
Minio over HTTP (without SSL) as an S3 backend

Asked by alufers2 on Aug 31 2023, 11:07.

Details

Hello,
I have installed Phorge in a docker container and I want to use minio in another container as an S3 backend (it is compatible with AWS S3, but allows self-hosting). I have set amazon-s3.endpoint and friends to point to my minio docker container. And when trying to migrate or do anything that uses S3, I get this error:

Failed! HTTPFutureCURLResponseStatus: [cURL/35] (https://minio:9000/phorgeXXXXXXXXXXXXXX) <CURLE_SSL_CONNECT_ERROR> There was an error negotiating the SSL connection. This usually indicates that the remote host has a bad SSL certificate, or your local host has some sort of SSL misconfiguration which prevents it from accepting the CA. If you are using a self-signed certificate, see instructions in "arcanist/resources/ssl/README". in /var/www/phorge/arcanist/src/future/http/HTTPSFuture.php:520<LF>Stack trace:<LF>#0 /var/www/phorge/arcanist/src/future/Future.php(63): HTTPSFuture->isReady()<LF>#1 /var/www/phorge/arcanist/src/future/FutureProxy.php(35): Future->updateFuture()<LF>#2 /var/www/phorge/arcanist/src/future/Future.php(63): FutureProxy->isReady()<LF>#3 /var/www/phorge/arcanist/src/future/FutureIterator.php(224): Future->updateFuture()<LF>#4 /var/www/phorge/arcanist/src/future/FutureIterator.php(190): FutureIterator->next()<LF>#5 [internal function]: FutureIterator->rewind()<LF>#6 /var/www/phorge/arcanist/src/future/FutureIterator.php(84): iterator_to_array(Object(FutureIterator))<LF>#7 /var/www/phorge/arcanist/src/future/Future.php(47): FutureIterator->resolveAll()<LF>#8 /var/www/phorge/phorge/src/applications/files/engine/PhabricatorS3FileStorageEngine.php(80): Future->resolve()<LF>#9 /var/www/phorge/phorge/src/applications/files/storage/PhabricatorFile.php(553): PhabricatorS3FileStorageEngine->writeFile('BEGIN:VCALENDAR...', Array)<LF>#10 /var/www/phorge/phorge/src/applications/files/storage/PhabricatorFile.php(467): PhabricatorFile->writeToEngine(Object(PhabricatorS3FileStorageEngine), 'BEGIN:VCALENDAR...', Array)<LF>#11 /var/www/phorge/phorge/src/applications/files/management/PhabricatorFilesManagementMigrateWorkflow.php(214): PhabricatorFile->migrateToEngine(Object(PhabricatorS3FileStorageEngine), false)<LF>#12 /var/www/phorge/arcanist/src/parser/argument/PhutilArgumentParser.php(492): 
PhabricatorFilesManagementMigrateWorkflow->execute(Object(PhutilArgumentParser))<LF>#13 /var/www/phorge/arcanist/src/parser/argument/PhutilArgumentParser.php(377): PhutilArgumentParser->parseWorkflowsFull(Array)<LF>#14 /var/www/phorge/phorge/scripts/files/manage_files.php(21): PhutilArgumentParser->parseWorkflows(Array)<LF>#15 {main}
[2023-08-31 12:57:36] EXCEPTION: (HTTPFutureCURLResponseStatus) [cURL/35] (https://minio:9000/phorge/phabricator/fq/d3/oxaatgoymygkl3xd) <CURLE_SSL_CONNECT_ERROR> There was an error negotiating the SSL connection. This usually indicates that the remote host has a bad SSL certificate, or your local host has some sort of SSL misconfiguration which prevents it from accepting the CA. If you are using a self-signed certificate, see instructions in "arcanist/resources/ssl/README". at [<arcanist>/src/future/http/HTTPSFuture.php:520]
arcanist(), phorge()
  #0 Future::updateFuture() called at [<arcanist>/src/future/FutureProxy.php:35]
  #1 FutureProxy::isReady() called at [<arcanist>/src/future/Future.php:63]
  #2 Future::updateFuture() called at [<arcanist>/src/future/FutureIterator.php:224]
  #3 FutureIterator::next() called at [<arcanist>/src/future/FutureIterator.php:190]
  #4 FutureIterator::rewind()
  #5 iterator_to_array(FutureIterator) called at [<arcanist>/src/future/FutureIterator.php:84]
  #6 FutureIterator::resolveAll() called at [<arcanist>/src/future/Future.php:47]
  #7 Future::resolve() called at [<phorge>/src/applications/files/engine/PhabricatorS3FileStorageEngine.php:80]
  #8 PhabricatorS3FileStorageEngine::writeFile(string, array) called at [<phorge>/src/applications/files/storage/PhabricatorFile.php:553]
  #9 PhabricatorFile::writeToEngine(PhabricatorS3FileStorageEngine, string, array) called at [<phorge>/src/applications/files/storage/PhabricatorFile.php:467]
  #10 PhabricatorFile::migrateToEngine(PhabricatorS3FileStorageEngine, boolean) called at [<phorge>/src/applications/files/management/PhabricatorFilesManagementMigrateWorkflow.php:214]
  #11 PhabricatorFilesManagementMigrateWorkflow::execute(PhutilArgumentParser) called at [<arcanist>/src/parser/argument/PhutilArgumentParser.php:492]
  #12 PhutilArgumentParser::parseWorkflowsFull(array) called at [<arcanist>/src/parser/argument/PhutilArgumentParser.php:377]
  #13 PhutilArgumentParser::parseWorkflows(array) called at [<phorge>/scripts/files/manage_files.php:21]
root@ecfd341f27dd:/var/www/phorge/phorge#

It stems from the fact that Phorge expects the S3 endpoint to be HTTPS, but minio exposes its API over plain HTTP. Due to the fact that they communicate over the local docker network, encryption seems unnecessary, and would add more pain points related to certificate management - for no apparent benefit.

After some investigation I have found that the HTTPS part is hardcoded into PhutilAWSFuture (https://we.phorge.it/source/arcanist/browse/master/src/future/aws/PhutilAWSFuture.php$101), so HTTP communication would be impossible regardless of any configuration. Would Phorge accept a patch that adds another configuration option for selecting between http/https in the S3 storage backend (I think I could contribute one)?

Best regards and many thanks for maintaining such a good piece of software,
Albert

Answers

avivey
Updated 478 Days Ago

Maybe not in the form of "another config", but replacing/changing the existing "host" config with something that includes a schema - http or https - I don't see why not...
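
One way the suggestion above could look, as an added sketch that is not Phorge or Arcanist code: an endpoint value that may carry its own scheme is parsed so that a bare host still means HTTPS and plain HTTP is used only when written out explicitly. The function name and the returned array keys are hypothetical, and the sample values are constructed.

```php
<?php
// Added illustration; not Phorge or Arcanist code. All names are hypothetical.

/**
 * Split an endpoint setting such as "minio:9000" or "http://minio:9000"
 * into scheme, host and port. A bare host keeps the existing HTTPS behaviour.
 */
function example_parse_s3_endpoint(string $endpoint): array {
  $endpoint = trim($endpoint);
  if ($endpoint === '') {
    throw new InvalidArgumentException('Endpoint is empty.');
  }

  // No explicit scheme: default to HTTPS, never silently to HTTP.
  if (strpos($endpoint, '://') === false) {
    $endpoint = 'https://'.$endpoint;
  }

  $parts = parse_url($endpoint);
  if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
    throw new InvalidArgumentException("Cannot parse endpoint: {$endpoint}");
  }

  $scheme = strtolower($parts['scheme']);
  if (!in_array($scheme, array('http', 'https'), true)) {
    throw new InvalidArgumentException("Unsupported scheme: {$scheme}");
  }

  // Credentials, queries and paths do not belong in an endpoint setting.
  foreach (array('user', 'pass', 'query', 'fragment') as $key) {
    if (isset($parts[$key])) {
      throw new InvalidArgumentException("Unexpected '{$key}' in endpoint.");
    }
  }
  if (isset($parts['path']) && $parts['path'] !== '/') {
    throw new InvalidArgumentException('Endpoint must not contain a path.');
  }

  return array(
    'scheme' => $scheme,
    'host' => $parts['host'],
    'port' => $parts['port'] ?? ($scheme === 'https' ? 443 : 80),
    // Lets the caller log or warn that this backend is unencrypted.
    'cleartext' => ($scheme === 'http'),
  );
}

// Constructed sample values: bare host, explicit HTTP, upper-case scheme.
foreach (array('minio:9000', 'http://minio:9000', 'HTTPS://s3.example.com') as $value) {
  $e = example_parse_s3_endpoint($value);
  printf("%-24s -> %s://%s:%d%s\n", $value, $e['scheme'], $e['host'], $e['port'],
    $e['cleartext'] ? ' (cleartext)' : '');
}
```

Request signing authenticates S3 requests but does not encrypt them, so the `cleartext` flag marks endpoints where file contents cross the network unencrypted.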
