minio / minio-js

MinIO Client SDK for Javascript
https://docs.min.io/docs/javascript-client-quickstart-guide.html
Apache License 2.0

minio-js: SignatureDoesNotMatch error when using js client code where share button in UI works when MinIO sits behind Reverse-Proxy #1266

Closed arvindkannan closed 8 months ago

arvindkannan commented 8 months ago

I have a problem showing images in the browser using minio-js.

My code:

```javascript
var Minio = require('minio')

var s3Client = new Minio.Client({
  endPoint: 'somewebsite.com/s3',
  accessKey: 'YOUR-ACCESSKEYID',
  secretKey: 'YOUR-SECRETACCESSKEY',
  useSSL: true // Default is true.
})

var presignedUrl = s3Client.presignedPutObject('bucketname', 'somefilename.pdf', 10000, function(e, presignedUrl) {
  if (e) return console.log(e)
  console.log(presignedUrl)
})
```

The URL I get is like http://127.0.0.1:9000/bucketname/somefilename.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=IKOuiLumBs8UoCUg%2F20221219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221219T150326Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=34da742218296f849239605b34cfe3d4db228456f6888313c01052bf1eec3dde

This localhost is converted to the actual shareable URL (considering the IIS reverse proxy) as https://somewebite.com/s3/bucketname/somefilename.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=IKOuiLumBs8UoCUg%2F20221219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221219T150326Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=34da742218296f849239605b34cfe3d4db228456f6888313c01052bf1eec3dde

But I receive the error below when opening this URL in the browser:

```xml
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
```

The problem is the same if we open the MinIO UI, select the file inside the bucket, choose share, copy the link and modify localhost to the proxy address; opening it outside the server network works though.

Hint: The MinIO server is running behind an IIS rewrite, Share via the UI works as expected, and only the minio.js-generated one fails to open and throws the above error. Not sure if there is any issue in minio.js or in some MinIO server configuration; most likely there is no issue on the MinIO server side, as the UI-generated share works.

prakashsvmx commented 8 months ago

Please set MINIO_SERVER_URL. The Host header is a signed header, so the proxy should not manipulate it.
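The point made in the comment above (Host is a signed header), as an added example that is not part of the original thread or of the minio-js code base: a minimal SigV4 query-string signer using only Node's `crypto` module, showing that the signature a server recomputes changes when the Host it sees differs from the one the client signed. The keys are constructed placeholders, the host, path and date values are taken from the issue, and the helper names `presignSignature` and `serverAccepts` are hypothetical; the example also covers the method and path, which are part of the same canonical request.

```javascript
// Added example: SigV4 presigned-URL signing with Node's built-in crypto only.
const crypto = require('crypto')

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest()
const sha256Hex = (data) => crypto.createHash('sha256').update(data).digest('hex')

// Constructed sample values (assumptions, not real credentials).
const SAMPLE = {
  accessKey: 'EXAMPLEACCESSKEY',
  secretKey: 'EXAMPLESECRETKEY',
  region: 'us-east-1',
  amzDate: '20221219T150326Z',
  expires: 604800,
}

// Returns the X-Amz-Signature for a presigned request to `host` + `path`.
function presignSignature(method, host, path, p = SAMPLE) {
  const date = p.amzDate.slice(0, 8)
  const scope = `${date}/${p.region}/s3/aws4_request`
  // Query parameters must be sorted by name; this order already is.
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${p.accessKey}/${scope}`],
    ['X-Amz-Date', p.amzDate],
    ['X-Amz-Expires', String(p.expires)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&')

  // Method, path, query and the Host header all enter the canonical request.
  const canonicalRequest =
    [method, path, query, `host:${host}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n')
  const stringToSign =
    ['AWS4-HMAC-SHA256', p.amzDate, scope, sha256Hex(canonicalRequest)].join('\n')

  // Derive the signing key: date -> region -> service -> "aws4_request".
  let key = hmac('AWS4' + p.secretKey, date)
  for (const part of [p.region, 's3', 'aws4_request']) key = hmac(key, part)
  return hmac(key, stringToSign).toString('hex')
}

// Compares what the client signed with what the server recomputes from the
// request it actually receives after the proxy has forwarded it.
function serverAccepts(signed, received) {
  const a = presignSignature(signed.method, signed.host, signed.path)
  const b = presignSignature(received.method, received.host, received.path)
  return crypto.timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'))
}
```

Calling `serverAccepts` with a `received` object whose `host` is `somewebsite.com` while `signed.host` is `127.0.0.1:9000` returns `false`, which is the condition the server reports as SignatureDoesNotMatch.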

arvindkannan commented 8 months ago

@prakashsvmx when we set MINIO_SERVER_URL, the login fails in the UI. The scenario is that MinIO will be running in a local instance, only the 9000 S3 API should be accessible via the IIS reverse proxy, and the UI should be accessible only within the server. There will be no specific DNS assigned, and thus we will use the IIS reverse proxy.

Without setting MINIO_SERVER_URL, the share URL works if we generate it via the UI, and the signature error is thrown only for the shareable URL generated via minio.js. I identified that it should be on the client-js side and the server has nothing to do with it.

arvindkannan commented 8 months ago

I also identified that more people raised similar issues, and setting MINIO_SERVER_URL is not an ideal solution. Quoting the PR on a similar item, #1234, raised for the similar request/issue #1232. @prakashsvmx

[Reopening]