nginx compiled with aws-auth support, suitable for S3 reverse proxy usage
cityofcapetown/nginx-s3-proxy
Motivation

This image was modified for use with shinyproxy (and now, oauth proxy), as part of an auth solution for content hosted in [Minio](http://minio.io/), which implements the AWS S3 API.

Use

Setting up Minio Creds

These steps set up a Minio user with read-only access, to be used by the auth proxy below.

NB: user-scoped credentials are a relatively new feature in Minio, so caveat emptor. Newer mc releases have also renamed these subcommands (mc admin policy create / mc admin policy attach); check mc admin policy --help for the version you have.

  1. Add a user (the access key and secret key become the credentials the proxy will use; the user has no privileges until step 3): mc admin user add <Minio alias, e.g. edge> <Minio Access Key> <Minio Secret Key>
  2. Add a read-only policy for the relevant bucket (see [this config for an example](./config/get-covid-only.json)): mc admin policy add <Minio alias> <policy name, e.g. get-covid-only> <path to policy file, e.g. config/get-covid-only.json>
  3. Bind the policy to the user: mc admin policy set <Minio alias> <policy name> user=<Minio Access Key>

That's it - use the ACCESS KEY and SECRET KEY from step 1 as ACCESS_KEY and SECRET_KEY in your nginx config (or in the docker run command below).
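As an added example (not the project's own code, and not the contents of its config/get-covid-only.json, which this page does not show), the three steps above as a POSIX shell script: it writes a least-privilege policy granting only s3:GetObject on one bucket, rejects any policy that carries write or wildcard actions, and then runs the mc commands. The bucket name covid-data, the policy file name and the function names are assumptions for illustration; only bind_readonly_user needs mc installed and an alias already configured with mc alias set.

```shell
#!/bin/sh
# Added example: least-privilege Minio user for the nginx proxy (not part of
# the cityofcapetown/nginx-s3-proxy repo). Bucket, alias and policy names are
# illustrative. Only bind_readonly_user requires the mc client.
set -eu

# Write a policy that can only read objects from one bucket. s3:ListBucket is
# left out on purpose: with it, a GET / through the proxy would return a bucket
# listing, and S3/Minio would answer 404 instead of 403 for missing keys.
write_readonly_policy() {
  bucket=$1
  out=$2
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::${bucket}/*"]
    }
  ]
}
EOF
}

# Guard: fail if the policy names any action outside the read-only set,
# including wildcards such as "s3:*". Returns 0 when the policy is read-only.
policy_is_read_only() {
  bad=$(grep -o '"s3:[^"]*"' "$1" | tr -d '"' \
        | grep -v -E '^s3:(GetObject|GetBucketLocation|ListBucket)$' || true)
  if [ -n "$bad" ]; then
    printf 'non-read-only action(s) in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}

# Steps 1-3 from the README, run against an alias set up with `mc alias set`.
# The policy is checked first so a write-capable policy never gets bound.
bind_readonly_user() {
  mcalias=$1; access=$2; secret=$3; policy=$4; file=$5
  policy_is_read_only "$file"
  mc admin user add "$mcalias" "$access" "$secret"
  mc admin policy add "$mcalias" "$policy" "$file"
  mc admin policy set "$mcalias" "$policy" user="$access"
}

# Usage: sh minio-readonly.sh ALIAS ACCESS_KEY SECRET_KEY BUCKET
if [ $# -eq 4 ]; then
  write_readonly_policy "$4" "get-$4-only.json"
  bind_readonly_user "$1" "$2" "$3" "get-$4-only" "get-$4-only.json"
fi
```

The policy_is_read_only guard is deliberately strict: a policy that is fine for a human operator (s3:* on one bucket, say) is not fine for credentials that sit in an nginx config on an internet-facing box, because anyone who reads that file gets write access to the bucket.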

Proxy Use

Running

To start the container in interactive mode, on port 8000:

docker run -it --rm \
           -p 8000:8000 \
           --name minio-proxy-test \
           --env ACCESS_KEY="<ACCESS KEY goes here>" \
           --env SECRET_KEY="<SECRET KEY goes here>" \
           --env BUCKET_NAME="<BUCKET NAME goes here>" \
           cityofcapetown/nginx-s3-proxy

Additionally, the following env variables can be overridden:

  • PROXY_PASS_HOST - the host (including protocol) to pass the request to
  • PROXY_HEADER_HOST - the hostname (NB not including protocol) to pass as the Host in the S3 request

NB: values passed with --env end up in your shell history and are readable via docker inspect; prefer --env-file (with restrictive file permissions) for SECRET_KEY and HTPASSWD.

Reverse Proxy

If you're serving your content on a path which you don't want passed along to S3/Minio, set PROXY_PATH_PREFIX to the prefix that will be stripped from the request path before it is forwarded to the server.

NB: include the trailing slash in the path prefix value (e.g. my-path/).

Auth

Basic Auth

This image allows for automatic configuration of http basic_auth. To enable http basic_auth, pass an HTPASSWD environment variable in the docker run command.

The HTPASSWD variable must be of the format 'user:$1$xxxxxxxx$i7i9OZMOHPzwIC5/ehhFM/', where user is the username and $1$xxxxxxxx$i7i9OZMOHPzwIC5/ehhFM/ is the MD5-crypt hash of that user's password (xxxxxxxx is the salt).

Cleartext passwords will not work. To create a hashed password: openssl passwd -1 -salt xxxxxxxx (use a fresh random salt rather than xxxxxxxx: with a shared salt, two users with the same password get the same hash, and the example hash above is public). Encapsulate your user:hash string in single quotes so the shell does not expand the $ sequences!

Here is a sample docker run command, which sets up basic auth with the user user and password donald_duck (generate your own hash for a real deployment). BACKDOOR is left unset, so the backdoor user described in the next section is not added:

docker run -it --rm \
           -p 8000:8000 \
           --name minio-proxy-test \
           --env ACCESS_KEY="<ACCESS KEY goes here>" \
           --env SECRET_KEY="<SECRET KEY goes here>" \
           --env BUCKET_NAME="<BUCKET NAME goes here>" \
           --env HTPASSWD='user:$1$xxxxxxxx$i7i9OZMOHPzwIC5/ehhFM/' \
           cityofcapetown/nginx-s3-proxy

Backdoor

The maintainers of this Docker image have added an ENV flag that appends a second user, foo, with a password fixed by the maintainers, to the http basic_auth file. If you set the environment variable BACKDOOR to yes the backdoor is enabled; it is disabled by default. Anyone who knows that password can then read everything the proxy serves, so never set BACKDOOR=yes on an instance reachable by untrusted clients.

If you want to fork this repo and remove the backdoor, remove this offending code block from run.sh:

if [ "$BACKDOOR" == "yes" ]
then
    echo "$(date -Iminutes) WARNING: Adding backdoor user!"
    echo 'foo:$1$xxxxxxxx$X5WIzadvlkwenviwonbevpin.' >> /.htpasswd
fi
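As an added example serving both the Basic Auth and Backdoor sections (not code from the project), a POSIX shell script that produces an HTPASSWD value the way the Basic Auth section describes (openssl passwd -1, i.e. MD5-crypt), verifies a password against an existing line by re-hashing with the salt embedded in that line, and audits an htpasswd file against the users you expect, which is exactly how the foo entry appended by BACKDOOR=yes shows up when you pull /.htpasswd out of a running container. Function names, the password-from-stdin convention and the sample file contents are constructed for illustration; the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the nginx-s3-proxy repo: build, verify and audit
# nginx htpasswd lines of the form user:$1$salt$hash. Needs the openssl CLI.
set -eu

# Fresh 8-character salt drawn from the crypt alphabet [./0-9A-Za-z].
new_salt() {
  openssl rand -base64 6 | tr '+' '.' | cut -c1-8
}

# Print one htpasswd line for USER, hashing the password read from stdin
# (so it never appears in argv, `ps` or shell history). The optional SALT
# argument exists for reproducible tests; leave it out in real use.
make_htpasswd_line() {
  user=$1
  salt=${2:-$(new_salt)}
  hash=$(openssl passwd -1 -salt "$salt" -stdin)
  printf '%s:%s\n' "$user" "$hash"
}

# Check the password read from stdin against LINE by re-hashing it with the
# salt embedded in the line (field 3 of $1$salt$hash). 0 = match, 1 = no match.
verify_htpasswd_line() {
  line=$1
  hash=${line#*:}
  case "$hash" in
    '$1$'*) ;;
    *) echo 'only $1$ (MD5-crypt) entries are handled here' >&2; return 2 ;;
  esac
  salt=$(printf '%s' "$hash" | cut -d '$' -f 3)
  [ "$(openssl passwd -1 -salt "$salt" -stdin)" = "$hash" ]
}

# Audit FILE against the users you expect (remaining arguments): any other
# name, such as the foo entry that BACKDOOR=yes appends, fails the check.
# Against a live container: docker exec NAME cat /.htpasswd > f; audit f user
audit_htpasswd() {
  file=$1
  shift
  status=0
  while IFS=: read -r name _rest; do
    [ -n "$name" ] || continue
    found=0
    for expected in "$@"; do
      [ "$name" = "$expected" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "unexpected user in $file: $name" >&2
      status=1
    fi
  done < "$file"
  return "$status"
}

# Usage: printf '%s\n' "$PASSWORD" | sh htpasswd.sh USER   (prints the HTPASSWD value)
if [ $# -eq 1 ]; then
  make_htpasswd_line "$1"
fi
```

Reading the password from stdin rather than the command line is the one habit worth keeping from this: openssl passwd -1 -salt xxxxxxxx donald_duck puts the cleartext into your shell history and, briefly, into the process list of every user on the box.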

Customisation

The image uses this config file in the container at /nginx.conf; it can be overridden with the -v option to mount one from your host.

docker run -p 8000:8000 -v /path/to/nginx.conf:/nginx.conf cityofcapetown/nginx-s3-proxy 

If you want to store the cache on the host, bind a path to /data/cache:

docker run -p 8000:8000 -v /path/to/nginx.conf:/nginx.conf -v /my/path:/data/cache cityofcapetown/nginx-s3-proxy 

Feel free to alter the -p param if you wish to bind the port differently onto the host.

Example nginx.conf file:

worker_processes 2;
pid /run/nginx.pid;
daemon off;

events {
	worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    
    include /usr/local/nginx/conf/mime.types;
    default_type application/octet-stream;
    
    access_log /usr/local/nginx/logs/access.log;
    error_log  /usr/local/nginx/logs/error.log;
    
    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_cache_lock on;
    proxy_cache_lock_timeout 60s;
    proxy_cache_path /data/cache levels=1:2 keys_zone=s3cache:10m max_size=30g;

    server {
        listen     8000;

        location / {
            proxy_pass https://your-bucket.s3.amazonaws.com;

            aws_access_key your-access-key;
            aws_secret_key your-secret-key;
            s3_bucket your-bucket;

            proxy_set_header Authorization $s3_auth_token;
            proxy_set_header x-amz-date $aws_date;

            proxy_cache        s3cache;
            proxy_cache_valid  200 302  24h;
        }
    }
}

Things you want to tweak include:

  • proxy_pass
  • aws_access_key
  • aws_secret_key
  • s3_bucket

NB: aws_access_key and aws_secret_key are stored in cleartext in this file, so keep a mounted nginx.conf out of version control and readable only by the user that runs the container (e.g. chmod 600).
