Mc: "Extra Headers" in newer mc client

Created on 26 Jul 2018 · 19 Comments · Source: minio/mc

Expected behaviour

mc cp should yield successful upload.

Actual behaviour

comm-wche84-lt:essays rachel$ mc --debug cp /Users/rachel/Downloads/giphy.gif Rachel/hexo/stop-it.gif
mc: <DEBUG> GET /hexo/?location= HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20180720T231455Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 154336C08C9A46BE
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  620.68303ms

mc: <DEBUG> GET /hexo/?delimiter=%2F&max-keys=1000&prefix=stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 154336C08DD18908
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  17.170555ms

mc: <DEBUG> HEAD /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 154336C08F2D3BF8
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  22.167836ms

mc: <DEBUG> GET /hexo/?delimiter=%2F&max-keys=1000&prefix=stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 154336C0907ABE20
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  26.127676ms

mc: <DEBUG> HEAD /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 154336C09206FE55
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  21.589167ms

...oads/giphy.gif:  1.16 MB / 1.16 MB  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 1.53 MB/s 0s
mc: <DEBUG> PUT /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Content-Length: 1219402
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-meta-com.apple.quarantine, Signature=**REDACTED**
Content-Type: image/gif
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20180720T231456Z
X-Amz-Meta-Com.apple.quarantine: 0082;5b526676;Safari;
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:15:00 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 154336C0FBF99F70
X-Xss-Protection: 1; mode=block

11d
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>There were headers present in the request which were not signed</Message><Key></Key><BucketName></BucketName><Resource>/hexo/stop-it.gif</Resource><RequestId>3L137</RequestId><HostId>3L137</HostId></Error>
0

mc: <DEBUG> Response Time:  1.792951893s

mc: <ERROR> Failed to copy `/Users/rachel/Downloads/giphy.gif`. Insufficient permissions to access this file `https://rachel.objectstore.co/hexo/stop-it.gif`
 (3) cp-main.go:404 cmd.doCopySession(..) Tags: [/Users/rachel/Downloads/giphy.gif]
 (2) common-methods.go:196 cmd.uploadSourceToTargetURL(..) Tags: [https://rachel.objectstore.co/hexo/stop-it.gif]
 (1) common-methods.go:130 cmd.putTargetStream(..) Tags: [Rachel, https://rachel.objectstore.co/hexo/stop-it.gif]
 (0) client-s3.go:656 cmd.(*s3Client).Put(..)
 Release-Tag:RELEASE.2018-07-13T00-53-22Z | Commit:70dcf20d747d | Host:comm-wche84-lt.local | OS:darwin | Arch:amd64 | Lang:go1.10.2 | Mem:6.6MB/17MB | Heap:6.6MB/12MB
...oads/giphy.gif:  1.16 MB / 1.16 MB  β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“  100.00% 663.50 KB/s 1s

Steps to reproduce the behaviour

mc cp src dst_on_minio

mc version

comm-wche84-lt:essays Rachel$ mc version
Version: 2018-07-13T00:53:22Z
Release-tag: RELEASE.2018-07-13T00-53-22Z
Commit-id: 70dcf20d747d305f73a117b4787acf46e6809d99

System information

Darwin

@harshavardhana mentioned that it should've been fixed in #2193 but no cigar.

duplicate medium

All 19 comments

Maybe nginx added something juicy to the headers and then Minio complains?

@zllovesuki do you have an Nginx proxy in front of Minio? Can you point directly to Minio and see if that works?

@harshavardhana well, it's running on Kubernetes so the Ingress is always there. I don't think nginx is the problem because prior versions of mc work fine with Nginx in between the user and Minio.

> @harshavardhana well, it's running on Kubernetes so the Ingress is always there. I don't think nginx is the problem because prior versions of mc work fine with Nginx in between the user and Minio.

Then perhaps I need to reproduce this locally; perhaps recent changes in signature v4 are causing the issue. @zllovesuki

Still broken as of current release on homebrew.

Rachels-MacBook:~ rachel$ mc version
Version: 2018-09-10T23:39:12Z
Release-tag: RELEASE.2018-09-10T23-39-12Z
Commit-id: c352cadd4be2c6bed64884c78d1e8a8ac6efaf3f

> Still broken as of current release on homebrew.

From what I can see this has to do with your nginx proxy; I am not sure what it's trying to do with the headers. I can't seem to be able to reproduce it.

Still broken for me as well, reproducible with Minio behind nginx and mc on MacOS.

mc version
Version: 2018-09-26T00:42:43Z
Release-tag: RELEASE.2018-09-26T00-42-43Z
Commit-id: 87f7e65c4c837c8886bf2dd8800c445983b36187

Previous versions of mc worked fine. The Minio web interface works fine as well.

@zllovesuki Have you found a solution?

My nginx configuration:

```
upstream minio_servers {
server 127.0.0.1:9001;
server 127.0.0.1:9002;
server 127.0.0.1:9003;
server 127.0.0.1:9004;
}

server {
server_name my.minio.server;
client_max_body_size 512M;

location / {
    proxy_set_header Host $http_host;
    proxy_pass       http://minio_servers;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.minio.server/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.minio.server/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
```

Found the issue!

This is the extra header that is only added for files with a custom xattr attribute on MacOS: X-Amz-Meta-Com.apple.quarantine: 0082;5bbe2ec5;Keka;

Check existing attributes with: xattr file.zip
You can get rid of attributes (here: com.apple.quarantine) by:
xattr -d com.apple.quarantine file.zip

After that, uploading with mc works just fine.

Interesting, I will check my computer later.

Can confirm.

Rachels-MacBook:~ rachel$ xattr -d com.apple.quarantine ~/Downloads/ezgif.com-optimize.gif 
Rachels-MacBook:~ rachel$ mc --debug cp ~/Downloads/ezgif.com-optimize.gif rachel/dist/hue.gif
mc: <DEBUG> GET /dist/?location= HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20181013T010120Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 155D054E3C2F83F1
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  411.104274ms

mc: <DEBUG> GET /dist/?delimiter=%2F&max-keys=1000&prefix=hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 155D054E3E630800
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  30.125179ms

mc: <DEBUG> HEAD /dist/hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 155D054E4051BC08
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  32.376025ms

mc: <DEBUG> GET /dist/?delimiter=%2F&max-keys=1000&prefix=hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 155D054E424FF8C5
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  33.95394ms

mc: <DEBUG> HEAD /dist/hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 155D054E444DEED8
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  28.903296ms

...optimize.gif:  1.99 MB / 1.99 MB  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 3.15 MB/s 0s
mc: <DEBUG> PUT /dist/hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Content-Length: 2083206
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
Content-Type: image/gif
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20181013T010121Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 0
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Sat, 13 Oct 2018 01:01:22 GMT
Etag: "c0e09c3ba99d1133c8c848e29fb27430"
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 155D054E84C7E947
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  1.088734018s

...optimize.gif:  1.99 MB / 1.99 MB  β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“β–“  100.00% 1.82 MB/s 1s

Is it a good idea for mc to strip such attrs?

> Is it a good idea for mc to strip such attrs?

We can support it @zllovesuki - it must be a bug.

Looks like this is working fine when I directly use Minio

mc: <DEBUG> POST /sjm-airlines/rhel-server-7.4-x86_64-dvd.iso?uploads= HTTP/1.1
Host: localhost:9000
User-Agent: Minio (linux; amd64) minio-go/v6.0.8 mc/2018-10-11T22:45:56Z
Content-Length: 0
Authorization: AWS4-HMAC-SHA256 Credential=minio/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-meta-user.xdg.origin.url, Signature=**REDACTED**
Content-Type: application/x-iso9660-image
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20181013T010537Z
X-Amz-Meta-User.xdg.origin.url: https://access.cdn.redhat.com//content/origin/files/sha256/43/431a58c8c0351803a608ffa56948c5a7861876f78ccbe784724dd8c987ff7000/rhel-server-7.4-x86_64-dvd.iso?_auth_=1520282889_258e1e3f3dc397397d0dace5891c60aa
Accept-Encoding: gzip

The problem seems to be coming from nginx trying to do something with these headers. Can you enable MINIO_HTTP_TRACE=/dev/stdout to see what nginx is sending to Minio?

@zllovesuki ^^

@harshavardhana stdout is going to explode if I do TRACE on the prod server. Maybe you can reference @tholu's config?

> @harshavardhana stdout is going to explode if I do TRACE on the prod server. Maybe you can reference @tholu's config?

@zllovesuki you can even write to a file: MINIO_HTTP_TRACE=trace.log

Finally I have time to sit down...

Here's the trace file. minio-trace.txt

For reference this is the yaml for test minio:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: minio-test
  namespace: objectstore
spec:
  rules:
  - host: test.objectstore.co
    http:
      paths:
      - backend:
          serviceName: minio-test
          servicePort: 9000
        path: /
  tls:
  - hosts:
    - test.objectstore.co
    secretName: objectstore-tls-gs
---
apiVersion: v1
kind: Service
metadata:
  name: minio-test
  namespace: objectstore
spec:
  ports:
  - port: 9000
    protocol: TCP
    targetPort: 9000
  selector:
    app: minio-test
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: minio-test
  name: minio-test
  namespace: objectstore
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minio-test
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio-test
    spec:
      containers:
      - args:
        - server
        - /storage
        command:
        - minio
        env:
        - name: MINIO_ACCESS_KEY
          value: test
        - name: MINIO_SECRET_KEY
          value: testtest123
        - name: MINIO_BROWSER
          value: "off"
        - name: _MINIO_CACHE
          value: "off"
        - name: MINIO_HTTP_TRACE
          value: "/dev/stdout"
        image: minio/minio:RELEASE.2018-07-13T00-09-07Z
        imagePullPolicy: IfNotPresent
        name: minio
        ports:
        - containerPort: 9000
          protocol: TCP
        volumeMounts:
        - mountPath: /storage
          name: storage
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      volumes:
      - name: storage
        emptyDir: {}

Ingress controller from: https://github.com/kubernetes/ingress-nginx. Running image quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.19.0, with the following configuration:

apiVersion: v1
data:
  disable-access-log: "true"
  enable-dynamic-tls-records: "true"
  enable-modsecurity: "false"
  enable-owasp-modsecurity-crs: "false"
  enable-vts-status: "true"
  error-log-level: warn
  keep-alive: "60"
  load-balance: ip_hash
  max-worker-connections: "20480"
  proxy-body-size: 2g
  proxy-buffer-size: 64k
  proxy-connect-timeout: "5"
  proxy-read-timeout: "3600"
  proxy-send-timeout: "3600"
  proxy-stream-timeout: "604800"
  server-name-hash-max-size: "512"
  server-tokens: "false"
  ssl-ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-dh-param: default/nginx-dhparam-4096
  ssl-ecdh-curve: prime256v1:secp384r1:secp521r1
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-session-tickets: "false"
  worker-processes: "4"
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: default

@zllovesuki we found the solution in https://github.com/minio/mc/issues/2569 and in fact it's an Nginx problem.

For people Googling: set ignore-invalid-headers to false in your configmap.
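
As an added example (not part of the thread and not mc or Minio code): a small Python check that reads `mc --debug` output and lists the headers named in `SignedHeaders` that nginx would discard under its default `ignore_invalid_headers on`, which is the mismatch the thread traces to the xattr-derived `X-Amz-Meta-Com.apple.quarantine` header. The header-name rule is taken from the nginx documentation; the function names and the sample input are constructed for illustration.

```python
import re

# Rule from the nginx documentation for ignore_invalid_headers (default: on):
# a header name is valid only if it is made of letters, digits and hyphens;
# underscores count as valid only when underscores_in_headers is on.
def nginx_accepts(name, underscores_in_headers=False):
    allowed = r"[A-Za-z0-9_-]+" if underscores_in_headers else r"[A-Za-z0-9-]+"
    return re.fullmatch(allowed, name) is not None

# A request line in `mc --debug` output; the progress bar may be fused in front.
REQUEST_LINE = re.compile(r"^(?:.*mc: <DEBUG> )?(GET|HEAD|PUT|POST|DELETE) (\S+) HTTP/1\.[01]$")
SIGNED_HEADERS = re.compile(r"SignedHeaders=([^,\s]+)")

def parse_requests(debug_text):
    """Return one dict per request: method, path and the SigV4 SignedHeaders list."""
    requests, current = [], None
    for line in debug_text.splitlines():
        line = line.rstrip()
        start = REQUEST_LINE.match(line)
        if start:
            current = {"method": start.group(1), "path": start.group(2), "signed": []}
            requests.append(current)
        elif not line:
            current = None  # a blank line ends the request's header block
        elif current is not None and line.lower().startswith("authorization: "):
            found = SIGNED_HEADERS.search(line)
            if found:
                current["signed"] = found.group(1).split(";")
    return requests

def audit(debug_text, underscores_in_headers=False):
    """List (method, path, headers) where a signed header would not be forwarded."""
    findings = []
    for req in parse_requests(debug_text):
        dropped = [h for h in req["signed"] if not nginx_accepts(h, underscores_in_headers)]
        if dropped:
            findings.append((req["method"], req["path"], dropped))
    return findings

# Constructed sample: two requests trimmed from the debug output in this thread.
SAMPLE = """\
mc: <DEBUG> HEAD /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Date: 20180720T231456Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close

...oads/giphy.gif:  1.16 MB / 1.16 MB  100.00% 1.53 MB/s 0smc: <DEBUG> PUT /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-meta-com.apple.quarantine, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20180720T231456Z
X-Amz-Meta-Com.apple.quarantine: 0082;5b526676;Safari;
"""

if __name__ == "__main__":
    for method, path, dropped in audit(SAMPLE):
        print(f"{method} {path}: signed but not forwarded by the proxy: {', '.join(dropped)}")
```

An empty result means every signed header name survives the proxy; a non-empty one points to the two remedies from the thread: remove the extended attribute with `xattr -d`, or set `ignore-invalid-headers` to false in the ingress ConfigMap.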

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
