fix: upload, download and listing of objects with "+" in their keys

When uploading an object containing several + in their keys, nginx considers the "+" as being a "valid" url charcter, then it is not re-encoding it when proxy_pass the url. This ends up in signature validation issues on cloudserver side, because cloud server receives the request with a plain "+" character instead of its urlencode counterpart "%2B". To solve the issue, we create a new variable named "urlencore_proxy_uri" where we urlencode the "+" and give that URL to the proxy_pass, this way nginx is not re-encoding it. We had to introduce lua to do this operation via a set_by_lua_block because a simple map module in nginx is not replacing ALL the occurences but only the last match. Ref: ZKUI-317
scality · Oct 10, 2023 · 1cf657b · 1cf657b
1 parent 1a37f88
commit 1cf657b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 13 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-ARG NGINX_IMAGE_VERSION=1.23.3-alpine
+ARG TAG=1.21.4.2-1-alpine-fat
 
-FROM nginx:${NGINX_IMAGE_VERSION}
+FROM openresty/openresty:${TAG}
 
 EXPOSE 8383
 

diff --git a/nginx.conf.gotempl b/nginx.conf.gotempl
@@ -1,13 +1,3 @@
-map $request_uri $proxy_uri {
-	"~^/s3/(?<path>.*)$" "/$path";
-}
-
-map $proxy_uri $encoded_uri {
-        ~(.*)\+(.*) $1%2B$2;
-        default $proxy_uri;
-}
-
-
 server {
   listen       {{ .Port }};
   server_name  _;
@@ -36,7 +26,15 @@ server {
   location /s3 {
     resolver {{ .DNSAddress }};
 	{{ .AdditionalS3LocationsRules }}
-    proxy_pass {{ .S3Endpoint }}$encoded_uri;
+
+    set_by_lua_block $urlencore_proxy_uri {
+                local uri = ngx.var.request_uri
+                local proxy_uri = ngx.re.gsub(uri, "^/s3", "")
+                local encoded_uri = ngx.re.gsub(proxy_uri, "\\+", "%2B", "jo")
+                return encoded_uri
+    }
+
+    proxy_pass {{ .S3Endpoint }}$urlencore_proxy_uri;
     proxy_redirect off;
   }