MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/cmd/generic-handlers.go

613 lines
20 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Add license and fix development scripts
2015-02-15 03:48:15 -05:00
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
2016-08-18 19:23:42 -04:00
package cmd
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase
2015-02-11 06:23:15 -05:00
import (
fix: reject invalid r.Host headers (#14846) r.Host headers can come in unparsed that may contain invalid hostnames, reject such requests as invalid. This is a continuation fix from #14844
2022-05-02 07:42:41 -04:00
"fmt"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
"net"
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase
2015-02-11 06:23:15 -05:00
"net/http"
fix: handle redirects for specific resources (#12629)
2021-07-07 15:04:16 -04:00
"path"
fix: convert '\' to '/' on windows (#16852)
2023-03-20 03:35:25 -04:00
"path/filepath"
fix: make sure to log panic in handlers (#13611)
2021-11-08 12:28:13 -05:00
"runtime/debug"
Add proper router for handling putBucketACLHandler
2015-10-07 23:36:36 -04:00
"strings"
fix: handle unsupported APIs more granularly (#11674)
2021-03-31 02:19:36 -04:00
"sync/atomic"
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented
2015-04-27 06:54:49 -04:00
"time"
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase
2015-02-11 06:23:15 -05:00
allow non-standards fallback for all http.TimeFormats (#15662) fixes #15645
2022-09-07 10:24:54 -04:00
"github.com/dustin/go-humanize"
s3: Return invalid bucket name the first thing in all S3 calls (#17742)
2023-07-28 13:49:20 -04:00
"github.com/minio/minio-go/v7/pkg/s3utils"
Move dependency from minio-go v6 to v7 (#10042)
2020-07-14 12:38:05 -04:00
"github.com/minio/minio-go/v7/pkg/set"
perf: websocket grid connectivity for all internode communication (#18461) This PR adds a WebSocket grid feature that allows servers to communicate via a single two-way connection. There are two request types: * Single requests, which are `[]byte => ([]byte, error)`. This is for efficient small roundtrips with small payloads. * Streaming requests which are `[]byte, chan []byte => chan []byte (and error)`, which allows for different combinations of full two-way streams with an initial payload. Only a single stream is created between two machines - and there is, as such, no server/client relation since both sides can initiate and handle requests. Which server initiates the request is decided deterministically on the server names. Requests are made through a mux client and server, which handles message passing, congestion, cancelation, timeouts, etc. If a connection is lost, all requests are canceled, and the calling server will try to reconnect. Registered handlers can operate directly on byte slices or use a higher-level generics abstraction. There is no versioning of handlers/clients, and incompatible changes should be handled by adding new handlers. The request path can be changed to a new one for any protocol changes. First, all servers create a "Manager." The manager must know its address as well as all remote addresses. This will manage all connections. To get a connection to any remote, ask the manager to provide it given the remote address using. ``` func (m *Manager) Connection(host string) *Connection ``` All serverside handlers must also be registered on the manager. This will make sure that all incoming requests are served. The number of in-flight requests and responses must also be given for streaming requests. The "Connection" returned manages the mux-clients. Requests issued to the connection will be sent to the remote. * `func (c *Connection) Request(ctx context.Context, h HandlerID, req []byte) ([]byte, error)` performs a single request and returns the result. Any deadline provided on the request is forwarded to the server, and canceling the context will make the function return at once. * `func (c *Connection) NewStream(ctx context.Context, h HandlerID, payload []byte) (st *Stream, err error)` will initiate a remote call and send the initial payload. ```Go // A Stream is a two-way stream. // All responses *must* be read by the caller. // If the call is canceled through the context, //The appropriate error will be returned. type Stream struct { // Responses from the remote server. // Channel will be closed after an error or when the remote closes. // All responses *must* be read by the caller until either an error is returned or the channel is closed. // Canceling the context will cause the context cancellation error to be returned. Responses <-chan Response // Requests sent to the server. // If the handler is defined with 0 incoming capacity this will be nil. // Channel *must* be closed to signal the end of the stream. // If the request context is canceled, the stream will no longer process requests. Requests chan<- []byte } type Response struct { Msg []byte Err error } ``` There are generic versions of the server/client handlers that allow the use of type safe implementations for data types that support msgpack marshal/unmarshal.
2023-11-20 20:09:35 -05:00
"github.com/minio/minio/internal/grid"
Update to minio/pkg/v2 (#17967)
2023-09-04 15:57:37 -04:00
xnet "github.com/minio/pkg/v2/net"
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 15:02:30 -04:00
allow non-standards fallback for all http.TimeFormats (#15662) fixes #15645
2022-09-07 10:24:54 -04:00
"github.com/minio/minio/internal/amztime"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/config/dns"
"github.com/minio/minio/internal/crypto"
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
"github.com/minio/minio/internal/mcontext"
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase
2015-02-11 06:23:15 -05:00
)
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
const (
// Maximum allowed form data field values. 64MiB is a guessed practical value
// which is more than enough to accommodate any form data fields and headers.
requestFormDataSize = 64 * humanize.MiByte
Limit POST form fields and file size + Generic Request Size limiter (#2317) * Use less memory when receiving a file via multipart * Add generic http request maximum size limiter to secure against malicious clients
2016-07-28 15:02:22 -04:00
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// For any HTTP request, request body should be not more than 16GiB + requestFormDataSize
// where, 16GiB is the maximum allowed object size for object upload.
requestMaxBodySize = globalMaxObjectSize + requestFormDataSize
Limit POST form fields and file size + Generic Request Size limiter (#2317) * Use less memory when receiving a file via multipart * Add generic http request maximum size limiter to secure against malicious clients
2016-07-28 15:02:22 -04:00
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-22 19:53:35 -04:00
// Maximum size for http headers - See: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
maxHeaderSize = 8 * 1024
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-22 19:53:35 -04:00
// Maximum size for user-defined metadata - See: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
maxUserDataSize = 2 * 1024
limit number of buckets to 500k (#15668) 500k is a reasonable limit for any single MinIO cluster deployment, in future we may increase this value. However for now we are going to keep this limit.
2022-09-09 06:06:34 -04:00
// maxBuckets upto 500000 for any MinIO deployment.
maxBuckets = 500 * 1000
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-22 19:53:35 -04:00
)
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// ReservedMetadataPrefix is the prefix of a metadata key which
// is reserved and for internal use only.
const (
ReservedMetadataPrefix = "X-Minio-Internal-"
ReservedMetadataPrefixLower = "x-minio-internal-"
)
// containsReservedMetadata returns true if the http.Header contains
// keys which are treated as metadata but are reserved for internal use
// and must not set by clients
func containsReservedMetadata(header http.Header) bool {
for key := range header {
Reduce allocations (#17584) * Reduce allocations * Add stringsHasPrefixFold which can compare string prefixes, while ignoring case and not allocating. * Reuse all msgp.Readers * Reuse metadata buffers when not reading data. * Make type safe. Make buffer 4K instead of 8. * Unslice
2023-07-06 19:02:08 -04:00
if stringsHasPrefixFold(key, ReservedMetadataPrefix) {
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
return true
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
}
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
}
return false
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-22 19:53:35 -04:00
}
// isHTTPHeaderSizeTooLarge returns true if the provided
// header is larger than 8 KB or the user-defined metadata
// is larger than 2 KB.
func isHTTPHeaderSizeTooLarge(header http.Header) bool {
var size, usersize int
for key := range header {
length := len(key) + len(header.Get(key))
size += length
for _, prefix := range userMetadataKeyPrefixes {
Reduce allocations (#17584) * Reduce allocations * Add stringsHasPrefixFold which can compare string prefixes, while ignoring case and not allocating. * Reuse all msgp.Readers * Reuse metadata buffers when not reading data. * Make type safe. Make buffer 4K instead of 8. * Unslice
2023-07-06 19:02:08 -04:00
if stringsHasPrefixFold(key, prefix) {
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-22 19:53:35 -04:00
usersize += length
break
}
}
if usersize > maxUserDataSize || size > maxHeaderSize {
return true
}
}
return false
}
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// Limits body and header to specific allowed maximum limits as per S3/MinIO API requirements.
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
func setRequestLimitMiddleware(h http.Handler) http.Handler {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc, ok := r.Context().Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt)
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// Reject unsupported reserved metadata first before validation.
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
if containsReservedMetadata(r.Header) {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return
}
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
if isHTTPHeaderSizeTooLarge(r.Header) {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL)
atomic.AddUint64(&globalHTTPStats.rejectedRequestsHeader, 1)
return
}
// Restricting read data to a given maximum length
r.Body = http.MaxBytesReader(w, r.Body, requestMaxBodySize)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
h.ServeHTTP(w, r)
})
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-07 18:18:59 -05:00
}
routers: Move API and Web routers into their own files. This is done to ensure we have a clean way to add new routers such as - diskRouter - configRouter - lockRouter
2016-03-27 15:37:21 -04:00
// Reserved bucket.
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-12 19:08:15 -05:00
const (
fix: regression in counting total requests (#17024)
2023-04-12 17:37:19 -04:00
minioReservedBucket = "minio"
minioReservedBucketPath = SlashSeparator + minioReservedBucket
prometheus: Add S3 4xx and 5xx S3 monitoring (#15052) Currently minio_s3_requests_errors_total covers 4xx and 5xx S3 responses which can be confusing when s3 applications sent a lot of HEAD requests with obvious 404 responses or when the replication is enabled. Add - minio_s3_requests_4xx_errors_total - minio_s3_requests_5xx_errors_total to help users monitor 4xx and 5xx HTTP status codes separately.
2022-06-08 14:22:34 -04:00
loginPathPrefix = SlashSeparator + "login"
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-12 19:08:15 -05:00
)
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
func guessIsBrowserReq(r *http.Request) bool {
aType := getRequestAuthType(r)
fix: only redirect for GET/HEAD requests (#12702) fixes #12701
2021-07-13 14:25:08 -04:00
return strings.Contains(r.Header.Get("User-Agent"), "Mozilla") &&
globalBrowserEnabled && aType == authTypeAnonymous
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
}
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
func setBrowserRedirectMiddleware(h http.Handler) http.Handler {
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fix: only redirect for GET/HEAD requests (#12702) fixes #12701
2021-07-13 14:25:08 -04:00
read := r.Method == http.MethodGet || r.Method == http.MethodHead
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
// Re-direction is handled specifically for browser requests.
healthcheck requests with user-agent mozilla do not need redirects (#18642) apparently, windows powershell curl has this abhorrent behavior
2023-12-12 19:16:26 -05:00
if !guessIsHealthCheckReq(r) && guessIsBrowserReq(r) && read && globalBrowserRedirect {
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
// Fetch the redirect location if any.
fix: handle redirects for specific resources (#12629)
2021-07-07 15:04:16 -04:00
if u := getRedirectLocation(r); u != nil {
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
// Employ a temporary re-direct.
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
return
}
}
h.ServeHTTP(w, r)
})
}
fix: panic in browser redirect handler for unexpected r.Host (#14844) ``` panic: "GET /": invalid hostname goroutine 148 [running]: runtime/debug.Stack() runtime/debug/stack.go:24 +0x65 github.com/minio/minio/cmd.setCriticalErrorHandler.func1.1() github.com/minio/minio/cmd/generic-handlers.go:469 +0x8e panic({0x2201f00, 0xc001f1ddd0}) runtime/panic.go:1038 +0x215 github.com/minio/pkg/net.URL.String({{0x25aa417, 0x5}, {0x0, 0x0}, 0x0, {0xc000174380, 0xd7}, {0x0, 0x0}, {0x0, ...}, ...}) github.com/minio/pkg@v1.1.23/net/url.go:97 +0xfe github.com/minio/minio/cmd.setBrowserRedirectHandler.func1({0x49af080, 0xc0003c20e0}, 0xc00002ea00) github.com/minio/minio/cmd/generic-handlers.go:136 +0x118 net/http.HandlerFunc.ServeHTTP(0xc00002ea00, {0x49af080, 0xc0003c20e0}, 0xa) net/http/server.go:2047 +0x2f github.com/minio/minio/cmd.setAuthHandler.func1({0x49af080, 0xc0003c20e0}, 0xc00002ea00) github.com/minio/minio/cmd/auth-handler.go:525 +0x3d8 net/http.HandlerFunc.ServeHTTP(0xc00002e900, {0x49af080, 0xc0003c20e0}, 0xc001f33701) net/http/server.go:2047 +0x2f github.com/gorilla/mux.(*Router).ServeHTTP(0xc0025d0780, {0x49af080, 0xc0003c20e0}, 0xc00002e800) github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1cf github.com/rs/cors.(*Cors).Handler.func1({0x49af080, 0xc0003c20e0}, 0xc00002e800) github.com/rs/cors@v1.7.0/cors.go:219 +0x1bd net/http.HandlerFunc.ServeHTTP(0x0, {0x49af080, 0xc0003c20e0}, 0xc00068d9f8) net/http/server.go:2047 +0x2f github.com/minio/minio/cmd.setCriticalErrorHandler.func1({0x49af080, 0xc0003c20e0}, 0x4a5cd3) github.com/minio/minio/cmd/generic-handlers.go:476 +0x83 net/http.HandlerFunc.ServeHTTP(0x72, {0x49af080, 0xc0003c20e0}, 0x0) net/http/server.go:2047 +0x2f github.com/minio/minio/internal/http.(*Server).Start.func1({0x49af080, 0xc0003c20e0}, 0x10000c001f1dda0) github.com/minio/minio/internal/http/server.go:105 +0x1b6 net/http.HandlerFunc.ServeHTTP(0x0, {0x49af080, 0xc0003c20e0}, 0x46982e) net/http/server.go:2047 +0x2f net/http.serverHandler.ServeHTTP({0xc003dc1950}, {0x49af080, 0xc0003c20e0}, 0xc00002e800) net/http/server.go:2879 +0x43b net/http.(*conn).serve(0xc000514d20, {0x49cfc38, 0xc0010c0e70}) net/http/server.go:1930 +0xb08 created by net/http.(*Server).Serve net/http/server.go:3034 +0x4e8 ```
2022-05-01 16:45:45 -04:00
var redirectPrefixes = map[string]struct{}{
"favicon-16x16.png": {},
"favicon-32x32.png": {},
"favicon-96x96.png": {},
"index.html": {},
minioReservedBucket: {},
}
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 03:42:22 -05:00
// Fetch redirect location if urlPath satisfies certain
// criteria. Some special names are considered to be
// redirectable, this is purely internal function and
// serves only limited purpose on redirect-handler for
// browser requests.
fix: allow customizing console redirection (#12665) MinIO might be running inside proxies, and console while being on another port might not be reachable on a specific port behind such proxies. For such scenarios customize the redirect URL such that console can be redirected to correct proxy endpoint instead. fixes #12661
2021-07-09 17:27:09 -04:00
func getRedirectLocation(r *http.Request) *xnet.URL {
fix: handle redirects for specific resources (#12629)
2021-07-07 15:04:16 -04:00
resource, err := getResource(r.URL.Path, r.Host, globalDomainNames)
if err != nil {
return nil
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
}
fix: panic in browser redirect handler for unexpected r.Host (#14844) ``` panic: "GET /": invalid hostname goroutine 148 [running]: runtime/debug.Stack() runtime/debug/stack.go:24 +0x65 github.com/minio/minio/cmd.setCriticalErrorHandler.func1.1() github.com/minio/minio/cmd/generic-handlers.go:469 +0x8e panic({0x2201f00, 0xc001f1ddd0}) runtime/panic.go:1038 +0x215 github.com/minio/pkg/net.URL.String({{0x25aa417, 0x5}, {0x0, 0x0}, 0x0, {0xc000174380, 0xd7}, {0x0, 0x0}, {0x0, ...}, ...}) github.com/minio/pkg@v1.1.23/net/url.go:97 +0xfe github.com/minio/minio/cmd.setBrowserRedirectHandler.func1({0x49af080, 0xc0003c20e0}, 0xc00002ea00) github.com/minio/minio/cmd/generic-handlers.go:136 +0x118 net/http.HandlerFunc.ServeHTTP(0xc00002ea00, {0x49af080, 0xc0003c20e0}, 0xa) net/http/server.go:2047 +0x2f github.com/minio/minio/cmd.setAuthHandler.func1({0x49af080, 0xc0003c20e0}, 0xc00002ea00) github.com/minio/minio/cmd/auth-handler.go:525 +0x3d8 net/http.HandlerFunc.ServeHTTP(0xc00002e900, {0x49af080, 0xc0003c20e0}, 0xc001f33701) net/http/server.go:2047 +0x2f github.com/gorilla/mux.(*Router).ServeHTTP(0xc0025d0780, {0x49af080, 0xc0003c20e0}, 0xc00002e800) github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1cf github.com/rs/cors.(*Cors).Handler.func1({0x49af080, 0xc0003c20e0}, 0xc00002e800) github.com/rs/cors@v1.7.0/cors.go:219 +0x1bd net/http.HandlerFunc.ServeHTTP(0x0, {0x49af080, 0xc0003c20e0}, 0xc00068d9f8) net/http/server.go:2047 +0x2f github.com/minio/minio/cmd.setCriticalErrorHandler.func1({0x49af080, 0xc0003c20e0}, 0x4a5cd3) github.com/minio/minio/cmd/generic-handlers.go:476 +0x83 net/http.HandlerFunc.ServeHTTP(0x72, {0x49af080, 0xc0003c20e0}, 0x0) net/http/server.go:2047 +0x2f github.com/minio/minio/internal/http.(*Server).Start.func1({0x49af080, 0xc0003c20e0}, 0x10000c001f1dda0) github.com/minio/minio/internal/http/server.go:105 +0x1b6 net/http.HandlerFunc.ServeHTTP(0x0, {0x49af080, 0xc0003c20e0}, 0x46982e) net/http/server.go:2047 +0x2f net/http.serverHandler.ServeHTTP({0xc003dc1950}, {0x49af080, 0xc0003c20e0}, 0xc00002e800) net/http/server.go:2879 +0x43b net/http.(*conn).serve(0xc000514d20, {0x49cfc38, 0xc0010c0e70}) net/http/server.go:1930 +0xb08 created by net/http.(*Server).Serve net/http/server.go:3034 +0x4e8 ```
2022-05-01 16:45:45 -04:00
bucket, _ := path2BucketObject(resource)
_, redirect := redirectPrefixes[path.Clean(bucket)]
if redirect || resource == slashSeparator {
if globalBrowserRedirectURL != nil {
return globalBrowserRedirectURL
}
xhost, err := xnet.ParseHost(r.Host)
if err != nil {
return nil
}
return &xnet.URL{
Host: net.JoinHostPort(xhost.Name, globalMinioConsolePort),
Scheme: func() string {
scheme := "http"
if r.TLS != nil {
scheme = "https"
}
return scheme
}(),
fix: handle redirects for specific resources (#12629)
2021-07-07 15:04:16 -04:00
}
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
}
fix: handle redirects for specific resources (#12629)
2021-07-07 15:04:16 -04:00
return nil
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
}
Add healthcheck endpoints (#5543) This PR adds readiness and liveness endpoints to probe Minio server instance health. Endpoints can only be accessed without authentication and the paths are /minio/health/live and /minio/health/ready for liveness and readiness respectively. The new healthcheck liveness endpoint is used for Docker healthcheck now. Fixes #5357 Fixes #5514
2018-03-12 02:16:53 -04:00
// guessIsHealthCheckReq - returns true if incoming request looks
fix: make sure to correctly initialize health checks (#17765) health checks were missing for drives replaced since - HealFormat() would replace the drives without a health check - disconnected drives when they reconnect via connectEndpoint() the loop also loses health checks for local disks and merges these into a single code. - other than this separate cleanUp, health check variables to avoid overloading them with similar requirements. - also ensure that we compete via context selector for disk monitoring such that the canceled disks don't linger around longer waiting for the ticker to trigger. - allow disabling active monitoring.
2023-08-01 13:54:26 -04:00
// like healthCheck request
Add healthcheck endpoints (#5543) This PR adds readiness and liveness endpoints to probe Minio server instance health. Endpoints can only be accessed without authentication and the paths are /minio/health/live and /minio/health/ready for liveness and readiness respectively. The new healthcheck liveness endpoint is used for Docker healthcheck now. Fixes #5357 Fixes #5514
2018-03-12 02:16:53 -04:00
func guessIsHealthCheckReq(req *http.Request) bool {
if req == nil {
return false
}
aType := getRequestAuthType(req)
Update healthcheck related examples and add head support (#5650) - Add head method for healthcheck endpoint. Some platforms/users may use the HTTP Head method to check for health status. - Add liveness and readiness probe examples in Kubernetes yaml example docs. Note that readiness probe not added to StatefulSet example due to https://github.com/kubernetes/kubernetes/issues/27114
2018-03-15 00:25:02 -04:00
return aType == authTypeAnonymous && (req.Method == http.MethodGet || req.Method == http.MethodHead) &&
Add healthcheck endpoints (#5543) This PR adds readiness and liveness endpoints to probe Minio server instance health. Endpoints can only be accessed without authentication and the paths are /minio/health/live and /minio/health/ready for liveness and readiness respectively. The new healthcheck liveness endpoint is used for Docker healthcheck now. Fixes #5357 Fixes #5514
2018-03-12 02:16:53 -04:00
(req.URL.Path == healthCheckPathPrefix+healthCheckLivenessPath ||
fix: return proper errors Get/HeadObject for deleteMarkers (#9957)
2020-07-02 19:17:27 -04:00
req.URL.Path == healthCheckPathPrefix+healthCheckReadinessPath ||
read-health check endpoint returns success if cluster can serve read requests (#11310)
2021-02-09 04:00:44 -05:00
req.URL.Path == healthCheckPathPrefix+healthCheckClusterPath ||
req.URL.Path == healthCheckPathPrefix+healthCheckClusterReadPath)
Add healthcheck endpoints (#5543) This PR adds readiness and liveness endpoints to probe Minio server instance health. Endpoints can only be accessed without authentication and the paths are /minio/health/live and /minio/health/ready for liveness and readiness respectively. The new healthcheck liveness endpoint is used for Docker healthcheck now. Fixes #5357 Fixes #5514
2018-03-12 02:16:53 -04:00
}
Introduce new unauthenticated endpoint /metric (#5723) (#5829) /metric exposes Promethus compatible data for scraping metrics Fixes: #5723
2018-04-18 19:01:42 -04:00
// guessIsMetricsReq - returns true if incoming request looks
// like metrics request
func guessIsMetricsReq(req *http.Request) bool {
if req == nil {
return false
}
aType := getRequestAuthType(req)
Authorize prometheus endpoint with bearer token (#7640)
2019-09-22 10:57:12 -04:00
return (aType == authTypeAnonymous || aType == authTypeJWT) &&
Updated Prometheus metrics (#11141) * Add metrics for nodes online and offline * Add cluster capacity metrics * Introduce v2 metrics
2021-01-18 23:35:38 -05:00
req.URL.Path == minioReservedBucketPath+prometheusMetricsPathLegacy ||
req.URL.Path == minioReservedBucketPath+prometheusMetricsV2ClusterPath ||
move bucket centric metrics to /minio/v2/metrics/bucket handlers (#17663) users/customers do not have a reasonable number of buckets anymore, this is why we must avoid overpopulating cluster endpoints, instead move the bucket monitoring to a separate endpoint. some of it's a breaking change here for a couple of metrics, but it is imperative that we do it to improve the responsiveness of our Prometheus cluster endpoint. Bonus: Added new cluster metrics for usage, objects and histograms
2023-07-19 01:25:12 -04:00
req.URL.Path == minioReservedBucketPath+prometheusMetricsV2NodePath ||
Add support for resource metrics (#18057) Add a new endpoint for "resource" metrics `/v2/metrics/resource` This should return system metrics related to drives, network, CPU and memory. Except for drives, other metrics should have corresponding "avg" and "max" values also. Reuse the real-time feature to capture the required data, introducing CPU and memory metrics in it. Collect the data every minute and keep updating the average and max values accordingly, returning the latest values when the API is called.
2023-09-30 16:40:20 -04:00
req.URL.Path == minioReservedBucketPath+prometheusMetricsV2BucketPath ||
req.URL.Path == minioReservedBucketPath+prometheusMetricsV2ResourcePath
Introduce new unauthenticated endpoint /metric (#5723) (#5829) /metric exposes Promethus compatible data for scraping metrics Fixes: #5723
2018-04-18 19:01:42 -04:00
}
Ignore reservedBucket checks for net/rpc requests (#4884) All `net/rpc` requests go to `/minio`, so the existing generic handler for reserved bucket check would essentially erroneously send errors leading to distributed setups to wait infinitely. For `net/rpc` requests alone we should skip this check and allow resource bucket names to be from `/minio` .
2017-09-01 15:16:54 -04:00
// guessIsRPCReq - returns true if the request is for an RPC endpoint.
func guessIsRPCReq(req *http.Request) bool {
if req == nil {
return false
}
perf: websocket grid connectivity for all internode communication (#18461) This PR adds a WebSocket grid feature that allows servers to communicate via a single two-way connection. There are two request types: * Single requests, which are `[]byte => ([]byte, error)`. This is for efficient small roundtrips with small payloads. * Streaming requests which are `[]byte, chan []byte => chan []byte (and error)`, which allows for different combinations of full two-way streams with an initial payload. Only a single stream is created between two machines - and there is, as such, no server/client relation since both sides can initiate and handle requests. Which server initiates the request is decided deterministically on the server names. Requests are made through a mux client and server, which handles message passing, congestion, cancelation, timeouts, etc. If a connection is lost, all requests are canceled, and the calling server will try to reconnect. Registered handlers can operate directly on byte slices or use a higher-level generics abstraction. There is no versioning of handlers/clients, and incompatible changes should be handled by adding new handlers. The request path can be changed to a new one for any protocol changes. First, all servers create a "Manager." The manager must know its address as well as all remote addresses. This will manage all connections. To get a connection to any remote, ask the manager to provide it given the remote address using. ``` func (m *Manager) Connection(host string) *Connection ``` All serverside handlers must also be registered on the manager. This will make sure that all incoming requests are served. The number of in-flight requests and responses must also be given for streaming requests. The "Connection" returned manages the mux-clients. Requests issued to the connection will be sent to the remote. * `func (c *Connection) Request(ctx context.Context, h HandlerID, req []byte) ([]byte, error)` performs a single request and returns the result. Any deadline provided on the request is forwarded to the server, and canceling the context will make the function return at once. * `func (c *Connection) NewStream(ctx context.Context, h HandlerID, payload []byte) (st *Stream, err error)` will initiate a remote call and send the initial payload. ```Go // A Stream is a two-way stream. // All responses *must* be read by the caller. // If the call is canceled through the context, //The appropriate error will be returned. type Stream struct { // Responses from the remote server. // Channel will be closed after an error or when the remote closes. // All responses *must* be read by the caller until either an error is returned or the channel is closed. // Canceling the context will cause the context cancellation error to be returned. Responses <-chan Response // Requests sent to the server. // If the handler is defined with 0 incoming capacity this will be nil. // Channel *must* be closed to signal the end of the stream. // If the request context is canceled, the stream will no longer process requests. Requests chan<- []byte } type Response struct { Msg []byte Err error } ``` There are generic versions of the server/client handlers that allow the use of type safe implementations for data types that support msgpack marshal/unmarshal.
2023-11-20 20:09:35 -05:00
if req.Method == http.MethodGet && req.URL != nil && req.URL.Path == grid.RoutePath {
return true
}
fix: Better check of RPC type requests (#6927) guessIsRPCReq() considers all POST requests as RPC but doesn't check if this is an object operation API or not, which is actually confusing bucket forwarder handler when it receives a new multipart upload API which is a POST http request. Due to this bug, users having a federated setup are not able to upload a multipart object using an endpoint which doesn't actually contain the specified bucket that will store the object. Hence this commit will fix the described issue.
2018-12-05 17:28:48 -05:00
return req.Method == http.MethodPost &&
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-06 15:08:58 -04:00
strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator)
Ignore reservedBucket checks for net/rpc requests (#4884) All `net/rpc` requests go to `/minio`, so the existing generic handler for reserved bucket check would essentially erroneously send errors leading to distributed setups to wait infinitely. For `net/rpc` requests alone we should skip this check and allow resource bucket names to be from `/minio` .
2017-09-01 15:16:54 -04:00
}
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-29 22:01:43 -04:00
// Check to allow access to the reserved "bucket" `/minio` for Admin
// API requests.
func isAdminReq(r *http.Request) bool {
return strings.HasPrefix(r.URL.Path, adminPathPrefix)
Log in with OIDC not work with MINIO_DOMAIN (#8558) (#8559)
2019-11-21 20:45:15 -05:00
}
Implement KMS handlers (#15737)
2022-10-04 13:05:09 -04:00
// Check to allow access to the reserved "bucket" `/minio` for KMS
// API requests.
func isKMSReq(r *http.Request) bool {
return strings.HasPrefix(r.URL.Path, kmsPathPrefix)
}
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 03:42:22 -05:00
// Supported Amz date headers.
var amzDateHeaders = []string{
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// Do not chane this order, x-amz-date value should be
// validated first.
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 03:42:22 -05:00
"x-amz-date",
"date",
}
error: Signature errors should be returned with APIErrorCode. The reasoning is that we can reply back with wide range of S3 error responses, which would provide more richer context to S3 client. Fixes #1267
2016-03-30 23:04:51 -04:00
// parseAmzDateHeader - parses supported amz date headers, in
// supported amz date formats.
func parseAmzDateHeader(req *http.Request) (time.Time, APIErrorCode) {
for _, amzDateHeader := range amzDateHeaders {
re-implement data usage crawler to be more efficient (#9075) Implementation overview: https://gist.github.com/klauspost/1801c858d5e0df391114436fdad6987b
2020-03-18 19:19:29 -04:00
amzDateStr := req.Header.Get(amzDateHeader)
error: Signature errors should be returned with APIErrorCode. The reasoning is that we can reply back with wide range of S3 error responses, which would provide more richer context to S3 client. Fixes #1267
2016-03-30 23:04:51 -04:00
if amzDateStr != "" {
allow non-standards fallback for all http.TimeFormats (#15662) fixes #15645
2022-09-07 10:24:54 -04:00
t, err := amztime.Parse(amzDateStr)
if err != nil {
return time.Time{}, ErrMalformedDate
}
return t, ErrNone
handlers: Cleanup time handlers helpers.
2016-03-07 12:52:20 -05:00
}
}
error: Signature errors should be returned with APIErrorCode. The reasoning is that we can reply back with wide range of S3 error responses, which would provide more richer context to S3 client. Fixes #1267
2016-03-30 23:04:51 -04:00
// Date header missing.
return time.Time{}, ErrMissingDateHeader
handlers: Cleanup time handlers helpers.
2016-03-07 12:52:20 -05:00
}
server: Validate path for bad components in a handler. (#4170)
2017-04-24 21:13:46 -04:00
// Bad path components to be rejected by the path validity handler.
const (
dotdotComponent = ".."
dotComponent = "."
)
fix: reject invalid r.Host headers (#14846) r.Host headers can come in unparsed that may contain invalid hostnames, reject such requests as invalid. This is a continuation fix from #14844
2022-05-02 07:42:41 -04:00
func hasBadHost(host string) error {
if globalIsCICD && strings.TrimSpace(host) == "" {
// under CI/CD test setups ignore empty hosts as invalid hosts
return nil
}
_, err := xnet.ParseHost(host)
return err
}
server: Validate path for bad components in a handler. (#4170)
2017-04-24 21:13:46 -04:00
// Check if the incoming path has bad path components,
// such as ".." and "."
func hasBadPathComponent(path string) bool {
fix: convert '\' to '/' on windows (#16852)
2023-03-20 03:35:25 -04:00
path = filepath.ToSlash(strings.TrimSpace(path)) // For windows '\' must be converted to '/'
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-06 15:08:58 -04:00
for _, p := range strings.Split(path, SlashSeparator) {
server: Validate path for bad components in a handler. (#4170)
2017-04-24 21:13:46 -04:00
switch strings.TrimSpace(p) {
case dotdotComponent:
return true
case dotComponent:
return true
}
}
return false
}
Validate and reject unusual requests (#7258)
2019-02-20 00:02:41 -05:00
// Check if client is sending a malicious request.
func hasMultipleAuth(r *http.Request) bool {
authTypeCount := 0
fix: reject invalid r.Host headers (#14846) r.Host headers can come in unparsed that may contain invalid hostnames, reject such requests as invalid. This is a continuation fix from #14844
2022-05-02 07:42:41 -04:00
for _, hasValidAuth := range []func(*http.Request) bool{
isRequestSignatureV2, isRequestPresignedSignatureV2,
isRequestSignatureV4, isRequestPresignedSignatureV4,
isRequestJWT, isRequestPostPolicySignatureV4,
} {
Validate and reject unusual requests (#7258)
2019-02-20 00:02:41 -05:00
if hasValidAuth(r) {
authTypeCount++
}
}
return authTypeCount > 1
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
// requestValidityHandler validates all the incoming paths for
// any malicious requests.
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
func setRequestValidityMiddleware(h http.Handler) http.Handler {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc, ok := r.Context().Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt)
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
fix: reject invalid r.Host headers (#14846) r.Host headers can come in unparsed that may contain invalid hostnames, reject such requests as invalid. This is a continuation fix from #14844
2022-05-02 07:42:41 -04:00
if err := hasBadHost(r.Host); err != nil {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
fix: reject invalid r.Host headers (#14846) r.Host headers can come in unparsed that may contain invalid hostnames, reject such requests as invalid. This is a continuation fix from #14844
2022-05-02 07:42:41 -04:00
invalidReq := errorCodes.ToAPIErr(ErrInvalidRequest)
invalidReq.Description = fmt.Sprintf("%s (%s)", invalidReq.Description, err)
writeErrorResponse(r.Context(), w, invalidReq, r.URL)
atomic.AddUint64(&globalHTTPStats.rejectedRequestsInvalid, 1)
return
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
// Check for bad components in URL path.
if hasBadPathComponent(r.URL.Path) {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL)
fix: handle unsupported APIs more granularly (#11674)
2021-03-31 02:19:36 -04:00
atomic.AddUint64(&globalHTTPStats.rejectedRequestsInvalid, 1)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return
}
// Check for bad components in URL query values.
remove delimiter if not set by client, also fetchOwner is optional (#17366)
2023-06-07 00:31:47 -04:00
for k, vv := range r.Form {
if k == "delimiter" { // delimiters are allowed to have `.` or `..`
continue
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
for _, v := range vv {
if hasBadPathComponent(v) {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL)
fix: handle unsupported APIs more granularly (#11674)
2021-03-31 02:19:36 -04:00
atomic.AddUint64(&globalHTTPStats.rejectedRequestsInvalid, 1)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return
}
server: Validate path for bad components in a handler. (#4170)
2017-04-24 21:13:46 -04:00
}
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
if hasMultipleAuth(r) {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.Auth"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
fix: reject invalid r.Host headers (#14846) r.Host headers can come in unparsed that may contain invalid hostnames, reject such requests as invalid. This is a continuation fix from #14844
2022-05-02 07:42:41 -04:00
invalidReq := errorCodes.ToAPIErr(ErrInvalidRequest)
invalidReq.Description = fmt.Sprintf("%s (request has multiple authentication types, please use one)", invalidReq.Description)
writeErrorResponse(r.Context(), w, invalidReq, r.URL)
fix: handle unsupported APIs more granularly (#11674)
2021-03-31 02:19:36 -04:00
atomic.AddUint64(&globalHTTPStats.rejectedRequestsInvalid, 1)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return
}
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// For all other requests reject access to reserved buckets
bucketName, _ := request2BucketObjectName(r)
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
Implement KMS handlers (#15737)
2022-10-04 13:05:09 -04:00
if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
return
}
s3: Return invalid bucket name the first thing in all S3 calls (#17742)
2023-07-28 13:49:20 -04:00
} else {
// Validate bucket names if it is not empty
if bucketName != "" && s3utils.CheckValidBucketNameStrict(bucketName) != nil {
if ok {
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
}
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidBucketName), r.URL)
return
}
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
}
// Deny SSE-C requests if not made over TLS
if !globalIsTLS && (crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header)) {
if r.Method == http.MethodHead {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = false
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest))
} else {
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
if ok {
Add X-Amz-Request-Id to internode calls (#16146)
2022-12-06 12:27:26 -05:00
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
handle missing funcNames for handlers (#15188) also use designated names for internal calls - storageREST calls are storageR - lockREST calls are lockR - peerREST calls are just peer Named in this fashion to facilitate wildcard matches by having prefixes of the same name. Additionally, also enable funcNames for generic handlers that return errors, currently we disable '<unknown>'
2022-06-28 08:04:10 -04:00
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest), r.URL)
}
return
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
h.ServeHTTP(w, r)
})
server: Validate path for bad components in a handler. (#4170)
2017-04-24 21:13:46 -04:00
}
Limit number of connections upto system maxlimit (#5109)
2017-12-20 03:00:14 -05:00
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
// setBucketForwardingMiddleware middleware forwards the path style requests
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
// on a bucket to the right bucket location, bucket to IP configuration
// is obtained from centralized etcd configuration service.
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
func setBucketForwardingMiddleware(h http.Handler) http.Handler {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fix: honor requested allow origin settings properly (#17789) fixes #17778
2023-08-02 23:41:21 -04:00
if origin := w.Header().Get("Access-Control-Allow-Origin"); origin == "null" {
// This is a workaround change to ensure that "Origin: null"
// incoming request to a response back as "*" instead of "null"
w.Header().Set("Access-Control-Allow-Origin", "*")
}
Fix adding bucket forwarder handler in server mode (#14288) MinIO configuration is loaded after the initialization of the server handlers, which will miss the initialization of the bucket forwarder handler. Though the federation is deprecated, let's fix this for the time being.
2022-02-10 11:49:36 -05:00
if globalDNSConfig == nil || !globalBucketFederation ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
h.ServeHTTP(w, r)
return
}
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
bucket, object := request2BucketObjectName(r)
// Requests in federated setups for STS type calls which are
// performed at '/' resource should be routed by the muxer,
// the assumption is simply such that requests without a bucket
// in a federated setup cannot be proxied, so serve them at
// current server.
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
if bucket == "" {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
h.ServeHTTP(w, r)
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
return
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
// MakeBucket requests should be handled at current endpoint
if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" {
h.ServeHTTP(w, r)
return
}
// CopyObject requests should be handled at current endpoint as path style
// requests have target bucket and object in URI and source details are in
// header fields
if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" {
bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource))
if bucket == "" || object == "" {
h.ServeHTTP(w, r)
return
}
}
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
sr, err := globalDNSConfig.Get(bucket)
if err != nil {
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
if err == dns.ErrNoEntriesFound {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket), r.URL)
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
} else {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), r.URL)
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
}
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
return
}
if globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(sr)...)).IsEmpty() {
r.URL.Scheme = "http"
update x/net/http2 to address few bugs (#11144) additionally also configure http2 healthcheck values to quickly detect unstable connections and let them timeout. also use single transport for proxying requests
2020-12-22 00:42:38 -05:00
if globalIsTLS {
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
r.URL.Scheme = "https"
Add support for federation on browser (#6891)
2018-12-19 08:13:47 -05:00
}
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
r.URL.Host = getHostFromSrv(sr)
avoid double CORS headers in federation (#11334) CORS proxying adds double headers one by the receiving server, one by proxied server. Remove them before proxying when 'Origin' header is found.
2021-01-23 21:27:23 -05:00
// Make sure we remove any existing headers before
// proxying the request to another node.
for k := range w.Header() {
w.Header().Del(k)
}
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-22 18:37:41 -05:00
globalForwarder.ServeHTTP(w, r)
Allow CopyObject in pathStyle across federated instances (#8064) Fixes #7976
2019-08-22 04:02:39 -04:00
return
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
h.ServeHTTP(w, r)
Bring etcd support for bucket DNS federation - Supports centralized `config.json` - Supports centralized `bucket` service records for client lookups - implement a new proxy forwarder
2018-02-02 21:18:52 -05:00
})
}
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
// addCustomHeadersMiddleware adds various HTTP(S) response headers.
add more XSS HTTP headers (#12256)
2021-07-19 19:05:02 -04:00
// Security Headers enable various security protections behaviors in the client's browser.
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
func addCustomHeadersMiddleware(h http.Handler) http.Handler {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
header := w.Header()
add more XSS HTTP headers (#12256)
2021-07-19 19:05:02 -04:00
header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks
header.Set("X-Content-Type-Options", "nosniff") // Prevent mime-sniff
header.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") // HSTS mitigates variants of MITM attacks
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
// Previously, this value was set right before a response was sent to
// the client. So, logger and Error response XML were not using this
// value. This is set here so that this header can be logged as
// part of the log entry, Error response XML and auditing.
// Set custom headers such as x-amz-request-id for each request.
w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow()))
add x-amz-id-2 to indicate the node that received the request (#16474)
2023-01-25 12:14:10 -05:00
if globalLocalNodeName != "" {
add correct HostId instead of deploymentId for error responses (#16686)
2023-02-22 05:11:09 -05:00
w.Header().Set(xhttp.AmzRequestHostID, globalLocalNodeNameHex)
add x-amz-id-2 to indicate the node that received the request (#16474)
2023-01-25 12:14:10 -05:00
}
Use one http response recorder per external http call (#16938)
2023-03-31 12:37:29 -04:00
h.ServeHTTP(w, r)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
})
add some security HTTP headers (#5814) This change adds some security headers like Content-Security-Policy. It does not set the HSTS header because Content-Security-Policy prevents mixed HTTP and HTTPS content and the server does not use cookies. However it is a header which could be added later on. It also moves some header added by #5805 from a vendored file to a generic handler. Fixes ##5813
2018-04-12 18:57:41 -04:00
}
replace os.Exit with panic for logger.CriticalIf (#6065) This commit prevents complete server failures caused by `logger.CriticalIf` calls. Instead of calling `os.Exit(1)` the function now executes a panic with a special value indicating that a critical error happend. At the top HTTP handler layer panics are recovered and if its a critical error the client gets an InternalServerError status code. Further this allows unit tests to cover critical-error code paths.
2018-06-25 16:51:49 -04:00
fix: make sure to log panic in handlers (#13611)
2021-11-08 12:28:13 -05:00
// criticalErrorHandler handles panics and fatal errors by
replace os.Exit with panic for logger.CriticalIf (#6065) This commit prevents complete server failures caused by `logger.CriticalIf` calls. Instead of calling `os.Exit(1)` the function now executes a panic with a special value indicating that a critical error happend. At the top HTTP handler layer panics are recovered and if its a critical error the client gets an InternalServerError status code. Further this allows unit tests to cover critical-error code paths.
2018-06-25 16:51:49 -04:00
// `panic(logger.ErrCritical)` as done by `logger.CriticalIf`.
//
// It should be always the first / highest HTTP handler.
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
func setCriticalErrorHandler(h http.Handler) http.Handler {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
defer func() {
fix: make sure to log panic in handlers (#13611)
2021-11-08 12:28:13 -05:00
if rec := recover(); rec == logger.ErrCritical { // handle
stack := debug.Stack()
logger.Error("critical: \"%s %s\": %v\n%s", r.Method, r.URL, rec, string(stack))
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInternalError), r.URL)
return
} else if rec != nil {
stack := debug.Stack()
logger.Error("panic: \"%s %s\": %v\n%s", r.Method, r.URL, rec, string(stack))
// Try to write an error response, upstream may not have written header.
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInternalError), r.URL)
return
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
}
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 11:04:03 -04:00
}()
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-04 12:54:22 -05:00
h.ServeHTTP(w, r)
})
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further.
2018-10-16 22:22:09 -04:00
}
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
// setUploadForwardingMiddleware middleware forwards multiparts requests
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
// in a site replication setup to peer that initiated the upload
fix: set request ID in tracing context key (#17602) Since `addCustomerHeaders` middleware was after the `httpTracer` middleware, the request ID was not set in the http tracing context. By reordering these middleware functions, the request ID header becomes available. We also avoid setting the tracing context key again in `newContext`. Bonus: All middleware functions are renamed with a "Middleware" suffix to avoid confusion with http Handler functions.
2023-07-08 10:31:42 -04:00
func setUploadForwardingMiddleware(h http.Handler) http.Handler {
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !globalSiteReplicationSys.isEnabled() ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
h.ServeHTTP(w, r)
return
}
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
bucket, object := request2BucketObjectName(r)
uploadID := r.Form.Get(xhttp.UploadID)
if bucket != "" && object != "" && uploadID != "" {
deplID, err := getDeplIDFromUpload(uploadID)
if err != nil {
fix: parsing multipart uploadID under site replicated setup (#16048) continue the fix from #16034
2022-11-10 19:17:45 -05:00
h.ServeHTTP(w, r)
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
return
}
remote, self := globalSiteReplicationSys.getPeerForUpload(deplID)
if self {
h.ServeHTTP(w, r)
return
}
// forward request to peer handling this upload
if globalBucketTargetSys.isOffline(remote.EndpointURL) {
Enable audit log for global handlers (#16964) Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2023-04-07 00:03:39 -04:00
defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrReplicationRemoteConnectionError), r.URL)
return
}
r.URL.Scheme = remote.EndpointURL.Scheme
r.URL.Host = remote.EndpointURL.Host
// Make sure we remove any existing headers before
// proxying the request to another node.
for k := range w.Header() {
w.Header().Del(k)
}
Add audit logging of site replication multipart proxying (#17122)
2023-05-03 14:19:45 -04:00
ctx := newContext(r, w, "SiteReplicationUploadForwarding")
defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))
proxy multipart to peers via multipart uploadID (#15926)
2022-10-25 13:52:29 -04:00
globalForwarder.ServeHTTP(w, r)
return
}
h.ServeHTTP(w, r)
})
}