MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-09 21:49:46 -05:00
Code Issues Packages Projects Releases Wiki Activity

Handle incoming proxy requests ip, scheme (#5591)

Browse Source 
This PR implements functions to get the right ip, scheme
from the incoming proxied requests.
This commit is contained in:
Harshavardhana
2018-03-02 15:23:04 -08:00
committed by kannappanr
parent d71b1d25f8
commit e4f6877c8b
9 changed files with 275 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
cmd/object-handlers.go
View File

@@ -32,6 +32,7 @@ import (
mux "github.com/gorilla/mux"
"github.com/minio/minio/pkg/errors"
"github.com/minio/minio/pkg/handlers"
"github.com/minio/minio/pkg/hash"
"github.com/minio/minio/pkg/ioutil"
sha256 "github.com/minio/sha256-simd"
@@ -57,22 +58,6 @@ func setHeadGetRespHeaders(w http.ResponseWriter, reqParams url.Values) {
}
}
// getSourceIPAddress - get the source ip address of the request.
func getSourceIPAddress(r *http.Request) string {
var ip string
// Attempt to get ip from standard headers.
// Do not support X-Forwarded-For because it is easy to spoof.
ip = r.Header.Get("X-Real-Ip")
parsedIP := net.ParseIP(ip)
// Skip non valid IP address.
if parsedIP != nil {
return ip
}
// Default to remote address if headers not set.
ip, _, _ = net.SplitHostPort(r.RemoteAddr)
return ip
}
// errAllowableNotFound - For an anon user, return 404 if have ListBucket, 403 otherwise
// this is in keeping with the permissions sections of the docs of both:
// HEAD Object: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
@@ -81,7 +66,7 @@ func errAllowableObjectNotFound(bucket string, r *http.Request) APIErrorCode {
if getRequestAuthType(r) == authTypeAnonymous {
// We care about the bucket as a whole, not a particular resource.
resource := "/" + bucket
sourceIP := getSourceIPAddress(r)
sourceIP := handlers.GetSourceIP(r)
if s3Error := enforceBucketPolicy(bucket, "s3:ListBucket", resource,
r.Referer(), sourceIP, r.URL.Query()); s3Error != ErrNone {
return ErrAccessDenied
@@ -631,7 +616,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
return
case authTypeAnonymous:
// http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
sourceIP := getSourceIPAddress(r)
sourceIP := handlers.GetSourceIP(r)
if s3Err = enforceBucketPolicy(bucket, "s3:PutObject", r.URL.Path, r.Referer(), sourceIP, r.URL.Query()); s3Err != ErrNone {
writeErrorResponse(w, s3Err, r.URL)
return
@@ -1049,7 +1034,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
case authTypeAnonymous:
// http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
if s3Error := enforceBucketPolicy(bucket, "s3:PutObject", r.URL.Path,
r.Referer(), getSourceIPAddress(r), r.URL.Query()); s3Error != ErrNone {
r.Referer(), handlers.GetSourceIP(r), r.URL.Query()); s3Error != ErrNone {
writeErrorResponse(w, s3Error, r.URL)
return
}