ShareLink URL is not https if nginx use https #3479

Open
HorseLuke opened this issue Nov 27, 2024 · 1 comment


HorseLuke commented Nov 27, 2024

NOTE

Please subscribe to our paid subscription plans for 24x7 support from our Engineering team.

If nginx is used as an https proxy in front of the minio console over http, the generated ShareLink URL is not https.

Expected Behavior

ShareLink URL should be "https://".

Current Behavior

ShareLink URL is "http://".

Possible Solution

The problem comes from the function getRequestURLWithScheme in the file /api/user_objects.go.
It does not consider the nginx proxy HTTP header X-Forwarded-Proto; it only checks http.Request.TLS.

```go
func getRequestURLWithScheme(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	// ... (rest of the function omitted)
}
```

Steps to Reproduce (for bugs)

  1. Install nginx and minio
  2. Proxy nginx and minio console, details: https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html

nginx conf, with https enabled:

```nginx
server {

   listen       80;
   listen  [::]:80;
   listen 443 ssl;
   ssl_certificate  /etc/nginx/certs/test.crt;
   ssl_certificate_key  /etc/nginx/certs/test.key;

   server_name  minio_console.test.com;

   # Allow special characters in headers
   ignore_invalid_headers off;
   # Allow any size file to be uploaded.
   # Set to a value such as 1000m; to restrict file size to a specific value
   client_max_body_size 1000m;
   # Disable buffering
   proxy_buffering off;
   proxy_request_buffering off;

   location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-NginX-Proxy true;

      # This is necessary to pass the correct IP to be hashed
      real_ip_header X-Real-IP;

      proxy_connect_timeout 300;

      # To support websocket
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      chunked_transfer_encoding off;

      proxy_pass http://minio_console; # This uses the upstream directive definition to load balance
   }
}
```

  3. Open https://minio_console.test.com/, upload and generate share link

Context

Generated ShareLink URL is not safe

Regression

No

Your Environment

@ramondeklein
Collaborator

Did you follow the instructions and set MINIO_BROWSER_REDIRECT_URL?
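
An added example, not MinIO's code and not posted by either participant: one way a Go handler could honour `X-Forwarded-Proto` as the issue proposes, while accepting the header only from an allow-listed proxy address so that a client connecting directly cannot choose the scheme of generated links. `schemeFor`, `fromTrustedProxy`, `trustedProxies`, `newReq` and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies: hypothetical allow-list of peers that may set X-Forwarded-Proto.
var trustedProxies = []string{"127.0.0.0/8", "::1/128"}

func fromTrustedProxy(remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr) // host is "" on a malformed address
	ip := net.ParseIP(host)
	for _, cidr := range trustedProxies {
		if _, n, err := net.ParseCIDR(cidr); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// schemeFor trusts direct TLS first, then the header, but only from a trusted peer.
func schemeFor(r *http.Request) string {
	if r.TLS != nil {
		return "https"
	}
	proto := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
	if fromTrustedProxy(r.RemoteAddr) && (proto == "http" || proto == "https") {
		return proto
	}
	return "http"
}

// newReq builds a constructed request (sample input, not captured traffic).
func newReq(remoteAddr, forwardedProto string, directTLS bool) *http.Request {
	r := &http.Request{Header: http.Header{}, RemoteAddr: remoteAddr}
	r.Header.Set("X-Forwarded-Proto", forwardedProto)
	if directTLS {
		r.TLS = &tls.ConnectionState{}
	}
	return r
}

func main() {
	// First request arrives via the local proxy, second directly from a client.
	fmt.Println(schemeFor(newReq("127.0.0.1:40000", "https", false)), schemeFor(newReq("203.0.113.7:40000", "https", false)))
}
```

The allow-list matters because the nginx config above only overwrites `X-Forwarded-Proto` for traffic that passes through it; a request reaching the backend port directly carries whatever value the client sent.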
