SSE-C support through env variables #482

@fietser97

Feature Overview

S3 has support for SSE-C. We have a use case where we need the headers to support this.
We would like it to be bucket-specific because that is the whole point of SSE-C.
The example is in the additional config.

Alternatives Considered

Edit the nginx config ourselves in our Docker project.

Additional Context

Something like this

Global

S3GW_PORT=8080
S3_HOST=s3.amazonaws.com

Bucket: images

S3GW_IMAGES_SSE_ALGO=AES256
S3GW_IMAGES_SSE_KEY=
S3GW_IMAGES_SSE_KEY_MD5=

Bucket: videos

S3GW_VIDEOS_SSE_ALGO=AES256
S3GW_VIDEOS_SSE_KEY=
S3GW_VIDEOS_SSE_KEY_MD5=

worker_processes auto;

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile on;

    # ----------------------------
    # Map buckets to SSE-C headers
    # ----------------------------
    # Replace <bucket> with your actual bucket names in env vars
    map $host $sse_algo {
        default "";
        images.example.com "${S3GW_IMAGES_SSE_ALGO}";
        videos.example.com "${S3GW_VIDEOS_SSE_ALGO}";
    }

    map $host $sse_key {
        default "";
        images.example.com "${S3GW_IMAGES_SSE_KEY}";
        videos.example.com "${S3GW_VIDEOS_SSE_KEY}";
    }

    map $host $sse_key_md5 {
        default "";
        images.example.com "${S3GW_IMAGES_SSE_KEY_MD5}";
        videos.example.com "${S3GW_VIDEOS_SSE_KEY_MD5}";
    }

    server {
        listen ${S3GW_PORT};

        location / {
            proxy_pass https://${S3_HOST};

            # Forward per-bucket SSE-C headers
            proxy_set_header x-amz-server-side-encryption-customer-algorithm $sse_algo;
            proxy_set_header x-amz-server-side-encryption-customer-key $sse_key;
            proxy_set_header x-amz-server-side-encryption-customer-key-md5 $sse_key_md5;

            # Disable caching for SSE-C requests
            proxy_no_cache $sse_key;
            proxy_cache_bypass $sse_key;

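            # $bucket, $aws_auth, $aws_payload_hash and $aws_date are not defined
            # in this snippet; they must be set elsewhere in the configuration.
            proxy_set_header Host $bucket;
            proxy_set_header Authorization $aws_auth;
            proxy_set_header x-amz-content-sha256 $aws_payload_hash;
            proxy_set_header x-amz-date $aws_date;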
        }
    }
}
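
An added example, not part of the original issue or the project's code: a startup check for the proposed `S3GW_<BUCKET>_SSE_*` variables that confirms each key is a base64-encoded 256-bit value and that `KEY_MD5` is the base64 MD5 digest of the raw key, so a mismatch fails at container start instead of on the first S3 request. The function names and the sample key are assumptions made for illustration, and error messages never include key material.

```python
import base64
import binascii
import hashlib
import re

# Naming scheme proposed in the issue: S3GW_<BUCKET>_SSE_{ALGO,KEY,KEY_MD5}
_VAR = re.compile(r"^S3GW_([A-Z0-9]+)_SSE_(ALGO|KEY_MD5|KEY)$")
_PREFIX = "x-amz-server-side-encryption-customer-"


def key_md5(key_b64):
    """base64(MD5(raw key bytes)): the value S3 expects next to an SSE-C key."""
    raw = base64.b64decode(key_b64, validate=True)
    return base64.b64encode(hashlib.md5(raw).digest()).decode()


def load_sse_c(env):
    """Validate per-bucket SSE-C settings; return {bucket: {header: value}}."""
    buckets = {}
    for name, value in env.items():
        m = _VAR.match(name)
        if m:
            buckets.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    headers = {}
    for bucket, cfg in sorted(buckets.items()):
        missing = sorted({"ALGO", "KEY", "KEY_MD5"} - cfg.keys())
        if missing:
            raise ValueError(f"{bucket}: missing {missing}")
        if cfg["ALGO"] != "AES256":
            raise ValueError(f"{bucket}: algorithm must be AES256")
        try:
            raw = base64.b64decode(cfg["KEY"], validate=True)
        except binascii.Error:
            raise ValueError(f"{bucket}: key is not valid base64") from None
        if len(raw) != 32:  # SSE-C requires a 256-bit key
            raise ValueError(f"{bucket}: key decodes to {len(raw)} bytes, need 32")
        if key_md5(cfg["KEY"]) != cfg["KEY_MD5"]:
            raise ValueError(f"{bucket}: KEY_MD5 does not match KEY")
        headers[bucket] = {_PREFIX + "algorithm": "AES256",
                           _PREFIX + "key": cfg["KEY"],
                           _PREFIX + "key-md5": cfg["KEY_MD5"]}
    return headers


# Constructed sample only; real keys come from a CSPRNG, e.g. os.urandom(32).
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_ENV = {"S3GW_PORT": "8080", "S3GW_IMAGES_SSE_ALGO": "AES256",
              "S3GW_IMAGES_SSE_KEY": SAMPLE_KEY,
              "S3GW_IMAGES_SSE_KEY_MD5": key_md5(SAMPLE_KEY)}
```

Calling `load_sse_c(os.environ)` before rendering the nginx template rejects the empty `S3GW_IMAGES_SSE_KEY=` placeholders shown above as well as keys of the wrong length.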

Labels: enhancement (New feature or request)
