Reverse proxy S3 bucket via Haproxy

I'm trying to setup a reverse proxy to my S3 bucket (I'm using DigitalOcean Spaces) using Haproxy (specifically Haproxy Ingress).

After some trial and error, I got somewhere with the proxy, but it doesn't work quite yet.
A GET request works fine, however, a PUT request (like putObject) doesn't work, because I get the error "403 - SignatureDoesNotMatch". I can't seem to find why that is unfortunately and I've search far and wide.

My backend at the moment is as follows:

backend s3-reverse-proxy_443
    mode http
    balance roundrobin
    acl https-request ssl_fc
    http-request redirect scheme https if !https-request
    http-request set-header Host <bucket>.ams3.digitaloceanspaces.com
    http-request set-header X-Original-Forwarded-For %[hdr(x-forwarded-for)] if { hdr(x-forwarded-for) -m found }
    http-request del-header x-forwarded-for
    option forwardfor
    http-response set-header Strict-Transport-Security "max-age=15768000"
    server srv001 5.101.110.225:443 weight 1 proto h2 alpn h2 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets verify none check inter 2s

Tried overruling the server by just using the ".ams3.digitaloceanspaces.com", but that didn't work.

I think it has something to do with the headers, but I've tried adding "Authorization" & "Connection" headers, but none of them seem to work.

I'm also using backend-protocol "h2-ssl", because without it, it didn't proxy.

Thanks in advance!


Made some progress, signature version v4 doesn't work, but v2 does.
However, if I'm correct, the docker registry uses v4, and I want it to be compatible with the newest standards.

I don't know much about S3, I'm currently reading the docs about the difference in authentication, but any help would be welcome!


So, after some more investigation, the signature version v4 uses the request URI to calculate the signature. When the bucket itself calculates that same signature, the request URI is different because it listens to another URI.

I've seen some people that are using nginx to recalculate the signature when the request is handled by nginx, but haven't found a way to do that in Haproxy.

The best way to go now is to use signature version v2, however, that may be deprecated for most S3 bucket providers.



Read more here: https://stackoverflow.com/questions/67375890/reverse-proxy-s3-bucket-via-haproxy

Content Attribution

This content was originally published by Bart Versluijs at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: