Nginx storage authentication

[bartoszbetka]

Resolves #19

[cameel]

I have fixed the small issues and pushed a few fixups. Please review them.

Please fix the remaining issues. Mostly in nginx-storage/default.conf.j2.

[cameel]

We don't have a container called gatekeeper-api. This should be called gatekeeper-settings, not gatekeeper-api-settings.

[cameel]

The container is running the gatekeeper not concent API so it does not make sense to call it concent-api. This is misleading. It should be called gatekeeper.

[cameel]

Services should be created and destroyed in the right order. nginx instances should be created last and destroyed first because they open access to the cluster.

[cameel]

Why are you removing Content-Length? Gatekeeper will need to be able to access it in later releases.

[cameel]

Your error responses are inconsistent. Here you have error_message and error_code but a few lines above it's message and code. We need to stick to a single format of error responses to make it easy for the client to parse them.

[cameel]

Why are you removing the body and Content-Length? Doesn't auth_request strip the body automatically?

[bartoszbetka]

According to nginx site: https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/ request body is discarded for authentication subrequests, so we will need to removing the body and Content-Length.

[cameel]

But if it's discarded, it should not be necessary, right? What happens in gatekeeper if you remove these lines?

[bartoszbetka]

I not sure what happend, because gatekeeper not work properly now(problem with golem token)
Without this header, I occur additional errors:

• download-auth: [DEBUG] Ignoring connection reset
• update-auth: ERROR | Request body exceeded settings.DATA_UPLOAD_MAX_MEMORY_SIZE

In update-auth looks like subrequest send file in body to the django.
Smaller file occur next problem:

• [DEBUG] Ignoring EPIPE
  I think it not work porperly without this header.

[cameel]

OK. Looks like auth_request does not remove the body after all. So we do have to remove it.

[cameel]

Why do you need this header? And shouldn't it be called X-Original-URI?

[bartoszbetka]

According to nginx site: https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/ this header pass the full original request URI with arguments but It's look like without it, also work. I find also this topic: bitly/oauth2_proxy#247

[cameel]

I know, but do you use it? If not then it's not necessary here.

[bartoszbetka]

Ok. I delete it.

[cameel]

Why do you need this header? And shouldn't it be called X-Original-URI?

[cameel]

What is this for? I don't see this variable used anywhere else in this file. Is it needed here?

[bartoszbetka]

Ok. So, I forgot to remove these variables, their goal was to check the http status during debugging.

[cameel]

1. Why case-insensitive regex match (~*) and and not a normal one (~)?
2. What will the match be if request_uri looks like this: /download/a/b/c/download/file.jpg?

[bartoszbetka]

1. According to this post https://serverfault.com/questions/801356/what-is-the-difference-between-nginx-and-regexes, version with ~* is matching as a case-insensitive regular expression.
2. So if request look like this download/a/b/c/download/file.jpg, it change properly and go to gatekeeper in this form of request /gatekeeper/download-auth/a/b/c/download/file.jpg

[cameel]

According to this post https://serverfault.com/questions/801356/what-is-the-difference-between-nginx-and-regexes, version with ~* is matching as a case-insensitive regular expression.

I'm asking why do you need a case-insensitive match here.