mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-11-27 12:49:41 +08:00
s3api: Fix signature v4 with reverse proxy at sub-path (#6092)
This commit is contained in:
Er2
GitHub
parent
416cc58cce
commit
5644bc8f01
@ -148,15 +148,38 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
|
||||
}
|
||||
}
|
||||
|
||||
if forwardedPrefix := r.Header.Get("X-Forwarded-Prefix"); forwardedPrefix != "" {
|
||||
// Handling usage of reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
|
||||
// Trying with prefix before main path.
|
||||
|
||||
// Get canonical request.
|
||||
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, forwardedPrefix + req.URL.Path, req.Method)
|
||||
|
||||
errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values)
|
||||
if errCode == s3err.ErrNone {
|
||||
return identity, errCode
|
||||
}
|
||||
}
|
||||
|
||||
// Get canonical request.
|
||||
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method)
|
||||
|
||||
errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values)
|
||||
|
||||
if errCode == s3err.ErrNone {
|
||||
return identity, errCode
|
||||
}
|
||||
return nil, errCode
|
||||
}
|
||||
|
||||
// Generate and compare signature for request.
|
||||
func (iam *IdentityAccessManagement) genAndCompareSignatureV4(canonicalRequest, secretKey string, t time.Time, signV4Values signValues) s3err.ErrorCode {
|
||||
// Get string to sign from canonical request.
|
||||
stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())
|
||||
|
||||
// Calculate signature.
|
||||
newSignature := iam.getSignature(
|
||||
cred.SecretKey,
|
||||
secretKey,
|
||||
signV4Values.Credential.scope.date,
|
||||
signV4Values.Credential.scope.region,
|
||||
signV4Values.Credential.scope.service,
|
||||
@ -165,11 +188,9 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
|
||||
|
||||
// Verify if signature match.
|
||||
if !compareSignatureV4(newSignature, signV4Values.Signature) {
|
||||
return nil, s3err.ErrSignatureDoesNotMatch
|
||||
return s3err.ErrSignatureDoesNotMatch
|
||||
}
|
||||
|
||||
// Return error none.
|
||||
return identity, s3err.ErrNone
|
||||
return s3err.ErrNone
|
||||
}
|
||||
|
||||
// credentialHeader data type represents structured form of Credential
|
||||
@ -664,7 +685,10 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header,
|
||||
extractedSignedHeaders.Set(header, "100-continue")
|
||||
case "host":
|
||||
// Go http server removes "host" from Request.Header
|
||||
if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
|
||||
if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {
|
||||
// Trying to use reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
|
||||
extractedSignedHeaders.Set(header, forwardedHost)
|
||||
} else if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
|
||||
extractedSignedHeaders.Set(header, forwardedFor)
|
||||
} else {
|
||||
extractedSignedHeaders.Set(header, r.Host)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user