Allow preserving cookies for proxies #1054

Merged
merged 1 commit into from Jan 2, 2019


harshavardhana
Member

No description provided.

@harshavardhana
Member Author

This is how you can test this PR

```yaml
version: '2'

# starts 2 docker containers running minio server instances. Each
# minio server's web interface will be accessible on the host at port
# 9001 and 9002.
services:
 minio1:
  image: minio/minio:edge
  volumes:
   - data1:/data
  ports:
   - "9001:9000"
  environment:
   MINIO_ACCESS_KEY: minio
   MINIO_SECRET_KEY: minio123
  command: server /data
 minio2:
  image: minio/minio:edge
  volumes:
   - data2:/data
  ports:
   - "9002:9000"
  environment:
   MINIO_ACCESS_KEY: minio
   MINIO_SECRET_KEY: minio123
  command: server /data

## By default this config uses default local driver,
## For custom volumes replace with volume driver configuration.
volumes:
  data1:
  data2:
```

```
~ docker-compose -f compose.yml up
```

Once you have obtained the IPs of the running Docker containers

Set up haproxy with sticky sessions

```
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

listen my_website_name
    bind 0.0.0.0:80
    mode http
    maxconn 40000
    balance roundrobin
    option http-keep-alive
    option forwardfor
    cookie SRVNAME insert
    timeout connect  30000
    timeout client  30000
    timeout server 30000
    server ServerA 172.19.0.2:9000 cookie SA check
    server ServerB 172.19.0.3:9000 cookie SB check
```

Vendorize minio-go with mc

```
~ mc ls --debug haproxy
mc: GET / HTTP/1.1
Host: localhost
User-Agent: Minio (linux; amd64) minio-go/v6.0.12 mc/2018-12-31T09:34:43Z
Authorization: AWS4-HMAC-SHA256 Credential=minio/20181231/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=REDACTED
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181231T093836Z
Accept-Encoding: gzip

mc: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Mon, 31 Dec 2018 09:38:36 GMT
Server: Minio/DEVELOPMENT.2018-12-29T16-41-29Z (linux; amd64)
Set-Cookie: SRVNAME=SA; path=/
Vary: Origin
X-Amz-Request-Id: 157561610E1AB295
X-Minio-Deployment-Id: b6a7f6b3-c468-4c07-8d8c-f491e4c7d7fe
X-Xss-Protection: 1; mode=block

mc: Response Time: 1.310933ms

mc: GET / HTTP/1.1
Host: localhost
User-Agent: Minio (linux; amd64) minio-go/v6.0.12 mc/2018-12-31T09:34:43Z
Authorization: AWS4-HMAC-SHA256 Credential=minio/20181231/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=REDACTED
Cookie: SRVNAME=SA
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181231T093836Z
Accept-Encoding: gzip

mc: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Mon, 31 Dec 2018 09:38:36 GMT
Server: Minio/DEVELOPMENT.2018-12-29T16-41-29Z (linux; amd64)
Vary: Origin
X-Amz-Request-Id: 157561610E2A91F6
X-Minio-Deployment-Id: b6a7f6b3-c468-4c07-8d8c-f491e4c7d7fe
X-Xss-Protection: 1; mode=block

mc: Response Time: 616.729µs
```

Observe the highlighted headers: one in the response to the first request, and another in the second request as part of the request headers. Without this change, you would see haproxy sending multiple responses because the client is not sending the Cookie correctly, so it is not sticking to a given session.
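
The client-side behaviour the test above exercises, as an added example that is not code from this PR or from minio-go: an HTTP client with a cookie jar (Go's standard `net/http/cookiejar`) stays pinned to one backend, while a client without one is rebalanced on every request. `stickyProxy` is a constructed stand-in for the haproxy `listen` section above, and the `X-Backend` header and function names are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync/atomic"
)

// stickyProxy imitates "balance roundrobin" + "cookie SRVNAME insert": without a
// valid SRVNAME cookie the request gets the next backend and a Set-Cookie.
func stickyProxy() *httptest.Server {
	var next uint32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("SRVNAME")
		if err != nil || (c.Value != "SA" && c.Value != "SB") { // not pinned yet
			c = &http.Cookie{Name: "SRVNAME", Path: "/", Value: []string{"SA", "SB"}[(atomic.AddUint32(&next, 1)-1)%2]}
			http.SetCookie(w, c)
		}
		w.Header().Set("X-Backend", c.Value) // demo-only header naming the backend used
	}))
}

// backendsSeen sends n GETs and records which backend served each one.
func backendsSeen(url string, withJar bool, n int) ([]string, error) {
	c := &http.Client{}
	if withJar {
		c.Jar, _ = cookiejar.New(nil) // the only difference between the two runs
	}
	var seen []string
	for i := 0; i < n; i++ {
		resp, err := c.Get(url)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		seen = append(seen, resp.Header.Get("X-Backend"))
	}
	return seen, nil
}

func main() {
	srv := stickyProxy()
	defer srv.Close()
	fmt.Println(backendsSeen(srv.URL, false, 4)) // no jar: alternates between backends
	fmt.Println(backendsSeen(srv.URL, true, 4))  // jar: first backend is kept
}
```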

@harshavardhana
Member Author

ping @vadmeste @wlan0 - can I get some reviews?

Member

@vadmeste vadmeste left a comment

LGTM

@wlan0
Contributor

wlan0 commented Jan 2, 2019

LGTM as well

@kannappanr kannappanr merged commit 5f40a0c into minio:master Jan 2, 2019
@harshavardhana harshavardhana deleted the set-cookie branch January 2, 2019 23:33