Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signing key validity in README is overestimated #69

Open
CpuID opened this issue Jul 20, 2019 · 8 comments
Open

Signing key validity in README is overestimated #69

CpuID opened this issue Jul 20, 2019 · 8 comments

Comments

@CpuID
Copy link

CpuID commented Jul 20, 2019

In https://github.com/anomalizer/ngx_aws_auth#security-considerations

Note that signing keys have a validity of just one week.

In my experience, they are valid for the date of signing key generation only, as they are date specific.

If you attempt to use a signing key generated on the day before, you will get a 400 Bad Request from S3 due to:

<Error><Code>AuthorizationHeaderMalformed</Code><Message>The authorization header is malformed; Invalid credential date. Date is not the same as X-Amz-Date.</Message>...

Verified over 2 days, in a container with a UTC timezone. Making requests against nginx right after midnight UTC fail, re-running generate_signing_key (well, my ported variant of it, identical in nature with test coverage) and reloading nginx allows successful requests to occur again.

Should the README be adjusted...?

@qdchong
Copy link

qdchong commented Aug 23, 2019

anyone encounter this issue as well? I thought the signing key is suppose to last for a week

@CpuID
Copy link
Author

CpuID commented Sep 5, 2019

It's also possible users will need to follow this workaround for "dynamic upstreams", https://tenzer.dk/nginx-with-dynamic-upstreams/ - still waiting to see if it yields the results I expect or not but promising so far.

@melkayam92
Copy link

@CpuID can u explain more about your solution or provide with an example conf?

thanks

@CpuID
Copy link
Author

CpuID commented Sep 22, 2019

@melkayam92 https://tenzer.dk/nginx-with-dynamic-upstreams/ Ctrl+f "The free alternative". Basically change the proxy_pass to that. Article explains the rationale, tl;dr - nginx DNS resolution doesn't honor TTLs by default.

@CpuID
Copy link
Author

CpuID commented Sep 22, 2019

I can confirm I haven't been able to repro the issues I had since doing this.

@melkayam92
Copy link

@CpuID thanks, so basically u regenerate key every day + the dynamic upstreams?

But I still don't understand wats the DNS resolution has to do with key expire issue?

@CpuID
Copy link
Author

CpuID commented Sep 22, 2019

@melkayam92 yep got a crontab on midnight UTC currently to rotate it, plus dynamic upstreams.

Unconfirmed, but a theory I had is maybe AWS cycle out the S3 backend instances at midnight UTC instead of rotating the keys on the existing instances... 🤷‍♂ :)

@CpuID
Copy link
Author

CpuID commented Nov 27, 2019

Damn, my crontab alone didn't seem to resolve this entirely, managed to get the The authorization header is malformed; Invalid credential date. Date is not the same as X-Amz-Date. error again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants