Details
- Type: New Feature
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: None
- Fix Version/s: None
- Labels:
- Story Points: 2
- Epic Link:
- Sprint: Summer 2019 Sprint 12, Fall 2019 Sprint 2, Fall 2019 Sprint 3
Description
Currently, we are using redirect rules in Apache in order to serve jar and logo files from an AppStore's S3 bucket.
However, this is problematic. For this to work, permissions need to be set on the bucket that make it less secure.
Instead, we would like to control all access to the S3 bucket. This is important to control costs, among other things.
Goal: Only AppStore itself can get data from the S3 bucket. We want clients (e.g., IGB) to be able to download artifacts from the bucket - such as App jar files. But we only want this to happen through App Store.
We have discussed it and think the best solution will be to configure AppStore to function as a proxy. When a client requests an artifact that is actually stored in S3, AppStore will authenticate to the bucket and stream the data through itself and to the client. The client will never know where the data actually came from. No-one will ever see the address of our S3 bucket.
Jar files are rarely large, so we think this will not be too taxing on the server.
Notes:
We searched for: "proxy server for S3 in django" and found:
- https://stackoverflow.com/questions/2636783/django-as-s3-proxy
- https://stackoverflow.com/questions/44639182/nginx-proxy-amazon-s3-resources/44749584#44749584 - READ THIS! See comment near the end which tells us that proxying this way is a terrible idea, and a comment on that comment that gives a counter-argument.
For this task, we should read the above and also do more searching, as there may already be some very cool libraries available for us to use.
We should also investigate whether we can get Apache to handle the proxy aspect. If we can configure Apache in a different way, this will save us some headaches of coding. Links I found:
Example configuration from above:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests off
ProxyPass /s3/ http://s3.amazonaws.com/your_bucket/
From what I've read (not tons) this seems like the best solution:
In this solution, it looks like we can use mod_proxy in Apache, thus requiring no coding changes for App Store, just server configuration.
Sameer Shanbhag - could you try out the above on your DevAppStore? It looks like you would only need to make changes to default-ssl.conf and/or 000-default.conf.
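
The proxy design in the description (AppStore authenticates to the bucket and streams the object through itself to the client), sketched as an added example that is not part of the original ticket or the App Store code base. The key prefixes, file suffixes, and function names are assumptions, and `s3_client` is assumed to be a boto3 S3 client holding the server's own credentials.

```python
import posixpath
import re

# Assumed bucket layout (not from the ticket): only these keys are served.
ALLOWED_PREFIXES = ("jars/", "logos/")
ALLOWED_SUFFIXES = (".jar", ".png", ".svg")
_SAFE_KEY = re.compile(r"^[A-Za-z0-9._/-]+$")


class ArtifactNotAllowed(Exception):
    """The requested path must not be fetched from the bucket."""


def resolve_key(requested_path):
    """Map a client-supplied path to an S3 key, or raise ArtifactNotAllowed."""
    path = requested_path.lstrip("/")
    if not _SAFE_KEY.match(path):
        raise ArtifactNotAllowed(requested_path)
    # Reject dot segments and doubled slashes instead of normalising them, so
    # the prefix check is made on exactly the key that is sent to S3.
    if posixpath.normpath(path) != path:
        raise ArtifactNotAllowed(requested_path)
    if not path.startswith(ALLOWED_PREFIXES) or not path.endswith(ALLOWED_SUFFIXES):
        raise ArtifactNotAllowed(requested_path)
    return path


def stream_artifact(s3_client, bucket, requested_path, chunk_size=64 * 1024):
    """Return (headers, chunk iterator) for one bucket object.

    The client never receives the bucket name, a redirect, or a presigned
    URL; it only sees bytes relayed by the application server.
    """
    key = resolve_key(requested_path)
    obj = s3_client.get_object(Bucket=bucket, Key=key)
    # Build the response headers explicitly rather than copying S3's, whose
    # x-amz-* headers would reveal where the data came from.
    headers = {
        "Content-Type": obj.get("ContentType", "application/octet-stream"),
        "Content-Length": str(obj["ContentLength"]),
    }
    # Chunked iteration keeps memory use flat regardless of jar size.
    return headers, obj["Body"].iter_chunks(chunk_size)
```

In a Django view, the returned iterator can be handed to `StreamingHttpResponse`, and `ArtifactNotAllowed` mapped to a 404 so the response does not reveal which keys exist.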