I'm trying to setup a reverse proxy to my S3 bucket (I'm using DigitalOcean Spaces) using Haproxy (specifically Haproxy Ingress).
After some trial and error, I got somewhere with the proxy, but it doesn't work quite yet.
A GET request works fine, however, a PUT request (like putObject) doesn't work, because I get the error "403 - SignatureDoesNotMatch". I can't seem to find why that is unfortunately and I've search far and wide.
My backend at the moment is as follows:
backend s3-reverse-proxy_443
mode http
balance roundrobin
acl https-request ssl_fc
http-request redirect scheme https if !https-request
http-request set-header Host <bucket>.ams3.digitaloceanspaces.com
http-request set-header X-Original-Forwarded-For %[hdr(x-forwarded-for)] if { hdr(x-forwarded-for) -m found }
http-request del-header x-forwarded-for
option forwardfor
http-response set-header Strict-Transport-Security "max-age=15768000"
server srv001 5.101.110.225:443 weight 1 proto h2 alpn h2 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets verify none check inter 2s
Tried overruling the server by just using the ".ams3.digitaloceanspaces.com", but that didn't work.
I think it has something to do with the headers, but I've tried adding "Authorization" & "Connection" headers, but none of them seem to work.
I'm also using backend-protocol "h2-ssl", because without it, it didn't proxy.
Thanks in advance!
Made some progress, signature version v4 doesn't work, but v2 does.
However, if I'm correct, the docker registry uses v4, and I want it to be compatible with the newest standards.
I don't know much about S3, I'm currently reading the docs about the difference in authentication, but any help would be welcome!
So, after some more investigation, the signature version v4 uses the request URI to calculate the signature. When the bucket itself calculates that same signature, the request URI is different because it listens to another URI.
I've seen some people that are using nginx to recalculate the signature when the request is handled by nginx, but haven't found a way to do that in Haproxy.
The best way to go now is to use signature version v2, however, that may be deprecated for most S3 bucket providers.