In a setup where AWS S3 cannot be reached, an nginx forward proxy is provided that will enable AWS downloads even when AWS is blocked.
Let’s say the nginx server is reachable via https://s3.nginx.com and we have the bucket at
The Mender server is set up in k8s with the Helm chart. The configuration s3.AWS_EXTERNAL_URI (here) is set to
This works. The Mender server generates S3 bucket URLs starting with https://s3.nginx.com for the artifacts.
However, when accessing the URL, a signature error is thrown. This happens because of a presigning process where the signature depends on the URL. This means that the download is signed with https://s3.nginx.com. The proxy then forwards the request and changes the start to https://s3-eu-central-1.amazonaws.com, leading to a wrong signature.
The configuration in the code also mentions a ProxyUri. However, there appears to be no Helm value for this.
Is there a solution to this problem? Otherwise the only solution that comes to my mind is to make the bucket public and either hope that public artifact URLs are not signed or cut off the signature headers from the URL when forwarding in the proxy.
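The signature failure described in the post can be reproduced offline, because an S3 presigned URL is an AWS Signature Version 4 query signature and the canonical request that gets signed includes the `host` header. The following is an added illustration, not code from the post, from Mender or from the Mender Helm chart: it implements the SigV4 presign computation with only the Python standard library, signs a download URL for the proxy host `s3.nginx.com`, then recomputes the signature the way a verifier would, once with the host the URL was signed for and once with the host the proxy rewrites it to. The access key, secret key, bucket and object key are constructed placeholders; the region `eu-central-1` is the one named in the post.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlparse


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    k = _hmac_sha256(("AWS4" + secret_key).encode(), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def compute_signature(secret_key: str, region: str, host: str, path: str,
                      query: dict, amz_date: str) -> str:
    """Compute the SigV4 query-string signature for a GET whose only signed header is 'host'.

    The host is part of the canonical request, which is why any component that
    changes the host between the signer and the verifier invalidates the signature.
    """
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        canonical_query,
        f"host:{host}\n",      # canonical headers block, each line newline-terminated
        "host",                # signed headers list
        "UNSIGNED-PAYLOAD",    # payload hash used for presigned S3 GETs
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(signing_key(secret_key, date, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(access_key: str, secret_key: str, region: str, host: str, path: str,
            amz_date: str, expires: int = 3600) -> str:
    """Build a presigned GET URL bound to `host`, mirroring what a server hands to a client."""
    date = amz_date[:8]
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    signature = compute_signature(secret_key, region, host, path, query, amz_date)
    return f"https://{host}{path}?" + urlencode(dict(query, **{"X-Amz-Signature": signature}))


def verify(url: str, secret_key: str, region: str, observed_host: str) -> bool:
    """Recompute the signature using the host the request actually arrived with."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = params.pop("X-Amz-Signature")
    expected = compute_signature(secret_key, region, observed_host, parsed.path,
                                 params, params["X-Amz-Date"])
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    # Constructed placeholder credentials and object; not real keys or a real bucket.
    access_key, secret_key, region = "AKIAEXAMPLEKEY", "example-secret-not-real", "eu-central-1"
    url = presign(access_key, secret_key, region, "s3.nginx.com",
                  "/example-artifacts/release-1.mender", "20240101T000000Z")
    return {
        # Verifier sees the same host the URL was signed for: signature matches.
        "host_preserved": verify(url, secret_key, region, "s3.nginx.com"),
        # Proxy rewrote the host to the regional endpoint before verification: mismatch.
        "host_rewritten": verify(url, secret_key, region, "s3-eu-central-1.amazonaws.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The second result is the error the post describes: the signed string to sign is bound to `s3.nginx.com`, so a request that reaches the verifier with `s3-eu-central-1.amazonaws.com` as its host yields a different signature. Nothing in the query string is corrupted by the proxy; the mismatch comes entirely from the host that was signed differing from the host that is checked.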