nginxinc / nginx-aws-signature

NGINX AWS Signature Library to authenticate AWS services such as S3 and Lambda via NGINX and NGINX Plus.

License: Apache License 2.0

JavaScript 90.04% Shell 9.29% Makefile 0.67%
aws awssignature ec2 ecs eks lambda s3 sts nginx-lambda-gateway nginx-s3-gateway

nginx-aws-signature's Introduction

nginx_aws_signature

NGINX AWS Signature Library to authenticate AWS services such as S3 and Lambda via NGINX and NGINX Plus.

Getting Started

This project provides a common library for your apps or services. To get it up and running, the following NGINX project can be used prior to implementing your project.

Directory Structure and File Descriptions

nginx-aws-signature
│
├── core
│   ├── awscredentials.js       common lib to read and write AWS credentials
│   ├── awssig2.js              common lib to build AWS signature v2
│   ├── awssig4.js              common lib to build AWS signature v4
│   │                           :
│   │                           add new lib when AWS releases new signature ver.
│   │                           :
│   └── utils.js                common lib to be reused by all NJS codebase
│
├── tests
│   ├── docker
│   │   ├── build_text          Docker environments for testing NJS codebases
│   │   │   ├── nginx           NGINX config files for testing NJS codebases
│   │   │   └── ssl             NGINX Plus license files when testing lib on NGINX Plus
│   │   ├── Dockerfile.oss      for testing AWS signature lib on NGINX OSS
│   │   ├── Dockerfile.plus     for testing AWS signature lib on NGINX Plus
│   │   └── docker-compose.yml  to build and run a container for testing AWS signature lib
│   ├── unit-test               contains automated tests for validating that the lib works
│   └── test.sh                 test launcher
│
└── Makefile                    automates building/starting/stopping the testing environment

NGINX AWS Signature Signing Flow

How to Use

Sparse Checkouts of Submodules

Create or update a git submodule when using this lib in your repository. Otherwise, skip the following steps and copy core/*.js into the preferred directory on your NGINX instance.

Step 1. Choose one of the following options

  • Option 1. Clone this repo with a depth of 1 for the first time

    git clone --depth=1 --no-checkout git@github.com:nginxinc/nginx-aws-signature.git <path/to/submodule>

  • Option 2. Update a submodule when using the latest lib after cloning

    git submodule update --init <path/to/submodule>

Step 2. Sparse checkouts of submodules

git submodule absorbgitdirs
git -C <path/to/submodule> config core.sparseCheckout true
echo 'core/*' >>.git/modules/<path/to/submodule>/info/sparse-checkout
git submodule update --force --checkout <path/to/submodule>

Configure NGINX

js_import /etc/nginx/awssig/awscredentials.js;
js_import /etc/nginx/awssig/awssig4.js;
js_import /etc/nginx/serverless/lambdagateway.js;

js_set $awsDate                 awssig4.awsHeaderDate;
js_set $awsPayloadHash          awssig4.awsHeaderPayloadHash;
js_set $awsSessionToken         awscredentials.sessionToken;
js_set $lambdaFunctionARNAuth   lambdagateway.lambdaFunctionARNAuth;
js_var $defaultHostName         'nginx-lambda-gateway';

map $request_uri $lambda_url {
    default  https://lambda.us-east-1.amazonaws.com;
}

server {
    listen 80; # Use SSL/TLS in production

    location /2015-03-31/functions/foo/invocations {
        auth_request /aws/credentials/retrieval;
        proxy_set_header x-amz-date           $awsDate;
        proxy_set_header x-amz-content-sha256 $awsPayloadHash;
        proxy_set_header x-amz-security-token $awsSessionToken;
        proxy_set_header Authorization        $lambdaFunctionARNAuth;
        proxy_pass $lambda_url$request_uri;
    }

    location /aws/credentials/retrieval {
        internal;
        js_content awscredentials.fetchCredentials;
    }
}

Examples:

Project                Config example
nginx-s3-gateway       /etc/nginx/conf.d/default.conf
nginx-lambda-gateway   /etc/nginx/conf.d/nginx_lambda_gateway.conf

Integrate AWS Signature Lib To Your Custom NJS

Import the nginx-aws-signature library files, and in your custom NJS implement a function that generates the Authorization header by calling the lib with the proper parameters.

/etc/nginx/<custom-njs-path>/<your-njs>.js:

import awscred from "../awssig/awscredentials.js";
import awssig4 from "../awssig/awssig4.js";
import utils   from "../awssig/utils.js";

const SERVICE = 'lambda';

utils.requireEnvVar('LAMBDA_SERVER');
utils.requireEnvVar('LAMBDA_REGION');

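// Builds the value of the Authorization header for the proxied Lambda request.
function lambdaFunctionARNAuth(r) {
    const host   = process.env['LAMBDA_SERVER'];
    const region = process.env['LAMBDA_REGION'];
    const queryParams = '';
    // Credentials cached by the /aws/credentials/retrieval subrequest.
    const credentials = awscred.readCredentials(r);

    const signature = awssig4.signatureV4(
        r, awscred.Now(), region, SERVICE,
        r.variables.request_uri, queryParams, host, credentials
    );
    return signature;
}

// NJS resolves js_set handlers through the module's default export.
export default {
    lambdaFunctionARNAuth
};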

Examples:

Project                NJS example
nginx-s3-gateway       s3gateway.js
nginx-lambda-gateway   lambdagateway.js
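
What goes into the Authorization header that such a function returns, as an added example that is not the library's own code: a stand-alone Node.js implementation of the AWS Signature Version 4 steps (payload hash, canonical request, scoped signing key, header). The credentials, request values and the names `signingKey` and `authorizationV4` are constructed for illustration; the set of signed headers mirrors the `proxy_set_header` lines in the NGINX configuration above and is an assumption about what the library signs.

```javascript
const crypto = require('crypto');

const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();

// The signing key is derived per day, region and service, which limits what a leaked key can sign.
function signingKey(secret, dateStamp, region, service) {
    const kDate = hmac('AWS4' + secret, dateStamp);
    const kRegion = hmac(kDate, region);
    const kService = hmac(kRegion, service);
    return hmac(kService, 'aws4_request');
}

// req: { method, uri, query, host, body }; amzDate: 'YYYYMMDDTHHMMSSZ'.
// Assumption: uri and query are already in canonical form (URI-encoded, parameters sorted).
function authorizationV4(req, creds, amzDate, region, service) {
    const payloadHash = sha256Hex(req.body || '');
    const headers = {
        'host': req.host,
        'x-amz-content-sha256': payloadHash,
        'x-amz-date': amzDate,
    };
    // With temporary credentials the session token is sent and signed as well.
    if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

    const names = Object.keys(headers).sort();
    const canonicalHeaders = names.map((n) => `${n}:${String(headers[n]).trim()}\n`).join('');
    const signedHeaders = names.join(';');
    const canonicalRequest = [req.method, req.uri, req.query || '',
        canonicalHeaders, signedHeaders, payloadHash].join('\n');

    const dateStamp = amzDate.slice(0, 8);
    const scope = `${dateStamp}/${region}/${service}/aws4_request`;
    const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
    const key = signingKey(creds.secretAccessKey, dateStamp, region, service);
    const signature = crypto.createHmac('sha256', key).update(stringToSign, 'utf8').digest('hex');

    const authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
        `SignedHeaders=${signedHeaders}, Signature=${signature}`;
    return { headers, authorization };
}

// Constructed sample input: placeholder credentials, not real keys.
const SAMPLE_CREDS = { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'example-secret', sessionToken: 'example-token' };
const SAMPLE_REQ = {
    method: 'POST', uri: '/2015-03-31/functions/foo/invocations', query: '',
    host: 'lambda.us-east-1.amazonaws.com', body: '{"message":"hello"}',
};
console.log(authorizationV4(SAMPLE_REQ, SAMPLE_CREDS, '20230101T000000Z', 'us-east-1', 'lambda').authorization);
```

Because the body hash and every signed header feed the signature, a request whose body or `x-amz-*` headers are changed after signing no longer matches the Authorization header.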

Contributing

Please see the contributing guide for guidelines on how to best contribute to this project.

Authors and acknowledgment

This project was inspired by the great work on nginx-s3-gateway and nginx-serverless.

License

Apache License, Version 2.0

© F5, Inc. 2023

nginx-aws-signature's People

Contributors

dekobon, dependabot[bot], shawndotkim, shawnhankim

nginx-aws-signature's Issues

Create a repo and diagram for nginx-aws-signature

Is your feature request related to a problem? Please describe

As a SWE,
I want to reuse a nginx-aws-signature library for accessing several AWS services such as S3 and Lambda via NGINX.

Describe the solution you'd like

  • Create a repo of nginx-aws-signature.
  • Create a diagram of nginx-aws-signature.

Describe alternatives you've considered

  • First approach is to implement the library per each repo such as nginx-s3-gateway and nginx-lambda-gateway.
  • Second approach is to consolidate the common library for accessing several AWS services.

Additional context

  • N/A
