How to customize AccessDenied page of MinIO? - nginx

When the expiration date of MinIO links passes, it responds with an XML like this:
<Error>
<Code>AccessDenied</Code>
<Message>Request has expired</Message>
<Key>key-of-the-resource</Key>
<BucketName>bucket-name</BucketName>
<Resource>/path-to/teh-resource</Resource>
<RequestId>16FC78B1C6185XC7</RequestId>
<HostId>5d405266-91b9-XXXX-ae27-c48694f203d5</HostId>
</Error>
Is there any way to customize this page by some sort of configuration inside the MinIO? I didn't find any related config on their documents.
Other potential solutions:
Use redirect links on my backend, and check if this link was expired, then redirect it to another page
Maybe we can use Nginx, but I don't know what the directives are. I appreciate your help with that.
Update
complete response headers:
$ curl <minio-url> -I
HTTP/2 403
date: Tue, 05 Jul 2022 12:51:13 GMT
content-length: 0
accept-ranges: bytes
content-security-policy: block-all-mixed-content
strict-transport-security: max-age=15724800; includeSubDomains
vary: Origin
vary: Accept-Encoding
x-amz-request-id: 16FEEFE391X98X88
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
complete response:
$ curl <minio-url>
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Request has expired</Message><Key>new_structure/7553257.jpg</Key><BucketName>storage</BucketName><Resource>/decodl-storage/new_structure/7553257.jpg</Resource><RequestId>16FEEFFB573XXXXC</RequestId><HostId>5d405266-91b9-xxxx-ae27-c48694f203d5</HostId></Error>

Assuming your 403 error returns with the Content-Type header set to text/xml, you can transform this XML response to HTML with nginx using XSL Transformations. To do it you'll need the XSLT module, and you should be aware this module is not built by default; it should be installed additionally as a dynamic module (or enabled with the --with-http_xslt_module configuration parameter when you build nginx from the sources).
After you install the module, you should specify the xslt_stylesheet directive under the location used to proxy requests to the MinIO backend:
location ... {
    xslt_stylesheet /path/to/error.xslt;
    ...
}
Here is an example of the XSLT file that can be used to transform the XML response you've shown in your question:
<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" encoding="UTF-8" />
<xsl:template match="/">
<xsl:text disable-output-escaping="yes">&lt;!DOCTYPE html&gt;</xsl:text>
<html>
<head>
<title><xsl:value-of select="Error/Code"/></title>
</head>
<style type="text/css">
body {
height: 100vh;
margin: 0;
display: flex;
flex-direction: column;
align-items: center;
justify-content: center;
}
p {
font-weight: bold;
}
.itemvalue {
font-family: monospace, monospace;
font-weight: normal;
font-size: 1em;
}
</style>
<body>
<h1><xsl:value-of select="Error/Message"/></h1>
<p>Additional information:</p>
<table><tbody>
<xsl:for-each select="Error/*[not(name()='Code' or name()='Message')]">
<tr>
<td class="itemname"><xsl:value-of select="local-name()"/>:</td>
<td class="itemvalue"><xsl:value-of select="."/></td>
</tr>
</xsl:for-each>
</tbody></table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
The above file, being applied to the response sample, will give you the following:
You can style the output however you like. I think this question is not about web design (and I'm not a designer), however the provided information should be enough to be an example that you can adapt to your needs.
Update
If your MinIO response comes with a somewhat different MIME content type, e.g. application/xml, you'd need to add that content type to the list of MIME types processed by the XSLT module with the xslt_types directive:
location ... {
    xslt_types application/xml;
    xslt_stylesheet /path/to/error.xslt;
    ...
}
Digging further into the XSLT I finished up with a somewhat different XSLT file. This one will transform only error messages containing the Error top level node, leaving any other response unchanged:
<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/Error">
<html>
<head>
<title><xsl:value-of select="./Code"/></title>
</head>
<style type="text/css">
/* custom CSS styles, see the previous example */
</style>
<body>
<h1><xsl:value-of select="./Message"/></h1>
<p>Additional information:</p>
<table><tbody>
<xsl:for-each select="./node()[not(self::Code or self::Message)]">
<tr>
<td class="itemname"><xsl:value-of select="local-name()"/>:</td>
<td class="itemvalue"><xsl:value-of select="."/></td>
</tr>
</xsl:for-each>
</tbody></table>
</body>
</html>
</xsl:template>
<xsl:template match="/node()[not(self::Error)]">
<xsl:copy-of select="."/>
</xsl:template>
</xsl:stylesheet>
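A stricter variant of the stylesheet above, as an added example that is not part of the original answer: instead of listing every child of Error, it prints fixed wording plus only RequestId, so the bucket name, object key, resource path and HostId from the MinIO error are not shown to the visitor. The user-facing wording and the choice to keep RequestId are assumptions to adapt.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- MinIO/S3 error document: render a fixed page from allow-listed fields -->
  <xsl:template match="/Error">
    <html>
      <head>
        <title>Link unavailable</title>
      </head>
      <body>
        <xsl:choose>
          <!-- The case from the question: an expired presigned link -->
          <xsl:when test="Code = 'AccessDenied' and Message = 'Request has expired'">
            <h1>This link has expired</h1>
            <p>Please request a new link.</p>
          </xsl:when>
          <!-- Any other error: generic wording, upstream Message is not echoed -->
          <xsl:otherwise>
            <h1>Access denied</h1>
          </xsl:otherwise>
        </xsl:choose>
        <!-- RequestId is kept so a report can be matched to the MinIO logs.
             Key, BucketName, Resource and HostId are deliberately not emitted.
             xsl:value-of escapes markup; do not add disable-output-escaping here. -->
        <xsl:if test="normalize-space(RequestId)">
          <p>Reference: <code><xsl:value-of select="RequestId"/></code></p>
        </xsl:if>
      </body>
    </html>
  </xsl:template>

  <!-- Any other XML root passes through unchanged, as in the answer's second stylesheet -->
  <xsl:template match="/node()[not(self::Error)]">
    <xsl:copy-of select="."/>
  </xsl:template>

</xsl:stylesheet>
```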

For those who may come across this question for ingress, I've created this Dockerfile for ingress-nginx-controller; you can build it and then use your image inside the ingress-nginx-controller deployment.
FROM k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6 as builder
USER root
WORKDIR /tmp
RUN apk add git openssl-dev pcre-dev zlib-dev libc-dev gcc make libxml2 libxslt-dev
RUN NGINX_VERSION=$(nginx -v 2>&1 | sed 's/nginx version: nginx\///') && \
    wget -qO- https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz | tar xvz && \
    mv nginx-${NGINX_VERSION} nginx
RUN ls ./nginx
RUN cd ./nginx && \
    ./configure --with-compat --with-http_xslt_module=dynamic && make modules
FROM k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
USER root
RUN apk add libxml2 libxslt-dev
USER 101
COPY --from=builder /tmp/nginx/objs/ngx_http_xslt_filter_module.so /etc/nginx/modules
Then you can load the module with this configMap. Don't forget to restart deployment after applying the ConfigMap:
apiVersion: v1
data:
  main-snippet: |
    load_module /etc/nginx/modules/ngx_http_xslt_filter_module.so;
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
And finally, you can use the XSLT module inside your ingresses:
metadata:
  annotations:
    ...
    nginx.ingress.kubernetes.io/configuration-snippet: |
      xslt_types application/xml;
      xslt_stylesheet /tmp/files/minio.xslt;
To mount the volume you can use ConfigMaps like this:
k -n ingress-nginx create configmap minio-xslt --from-file=</path/to/your/xslt-containing-folder>
Don't forget to update your deployment YAML file:
# k -n ingress-nginx edit deployments.apps ingress-nginx-controller
spec:
  ...
  template:
    ...
    spec:
      ...
        volumeMounts:
        ...
        - mountPath: /tmp/files
          name: minio-xslt
      ...
      volumes:
      ...
      - configMap:
          name: minio-xslt
        name: minio-xslt

Related

HERE GET batch geocoding response 403 but job is complete

I successfully submitted a batch geocoding request...
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:SearchBatch xmlns:ns2="http://www.navteq.com/lbsp/Search-Batch/1">
<Response>
<MetaInfo>
<RequestId>CAOxHo4SFaj17sSB2UyTxeoDKHZR77f9</RequestId>
</MetaInfo>
<Status>accepted</Status>
<TotalCount>0</TotalCount>
<ValidCount>0</ValidCount>
<InvalidCount>0</InvalidCount>
<ProcessedCount>0</ProcessedCount>
<PendingCount>0</PendingCount>
<SuccessCount>0</SuccessCount>
<ErrorCount>0</ErrorCount>
</Response>
</ns2:SearchBatch>
And when I GET status, the job is completed....
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:SearchBatch xmlns:ns2="http://www.navteq.com/lbsp/Search-Batch/1">
<Response>
<MetaInfo>
<RequestId>CAOxHo4SFaj17sSB2UyTxeoDKHZR77f9</RequestId>
</MetaInfo>
<Status>completed</Status>
<JobStarted>2019-10-31T00:11:58.000Z</JobStarted>
<JobFinished>2019-10-31T00:12:26.000Z</JobFinished>
<TotalCount>13291</TotalCount>
<ValidCount>13291</ValidCount>
<InvalidCount>0</InvalidCount>
<ProcessedCount>13291</ProcessedCount>
<PendingCount>0</PendingCount>
<SuccessCount>13291</SuccessCount>
<ErrorCount>0</ErrorCount>
</Response>
However, when I then go to get the response, I get 403 forbidden
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body>
</html>
I am using the endpoint outlined here: https://developer.here.com/documentation/batch-geocoder/topics/example-get-results.html
In this case you need to pass correct apikey to download the result.
https://batch.geocoder.ls.hereapi.com/6.2/jobs/CAOxHo4SFaj17sSB2UyTxeoDKHZR77f9/result?apiKey={}
Also refer https://developer.here.com/documentation/batch-geocoder/dev_guide/topics/example-get-results.html

Handle frontend login and authentication via LDAP

I've created an MPGW policy to add a front page to authenticate before going to the backside:
Requests Rules:
Rule1 : Matchrule: /favicon.ico
Rule2: Matchrule: /loginpage.html Transform: xsl stylesheet to display an HTML login page and add the login & password to the query params in the URL
Rule3: Matchrule: /wps/portal/Home Transform: xsl stylesheet to extract login/password from the URL and authenticate the user with LDAP (dp:ldap-authen()) and write the result in a context variable
and here is my problem:
Response Rules:
Rule4: Matchrule: "/" Transform : xsl stylesheet " I want to do: if the context variable is OK, nothing to do, else display an HTML error page " !!!??
I've written in the response stylesheet something like:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:dp="http://www.datapower.com/extensions" xmlns:re="http://exslt.org/regular-expressions"
extension-element-prefixes="dp re"
exclude-result-prefixes="dp re">
<xsl:output method="html"/>
<xsl:template match="/">
<xsl:if test="string-length(dp:variable('var://context/LDAP_Auth_Status')) = 0">
<!--ERROR-->
<html>
<head>
<title> Error Page</title>
</head>
<body>
<h2> Error USER VALIDITY </h2>
<strong>doom!!</strong>
</body>
</html>
</xsl:if>
</xsl:template>
</xsl:stylesheet>
First, Rule4: Matchrule: "*" should be an asterisk if you want it to match anything.
Secondly, is there a backside response?
Else you have to add a var://service/skip-backside=1 if the Response rule should be run. It will go to the Error rule otherwise.
Also it is good practice to not add values into the context. You should use context variables, e.g.:
var://context/LDAPInfo/LDAP_Auth_Status
You can use <xsl:message dp:priority="debug"> to add information into the logs for an easier way to find values. Also use the Probe to find Context variable values and see how the flow runs.

EasyAdminBundle entities labels translations

I'm unable to configure translations. My config.yml has (among others) this entry:
easy_admin:
    entities:
        Blog:
            label: app.blog
            class: AppBundle\Entity\Blog
I've also created a translation resource: messages.es.xliff with this entry:
<?xml version="1.0" encoding="utf-8"?>
<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
<file source-language="es" target-language="es" datatype="plaintext" original="file.ext">
<body>
<trans-unit id="app.blog">
<source>app.blog</source>
<target>Blog</target>
</trans-unit>
</body>
</file>
</xliff>
but the translated literal doesn't appear in the left menu.
Thank you very much for your help.
At last I've changed the name of the translation resource to EasyAdminBundle.es.yml and now everything works fine.
Ensure you have the translator service enabled. In app/config/config.yml:
framework:
    translator: { fallbacks: ["en"] }

Gitlab Atom feed entries link configuration

I just found out my Gitlab's Atom feed does not serve public URLs for entry links.
My Atom feed URL is at http://MY_PUBLIC_URL.ltd/dashboard.atom?private_token=XXXXXXXX
But generated entries are like:
<entry>
<id>tag:192.168.0.105,2014-06-03:189</id>
<link href="http://192.168.0.105/team/project/issues/2"/>
<title>User commented on issue #16 at My project / my repo</title>
<updated>2014-06-03T05:46:26Z</updated>
<media:thumbnail width="40" height="40" url="http://www.gravatar.com/avatar/7fe0e43839bea9ad3e28344e6f9306bb?s=40&d=mm"/>
<author>
<name>Author's name</name>
<email>user#bMY_PUBLIC_DOMAIN.ltd</email>
</author>
<summary type="xhtml">
</summary>
</entry>
So as you can see, it uses 192.168.0.105 instead of MY_PUBLIC_URL, even though gitlab.yml is defined so:
production: &base
  gitlab:
    host: MY_PUBLIC_URL
    port: 80

Symfony2 - "Invalid Resource Exception" when translating twig template

I am trying to translate labels in my twig template located in Resources/views/User/ folder:
<label for="username">{% trans %}Username{% endtrans %} </label>
And the following is a section from my login.ka.xliff file located in my project under "translations" folder:
<?xml version="1.0"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
<file source-language="en" datatype="plaintext" original="file.ext">
<body>
<trans-unit id="1">
<source>Username</source>
<target>მომხმარებელი</target>
</trans-unit>
</body>
</file>
</xliff>
and this is my route to the login page:
login:
    path: /login/{_locale}
    defaults: { _controller: ExampleBundle:LogIn:login }
    requirements:
        _locale: en|ka
I have two problems:
When I try to open the login page with a locale (say, ka) I get the:
500 Internal Server Error - Twig_Error_Runtime
1 linked Exception:
InvalidResourceException »
I know I can get the locale from request using $request->getLocale(); but how do I specify that login page should use login.ka.xliff file for translations?
Ok, I seem to have provided not enough info, so here it is:
I put my translation file in Example:MyBundle:Resources:translations (this is what I meant above "in my project").
I get an exception when rendering my login view and the following is the full version of the exception I get:
"An exception has been thrown during the rendering of a template ("") in ExampleMyBundle:User:login.html.twig at line 32.
500 Internal Server Error - Twig_Error_Runtime
1 linked Exception:
InvalidResourceException »"
And yes, I did try clearing cache each time I made changes, but it didn't help.
And also, I added the complete version of my login.ka.xliff file.
Thanks again!
Your xliff file seems to be invalid - it should look like this: ( containing the xml-namespace, body, ... ).
<!-- messages.ka.xliff -->
<?xml version="1.0"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
<file source-language="en" datatype="plaintext" original="file.ext">
<body>
<trans-unit id="1">
<source>Username</source>
<target>მომხმარებელი</target>
</trans-unit>
</body>
</file>
</xliff>
The file should be named messages.ka.xliff if you haven't actually specified a different translation domain in your template!
{{ 'Username'|trans({}, "login") }}
... or configured a different default translation-domain in your template ...
{% trans_default_domain "login" %}
<trans-unit id="1">
<source>Username</source>
<target>მომხმარებელი</target>
</trans-unit>
... is an invalid xliff-file.
