lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2025-09-24 02:03:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

s3api: Fix signature v4 with reverse proxy at sub-path (#6092)

Browse Source
This commit is contained in:
Er2
2024-10-03 18:08:19 +03:00
committed by GitHub
parent 416cc58cce
commit 5644bc8f01
1 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
weed/s3api/auth_signature_v4.go
View File

@@ -148,15 +148,38 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
} }
} }
if forwardedPrefix := r.Header.Get("X-Forwarded-Prefix"); forwardedPrefix != "" {
// Handling usage of reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
// Trying with prefix before main path.
// Get canonical request.
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, forwardedPrefix + req.URL.Path, req.Method)
errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values)
if errCode == s3err.ErrNone {
return identity, errCode
}
}
// Get canonical request. // Get canonical request.
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method) canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method)
errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values)
if errCode == s3err.ErrNone {
return identity, errCode
}
return nil, errCode
}
// Generate and compare signature for request.
func (iam *IdentityAccessManagement) genAndCompareSignatureV4(canonicalRequest, secretKey string, t time.Time, signV4Values signValues) s3err.ErrorCode {
// Get string to sign from canonical request. // Get string to sign from canonical request.
stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope()) stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())
// Calculate signature. // Calculate signature.
newSignature := iam.getSignature( newSignature := iam.getSignature(
cred.SecretKey, secretKey,
signV4Values.Credential.scope.date, signV4Values.Credential.scope.date,
signV4Values.Credential.scope.region, signV4Values.Credential.scope.region,
signV4Values.Credential.scope.service, signV4Values.Credential.scope.service,
@@ -165,11 +188,9 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
// Verify if signature match. // Verify if signature match.
if !compareSignatureV4(newSignature, signV4Values.Signature) { if !compareSignatureV4(newSignature, signV4Values.Signature) {
return nil, s3err.ErrSignatureDoesNotMatch return s3err.ErrSignatureDoesNotMatch
} }
return s3err.ErrNone
// Return error none.
return identity, s3err.ErrNone
} }
// credentialHeader data type represents structured form of Credential // credentialHeader data type represents structured form of Credential
@@ -664,7 +685,10 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header,
extractedSignedHeaders.Set(header, "100-continue") extractedSignedHeaders.Set(header, "100-continue")
case "host": case "host":
// Go http server removes "host" from Request.Header // Go http server removes "host" from Request.Header
if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" { if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {
// Trying to use reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
extractedSignedHeaders.Set(header, forwardedHost)
} else if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
extractedSignedHeaders.Set(header, forwardedFor) extractedSignedHeaders.Set(header, forwardedFor)
} else { } else {
extractedSignedHeaders.Set(header, r.Host) extractedSignedHeaders.Set(header, r.Host)