Problem with creating presigned download link for some file types #5092

Closed
YouSysAdmin opened this issue Dec 3, 2024 · 8 comments
@YouSysAdmin

YouSysAdmin commented Dec 3, 2024

Root cause

The problem is related to Cloudflare's frivolous attitude towards traffic caching.
If you encounter this problem, just disable caching for the domain/subdomain/path where the MinIO API is located.

#5092 (comment)

After uploading *.gz, *.tar.gz, *.tar, *.zip, *.gzip files and trying to create a link to download these files, the MinIO server returns an error.

  • The problem is not reproduced if using AWS CLI for link requisition
  • The problem is not produced for other types of files

I couldn't reproduce this problem on the Play server, but considering that it is present only when using the official client and absent for AWS CLI, I think it's better to create the Issue here.

Expected behavior

Returning a presigned share link

Actual behavior

ZIP

mc share download storage/backup/ff.zip

mc: <ERROR> Unable to stat `storage/backup/ff.zip`. Insufficient permissions to access this path `https://storage.example.host/backup/ff.zip`.

TAR

mc share download storage/backup/ff.tar

mc: <ERROR> Unable to stat `storage/backup/ff.tar`. Insufficient permissions to access this path `https://storage.example.host/backup/ff.tar`

TAR.GZ

mc share download storage/backup/ff.tar.gz
mc: <ERROR> Unable to stat `storage/backup/ff.tar.gz`. Insufficient permissions to access this path `https://storage.example.host/backup/ff.tar.gz`.

Steps to reproduce the behavior

A correct file header and file size don't have any effect, so I'm simply making a 1Mb file.

# Make test files
dd if=/dev/zero of=ff.gz  bs=1M  count=1
dd if=/dev/zero of=ff.tar.gz  bs=1M  count=1
dd if=/dev/zero of=ff.tar bs=1M  count=1
dd if=/dev/zero of=ff.zip  bs=1M  count=1
dd if=/dev/zero of=ff.gzip  bs=1M  count=1

# Upload all test files
mc cp -r ./ storage/backup

# List files in the bucket
mc ls storage/backup
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.gz
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.gzip
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.tar
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.tar.gz
[2024-12-03 12:11:41 EET] 1.0MiB STANDARD ff.zip

# Make a presigned download link
mc share download storage/backup/ff.tar
mc share download storage/backup/ff.tar.gz
mc share download storage/backup/ff.zip
mc share download storage/backup/ff.gzip
mc share download storage/backup/ff.gz

mc --version

mc version RELEASE.2024-11-17T19-35-25Z (commit-id=bb4ff4951a3e54bbee6ac75cfaf387c521e98709)
Runtime: go1.23.3 darwin/arm64

MinIO server version

❯ mc admin info storage
●  storage.example.host
   Uptime: 8 minutes
   Version: 2024-11-07T00:52:20Z
   Network: 1/1 OK
   Drives: 1/1 OK
   Pool: 1

System information

Minio Docker Compose

# Minio
MINIO_ROOT_USER=user
MINIO_ROOT_PASSWORD=key
MINIO_BROWSER_REDIRECT=false
---
#######################################################
# Networks
#######################################################
networks:
  minio:
    name: minio

#######################################################
# Minio service
#######################################################
x-minio-common: &minio-common
  image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
  command: server --console-address ":9001" /data
  restart: unless-stopped
  networks:
    - minio
  expose:
    - "9000"
    - "9001"
  env_file:
    - ./.env
  healthcheck:
    test: ["CMD", "mc", "ready", "local"]
    interval: 5s
    timeout: 5s
    retries: 5

services:
  minio:
    <<: *minio-common
    hostname: minio
    labels:
      - traefik.enable=true
      - traefik.http.routers.minio-console.rule=Host(`minio.example.host`)
      - traefik.http.routers.minio-console.entrypoints=websecure-internal
      - traefik.http.routers.minio-console.tls.certresolver=letsencrypt
      - traefik.http.services.minio-console.loadbalancer.server.port=9001
      - traefik.http.routers.minio-console.service=minio-console

      - traefik.http.routers.minio-api.rule=Host(`storage.example.host`)
      - traefik.http.routers.minio-api.entrypoints=websecure
      - traefik.http.routers.minio-api.tls.certresolver=letsencrypt
      - traefik.http.services.minio-api.loadbalancer.server.port=9000
      - traefik.http.routers.minio-api.service=minio-api

    volumes:
      - minio-data:/data

#######################################################
# Volumes
#######################################################
volumes:
  minio-data:
    # Minio storage
    driver: local
    driver_opts:
      type: "none"
      o: "bind"
      device: "/persistent-data/minio"

Log

GZ

2024-12-03T13:14:13.248 [STORAGE] storage.StatVol 127.0.0.1:9000 /data backup 32.28µs
2024-12-03T13:14:13.248 [200 OK] s3.GetBucketLocation storage.example.host/backup/?location=  IP   523µs       ⇣  504.048µs  ↑ 247 B ↓ 128 B
2024-12-03T13:14:13.388 [403 Forbidden] s3.GetObject storage.example.host/backup/ff.gz IP   292µs       ⇣  274.14µs  ↑ 267 B ↓ 421 B
2024-12-03T13:14:14.565 [OS] os.Lstat 127.0.0.1:9000 /data/.minio.sys/format.json 8.897µs
2024-12-03T13:14:14.565 [STORAGE] storage.DiskInfo 127.0.0.1:9000 /data 87.473µs

JSON

2024-12-03T13:17:12.370 [STORAGE] storage.StatVol 127.0.0.1:9000 /data backup 32.911µs
2024-12-03T13:17:12.370 [200 OK] s3.GetBucketLocation storage.example.host/backup/?location=  IP   431µs       ⇣  412.538µs  ↑ 247 B ↓ 128 B
2024-12-03T13:17:12.444 [OS] os.OpenFileR 127.0.0.1:9000 /data/backup/ff.json/xl.meta 50.905µs
2024-12-03T13:17:12.444 [STORAGE] storage.ReadXL 127.0.0.1:9000 /data backup ff.json 192.148µs 357 B
2024-12-03T13:17:12.443 [200 OK] s3.HeadObject storage.example.host/backup/ff.json IP   872µs       ⇣  822.37µs  ↑ 267 B ↓ 0 B
2024-12-03T13:17:12.515 [OS] os.OpenFileR 127.0.0.1:9000 /data/backup/ff.json/xl.meta 57.817µs
2024-12-03T13:17:12.515 [STORAGE] storage.ReadXL 127.0.0.1:9000 /data backup ff.json 154.608µs 357 B
2024-12-03T13:17:12.514 [200 OK] s3.HeadObject storage.example.host/backup/ff.json IP

AWS CLI

aws --endpoint-url=https://storage.example.host s3 presign backup/ff.tar.gz
https://storage.example.host/backup/ff.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=*****40a60a35f00d42fb710c

MinIO Console

no problems with uploading/downloading/sharing
@harshavardhana
Member

# Upload all test files
mc cp -r ./ minio/backup

# List files in the bucket
mc ls storage/backup
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.gz
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.gzip
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.tar
[2024-12-03 12:11:40 EET] 1.0MiB STANDARD ff.tar.gz
[2024-12-03 12:11:41 EET] 1.0MiB STANDARD ff.zip

# Make a presigned download link
mc share download storage/backup/ff.tar
mc share download storage/backup/ff.tar.gz
mc share download storage/backup/ff.zip
mc share download storage/backup/ff.gzip
mc share download storage/backup/ff.gz

you have copied the files to minio/backup by trying to generate presigned URL via storage/

@harshavardhana
Member

2024-12-03T13:14:13.388 [403 Forbidden] s3.GetObject storage.example.host/backup/ff.gz IP 292µs ⇣ 274.14µs ↑ 267 B ↓ 421 B

it clearly shows that you lack permissions @YouSysAdmin

@YouSysAdmin
Author

YouSysAdmin commented Dec 3, 2024

Hi @harshavardhana
All actions were performed using the root token that was used at the time of server init.
All files were uploaded using this token, and the command mc cp -r storage/backup/ff.gz ./ works correctly.

The problem is only with *.gz, *.tar.gz, *.tar, *.zip, *.gzip file types; all other file types work without any problems, and the problem reproduces only with mc (from the MinIO Console all actions also work without problems).

you have copied the files to minio/backup by trying to generate presigned URL via storage/

sorry, my mistake during anonymizing the report

@harshavardhana
Member

The problem is only with *.gz, *.tar.gz, *.tar, *.zip, *.gzip file types; all other file types work without any problems, and the problem reproduces only with mc (from the MinIO Console all actions also work without problems).

There is no such thing, the trace shows you don't have permissions.

@YouSysAdmin

This comment was marked as outdated.

@YouSysAdmin
Author

I went to bed and will not leave the access open.
If the MinIO team wants to continue the conversation in a constructive manner, not in the style of "you're stupid", reopen the issue; I'm ready to help.

@YouSysAdmin
Author

The problem is related to Cloudflare's frivolous attitude towards traffic caching.
If you encounter this problem, just disable caching for the domain/subdomain/path where the MinIO API is located.

Screenshot 2024-12-03 at 21 30 38

@klauspost
Contributor

Glad you figured it out 👍🏼
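
Added example, not part of the thread or of MinIO's code: in the traces above the failing object is logged as s3.GetObject while the working one is logged as s3.HeadObject, and SigV4 signs the HTTP method, so a signed request whose method differs on arrival fails verification. That an intermediary changed the method in this case is an assumption (the thread only reports that disabling caching fixed it); the secret key, region and timestamp are constructed values.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less request


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(method, host, path, secret_key, amz_date,
                    region="us-east-1", service="s3"):
    """SigV4 signature for a body-less, header-signed S3 request."""
    date = amz_date[:8]
    canonical_headers = (
        f"host:{host}\n"
        f"x-amz-content-sha256:{EMPTY_SHA256}\n"
        f"x-amz-date:{amz_date}\n"
    )
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([
        method,             # the HTTP verb is the first signed field
        path,
        "",                 # empty query string
        canonical_headers,
        signed_headers,
        EMPTY_SHA256,
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def server_accepts(received_method, client_signature, **req):
    """Server side: recompute the signature over the method that arrived."""
    expected = sigv4_signature(received_method, **req)
    return hmac.compare_digest(expected, client_signature)


# Constructed sample request; host and path mirror the anonymized report.
REQ = dict(host="storage.example.host", path="/backup/ff.gz",
           secret_key="constructed-secret", amz_date="20241203T131413Z")
client_sig = sigv4_signature("HEAD", **REQ)  # what the client signed
print("HEAD arrives as HEAD:", server_accepts("HEAD", client_sig, **REQ))
print("HEAD arrives as GET: ", server_accepts("GET", client_sig, **REQ))
```

When a 403 appears only behind a proxy or CDN, comparing the method and signed headers the client sent with what the server trace logged narrows down whether the request was altered in transit.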
