mc mirror fails with AccessDenied (unsigned headers) when trying to mirror from minio proxied by nginx to minio proxied by traefik #2193

Closed
thomasf opened this issue Jun 23, 2017 · 1 comment


thomasf commented Jun 23, 2017

The problem seems to happen when both traefik and nginx are used for TLS termination and when mirroring from a minio instance running behind nginx to one running behind traefik.

I have created a repository with a docker compose setup and a test.sh script which I think replicates the problem locally.

https://github.com/thomasf/issue-mc-mirror-traefik-nginx-tls

mc: <DEBUG> GET /testbucket/some/dir HTTP/1.1
Host: test.localhost.23c.se:8000
User-Agent: Minio (linux; amd64) minio-go/2.0.4 mc/2017-06-21T15:26:12Z
Authorization: AWS4-HMAC-SHA256 Credential=testTESTtest/20170623/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20170623T075444Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 2056
Accept-Ranges: bytes
Connection: keep-alive
Content-Type: application/octet-stream
Date: Fri, 23 Jun 2017 07:54:44 GMT
Etag: "335a52281a38ccaca17114cc107400e2"
Last-Modified: Fri, 23 Jun 2017 07:54:44 GMT
Server: nginx/1.10.3
Vary: Origin
X-Amz-Bucket-Region: 
X-Amz-Request-Id: 14CAB10A766FD001

mc: <DEBUG> Response Time:  1.00556ms

mc: <DEBUG> PUT /testbucket/some/dir HTTP/1.1
Host: test2.localhost.23c.se
User-Agent: Minio (linux; amd64) minio-go/2.0.4 mc/2017-06-21T15:26:12Z
Content-Length: 2056
Authorization: AWS4-HMAC-SHA256 Credential=testTESTtest/20170623/us-east-1/s3/aws4_request, SignedHeaders=connection;content-md5;host;x-amz-bucket-region;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
Connection: keep-alive
Content-Md5: M1pSKBo4zKyhcRTMEHQA4g==
Content-Type: application/octet-stream
X-Amz-Bucket-Region: 
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20170623T075444Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 400 Bad Request
Content-Length: 288
Accept-Ranges: bytes
Content-Type: application/xml
Date: Fri, 23 Jun 2017 07:54:44 GMT
Server: Minio/RELEASE.2017-06-13T19-01-01Z (linux; amd64)
Vary: Origin
X-Amz-Bucket-Region: 
X-Amz-Request-Id: 14CAB10A76827DB7

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>There were headers present in the request which were not signed</Message><Key></Key><BucketName></BucketName><Resource>/testbucket/some/dir</Resource><RequestId>3L137</RequestId><HostId>3L137</HostId></Error>mc: <DEBUG> Response Time:  1.03023ms

mc: <ERROR> Failed to copy `https://test.localhost.23c.se:8000/testbucket/some/dir`. Insufficient permissions to access this file `https://test2.localhost.23c.se/testbucket/some/dir`
 (3) mirror-main.go:241 cmd.(*mirrorJob).startStatus.func1(..) Tags: [https://test.localhost.23c.se:8000/testbucket/some/dir]
 (2) common-methods.go:154 cmd.uploadSourceToTargetURL(..) Tags: [https://test2.localhost.23c.se/testbucket/some/dir]
 (1) common-methods.go:98 cmd.putTargetStreamFromAlias(..) Tags: [test2t, https://test2.localhost.23c.se/testbucket/some/dir]
 (0) client-s3.go:595 cmd.(*s3Client).Put(..)
 Release-Tag:DEVELOPMENT.2017-06-21T15-26-12Z | Commit:631f7fc194fe | Host:transwhale | OS:linux | Arch:amd64 | Lang:go1.8.3 | Mem:3.0MB/9.5MB | Heap:3.0MB/5.7MB
mc: <DEBUG> HEAD /testbucket/some/dir2 HTTP/1.1
Host: test.localhost.23c.se:8000
User-Agent: Minio (linux; amd64) minio-go/2.0.4 mc/2017-06-21T15:26:12Z
Authorization: AWS4-HMAC-SHA256 Credential=testTESTtest/20170623/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20170623T075444Z
thomasf changed the title from "mc mirror fails with AccessDenied (unsigned headers) when trying to mirror from minio proxied by nginx to minio proxied by traefik if nginx" to "mc mirror fails with AccessDenied (unsigned headers) when trying to mirror from minio proxied by nginx to minio proxied by traefik" Jun 23, 2017
harshavardhana added a commit to harshavardhana/minio-go that referenced this issue Jun 23, 2017
@deekoder deekoder added this to the Current milestone Jun 23, 2017
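
The PUT in the trace above lists `connection` in SignedHeaders, while the GET and HEAD do not. As an added example (not code from mc, minio-go or the reporter), this Go check reads a request dump and lists the signed headers that are hop-by-hop, which an intermediary such as a TLS-terminating proxy may drop or rewrite before the server recomputes the SigV4 signature. `ProxyFragile`, `signedRe` and `connRe` are names chosen here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Connection-scoped (hop-by-hop) fields, RFC 2616 section 13.5.1: an
// intermediary may drop or rewrite these before forwarding the request.
var hopByHop = map[string]bool{"connection": true, "keep-alive": true,
	"proxy-authenticate": true, "proxy-authorization": true, "te": true,
	"trailers": true, "transfer-encoding": true, "upgrade": true}

var signedRe = regexp.MustCompile(`(?im)^authorization:.*SignedHeaders=([^,\s]+)`)
var connRe = regexp.MustCompile(`(?im)^connection:[ \t]*(.*)$`)

// Subset of the PUT and GET request headers from the trace above.
const putReq = "PUT /testbucket/some/dir HTTP/1.1\nHost: test2.localhost.23c.se\n" +
	"Authorization: AWS4-HMAC-SHA256 Credential=testTESTtest/20170623/us-east-1/s3/aws4_request, " +
	"SignedHeaders=connection;content-md5;host;x-amz-bucket-region;x-amz-content-sha256;x-amz-date, " +
	"Signature=**REDACTED**\nConnection: keep-alive\nX-Amz-Date: 20170623T075444Z\n"
const getReq = "GET /testbucket/some/dir HTTP/1.1\nHost: test.localhost.23c.se:8000\n" +
	"Authorization: AWS4-HMAC-SHA256 Credential=testTESTtest/20170623/us-east-1/s3/aws4_request, " +
	"SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**\n"

// ProxyFragile lists signed header names that are hop-by-hop, either by
// definition or because the request's own Connection header names them.
func ProxyFragile(dump string) []string {
	scoped := map[string]bool{}
	if c := connRe.FindStringSubmatch(dump); c != nil {
		for _, tok := range strings.Split(c[1], ",") {
			scoped[strings.ToLower(strings.TrimSpace(tok))] = true
		}
	}
	var out []string
	if m := signedRe.FindStringSubmatch(dump); m != nil {
		for _, name := range strings.Split(strings.ToLower(m[1]), ";") {
			if name != "" && (hopByHop[name] || scoped[name]) {
				out = append(out, name)
			}
		}
	}
	return out
}

func main() {
	fmt.Println("PUT:", ProxyFragile(putReq), "GET:", ProxyFragile(getReq))
}
```

A non-empty result means the signature depends on a header that is only guaranteed to survive a single connection, so the request should be compared as sent by the client and as received behind the proxy.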

lock bot commented Apr 25, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Apr 25, 2020