Example nginx configuration for proxying an S3 bucket through Nginx with cache and cache lock
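# Read-only caching reverse proxy in front of an S3-compatible bucket.
# Files that exist under `root` are served locally; every other request falls
# through to the named location @s3, which fetches the object from the bucket
# and stores it in the CACHE zone.
#
# Required but not shown in this excerpt (see the "# ..." line at the end):
#   - ssl_certificate / ssl_certificate_key for `listen 443 ssl`
#   - a proxy_cache_path in the http context that defines keys_zone=CACHE
server {
  listen 443 ssl;
  server_name files.example.com;
  root /var/www/html;

  keepalive_timeout 30;

  location = / {
    index index.html;
  }

  location / {
    try_files $uri @s3;
  }

  # Placeholders: replace with the storage endpoint and bucket name.
  # Keeping the hostname in a variable makes nginx resolve it at request time
  # through `resolver` instead of once when the configuration is loaded.
  set $s3_hostname "YOUR_S3_HOSTNAME";
  set $s3_backend 'https://$s3_hostname';
  set $s3_bucket "YOUR_BUCKET_NAME";

  location @s3 {
    # limit_except GET also permits HEAD; every other method is refused, so
    # clients cannot write to or delete from the bucket through this proxy.
    limit_except GET {
      deny all;
    }

    # NOTE(review): this is a public resolver queried over plain DNS. Combined
    # with the unverified upstream TLS noted below, a forged answer could
    # redirect the proxy. Prefer a resolver on the local network or host.
    resolver 8.8.8.8;

    proxy_set_header Host $s3_hostname;
    proxy_set_header Connection '';

    # Never forward the visitor's credentials to the storage provider.
    # Cookies are cleared as well: cookies scoped to a parent domain would
    # otherwise be sent to the upstream with every cache miss.
    proxy_set_header Authorization '';
    proxy_set_header Cookie '';

    # NOTE(review): nginx does not verify the upstream certificate by default,
    # so the https:// hop is encrypted but not authenticated. To authenticate
    # it, enable the following with the CA bundle path of your system:
    #   proxy_ssl_server_name on;
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;

    # Drop cookies and provider-specific headers from the response. The
    # upstream CORS headers are hidden because a fixed policy is set below.
    proxy_hide_header Set-Cookie;
    proxy_hide_header 'Access-Control-Allow-Origin';
    proxy_hide_header 'Access-Control-Allow-Methods';
    proxy_hide_header 'Access-Control-Allow-Headers';
    proxy_hide_header x-amz-id-2;
    proxy_hide_header x-amz-request-id;
    proxy_hide_header x-amz-meta-server-side-encryption;
    proxy_hide_header x-amz-server-side-encryption;
    proxy_hide_header x-amz-bucket-region;
    proxy_hide_header x-amzn-requestid;
    # Without this, a response carrying Set-Cookie would not be cached.
    proxy_ignore_headers Set-Cookie;

    # Because proxy_pass contains variables, the URI given here replaces the
    # request URI as is: the client's query string is NOT sent upstream.
    # NOTE(review): $uri is the decoded, normalized path and is inserted into
    # the upstream request unescaped; verify that object names needing
    # percent-encoding round-trip correctly on your nginx version.
    proxy_pass $s3_backend/$s3_bucket$uri;
    # NOTE(review): upstream error bodies are passed to the client unchanged;
    # check that they do not reveal details the hidden headers were meant to hide.
    proxy_intercept_errors off;

    proxy_cache CACHE;
    # The default cache key is built from $request_uri, which includes the
    # query string. Since the query string never reaches the upstream, that
    # default lets a client create unlimited cache entries (and upstream
    # fetches) for one object by varying "?x=...". Key on what is fetched.
    proxy_cache_key "$s3_hostname/$s3_bucket$uri";
    proxy_cache_valid 200 48h;
    # NOTE(review): a cached 403 keeps an object unavailable for up to 15
    # minutes after it becomes readable upstream.
    proxy_cache_valid 403 15m;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    # Only one request per key populates the cache; concurrent misses wait.
    proxy_cache_lock on;

    expires 1y;
    add_header Cache-Control public;
    # Any origin may read these responses; suitable only for public files.
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    # Debugging aid: tells the client whether the response came from cache.
    add_header X-Cache-Status $upstream_cache_status;
  }

  # ...
}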
The informational headers set by S3-like services are unnecessary for general use, so we hide them.
If you hardcode the domain instead of using the variable, nginx will resolve it only once, at the start. That means that if the upstream service updates its DNS (e.g. because the IP they are serving data from has changed), your configuration will stop working, because nginx will keep connecting to the old IP.
Okay got it now ! Thanks for the clear answer !
It was very helpful, thanks !
I have two questions :
proxy_hide_header
etc.)