New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SignatureDoesNotMatch error if port 80 is used and port is indicated in Host header #9169
Comments
the port should never be part of the signature @fviard if it's 80 or 443 - the client should strip this |
Hum, I just tested aws s3, and it looks like that they have the same behavior as Minio. It looks like that it is common for "http" clients to do that: But still, based on the HTTP spec, omitting the "port" is just "optional" and not "mandatory" for a client when it is the default port. So, I'm thinking about whether I should fix s3cmd to handle that case, |
We have fixed all our SDKs to follow this @fviard , so this is a very well known historic issue. |
That the client adapt to random servers, I can understand. |
MinIO shouldn't be fixed here - port for standard ports shouldn't be part of the signature. Please fix this in s3cmd because otherwise we have to validate signature for both cases, since the port is stripped off when server receives it. |
I just had a quick look at Minio's code. But looking here, it looks like that you just have to use the "Host" header that you get instead of replacing it by r.host: |
We already use r.Host which has the value stripped off, if AWS S3 behaves the same why are you asking server to change the behavior here?. I don't think it's meaningful, it's a few lines on client to ignore the port. These ports are not preserved correctly when deployed behind proxies. So I don't see a good reason for server to complicate itself. AFAICS this is not our bug. |
That is the point, at this place, DON'T use r.Host that was stripped, but the original "Host" field that is inside signedHeaders.
There are not only aws s3 and Minio as possible destination. And if you think about it, look at the error it is not even a server request error from your side, it can be considered as a "bug" as because of something of the client that don't behave like you expect, you encounter a "Signature Mismatch" error. Also, I'm concerned that one day, someone will bang his head to understand the reason of having this error, when something subtle will have still put the port number, like a proxy or a redirection.
I might be wrong, but I have the feeling that you change 1 line in your code and the problem is fixed for everyone! That being said, don't worry, it is not because you fix that, that I will not change s3cmd. |
If Go server strips this port off, we have no way for us to assume is it 443 or 80. Today we are not doing anything different, r.Host is used as is. We do not have this control, that is perhaps how it is for AWS as well. This is why it's asked for SDKs to strip it off, and all AWS SDKs do this and so are ours. |
I shall close this anyways, as there is nothing actionable at this point in time. |
Ok, I understand now. It does not come from Minio but it is Go that is defective, preventing you to have the info that you need. |
…ort 80 or 443 is specified, due to stupid servers This hack is needed because it looks like that some servers are not respecting the HTTP spec, and so will fail the signature check if the port is specified in the "Host" header for default ports. STUPIDIEST THING EVER FOR A SERVER but looks like that it is common ... More details here: minio/minio#9169
Please see: s3tools/s3cmd#1059
When starting Minio server without ssl and requesting that it uses the port :80
./minio server testdir2 --address ":80"
On the client side (s3cmd), the client can define the server address in 2 ways:
127.0.0.1
or127.0.0.1:80
(here is localhost, but IP doesn't matter for this issue)
":80" is optional as it is the default port for a normal s3 service.
As you can see in the related issue in s3cmd, the problem is that the Minioserver will encounter a "SignatureDoesNotMach" error if the url used is the one with the port included (ex.: "127.0.0.1:80").
I think that the issue come from the fact that Minio does not take into account the "Host" header value that is provided with the request for calculating the signature but a "hard coded" value.
For example, here is the difference of the headers that are sent in the 2 cases:
One can see the difference for port 80 and the others directly when starting Minio:
(port info is automatically stripped in address)
As, indeed, the 2 values of "Host" header are valid for the port 80, Minio should be able to handle that gracefully.
Also, I did not test it, but I guess that the same issue could be possible for the port 443 when ssl is used?
Your Environment
minio version
): RELEASE.2020-03-14T02-21-58Zuname -a
): Ubuntu 18.04.1The text was updated successfully, but these errors were encountered: