Private S3 File Storage for File Pushes

[erikspigle-payroc]

We run private S3 behind our firewall that isn't publicly available. I was able to test out using this as the backend storage for a pwpush instance that we stood up with success. Where all of the success ends is when doing file shares to the public given there is no line of sight to the S3 bucket as it is private and behind the firewall.

Is there not some way to have only the pwpush instance access and share out the file shares form an S3 bucket? Or will we have to be relegated to doing a local file share? Reading the following makes me feel this is by design but isn't helpful for any of us who may run private S3 buckets. Having a way to have pwpush solely access and present would be helpful.

---

https://docs.pwpush.com/docs/file-pushes/#cors-configuration

The application performs direct uploads from the browser to your Amazon S3 bucket. This provides better performance and reduces load on the application itself.

For this to work, you have to add a CORS configuration to your bucket.

This direct upload functionality is done using a library called ActiveStorage. For the full documentation on configuring CORS for ActiveStorage, see here.

[pglombardo]

Hi @erikspigle-payroc,

That CORS documentation applies to uploads only so that probably doesn't apply.

As for Downloads, the base library in use supports a proxy mode where the application downloads the files from S3 behind the scenes and serves the files directly to public users.

I may be able to make this configurable...

A couple questions:

1. Are you using the pwpush-public-gateway image to make your pushes publicly accessible? Or some other method?
2. Push creation with file attachments are done only internally on a private intranet then. Correct?

[erikspigle-payroc]

Right now, we're strictly in a proof-of-concept phase with this. To answer your questions:

1. We plan to use that image for public access, yes.
2. Correct, we'll have the full pwpush image for internal and allow access to upload only to employees.

[pglombardo]

This is untested but if you want to try. Create a file s3_proxy.rb with the following contents:

Rails.application.config.active_storage.resolve_model_to_route = :rails_storage_proxy

Then mount that into the pwpush container into /opt/PasswordPusher/config/initializers/s3_proxy.rb.

That may likely automatically enable proxying...

Bind mount cheat sheet if you need it.

[erikspigle-payroc]

Thanks, we may circle back and give it a look. We moved on for now to using NFS and will consider this depending on how the POC shakes out.