I have the following nginx config:
upstream upstream_server {
server localhost:8000;
}
server {
client_max_body_size 50M;
error_log /dev/stderr;
listen 80;
location ~ ^/document_store/(.*?)/(.*?)/(.*) {
internal;
resolver 8.8.8.8 ipv6=off;
set $download_protocol $1;
set $download_host $2;
set $download_path $3;
set $download_url $download_protocol://$download_host/$download_path;
proxy_set_header Host $download_host;
proxy_set_header Authorization '';
proxy_set_header Cookie '';
proxy_hide_header Content-Disposition;
proxy_hide_header Access-Control-Allow-Origin;
add_header Content-Disposition $upstream_http_content_disposition;
add_header Access-Control-Allow-Origin *;
proxy_max_temp_file_size 0;
proxy_pass $download_url$is_args$args;
}
location / {
proxy_pass http://upstream_server;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
}
}
Context:
All requests hit the / block and are proxied to the django app running on gunicorn behind this server. For some requests, the django app will return a 200, with an x-accel-redirect header of the form: /document_store/<PROTOCOL>/<PRE-SIGNED S3 URL>.
Expected behaviour:
Nginx intercepts the response with the x-accel-redirect header, and instead serves the file from the pre-signed s3 url.
Actual behaviour:
Django successfully returns a 200, with the header set as expected. Nginx intercepts this request, and returns a 403.
I have logged out the contents of the x-accel-redirect header, and passed <PROTOCOL>://<PRE-SIGNED S3 URL> to curl, which results in the file being downloaded successfully, so I am confident that:
- The header is being constructed properly
- The pre-signed header gives access to the file in question
question from:
https://stackoverflow.com/questions/65858890/nginx-returns-403-when-serving-a-file-from-s3-via-x-accel-redirect-using-a-pre 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
