s3api: Fix signature v4 with reverse proxy at sub-path (#6092)

weed/s3api/auth_signature_v4.go

@@ -148,15 +148,38 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
 		}
 	}
 
+	if forwardedPrefix := r.Header.Get("X-Forwarded-Prefix"); forwardedPrefix != "" {
+		// Handling usage of reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
+		// Trying with prefix before main path.
+
+		// Get canonical request.
+		canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, forwardedPrefix + req.URL.Path, req.Method)
+
+		errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values)
+		if errCode == s3err.ErrNone {
+			return identity, errCode
+		}
+	}
+
 	// Get canonical request.
 	canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method)
 
+	errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values)
+
+	if errCode == s3err.ErrNone {
+		return identity, errCode
+	}
+	return nil, errCode
+}
+
+// Generate and compare signature for request.
+func (iam *IdentityAccessManagement) genAndCompareSignatureV4(canonicalRequest, secretKey string, t time.Time, signV4Values signValues) s3err.ErrorCode {
 	// Get string to sign from canonical request.
 	stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())
 
 	// Calculate signature.
 	newSignature := iam.getSignature(
-		cred.SecretKey,
+		secretKey,
 		signV4Values.Credential.scope.date,
 		signV4Values.Credential.scope.region,
 		signV4Values.Credential.scope.service,
@@ -165,11 +188,9 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r
 
 	// Verify if signature match.
 	if !compareSignatureV4(newSignature, signV4Values.Signature) {
-		return nil, s3err.ErrSignatureDoesNotMatch
+		return s3err.ErrSignatureDoesNotMatch
 	}
-
-	// Return error none.
-	return identity, s3err.ErrNone
+	return s3err.ErrNone
 }
 
 // credentialHeader data type represents structured form of Credential
@@ -664,7 +685,10 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header,
 			extractedSignedHeaders.Set(header, "100-continue")
 		case "host":
 			// Go http server removes "host" from Request.Header
-			if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
+			if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" {
+				// Trying to use reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
+				extractedSignedHeaders.Set(header, forwardedHost)
+			} else if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
 				extractedSignedHeaders.Set(header, forwardedFor)
 			} else {
 				extractedSignedHeaders.Set(header, r.Host)