I'm a beginner in the matter of security and OpenSSL. My objective is to programmatically generate a certificate that passes the "obsolete" shaming that Chrome does. The certificates I have been generating use AES_128_GCM with RSA even though I tried setting the cipher list to kEECDH:kEDH:!ADH:AES256-SHA256 and the server context uses SSL_CTX_new(TLSv1_2_server_method());.
Based on the example from the documentation I tried the following:
X509 *x = NULL;
EVP_PKEY *pk = NULL;
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *params = NULL;

/* Wrap the RFC 5114 2048/256 DH group in an EVP_PKEY to use as keygen parameters */
if (NULL == (params = EVP_PKEY_new()))
    goto err;
if (1 != EVP_PKEY_set1_DH(params, DH_get_2048_256()))
    goto err;

/* Generate a DH key pair from those parameters */
if (!(ctx = EVP_PKEY_CTX_new(params, NULL)))
    goto err;
if (!EVP_PKEY_keygen_init(ctx))
    goto err;
if (!EVP_PKEY_keygen(ctx, &pk))
    goto err;

/* Build the certificate around the new key */
if ((x = X509_new()) == NULL)
    goto err;
X509_set_version(x, 2);   /* 2 means X.509 v3 */
X509_set_pubkey(x, pk);
//... (setting the issuer, subject, etc)
//Here is where it fails
if (!X509_sign(x, pk, EVP_sha256()))
    goto err;
The same code for RSA instead of DH works. The error that X509_sign gives is "EVP_PKEY_sign_init operation not supported for this keytype".
What could I do? I would prefer the connection to use ECDHE but I have no idea how to set that up. I need this to be secure within reason but my knowledge of security is really limited. I am working on it though. Any help would be appreciated but please provide code with your answer (not command-line generation).
My objective is to programatically generate a certificate that passes the "obsolete" shaming that Chrome does...
What could I do? I would prefer the connection to use ECDHE but I have no idea how to set that up....
I tried setting the cipher list to kEECDH:kEDH:!ADH:AES256-SHA256...
Usually, HIGH:!aNULL:!RC4:!MD5 is enough. Since you want to use the ephemeral key exchanges (which is a good thing), you should remove RSA key transport, too: HIGH:!aNULL:!kRSA:!RC4:!MD5.
Based on the example from the documentation...
Also see SSL/TLS Client on the OpenSSL wiki. It's a client, but it shows you how to set up a context.
Because it's a server, you will also probably want context options like SSL_OP_SAFARI_ECDHE_ECDSA_BUG.
OpenSSL certificate generation for DHE exchange
Just about any certificate will do. It can be an RSA key, a DSS key or an ECDSA key. The key in the certificate will be used to sign server messages (some hand waving), so it's used for server authentication.
Ephemeral key exchanges are different. You ensure that with SSL_CTX_set_cipher_list and the cipher suite string.
Since you are not using cipher suites like SRP and PSK you can remove them too. RSA still shows up, but it's for server authentication, and not key transport:
$ openssl ciphers -v 'HIGH:!aNULL:!kRSA:!RC4:!MD5:!3DES:!DSS:!DSA:!SRP:!PSK'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
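The two points above (the certificate only needs a key that can sign, and the ephemeral exchange is decided by the cipher-suite list, not by the certificate) carried through as a complete added example. It is written against Go's standard library rather than the OpenSSL C API and is not code from the question or from this answer: it generates an ECDSA P-256 key, self-signs a SHA-256 certificate with it, runs a TLS 1.2 handshake in-process against a server whose suite list allows only ECDHE, and then shows the same certificate failing when the server allows only RSA key transport. The host name example.test, the suite lists and the 5-second deadline are choices made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedECDSA generates an ECDSA P-256 key and a self-signed X.509 v3
// certificate over it, signed with SHA-256. Only a key that can sign works here,
// which is exactly what X509_sign refused for the DH key in the question.
func selfSignedECDSA(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       serial.Add(serial, big.NewInt(1)), // keep it non-zero
		Subject:            pkix.Name{CommonName: host},
		DNSNames:           []string{host}, // clients match the SAN, not the CN
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// negotiate runs one TLS 1.2 handshake over an in-memory pipe: the server is
// limited to serverSuites, the client trusts only the certificate made above.
func negotiate(serverSuites []uint16) (tls.ConnectionState, error) {
	const host = "example.test" // placeholder name used only by this example
	cert, leaf, err := selfSignedECDSA(host)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	serverCfg := &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12, // CipherSuites only governs pre-1.3 handshakes
		CipherSuites:     serverSuites,     // plays the role of SSL_CTX_set_cipher_list
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: host,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}

	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()
	deadline := time.Now().Add(5 * time.Second) // pipe writes block until read; never hang
	_ = clientEnd.SetDeadline(deadline)
	_ = serverEnd.SetDeadline(deadline)

	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(serverEnd, serverCfg).Handshake() }()

	client := tls.Client(clientEnd, clientCfg)
	if err := client.Handshake(); err != nil {
		clientEnd.Close() // release a server that is still writing its alert
		<-serverErr
		return tls.ConnectionState{}, err
	}
	if err := <-serverErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

func main() {
	ecdheOnly := []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	}
	st, err := negotiate(ecdheOnly)
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("TLS 0x%04x %s\n", st.Version, tls.CipherSuiteName(st.CipherSuite))
	// Same certificate, but the server now allows only RSA key transport. An ECDSA
	// key cannot decrypt a premaster secret, so no suite is common and it fails.
	_, err = negotiate([]uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256})
	fmt.Println("RSA key transport with an ECDSA certificate:", err)
}
```

The Go CipherSuites field is the counterpart of SSL_CTX_set_cipher_list and the version is pinned to 1.2 because that list only governs pre-1.3 handshakes. A DH key would fail here too: x509.CreateCertificate requires a crypto.Signer, which is the same restriction X509_sign enforces with "operation not supported for this keytype". To get the same result in OpenSSL, generate an EC key instead of a DH key (EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL) with the curve set through EVP_PKEY_CTX_set_ec_paramgen_curve_nid), sign the certificate with that key, and leave the ephemeral exchange to the cipher list.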
Related
I'm trying to upload a file to GCS using a Cloud Function. API Gateway is used to invoke it (POST).
The file size may vary, but they are less than 32MB.
When I try to upload a file with size 10MB or above (less than 32MB), it gives the error 413 Request Entity Too Large: The data value transmitted exceeds the capacity limit.
Based on this article, the max HTTP request size is 32MB for Gen2 functions.
But it still fails to read the uploaded file.
Below is the sample code:
import functions_framework

@functions_framework.http
def main(request):
    """HTTP Cloud Function.
    Args:
        request (flask.Request): The request object.
        <https://flask.palletsprojects.com/en/1.1.x/api/#incoming-request-data>
    Returns:
        The response text, or any set of values that can be turned into a
        Response object using `make_response`
        <https://flask.palletsprojects.com/en/1.1.x/api/#flask.make_response>.
    """
    try:
        request_json = request.get_json(silent=True)
        request_args = request.args
        print(request.files.get('file').content_type)
        print(request.headers['Fullfilepath'])
        if request_json and 'name' in request_json:
            name = request_json['name']
        elif request_args and 'name' in request_args:
            name = request_args['name']
        else:
            name = 'World'
        return 'Hello {}!'.format(name)
    except Exception as e:
        print(e)
        return "Something went wrong", 500

if __name__ == "__main__":
    # Not how the Functions Framework invokes it: main() is called with a request there
    main()
Note: if the file size is below 10MB, this works.
Could someone explain why it's not working with a Gen2 Cloud Function?
EDIT:
I use Postman to make the API call.
Below is the cURL snippet from Postman for the request:
curl --location --request POST 'https://<gen2-function-url>' \
--header 'Fullfilepath: myFile.xlsx' \
--form 'file=@"/C:/Users/jithin/Downloads/myFile.xlsx"'
CURL OUTPUT (less than 10MB - working):
* Trying 216.249.35.23:443...
* TCP_NODELAY set
* Connected to <gen2-fn>
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.a.run.app
* start date: Sep 26 08:18:32 2022 GMT
* expire date: Dec 19 08:18:31 2022 GMT
* subjectAltName: host "<gen2-fn>" matched cert's "*.a.run.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6587b7c0)
> POST / HTTP/2
> Host: <gen2-fn>
> user-agent: curl/7.68.0
> accept: */*
> fullfilepath:myFile.xlsx
> content-length: 133134
> content-type: multipart/form-data; boundary=------------------------4aa0493a972a819f
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< content-type: text/html; charset=utf-8
< x-cloud-trace-context: ac66dub6c7d036958f95o05;o=1
< date: Wed, 02 Nov 2022 08:48:59 GMT
< server: Google Frontend
< content-length: 12
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host <gen2-fn> left intact
Hello World!%
CURL OUTPUT (more than 10MB - NOT working):
* Trying 216.249.35.23:443...
* TCP_NODELAY set
* Connected to <gen2-fn>
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.a.run.app
* start date: Oct 17 08:15:34 2022 GMT
* expire date: Jan 9 08:15:33 2023 GMT
* subjectAltName: host "<gen2-fn>" matched cert's "*.a.run.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5432697c0)
> POST / HTTP/2
> Host: <gen2-fn>
> user-agent: curl/7.68.0
> accept: */*
> fullfilepath:myFile1.xlsx
> content-length: 16492439
> content-type: multipart/form-data; boundary=------------------------d75d043c4ffd6fce
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 500
< content-type: text/html; charset=utf-8
< x-cloud-trace-context: 464039806234sdf503247ec892803a20;o=1
< date: Wed, 02 Nov 2022 08:48:21 GMT
< server: Google Frontend
< content-length: 20
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host <gen2-fn> left intact
Something went wrong%
I created a bucket in S3. Static website hosting: chose Enable. I uploaded two HTML files.
page1.html
This is page1
page2.html
This is page2
I added the metadata x-amz-website-redirect-location = /page2.html to the page1 object in the S3 console.
When I visit http://bucket-name.s3-website.Region.amazonaws.com/page1.html in Chrome, it does not redirect (it shows the page1 content, not page2). I followed the documentation and searched about this question. https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-page-redirect.html
Thanks in advance.
screenshot of page1 metadata
My bucket settings.
curl -v the site
$ curl -v https://aws-redirect-test.s3.ap-northeast-1.amazonaws.com/page1.html
* Trying 3.5.154.185...
* TCP_NODELAY set
* Connected to aws-redirect-test.s3.ap-northeast-1.amazonaws.com (3.5.154.185) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.s3-ap-northeast-1.amazonaws.com
* start date: Dec 9 00:00:00 2021 GMT
* expire date: Dec 2 23:59:59 2022 GMT
* subjectAltName: host "aws-redirect-test.s3.ap-northeast-1.amazonaws.com" matched cert's "*.s3.ap-northeast-1.amazonaws.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET /page1.html HTTP/1.1
> Host: aws-redirect-test.s3.ap-northeast-1.amazonaws.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< x-amz-id-2: jWBm/e0Rdb2BB3R/nFffH8/YS2+f1AgXFHQfT6bUzmMK9tMZDtSNYprUp4Ka6m9xMKookshlWwo=
< x-amz-request-id: T4JG7K11X2FTBCA8
< Date: Thu, 09 Jun 2022 02:15:03 GMT
< Last-Modified: Thu, 09 Jun 2022 02:12:42 GMT
< ETag: "a12ac1ca5226842e56871deaa4d9ef9c"
< x-amz-website-redirect-location: /page2.html
< Accept-Ranges: bytes
< Content-Type: text/html
< Server: AmazonS3
< Content-Length: 14
<
This is page1
* Connection #0 to host aws-redirect-test.s3.ap-northeast-1.amazonaws.com left intact
* Closing connection 0
You are not using the website endpoint. I tested the following URL and it works.
http://aws-redirect-test.s3-website-ap-northeast-1.amazonaws.com/page1.html
How can we get the messages from an AWS ActiveMQ queue using the curl command?
curl -v -u -XGET username:password 'https://hostname:8162/api/message/lte_ap_kpi_sci?type=queue'
curl -v -XGET http://username:password@hostname:8162/api/message?destination=queue://lte_ap_kpi_sci&json=true&oneShot=true
I used the above commands but wasn't able to get any messages from the queue.
Please find the logs below:
lte_ap_kpi_sci'
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying IP:PORT...
* TCP_NODELAY set
* Connected to hostname
(IP) port PORT (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.mq.region.amazonaws.com
* start date: Apr 18 00:00:00 2021 GMT
* expire date: May 17 23:59:59 2022 GMT
* subjectAltName: host "hostname" matched cert's "*.mq.region.amazonaws.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
* Server auth using Basic with user 'admin'
> GET /api/message?destination=queue://lte_ap_kpi_sci HTTP/1.1
> Host: hostname:PORT
> Authorization: Basic token==
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Wed, 23 Feb 2022 18:51:08 GMT
< X-FRAME-OPTIONS: SAMEORIGIN
< Location: https://hostname:PORT/
< Transfer-Encoding: chunked
< Server: Jetty(9.4.43.v20210629)
<
* Connection #0 to host hostname left intact
Is there any possible way to read the messages from the queue using the curl command?
I have Superset set up on an AWS EKS cluster. I want to terminate HTTPS at the NLB layer and send plain text to Superset. This is how the entire setup is configured:
GSLB Vip → NLB DNS Name → Nginx controller → http → ingress → service → pod
When I curl the VIP/health, I get a response.
curl -ivk https://superset-xx.com/health
Connected to superset-xx.com port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: xxx.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ccc-bbb
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=dddd; OU=management:idms.group.5738053; O=asd Inc.; ST=California; C=US
* start date: Oct 13 20:01:12 2021 GMT
* expire date: Nov 12 20:01:11 2023 GMT
* issuer: CN=X Corporate Server CA 1; OU=Certification Authority; O=V Inc.; C=US
* SSL certificate verify ok.
> GET /health HTTP/1.1
> Host: superset-xx.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.17.8
Server: nginx/1.17.8
< Date: Thu, 14 Oct 2021 00:25:43 GMT
Date: Thu, 14 Oct 2021 00:25:43 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 2
But when I hit the login or the welcome endpoint, it is stuck. It seems to be stuck at redirection. Every time I hit the URL, it seems to be recording this in the Superset logs.
This is the controller yaml:
Name: ingress-nginx
Namespace: ingress-nginx
Labels: app.kubernetes.io/name=ingress-nginx
app.kubernetes.io/part-of=ingress-nginx
Annotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-internal: true
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:ssss
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
service.beta.kubernetes.io/aws-load-balancer-subnets:ss
service.beta.kubernetes.io/aws-load-balancer-type: nlb
Selector: app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type: LoadBalancer
IP: 1.2.3.4
LoadBalancer Ingress: aaa.amazonaws.com
Port: http 8080/TCP
TargetPort: http/TCP
NodePort: http 31840/TCP
Endpoints: a.b.c.d:80
Port: https 443/TCP
TargetPort: http/TCP
NodePort: https 30330/TCP
Endpoints: a.b.c.d:80
Session Affinity: None
External Traffic Policy: Local
HealthCheck NodePort: 30599
Events: <none>
Any idea what could be wrong here? If you need any other configs, let me know.
Thanks in advance for the help.
I am trying to upload a file to S3 with a pre-signed URL using curl.
It returns success when I run the following command:
❯ curl -v -X PUT --upload-file [file directory] '[pre-signed url]'
* Trying [port]...
* TCP_NODELAY set
* Connected to bucket-name.s3.region.amazonaws.com (ip address) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.region.amazonaws.com
* start date: Nov 9 00:00:00 2019 GMT
* expire date: Dec 10 12:00:00 2020 GMT
* subjectAltName: host "bukcet-name.s3.region.amazonaws.com" matched cert's "*.s3.region.amazonaws.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
* SSL certificate verify ok.
> PUT [pre-signed url] HTTP/1.1
> Host: bukcet-name.s3.region.amazonaws.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: image/png
> Content-Length: 145701
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< x-amz-id-2: hogehoge
< x-amz-request-id:hugahuga
< Date: Mon, 17 Feb 2020 08:09:01 GMT
< ETag: "hogehuga"
< Content-Length: 0
< Server: AmazonS3
<
* Connection #0 to host bukcet-name.s3.region.amazonaws.com left intact
* Closing connection 0
But when I look at S3, the file is not uploaded.
I want to know how to upload the file correctly to S3.
[Update]
I added an x-amz-acl: bucket-owner-full-control header in curl and set <AllowedHeader>x-amz-acl</AllowedHeader> in the S3 bucket CORS.
curl -v -X PUT -H 'x-amz-acl: bucket-owner-full-control' --upload-file [file directory] '[pre-signed url]'
but it returns an error:
<Error><Code>AccessDenied</Code><Message>There were headers present in the request which were not signed</Message><HeadersNotSigned>x-amz-acl</HeadersNotSigned>
Also, I wonder why my presigned URL does not have the file name in the directory path. Is it a correct presigned URL?
My implementation to generate the pre-signed URL is like this:
req, _ := svc.PutObjectRequest(&s3.PutObjectInput{
    Bucket: aws.String(bucketName),
    Key:    aws.String(key),
})
url, err := req.Presign(expires)
Do I need to add ACL inside the PutObjectInput struct?
This issue is resolved by adding the file name at the end of the S3 directory when it is generated.
For example (Golang):
req, _ := svc.PutObjectRequest(&s3.PutObjectInput{
    Bucket: aws.String("hogehoge/fugafuga/filename"),
    Key:    aws.String(key),
})
url, err := req.Presign(expires)
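As an added illustration of the HeadersNotSigned error in the Update (not the question's or answer's code, and not the AWS SDK), here is the query-string presigning that req.Presign performs, written against Go's standard library only. The set of headers folded into the signature is fixed when the URL is made and advertised in X-Amz-SignedHeaders; S3 recomputes the signature over exactly that set, so an x-amz-acl header added to the curl call afterwards is "present but not signed". The bucket, key, timestamp and the AWS documentation's placeholder credentials below are constructed inputs for this example, and the key is assumed to contain only unreserved URL characters.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// hmacSHA256 is the building block of the SigV4 signing-key chain.
func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// presignPut builds a SigV4 query-string presigned PUT URL for s3://bucket/key.
// Every entry of extraHeaders is folded into the signature and listed in
// X-Amz-SignedHeaders; the uploader must then send those headers with the same
// values. A header sent but absent from that list is what S3 rejects as HeadersNotSigned.
func presignPut(accessKey, secretKey, region, bucket, key string, now time.Time, expires int, extraHeaders map[string]string) string {
	host := fmt.Sprintf("%s.s3.%s.amazonaws.com", bucket, region)
	amzDate := now.UTC().Format("20060102T150405Z")
	dateStamp := now.UTC().Format("20060102")
	scope := dateStamp + "/" + region + "/s3/aws4_request"

	// Canonical headers: lower-case names, sorted, trimmed values, one per line.
	headers := map[string]string{"host": host}
	for k, v := range extraHeaders {
		headers[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	names := make([]string, 0, len(headers))
	for k := range headers {
		names = append(names, k)
	}
	sort.Strings(names)
	var canonicalHeaders strings.Builder
	for _, k := range names {
		canonicalHeaders.WriteString(k + ":" + headers[k] + "\n")
	}
	signedHeaders := strings.Join(names, ";")

	q := url.Values{}
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", accessKey+"/"+scope)
	q.Set("X-Amz-Date", amzDate)
	q.Set("X-Amz-Expires", fmt.Sprint(expires))
	q.Set("X-Amz-SignedHeaders", signedHeaders)

	// A presigned URL cannot know the body in advance, so the payload is declared unsigned.
	canonicalRequest := strings.Join([]string{
		"PUT",
		"/" + key,  // assumed to need no further percent-encoding
		q.Encode(), // sorted by name; '/' and ';' are percent-encoded as SigV4 requires
		canonicalHeaders.String(),
		signedHeaders,
		"UNSIGNED-PAYLOAD",
	}, "\n")
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)}, "\n")

	kDate := hmacSHA256([]byte("AWS4"+secretKey), dateStamp)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, "s3")
	kSigning := hmacSHA256(kService, "aws4_request")
	q.Set("X-Amz-Signature", hex.EncodeToString(hmacSHA256(kSigning, stringToSign)))
	return "https://" + host + "/" + key + "?" + q.Encode()
}

// signedHeadersOf returns the header names a presigned URL commits to.
func signedHeadersOf(rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	return strings.Split(u.Query().Get("X-Amz-SignedHeaders"), ";"), nil
}

func main() {
	// Constructed, non-secret placeholder credentials from the AWS documentation.
	const ak, sk = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
	at := time.Date(2020, 2, 17, 8, 9, 1, 0, time.UTC)
	plain := presignPut(ak, sk, "ap-northeast-1", "example-bucket", "uploads/photo.png", at, 900, nil)
	withACL := presignPut(ak, sk, "ap-northeast-1", "example-bucket", "uploads/photo.png", at, 900,
		map[string]string{"x-amz-acl": "bucket-owner-full-control"})
	fmt.Println(plain)
	fmt.Println(withACL)
}
```

In SDK terms, setting ACL on PutObjectInput before calling Presign puts x-amz-acl into the request headers, so it ends up in X-Amz-SignedHeaders the same way extraHeaders does here; the curl upload then has to send that header, and only that value, or the signature check fails.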