all: initial files

.config/example.env

@@ -0,0 +1,19 @@
+## obs-access-signer
+#
+HTTP_ADDR=0.0.0.0:9002
+OBS_ENDPOINT=minio:9000
+OBS_BUCKET_NAME=test-bucket
+OBS_SECURE=false
+LOG_LEVEL=DEBUG
+AWS_ACCESS_KEY=example-minio-access
+AWS_SECRET_KEY=example-minio-secret
+# AWS_SESSION_TOKEN
+
+# accessible S3 gateway
+OBS_HOST_REDIRECT=127.0.0.1:9000
+
+
+## Infra
+# minio, mc
+MINIO_ACCESS_KEY=example-minio-access
+MINIO_SECRET_KEY=example-minio-secret

.dockerignore

@@ -0,0 +1 @@
+.git/

.drone.yml

@@ -0,0 +1,5 @@
+kind: pipeline
+type: docker
+name: default
+
+steps: []

.env.example

@@ -0,0 +1,13 @@
+## obs-access-signer
+#
+HTTP_ADDR=127.0.0.1:9003
+OBS_ENDPOINT=127.0.0.1:9000
+OBS_BUCKET_NAME=test-bucket
+OBS_SECURE=false
+LOG_LEVEL=DEBUG
+AWS_ACCESS_KEY=example-minio-access
+AWS_SECRET_KEY=example-minio-secret
+# AWS_SESSION_TOKEN
+
+# accessible S3 gateway
+OBS_HOST_REDIRECT=127.0.0.1:9000

.gitignore

@@ -0,0 +1 @@
+.env

.vscode/launch.json

@@ -0,0 +1,22 @@
+{
+    "configurations": [
+        {
+            "name": "Launch server on external",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}",
+            "host": "127.0.0.1",
+            "port": 10500,
+            "showGlobalVariables": true,
+        },
+        {
+            "name": "Launch server",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}",
+            "showGlobalVariables": true,
+        }
+    ]
+}

.vscode/tasks.json

@@ -0,0 +1,11 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Run dlv",
+            "type": "shell",
+            "command": "dlv dap --check-go-version --listen 127.0.0.1:10500",
+            "group": "build",
+        },
+    ],
+}

Dockerfile

@@ -0,0 +1,18 @@
+FROM ii64/golang-zig:go1.18-alpine3.15-zig AS builder
+
+WORKDIR /build
+COPY . /build
+
+RUN apk add --no-cache \
+    make
+
+RUN --mount=type=cache,mode=0755,target=/go/pkg/mod make dep
+RUN make build
+
+
+FROM gcr.io/distroless/static-debian11
+
+WORKDIR /app
+COPY --from=builder /build/obs-access-signer /app/obs-access-signer
+
+ENTRYPOINT [ "/app/obs-access-signer" ]

LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -0,0 +1,24 @@
+all: build
+
+export DOCKER_BUILDKIT=1
+
+IMAGE := obs-access-signer:dev
+
+# use zig cc/c++ to statically link deps
+TARGET_TRIPLE := x86_64-linux
+
+CFLAGS ?=
+CFLAGS += -target $(TARGET_TRIPLE)
+CXXFLAGS ?=
+CXXFLAGS += -target $(TARGET_TRIPLE)
+GOFLAGS ?=
+GOFLAGS += -x -trimpath
+
+dep:
+	go mod download
+
+build:
+	CGO_ENABLED=0 CC="zig cc $(CFLAGS)" CXX="zig c++ $(CXXFLAGS)" go build $(GOFLAGS) .
+
+build.docker:
+	"docker" build --progress=plain -t $(IMAGE) .

README.md

@@ -0,0 +1,16 @@
+# obs-access-signer
+
+S3 Object Storage access signer.
+
+Run `obs-access-signer` behind a gateway/cache proxy is preferred as the response is static.
+
+There's an example of using it with Varnish Cache, you can see [here](docker/docker-compose.yaml).
+
+## Why?
+
+Some S3-compatible gateway might not support ACL endpoints but they are support presigned access. Currently, the behavior of `obs-access-signer` is similar to `public-read` ACL where clients can access objects anonymously and redirect them (permanently) to presigned url with `Expires` set to the max signed value of `int64` which has roughly 250yrs lifetime since unix time started.
+
+
+## License
+
+Apache-2.0

docker/Makefile

@@ -0,0 +1,4 @@
+
+
+gen-minio-access:
+	docker compose run --rm minio 

docker/default.vcl

@@ -0,0 +1,113 @@
+#
+# This is an example VCL file for Varnish.
+#
+# It does not do anything by default, delegating control to the
+# builtin VCL. The builtin VCL is called when there is no explicit
+# return statement.
+#
+# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
+# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.
+
+# Marker to tell the VCL compiler that this VCL has been adapted to the
+# new 4.0 format.
+vcl 4.0;
+
+# Default backend definition. Set this to point to your content server.
+backend default {
+    .host = "obs-access-signer";
+    .port = "9002";
+    .connect_timeout = 300s;
+    .first_byte_timeout = 300s;
+    .between_bytes_timeout = 300s;
+    .max_connections = 800;
+}
+
+sub vcl_hash {
+    hash_data(req.url);
+    if (req.http.Host) {
+        hash_data(req.http.Host);
+    } else {
+        hash_data(server.ip);
+    }
+}
+
+sub vcl_recv {
+    # Happens before we check if we have this in cache already.
+    #
+    # Typically you clean up the request here, removing cookies you don't need,
+    # rewriting the request, etc.
+    
+    if (req.method == "PRI") {
+        /* We do not support SPDY or HTTP/2.0 */
+        return (synth(405));
+    }
+
+    # remove port from Host
+    set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");
+
+    /* Backend accept HEAD and GET only */
+    if (req.method != "GET" && req.method != "HEAD") {
+        return (synth(405));
+    }
+
+    # Ignore the query string
+    set req.url = regsub(req.url, "\?.*$", "");
+
+    return (hash);
+}
+
+sub vcl_backend_response {
+    # Happens after we have read the response headers from the backend.
+    #
+    # Here you clean the response headers, removing silly Set-Cookie headers
+    # and other mistakes your backend does.
+
+    # Don't cache 400s
+    if (beresp.status >= 400) {
+        set beresp.uncacheable = true;
+        set beresp.http.X-Cacheable = "NO: beresp.status";
+        set beresp.ttl = 0s;
+        return (deliver);
+    }
+
+    # keep last content in case backend goes down.
+    set beresp.grace = 6h;
+
+    # cache timeout
+    set beresp.ttl = 1h;
+
+    return (deliver);
+}
+
+sub vcl_deliver {
+    # Happens when we have all the pieces we need, and are about to send the
+    # response to the client.
+    #
+    # You can do accounting or modifying the final object here.
+
+    set resp.http.Via = regsuball(resp.http.Via, "\s\([a-zA-Z0-9\/.]+\)", "");
+    set resp.http.Server = "VOAS";
+
+    # Debug header to see if it's a HIT/MISS and the number of hits
+    if (obj.hits > 0) {
+        set resp.http.X-Cache = "HIT";
+    } else {
+        set resp.http.X-Cache = "MISS";
+    }
+
+    # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object
+    # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details.
+    # So take hits with a grain of salt
+    set resp.http.X-Cache-Hits = obj.hits;
+
+    unset resp.http.Date;
+    unset resp.http.Age;
+    # unset resp.http.Server;
+    # unset resp.http.Via;
+
+    return (deliver);
+}
+
+sub vcl_backend_error {
+    return (retry);
+}

docker/docker-compose.yaml

@@ -0,0 +1,62 @@
+version: '3'
+
+services:
+  # obs access signer
+  obs-access-signer:
+    image: obs-access-signer:dev
+    networks:
+      - obs
+    build:
+      context: ..
+    env_file:
+      - ../.config/example.env
+    ports:
+      - "127.0.0.1:9002:9002"
+
+  # Varnish cache proxy
+  varnish:
+    image: varnish:stable
+    networks:
+      - obs
+    volumes:
+      - ./default.vcl:/etc/varnish/default.vcl:ro
+    ports:
+      - "127.0.0.1:8080:80"
+      - "127.0.0.1:8443:8443"
+
+  # intended as S3-compatible gateway test
+  minio:
+    image: quay.io/minio/minio
+    networks:
+      - obs
+    env_file:
+      - ../.config/example.env
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    ports:
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:9001:9001"
+  
+  # setup minio bucket
+  mc-create-bucket:
+    image: minio/mc
+    networks:
+      - obs
+    env_file:
+      - ../.config/example.env
+    entrypoint:
+      - sh
+      - -c
+      - |
+        mc config host add min http://minio:9000 $$MINIO_ACCESS_KEY $$MINIO_SECRET_KEY
+        mc rm -r --force min/$$OBS_BUCKET_NAME
+        mc mb min/$$OBS_BUCKET_NAME
+        mc policy download min/$$OBS_BUCKET_NAME
+    depends_on:
+      - minio
+
+networks:
+  obs: {}

go.mod

@@ -0,0 +1,34 @@
+module github.com/ii64/obs-access-signer
+
+go 1.19
+
+require (
+	github.com/joho/godotenv v1.4.0
+	github.com/minio/minio-go/v7 v7.0.45
+	github.com/valyala/fasthttp v1.43.0
+	go.uber.org/zap v1.24.0
+)
+
+require (
+	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.1.0 // indirect
+	github.com/minio/md5-simd v1.1.2 // indirect
+	github.com/minio/sha256-simd v1.0.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/rs/xid v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/goleak v1.1.12 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
+	golang.org/x/net v0.0.0-20220906165146-f3363e06e74c // indirect
+	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/ini.v1 v1.66.6 // indirect
+)

go.sum

@@ -0,0 +1,107 @@
+github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
+github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
+github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
+github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.1.0 h1:eyi1Ad2aNJMW95zcSbmGg7Cg6cq3ADwLpMAP96d8rF0=
+github.com/klauspost/cpuid/v2 v2.1.0/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
+github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
+github.com/minio/minio-go/v7 v7.0.45 h1:g4IeM9M9pW/Lo8AGGNOjBZYlvmtlE1N5TQEYWXRWzIs=
+github.com/minio/minio-go/v7 v7.0.45/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASMg2/nvmbarw=
+github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g=
+github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/xid v1.4.0 h1:qd7wPTDkN6KQx2VmMBLrpHkiyQwgFXRnkOLacUiaSNY=
+github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.43.0 h1:Gy4sb32C98fbzVWZlTM1oTMdLWGyvxR03VhM6cBIU4g=
+github.com/valyala/fasthttp v1.43.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY=
+github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
+go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220906165146-f3363e06e74c h1:yKufUcDwucU5urd+50/Opbt4AYpqthk7wHpHok8f1lo=
+golang.org/x/net v0.0.0-20220906165146-f3363e06e74c/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI=
+gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

main.go

@@ -0,0 +1,88 @@
+package main
+
+import (
+	"flag"
+	"os"
+	"strconv"
+
+	_ "github.com/joho/godotenv/autoload"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+var (
+	httpAddr string
+	logLevel string
+	// obsSignedUrlExpiry time.Duration
+	zapLogLevel   zapcore.Level
+	postFlagParse = []func(){}
+)
+
+func init() {
+	var err error
+	_ = err
+
+	// app
+	flag.StringVar(&httpAddr, "addr", os.Getenv("HTTP_ADDR"), "Server address")
+
+	// log
+	flag.StringVar(&logLevel, "log-level", os.Getenv("LOG_LEVEL"), "Log level")
+	qpostFlagParse(func() {
+		err := zapLogLevel.UnmarshalText([]byte(logLevel))
+		if err != nil {
+			zapLogLevel = zapcore.InfoLevel
+		}
+	})
+
+	// OBS
+	flag.StringVar(&defaultObsOpts.Endpoint, "obs-endpoint", os.Getenv("OBS_ENDPOINT"), "OBS host")
+	flag.StringVar(&defaultObsOpts.Region, "obs-region", os.Getenv("OBS_REGION"), "OBS region")
+	flag.BoolVar(&defaultObsOpts.Secure, "obs-secure", ok1(strconv.ParseBool(os.Getenv("OBS_SECURE"))), "OBS secure transport")
+	flag.StringVar(&defaultObsOpts.BucketName, "obs-bucket", os.Getenv("OBS_BUCKET_NAME"), "OBS bucket name")
+
+	flag.StringVar(&defaultObsOpts.HostRedirect, "obs-host-redirect", os.Getenv("OBS_HOST_REDIRECT"), "OBS host redirect")
+
+	// obsSignedUrlExpiry, err = time.ParseDuration(os.Getenv("OBS_SIGNED_URL_EXPIRY"))
+	// if err != nil {
+	// 	// max signed value
+	// 	obsSignedUrlExpiry = time.Duration(^uint64(0) / 2)
+	// }
+	// flag.DurationVar(&obsSignedUrlExpiry, "obs-signed-url-expiry", obsSignedUrlExpiry, "OBS ")
+}
+
+func qpostFlagParse(f func()) {
+	postFlagParse = append(postFlagParse, f)
+}
+func qpostFlagParseInvoke() {
+	for _, f := range postFlagParse {
+		f()
+	}
+}
+
+func main() {
+	flag.Parse()
+	qpostFlagParseInvoke()
+
+	zcfg := zap.NewProductionConfig()
+	zcfg.Level = zap.NewAtomicLevelAt(zapLogLevel)
+
+	logger := unwrap1(zcfg.Build())
+	defer logger.Sync()
+
+	sug := logger.Named("main").Sugar()
+	sug.Infow("starting",
+		"log_level", zapLogLevel,
+		"obs_endpoint", defaultObsOpts.Endpoint,
+		"obs_host_redirect", defaultObsOpts.HostRedirect,
+	)
+
+	client := unwrap1(newObsClient(defaultObsOpts))
+	srv.Init(serverOptions{
+		Addr:   httpAddr,
+		Logger: logger.Named("server"),
+		OBS:    &defaultObsOpts,
+		S3:     client,
+	})
+
+	srv.Run()
+}

obs.go

@@ -0,0 +1,102 @@
+package main
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/url"
+	"reflect"
+	"unsafe"
+
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+
+	_ "unsafe"
+)
+
+type obsOptions struct {
+	Endpoint   string
+	Region     string
+	Secure     bool
+	BucketName string
+
+	HostRedirect string
+}
+
+var defaultObsOpts obsOptions
+
+func newObsClient(opts obsOptions) (*minio.Client, error) {
+	client, err := minio.New(opts.Endpoint, &minio.Options{
+		Creds:        credentials.NewEnvAWS(),
+		BucketLookup: minio.BucketLookupAuto, // vhost / path
+		Region:       opts.Region,
+		Secure:       opts.Secure,
+	})
+	if err != nil {
+		return nil, err
+	}
+	setOverrideSignerType(client, credentials.SignatureV2)
+	return client, nil
+}
+
+var (
+	offsetCredsProvider      uintptr
+	offsetOverrideSignerType uintptr
+)
+
+func init() {
+	vt := reflect.TypeOf(minio.Client{})
+	if field, ok := vt.FieldByName("credsProvider"); ok {
+		offsetCredsProvider = field.Offset
+	} else {
+		panic("cannot find credsProvider field")
+	}
+
+	if field, ok := vt.FieldByName("overrideSignerType"); ok {
+		offsetOverrideSignerType = field.Offset
+	} else {
+		panic("cannot find overrideSignerType field")
+	}
+}
+
+func getCredsProvider(client *minio.Client) *credentials.Credentials {
+	return *(**credentials.Credentials)(unsafe.Add(unsafe.Pointer(client), offsetCredsProvider))
+}
+
+func setOverrideSignerType(client *minio.Client, signerType credentials.SignatureType) {
+	ptr := (*credentials.SignatureType)(unsafe.Add(unsafe.Pointer(client), offsetOverrideSignerType))
+	*ptr = signerType
+}
+
+//go:linkname isVirtualHostStyleRequest github.com/minio/minio-go/v7.(*Client).isVirtualHostStyleRequest
+func isVirtualHostStyleRequest(client *minio.Client, url url.URL, bucketName string) bool
+
+//go:linkname makeTargetURL github.com/minio/minio-go/v7.(*Client).makeTargetURL
+func makeTargetURL(client *minio.Client, bucketName, objectName, bucketLocation string, isVirtualHostStyle bool, queryValues url.Values) (*url.URL, error)
+
+// requestMetadata - is container for all the values to make a request.
+type requestMetadata struct {
+	// If set newRequest presigns the URL.
+	presignURL bool
+
+	// User supplied.
+	bucketName         string
+	objectName         string
+	queryValues        url.Values
+	customHeader       http.Header
+	extraPresignHeader http.Header
+	expires            int64
+
+	// Generated by our internal code.
+	bucketLocation   string
+	contentBody      io.Reader
+	contentLength    int64
+	contentMD5Base64 string // carries base64 encoded md5sum
+	contentSHA256Hex string // carries hex encoded sha256sum
+	streamSha256     bool
+	addCrc           bool
+	trailer          http.Header // (http.Request).Trailer. Requires v4 signature.
+}
+
+//go:linkname newRequest github.com/minio/minio-go/v7.(*Client).newRequest
+func newRequest(client *minio.Client, ctx context.Context, method string, metadata requestMetadata) (req *http.Request, err error)

obs_test.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"testing"
+
+	"github.com/minio/minio-go/v7/pkg/s3utils"
+	"github.com/minio/minio-go/v7/pkg/signer"
+)
+
+func TestObsSignerV2(t *testing.T) {
+	req, err := http.NewRequest(http.MethodGet, "/test/mk/603d83c0-5083-44b0-87cb-7030ef28c43f.jpg", nil)
+	if err != nil {
+		t.Fail()
+	}
+
+	exp := strconv.FormatInt(int64(^uint64(0)/2), 10) // ~250years
+	req.Header.Set("Expires", exp)
+	req.URL.RawQuery = ""
+	reqVal := signer.PreSignV2(*req, "asd", "asdasd", 0, true)
+	query := reqVal.URL.Query()
+	query.Set("Expires", exp)
+	reqVal.URL.RawQuery = s3utils.QueryEncode(query)
+
+	fmt.Println(reqVal.URL)
+
+}

server.go

@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/s3utils"
+	"github.com/minio/minio-go/v7/pkg/signer"
+	"github.com/valyala/fasthttp"
+	"go.uber.org/zap"
+)
+
+var (
+	MethodGet  = []byte(http.MethodGet)
+	MethodHead = []byte(http.MethodHead)
+)
+
+type serverOptions struct {
+	Addr   string
+	Logger *zap.Logger
+	OBS    *obsOptions
+
+	ObjectExpiry time.Duration
+
+	S3 *minio.Client
+}
+
+type server struct {
+	opts   serverOptions
+	logger *zap.SugaredLogger
+}
+
+var srv server
+
+func (s *server) Init(opts serverOptions) {
+	s.opts = opts
+	s.logger = opts.Logger.Sugar()
+}
+
+func (s *server) reportError(ctx *fasthttp.RequestCtx, errType string, err any) {
+	s.logger.Errorw("handler error",
+		"kind", errType,
+		"err", err)
+	ctx.Response.Header.Set("x-error-code", errType)
+	switch errVal := err.(type) {
+	case []byte:
+		ctx.Response.Header.Set("x-error-message", unsafeByteSliceToString(errVal))
+	case string:
+		ctx.Response.Header.Set("x-error-message", errVal)
+	case error:
+		ctx.Response.Header.Set("x-error-message", errVal.Error())
+	default:
+		ctx.Response.Header.Set("x-error-message", "unknown error")
+	}
+}
+
+var (
+	ErrKind_ResourceNotFound = "OBS_RESOURCE_NOT_FOUND"
+	ErrKind_MethodNotAllowed = "OBS_METHOD_NOT_ALLOWED"
+	ErrKind_S3ComposeRequest = "S3_COMPOSE_REQUEST"
+	ErrKind_S3CredsProvider  = "S3_CREDS_PROVIDER"
+)
+
+func (s *server) handle(ctx *fasthttp.RequestCtx) {
+	ctx.Response.Header.Set("server", "obs-access-signer")
+	isMethodGet := bytes.Equal(ctx.Method(), MethodGet)
+	isMethodHead := bytes.Equal(ctx.Method(), MethodHead)
+	if !isMethodGet && !isMethodHead {
+		ctx.SetStatusCode(http.StatusMethodNotAllowed)
+		s.reportError(ctx, ErrKind_MethodNotAllowed, "")
+		return
+	}
+
+	if isMethodHead {
+		// Doc: https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.2-1
+		ctx.Response.Header.Set("Content-Length", "0")
+	}
+
+	bucketName := s.opts.OBS.BucketName
+	isVirtualHostStyle := isVirtualHostStyleRequest(s.opts.S3, *s.opts.S3.EndpointURL(), bucketName)
+
+	path := ctx.Path()
+	_path := bytes.TrimLeft(path, "/")
+	objectName := unsafeByteSliceToString(_path)
+	if _, _objectName, found := bytes.Cut(_path, []byte(bucketName)); !isVirtualHostStyle &&
+		bytes.HasPrefix(_path, []byte(bucketName)) &&
+		found {
+		_objectName = bytes.TrimLeft(_objectName, "/")
+		objectName = unsafeByteSliceToString(_objectName)
+	}
+
+	// check if we had acess to the object
+	if _, err := s.opts.S3.StatObject(ctx, bucketName, objectName, minio.GetObjectOptions{}); err != nil {
+		ctx.SetStatusCode(http.StatusNotFound)
+		s.reportError(ctx, ErrKind_ResourceNotFound, err)
+		return
+	}
+
+	// compose initial request
+	req, err := newRequest(s.opts.S3, ctx, http.MethodGet, requestMetadata{
+		presignURL:  true,
+		bucketName:  bucketName,
+		objectName:  objectName,
+		expires:     1, // to trigger presigned generator
+		queryValues: url.Values{},
+	})
+	if err != nil {
+		ctx.SetStatusCode(http.StatusInternalServerError)
+		s.reportError(ctx, ErrKind_S3ComposeRequest, err)
+		return
+	}
+
+	// grab creds from provider
+	value, err := getCredsProvider(s.opts.S3).Get()
+	if err != nil {
+		ctx.SetStatusCode(http.StatusInternalServerError)
+		s.reportError(ctx, ErrKind_S3CredsProvider, err)
+		return
+	}
+
+	// clear given params, set max signed value for expire, and re-presign.
+	exp := strconv.FormatInt(int64(^uint64(0)/2), 10) // ~250years
+	req.Header.Set("Expires", exp)
+	req.URL.RawQuery = ""
+	req = signer.PreSignV2(*req, value.AccessKeyID, value.SecretAccessKey, 0, isVirtualHostStyle)
+
+	// re-encode query string with Expires hack.
+	query := req.URL.Query()
+	query.Set("Expires", exp)
+	req.URL.RawQuery = s3utils.QueryEncode(query)
+	if hostRedirect := s.opts.OBS.HostRedirect; hostRedirect != "" {
+		req.URL.Host = hostRedirect
+	}
+
+	ctx.Redirect(req.URL.String(), http.StatusMovedPermanently)
+}
+
+func (s *server) Run() {
+	s.logger.Infow("running server",
+		"addr", s.opts.Addr)
+	fasthttp.ListenAndServe(s.opts.Addr, s.handle)
+}

util.go

@@ -0,0 +1,25 @@
+package main
+
+import "unsafe"
+
+func ok1[T any](res T, err error) T {
+	return res
+}
+
+func option1[T any](res T, err error) (T, bool) {
+	return res, err != nil
+}
+
+func unwrap0(err error) {
+	if err != nil {
+		panic(err)
+	}
+}
+func unwrap1[T any](res T, err error) T {
+	unwrap0(err)
+	return res
+}
+
+func unsafeByteSliceToString(b []byte) string {
+	return *(*string)(unsafe.Pointer(&b))
+}

util_test.go

@@ -0,0 +1,13 @@
+package main
+
+import "testing"
+
+func TestUnsafeByteSliceToString(t *testing.T) {
+	exp := "foo bar"
+	act := unsafeByteSliceToString([]byte(exp))
+	if exp != act { // cmp str
+		t.Fail()
+	}
+	println(&exp, &act)
+	println(exp, act)
+}