Skip to content

fix: allow downloading S3 files from MinIO over http #570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: allow downloading S3 files from MinIO over http #570

wants to merge 2 commits into from

Conversation

@vsarunas
Copy link
Contributor

@vsarunas vsarunas commented Nov 18, 2025

Allow downloading files from S3 over custom HTTP endpoints like MinIO.

Without this the download fails with:

http: server gave HTTP response to HTTPS client

Fixes #569

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

@vsarunas vsarunas requested a review from a team as a code owner November 18, 2025 10:21
@vsarunas vsarunas mentioned this pull request Nov 18, 2025
Open
CreatorHead
CreatorHead reviewed Nov 18, 2025
View reviewed changes
get_s3.go Outdated
// If it's not an AWS domain, set the custom endpoint
if !isAWSDomain {
opts.BaseEndpoint = aws.String("https://" + url.Host)
opts.BaseEndpoint = aws.String(url.Scheme + "://" + url.Host)
Copy link
Contributor

@CreatorHead CreatorHead Nov 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small edge-case thought: url.Scheme should always be present for non-AWS S3 endpoints, but if anything upstream ever passes a malformed URL (e.g., s3::127.0.0.1:9000/... with no scheme), this would produce an invalid endpoint like ://host.

Not blocking, but adding a tiny fallback would make this more robust without changing existing behavior will be a better option. Let me know your thoughts. (I'm just Thinking around a defensive improvement)

Copy link
Contributor

@CreatorHead CreatorHead Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you be open to adding a small test for this?
Right now this logic is untested, which might make it easy to regress later.

Copy link
Contributor Author

@vsarunas vsarunas Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added verification on empty scheme with fallback to https.
I'm not very clear on the extent of the test; ideally the entire newS3Client() should be tested.

@crw crw added the bug label Nov 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@CreatorHead CreatorHead CreatorHead approved these changes

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

minio s3 address resolution error (http -> https)

3 participants

@vsarunas @CreatorHead @crw