-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
403 SignatureDoesNotMatch Forbidden in newer releases #726
Comments
FYI - i also tested a docker pull from a few weeks back and that also didn't work for me.... just letting you know and seeing if you have an idea of what is breaking. I'm using s3cmd client. The working container I have from 5 months ago I believe has the jclouds updates to improve performance so that was a big one so I'm in no hurry to update to newer anyway. When you guys slap the latest tag on the 2.3.0 docker image I will give it a try so we know 2.3.0 broke something (at least with my use case) |
Tested latest 2.4.0, same thing. I suspect this broke things for others out there since all i'm doing is proxying to s3proxies on different ports |
You can try experimenting with |
I tried it but it doesn't seem to give specifics: [s3proxy] D 11-23 18:49:36.860 S3Proxy-Jetty-19 o.gaul.s3proxy.S3ProxyHandler:302 |::] request: Request(GET http://dyniback.s3.domain.net/)@7633f90 |
The only thing I can see is I am going from https to http. if that is part of the signature it will fail and the only solution will be to configure ssl within s3proxy. Is there anything that shows exactly what is used to make up the signature? I configured s3proxy with ssl and still sig does not match. |
The plot thickens, I can't actually make s3proxy work at all on a non-standard port, even without HAProxy: docker run -d --restart=unless-stopped --net=host --name=s3-backups -v /mnt/s3/backups:/mnt/s3/backups -e S3PROXY_AUTHORIZATION=aws-v2-or-v4 -e S3PROXY_IDENTITY=backups -e S3PROXY_CREDENTIAL=JEuhCv3U -e S3PROXY_ENDPOINT="http://127.0.0.1:30565" -e S3PROXY_CORS_ALLOW_ALL="true" -e S3PROXY_SERVICE_PATH="/backups" -e JCLOUDS_PROVIDER="filesystem" -e S3PROXY_V4_MAX_NON_CHUNKED_REQ_SIZE="310000000" -e JCLOUDS_FILESYSTEM_BASEDIR="/mnt/s3/backups" -e LOG_LEVEL="trace" andrewgaul/s3proxy:2.4.0 Trying to connect using 127.0.0.1:30565 from s3cmd - signature does not match. Adding a domain name to my hosts file didn't make a different either. What else changed? NOTE: The above config works with the 5 month old container just fine. I read somewhere that the signature calculation is different when using a non-standard port, is that part what is broken? Apparently the :80/:443 is stripped but when using a non-standard port, the port number is used in the calculation. Actually, I can't make s3proxy work at all with the latest container. Nothing works. Even using port 80. I did try the latest aws cli too. |
docker run -d --restart=unless-stopped --net=host -m 500m --name=s3-test -e S3PROXY_AUTHORIZATION=aws-v2-or-v4 -e S3PROXY_IDENTITY=test -e S3PROXY_CREDENTIAL=test -e S3PROXY_ENDPOINT="http://127.0.0.1:8080" -e S3PROXY_CORS_ALLOW_ALL="true" -e LOG_LEVEL="trace" andrewgaul/s3proxy:2.4.0 that is working config. so something i'm passing is breaking the signature calc possibly, will try to narrow it down |
Looks like I solved the puzzle finally - S3PROXY_SERVICE_PATH was breaking things. Removed it and it worked. Oh and, it works fine with HAProxy |
I was running s3proxy containers behind haproxy and after updating to the latest version from an older version (current latest tag on dockerhub), something broke.
403 SignatureDoesNotMatch Forbidden {}
[s3proxy] D 11-21 18:52:34.837 S3Proxy-Jetty-14 o.gaul.s3proxy.S3ProxyHandler:301 |::] request: Request(GET http://somehost.realdomain.net/)@2439a92f
I have -e S3PROXY_CORS_ALLOW_ALL="true" and -e S3PROXY_ENDPOINT="http://127.0.0.1:30565" (changing endpoint to https makes no difference)
https is terminated on haproxy and it connects to an s3proxy running on localhost:
The actual request URL from the client is https, but it does show as http in the s3proxy logs, perhaps that is it? ..or is the non-standard port included in the signature calculation now?
I will try to debug this further myself too.
UPDATE:
I went back 5 months to "sha-4175022" docker image and it works (2.2.0 i believe). The latest docker image from 2 days ago does not work. Not sure what changed between 2.2 and 2.3 or maybe it is just because it is a dev build with some broken code pushes.
The text was updated successfully, but these errors were encountered: