Support custom request headers

[olljanat]

First step to implement minio/minio#19698 by allowing client to set User-Agent and X-Forwarded-For headers for all requests.

Needed by minio/minio#19744

[harshavardhana]

This is non-standard and non-idiomatic. There are no boundary checks on sanitized headers etc.

This can even conflict and cause signature issues if not carefully used.

[olljanat]

Those are standard HTTP headers and MinIO rely on them in it's code. Blocking ability to use them here does not provide any extra security because any customized client can use what ever values they want on those.

That why there is this warning

The aws:Referer, aws:SourceIp, and aws.UserAgent keys may be easily spoofed and therefore pose a potential security risk

in https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#id6

However, if would be way to get those to MinIO backend when SFTP is used then it is possible to block those connection from certain IPs and example completely from SFTP clients to some buckets with policies like I listed in minio/minio#19698