `$bucket.$aws_region.$provider` соответствует именованию Spaces, для AWS его нужно привести к формату региональной конечной точки S3. Сама по себе конфигурация доступ не ограничивает — любой запрос, попавший в location @s3, будет подписан и выполнен от имени ключа, поэтому для авторизации доступа следует использовать пример совместно с модулем [[http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html secure_link]] (или другой проверкой) до передачи запроса в @s3. Кроме того, потребуется директива resolver (имя хоста в proxy_pass содержит переменные) и точное системное время (подпись принимается лишь при небольшом расхождении часов с сервером S3).
http {
...
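# Credential-scope date (YYYYMMDD, UTC) for the Authorization header.
# It is taken from $datetime instead of a second gmtime() call so that
# the date in the credential scope can never disagree with the
# x-amz-date header when a request happens to straddle midnight UTC:
# SigV4 requires both to match, otherwise the upstream rejects the request.
perl_set $date
'sub {
    my $r = shift;
    # $datetime is "YYYYMMDDTHHMMSSZ"; the first eight characters are the date.
    return substr($r->variable("datetime"), 0, 8);
}';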
# Request timestamp in the ISO 8601 basic form SigV4 expects
# (YYYYMMDD'T'HHMMSS'Z', always UTC). Used for the x-amz-date header and
# inside $canonical_request. The upstream only accepts timestamps close
# to its own clock, so the proxy host must keep accurate (NTP) time.
perl_set $datetime
'sub {
    my @utc = gmtime();
    # gmtime() fields: 0=sec 1=min 2=hour 3=mday 4=mon(0-based) 5=year-1900
    return sprintf("%04d%02d%02dT%02d%02d%02dZ",
        $utc[5] + 1900, $utc[4] + 1, $utc[3],
        $utc[2], $utc[1], $utc[0]);
}';
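### yum install perl-Digest-SHA
# AWS Signature Version 4 (hex) over $canonical_request.
#
# Inputs are nginx variables: $date, $datetime, $aws_region, $aws_service,
# $aws_access_secret and $canonical_request (set in the @s3 location).
# The signing key is derived from the secret with the standard HMAC chain
# date -> region -> service -> "aws4_request"; only the resulting
# signature leaves this sub, the secret itself is never placed in a
# request header.
# Returns "" (and logs the reason) if any input variable is missing or
# empty, so a misconfiguration shows up as an unsigned request rejected
# upstream instead of a silently wrong signature.
perl_set $signed_digest
'sub {
    use strict;
    use warnings;
    use Digest::SHA qw(hmac_sha256 hmac_sha256_hex sha256_hex);
    my $r = shift;

    # Variable names are quoted: under strict a bareword argument is a
    # compile error, and a quoted name cannot be mistaken for a sub call.
    my %in;
    for my $name (qw(date datetime aws_region aws_service aws_access_secret canonical_request)) {
        my $value = $r->variable($name);
        if (!defined $value || $value eq "") {
            $r->log_error(0, "s3 signing: nginx variable $name is not set");
            return "";
        }
        $in{$name} = $value;
    }

    # Signing key. Digest::SHA takes the data first and the key second.
    my $k_date    = hmac_sha256($in{date},        "AWS4" . $in{aws_access_secret});
    my $k_region  = hmac_sha256($in{aws_region},  $k_date);
    my $k_service = hmac_sha256($in{aws_service}, $k_region);
    my $k_signing = hmac_sha256("aws4_request",   $k_service);

    # String to sign: algorithm, request timestamp, credential scope and
    # the hex SHA-256 of the canonical request.
    my $scope = join("/", $in{date}, $in{aws_region}, $in{aws_service}, "aws4_request");
    my $string_to_sign = join("\n",
        "AWS4-HMAC-SHA256",
        $in{datetime},
        $scope,
        sha256_hex($in{canonical_request}));

    return hmac_sha256_hex($string_to_sign, $k_signing);
}';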
...
server {
...
# Named location: it is only reachable through try_files / error_page, so
# any access control (e.g. secure_link) must be enforced in the location
# that hands the request over. Everything that arrives here is signed and
# fetched from the bucket with the key below.
location @s3 {
set $provider 'digitaloceanspaces.com';
set $bucket 'my-bycket-name';
# The credentials become ordinary nginx variables. Never reference
# $aws_access_secret in log_format / add_header, keep this file readable
# only by root, and prefer a key that is limited to read access on this
# one bucket: this location only ever issues signed GETs.
set $aws_access_key 'my-key';
set $aws_access_secret 'my-secret';
set $aws_region 'ams3';
set $aws_service 's3';
### perl -e 'use Digest::SHA qw(sha256_hex); my $s = sha256_hex(""); print $s, "\n"'
# SHA-256 of an empty body: the upstream request is a GET without a body.
set $empty_hash 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
# SigV4 canonical request (method, path, query, headers, signed header
# list, payload hash). nginx expands "\n" in quoted config strings, so
# these become real newlines.
# NOTE(review): $uri is the decoded, normalised path and the query string
# is signed as empty, while proxy_pass below forwards the client's
# request URI. Object keys that need percent-encoding, or client requests
# carrying ?args, are therefore likely to be rejected with
# SignatureDoesNotMatch -- confirm against the provider.
set $canonical_request 'GET\n$uri\n\nhost:$bucket.$aws_region.$provider\nx-amz-content-sha256:$empty_hash\nx-amz-date:$datetime\n\nhost;x-amz-content-sha256;x-amz-date\n$empty_hash';
# Stream the object body to the client; proxy_buffers only applies while
# buffering is on, so here just proxy_buffer_size (response headers) matters.
proxy_buffering off;
proxy_buffer_size 1m;
proxy_buffers 64 64k;
proxy_connect_timeout 11s;
proxy_send_timeout 14s;
proxy_read_timeout 17s;
# 403 and 404 also count as failures: a signature error or a missing
# object is retried (up to 3 tries) against other resolved addresses of
# the upstream host rather than returned at once.
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_403 http_404;
proxy_next_upstream_timeout 30s;
proxy_next_upstream_tries 3;
# Strip upstream headers that would expose the storage backend. This only
# covers headers: S3-style error bodies (e.g. SignatureDoesNotMatch) are
# relayed to the client verbatim and, on AWS at least, include the access
# key id and the string to sign -- consider proxy_intercept_errors with a
# matching error_page if that is unwanted.
proxy_hide_header Strict-Transport-Security;
proxy_hide_header x-amz-request-id;
proxy_hide_header x-amz-meta-s3cmd-attrs;
proxy_http_version 1.1;
# Exactly the headers listed in SignedHeaders, with the same values that
# went into $canonical_request.
proxy_set_header Host '$bucket.$aws_region.$provider';
proxy_set_header x-amz-date '$datetime';
proxy_set_header Authorization 'AWS4-HMAC-SHA256 Credential=$aws_access_key/$date/$aws_region/$aws_service/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signed_digest';
proxy_set_header x-amz-content-sha256 '$empty_hash';
# Range is the one client header passed through (empty value = not sent);
# it is not part of the signature, which SigV4 permits for unsigned headers.
proxy_set_header Range '$http_range';
# Client headers (Cookie, Authorization, ...) and body never reach S3;
# only the headers set explicitly above are sent.
proxy_pass_request_headers off;
proxy_pass_request_body off;
# The host name contains variables, so nginx resolves it at request time:
# a resolver directive is required (not shown in the elided parts).
proxy_pass https://$bucket.$aws_region.$provider;
}
...
}
...
}