@dkocher commented

I cannot reproduce the issue. We add a Expect: 100-continue to all PUT requests and include it in the AWS4-HMAC-SHA256 signature. I have added a test case in e451ce03b1e6eb4393f84a3400f5ac76eb647c57.

@ylangisc commented

Can you please post the transcript from the log drawer (⌘-L) when trying to create a bucket?

2fcfe54 commented

I did not know about ( CMD-L ) !
You are right, it looks like the header is there.
Is it possible for some reason that NGINX is not forwarding the header ?
By the way, why are you including this header in the AWS4 signature ? It is not a mandatory header to put in the signed headers.

thank you

PUT /luminous/ HTTP/1.1
Date: Tue, 12 Dec 2017 09:37:12 GMT
Expect: 100-continue
Content-Type: application/octet-stream
x-amz-acl: private
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: os.unil.cloud.switch.ch
x-amz-date: 20171212T093712Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.3.1.27228 (Mac OS X/10.12.6) (x86_64)
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 12 Dec 2017 09:37:12 GMT
Content-Type: application/xml
Content-Length: 200
Connection: keep-alive
x-amz-request-id: tx000000000000000000026-005a2fa348-6645540-default
Accept-Ranges: bytes

2fcfe54 commented

I start to think this could be a nginx bug.

In nginx if I add the directive:

proxy_pass_header Expect;

the header is not forwarded, even if it is logged in the Nginx log file.

If I add the directive

 proxy_set_header Expect 100-continue;

then the header is added and the signature verifies correctly.

Note that all the others SignedHeaders are forwarded without a special config, is just this Expect header that has problems.

Nginx version 1.12.1-0+xenial0

2fcfe54 commented

I found a workaround in my Nginx config
In my location config section I added the following:

        if ( $http_expect ) {
          set $expect $http_expect;
        }
        proxy_set_header Expect $expect;

@dkocher commented

Added test in e451ce0. Thanks for the background infromation about nginx configuration issues.

791684b commented

Unfortunately the workaround in the Nginx configuration doesn't work as expected. We use Nginx as a pure proxy, and because Nginx try to minimize the communication with the backend, it will not forward the "Expect: 100-continue". It is the default behaviour of Nginx, and it is not possible to disable it.

We add a Expect: 100-continue to all PUT requests and include it in the AWS4-HMAC-SHA256 signature.

2fcfe54 commented

I would also strongly suggest not to include in the signature the Expect header.
To make S3-like storage solutions scale horizontally, there is often a reverse proxy in front of the storage backend, that might not forward the Expect header.
This header has always the same content string '100-continue', and this makes including in the signature this header nonsense.

Thank you

@dkocher commented

In b29f649. Upstream change in (iterate-ch/jets3t@bc17d73).

@dkocher commented

Milestone renamed