Here's my use case:
I'm working with a S3 compatible storage provider which does not offer public-readable objects, only presigned links. I'm working with Dokku, nginx and the heroku-php-buildpack. My Application is based on the Slim PHP Framework.
I'm trying now to implement a function which is presigning the object and then sending the presigned assed to the browser via X-Accel-Redirect.
That means:
www.example.com/asset/1/1/Sonnenuntergang-im-Meer_1400.jpg
calls a script which returns the following header:
X-Accel-Redirect: /internal_redirect/storage.provider.ch/bucket/Sonnenuntergang-im-Meer_1400.jpg?AWSAccessKeyId=xx&Expires=xx&Signature=xx
The /internal_redirect location is defined here:
location ~ ^/internal_redirect/(.*?)/(.*) {
internal;
set $aws_access_key 'AWSAccessKeyId=$arg_AWSAccessKeyId';
set $url_expires 'Expires=$arg_Expires';
set $url_signature 'Signature=$arg_Signature';
set $args_full 'https://$1/$2?$aws_access_key&$url_expires&$url_signature';
proxy_set_header Host $1;
proxy_http_version 1.1;
proxy_set_header Authorization '';
proxy_hide_header x-amz-id-2;
proxy_hide_header x-amz-request-id;
proxy_hide_header Set-Cookie;
proxy_ignore_headers "Set-Cookie";
proxy_buffering off;
proxy_intercept_errors off;
resolver 8.8.8.8 valid=300s;
resolver_timeout 10s;
proxy_pass $args_full;
#proxy_ssl_session_reuse off;
}
If I'm disabling internal and calling the url directly from the browser, it works. For that, I need to add the nginx configuration snipped into the nginx.conf.d subdir of the app root.
If I'm calling the script internally (with the header above) I'm getting the following error in the logs:
2016-09-01T14:30:27.229716973Z app[web.1]: 2016/09/01 14:30:27 [error] 230#0:
*12 rewrite or internal redirection cycle while redirect to named
location "@heroku-fcgi", client: 172.17.0.1, server: localhost,
request: "GET /asset/1/1/Sonnenuntergang-im-Meer_1400.jpg HTTP/1.1",
upstream: "fastcgi://unix:/tmp/heroku.fcgi.5000.sock", host: "xxx.example.com"
My php script does basically not more than:
header('X-Accel-Redirect: /internal_redirect/'
. str_replace('https://', '', $this->db->presign_file($args['file']))
. ';');
exit(0);
Whereas presign_filereturns a string with the presigned file.
If I'm adding the nginx location snippet into the app specific configuration*, the behaviour is the same for internal and external calls. But it seems, that I can't use https for proxy_pass, which is necessary for my provider. Also options like proxy_ssl_session_reuse off, which look promising, are not allowed.
*) Defined in the Procfile with the option -C
Refs.:
- https://coderwall.com/p/rlguog/nginx-as-proxy-for-amazon-s3-public-private-files
- http://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote
EDIT: More Infos about the nginx configuration
The main file is gernerated by the buildpack:
https://github.com/heroku/heroku-buildpack-php/blob/master/conf/nginx/heroku.conf.php
whereas the position include "<?=getenv('HEROKU_PHP_NGINX_CONFIG_INCLUDE')?>"; is substituded with this configuration file:
location ~ ^/internal_redirect/(.*?)/(.*) {
internal;
set $aws_access_key 'AWSAccessKeyId=$arg_AWSAccessKeyId';
set $url_expires 'Expires=$arg_Expires';
set $url_signature 'Signature=$arg_Signature';
set $args_full 'https://$1/$2?$aws_access_key&$url_expires&$url_signature';
proxy_set_header Host $1;
proxy_http_version 1.1;
proxy_set_header Authorization '';
proxy_hide_header x-amz-id-2;
proxy_hide_header x-amz-request-id;
proxy_hide_header Set-Cookie;
proxy_ignore_headers "Set-Cookie";
proxy_buffering off;
proxy_intercept_errors off;
resolver 8.8.8.8 valid=300s;
resolver_timeout 10s;
proxy_pass $args_full;
#proxy_ssl_session_reuse off;
}
location / {
# try to serve file directly, fallback to rewrite
try_files $uri @rewriteapp;
}
location @rewriteapp {
# rewrite all to index.php
rewrite ^(.*)$ /index.php/$1 last;
}
location ~ ^/index\.php(/|$) {
try_files @heroku-fcgi @heroku-fcgi;
internal;
}
