From 5644bc8f012d3df08bc12f6ddb364b7a4d76193e Mon Sep 17 00:00:00 2001 From: Er2 Date: Thu, 3 Oct 2024 18:08:19 +0300 Subject: [PATCH] s3api: Fix signature v4 with reverse proxy at sub-path (#6092) --- weed/s3api/auth_signature_v4.go | 36 +++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go index 71ef6cd6e..c8135ef10 100644 --- a/weed/s3api/auth_signature_v4.go +++ b/weed/s3api/auth_signature_v4.go @@ -148,15 +148,38 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r } } + if forwardedPrefix := r.Header.Get("X-Forwarded-Prefix"); forwardedPrefix != "" { + // Handling usage of reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO. + // Trying with prefix before main path. + + // Get canonical request. + canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, forwardedPrefix + req.URL.Path, req.Method) + + errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values) + if errCode == s3err.ErrNone { + return identity, errCode + } + } + // Get canonical request. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method) + errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values) + + if errCode == s3err.ErrNone { + return identity, errCode + } + return nil, errCode +} + +// Generate and compare signature for request. +func (iam *IdentityAccessManagement) genAndCompareSignatureV4(canonicalRequest, secretKey string, t time.Time, signV4Values signValues) s3err.ErrorCode { // Get string to sign from canonical request. stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope()) // Calculate signature. newSignature := iam.getSignature( - cred.SecretKey, + secretKey, signV4Values.Credential.scope.date, signV4Values.Credential.scope.region, signV4Values.Credential.scope.service, @@ -165,11 +188,9 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r // Verify if signature match. if !compareSignatureV4(newSignature, signV4Values.Signature) { - return nil, s3err.ErrSignatureDoesNotMatch + return s3err.ErrSignatureDoesNotMatch } - - // Return error none. - return identity, s3err.ErrNone + return s3err.ErrNone } // credentialHeader data type represents structured form of Credential @@ -664,7 +685,10 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header, extractedSignedHeaders.Set(header, "100-continue") case "host": // Go http server removes "host" from Request.Header - if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" { + if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" { + // Trying to use reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO. + extractedSignedHeaders.Set(header, forwardedHost) + } else if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" { extractedSignedHeaders.Set(header, forwardedFor) } else { extractedSignedHeaders.Set(header, r.Host)