Fix problem where signature string is incorrect when a path other than root is used

Author: npahucki

nginx_conf_fragment.txt

@@ -11,4 +11,20 @@
 			proxy_set_header Authorization $s3_auth_token;
 			proxy_set_header x-amz-date $aws_date;
         }
+
+        # This is an example that does not use the server root for the proxy root
+		location /myfiles {
+			proxy_pass http://your_s3_bucket.s3.amazonaws.com/;
+
+			aws_access_key your_aws_access_key;
+			aws_secret_key the_secret_associated_with_the_above_access_key;
+			s3_bucket your_s3_bucket;
+			chop_prefix /myfiles; # Take out this part of the URL before signing it, since '/myfiles' will not be part of the URI sent to Amazon  
+			
+
+			proxy_set_header Authorization $s3_auth_token;
+			proxy_set_header x-amz-date $aws_date;
+        }
+
+
     }

ngx_http_aws_auth.c

@@ -20,6 +20,7 @@ typedef struct {
     ngx_str_t access_key;
     ngx_str_t secret;
     ngx_str_t s3_bucket;
+    ngx_str_t chop_prefix;
 } ngx_http_aws_auth_conf_t;
 
 
@@ -44,6 +45,13 @@ static ngx_command_t  ngx_http_aws_auth_commands[] = {
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_aws_auth_conf_t, s3_bucket),
       NULL },
+    
+   { ngx_string("chop_prefix"),
+      NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_aws_auth_conf_t, chop_prefix),
+      NULL },
 
       ngx_null_command
 };
@@ -101,6 +109,7 @@ ngx_http_aws_auth_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_str_value(conf->access_key, prev->access_key, "");
     ngx_conf_merge_str_value(conf->secret, prev->secret, "");
+    ngx_conf_merge_str_value(conf->chop_prefix, prev->chop_prefix, "");
 
     return NGX_CONF_OK;
 }
@@ -113,12 +122,34 @@ ngx_http_aws_auth_variable_s3(ngx_http_request_t *r, ngx_http_variable_value_t *
     int t;
     unsigned int md_len;
     unsigned char md[EVP_MAX_MD_SIZE];
-
     aws_conf = ngx_http_get_module_loc_conf(r, ngx_http_aws_auth_module);
-
+    
+
+    /* 
+     *   This Block of code added to deal with paths that are not on the root -
+     *   that is, via proxy_pass that are being redirected and the base part of 
+     *   the proxy url needs to be taken off the beginning of the URI in order 
+     *   to sign it correctly.
+    */
+    u_char *uri = ngx_palloc(r->pool, r->uri.len);
+    ngx_sprintf(uri,"%V",&r->uri);
+    if(ngx_strcmp(aws_conf->chop_prefix.data, "")) {
+	if(!ngx_strncmp(r->uri.data, aws_conf->chop_prefix.data, aws_conf->chop_prefix.len)) {
+	  uri += aws_conf->chop_prefix.len;
+          ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0,
+            "chop_prefix '%V' chopped from URI",&aws_conf->chop_prefix);
+        } else {
+          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+            "chop_prefix '%V' NOT in URI",&aws_conf->chop_prefix);
+        }
+    }
+	    
     u_char *str_to_sign = ngx_palloc(r->pool, r->uri.len + aws_conf->s3_bucket.len + 200);
-    ngx_sprintf(str_to_sign, "GET\n\n\n\nx-amz-date:%V\n/%V%V",
-        &ngx_cached_http_time, &aws_conf->s3_bucket, &r->uri);
+    ngx_sprintf(str_to_sign, "GET\n\n\n\nx-amz-date:%V\n/%V%s",
+        &ngx_cached_http_time, &aws_conf->s3_bucket,uri);
+    
+
+
 
     if (evp_md==NULL)
     {