Why limit_except does not include a deny all directive? #496
Description
Bug Overview
Current implementation of limit_except (with or without CORS support) is like the following:
As the directive is not including a deny all, there's a weird behavior:
- accessing a resource using HTTP POST will make nginx to open that file under `/etc/nginx/html´
- if the file is not there, user GET a 404
- if the file is there, he get a 405
But is any case, nginx is still trying to access that file, even is resource will be denied later (I don't get why the http method check inside redirectToS3 njs is not capturing the POST)
Including the deny all fix this behavior, while the HTTP code returned is a 403 (and not a 405 anymore)
Expected Behavior
An HTTP POST to /foo/bar should not try to access /etc/nginx/html/foo/bar, nor I should get a 404.
I should get immediately an http error (405 would be probably optimal)
Steps to Reproduce the Bug
Perform a `curl -X POST´ to http://proxydomain/foo/bar and inspect the access log
Environment Details
- Version of the S3 container used: [DockerHub/GCR]
- Commit/Tag (if building the NGINX S3 gateway from source):
- Version of NGINX Open Source or NGINX Plus: [OSS/Plus]
- Version of NGINX JavaScript: [0.8.8/0.8.7/etc...]
- Target deployment platforms [e.g. AWS/GCP/local cluster/etc...]:
- S3 backend implementation: [e.g. AWS, Ceph, NetApp StorageGrid, etc...]
- Authentication method: [e.g. IAM, IAM with Fargate, IAM with K8S, AWS Credentials, etc...]
Additional Context
No response