Rclone says AccessDenied: Forbidden: Invalid signature #895
Reference: Deuxfleurs/garage#895
Hi, I read all the issues, for example #700, but I am not understanding what's going on
server: 1.0.1
created rclone config:
but I get AccessDenied: Forbidden: Invalid signature
If I change region to something else, the error is different.
I tried to also add those extra parameters but they don't have effect:
Tried also to force on v2 auth, but it replies unsupported authorization method.
With other clients everything works fine. I don't understand if I'm doing something wrong and missed something obvious in the configuration, if it's a bug of rclone v1.68.1, or if it's a bug of garage
@Promotion1877 can you give some data of what garage is logging in response to these requests?
sorry, missed the notification.
Requesting
(in this case I used rclone on my phone but it's the same error when I use it on the desktop with the same config file)
I get in the logs:
Shouldn't the rclone command line specify the bucket name? I.e. rclone ls garage:xxx -vv ?
I get the same result with the bucket name specified
from
x.x.x.x:3903/v1/bucket?list
command
rclone ls garage:pixel7 -vv
in the logs:
edit: also tried to use the id instead of alias but I get
This looks like a misconfiguration somewhere. What does
garage key info <keyname>
say? Does it have access to the pixel7 bucket?
yes it looks like it has access. With winscp I can log in to this bucket using the same key with no issue
I just noticed this in one of your logs above:
Are you using an https proxy (this could explain signature failure, as the http host header is part of it)?
I'd suggest that you paste all the configurations here (rclone, proxy if any, eventually garage.toml as well), as unmodified/unobfuscated as possible.
Hi, I investigated more after you said: I directly connected to port 3900 http (no SSL) and rclone commands worked without this signature problem.
So it might be the issue of the proxy server? I'm using cloudflared in the docker compose as a proxy server
But with aws cli, winscp and cyberduck I don't get any problem with the same config
The signature uses the (http) hostname. rclone computes the signature using the hostname in the endpoint setting ("s3.example.com" in your rclone.conf above). If your proxy server provides a different hostname to garage (which seems to be "garage" in the above screenshot; actually, your screenshot seems to indicate you're explicitly setting the "HTTP Host Header"), then garage computes a different signature, resulting in a signature mismatch.
I changed to use caddy as a reverse proxy and still get the signature error
Caddyfile (I copy/pasted and used it verbatim from documentation):
garage.toml
I'm not understanding what's wrong
Try adding
header_up Host hostname
to your caddy configuration (within reverse_proxy {} block), where hostname matches the hostname used in rclone configuration endpoint directive.
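Why a rewritten Host header produces "Invalid signature", as an added example that is not part of the thread and is not code from Garage or rclone: a minimal AWS Signature V4 computation in which the client signs with the hostname from its endpoint setting and the server recomputes the signature from the Host header it actually received. The key pair, region, date and path are constructed sample values, and `server_accepts` is a hypothetical helper.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
SECRET_KEY = "example-secret-key"
REGION = "us-east-1"
AMZ_DATE = "20240101T000000Z"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a bodyless request


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(host: str, method: str = "GET", path: str = "/pixel7", query: str = "") -> str:
    """SigV4 signature of a bodyless request; the Host header is one of the signed headers."""
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_headers = (
        f"host:{host}\n"
        f"x-amz-content-sha256:{EMPTY_SHA256}\n"
        f"x-amz-date:{AMZ_DATE}\n"
    )
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, EMPTY_SHA256]
    )
    scope = f"{AMZ_DATE[:8]}/{REGION}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", AMZ_DATE, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (AMZ_DATE[:8], REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def server_accepts(client_endpoint_host: str, host_seen_by_server: str) -> bool:
    """Client signs with its endpoint host; server recomputes from the Host it received."""
    client_sig = sigv4_signature(client_endpoint_host)
    server_sig = sigv4_signature(host_seen_by_server)
    return hmac.compare_digest(client_sig, server_sig)


if __name__ == "__main__":
    # Proxy passes the original Host through: signatures match.
    print("Host preserved:", server_accepts("s3.example.com", "s3.example.com"))
    # Proxy rewrites Host to the upstream name: signatures differ.
    print("Host rewritten:", server_accepts("s3.example.com", "garage"))
```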