diff --git a/docs/configuration/storage.md b/docs/configuration/storage.md index d76a9bed4..539898e11 100644 --- a/docs/configuration/storage.md +++ b/docs/configuration/storage.md @@ -30,11 +30,42 @@ storage-local-base-path: "/gotosocial/storage" # Default: "" storage-s3-endpoint: "" -# Bool. If data stored in S3 should be proxied through GoToSocial instead of redirecting to a presigned URL. +# Bool. Set this to true if data stored in S3 should be proxied through +# GoToSocial instead of forwarding the request to a presigned URL. +# +# In most cases you won't need to touch this setting, but it might be useful +# if it's not possible for your bucket provider to generate presigned URLs, +# or if your bucket is not able to exposed to the wider internet. # # Default: false storage-s3-proxy: false +# String. URL to use a base for redirecting incoming media requests to. +# +# Must start with "http://" or "https://" and end without a trailing slash. +# +# DON'T SET THIS VALUE UNLESS YOU HAVE GOOD REASON TO! It's not necessary for +# "normal" s3 usage, and most admins can happily just ignore this setting. +# +# If set, then media fileserver requests to your instance will be redirected +# to this URL instead of your bucket URL, preserving relevant path parts. +# +# This is useful if you are using a CDN proxy in front of your S3 bucket, and you +# want to serve media from the CDN rather than serving from your S3 bucket directly. +# +# For example, if you have your storage-s3-endpoint value set to "s3.my-storage.example.org", +# and you have a CDN set up to proxy your bucket, serving from "cdn.some-fancy-host.org", +# then you should set storage-s3-redirect-url to "https://cdn.some-fancy-host.org". +# +# This will allow your GoToSocial instance to *upload* data to "s3.my-storage.example.org", +# but direct callers to *download* that data from "https://cdn.some-fancy-host.org". +# +# This value is ignored if storage-backend is not s3, or if storage-s3-proxy is true. +# +# Examples: ["https://cdn.some-fancy-host.org"] +# Default: "" +storage-s3-redirect-url: "" + # Bool. Use SSL for S3 connections. # # Only set this to 'false' when testing locally. @@ -76,7 +107,7 @@ storage-s3-bucket: "" GoToSocial by default creates signed URL's which means we don't need to change anything major on the policies of the bucket. 1. Login to AWS -> select S3 as service. -2. click Create Bucket +2. Click Create Bucket 3. Provide a unique name and avoid adding "." in the name 4. Do not change the public access settings (Let them be on "block public access" mode) @@ -110,6 +141,14 @@ GoToSocial by default creates signed URL's which means we don't need to change a * `storage-s3-secret-key` -> Secret key you obtained for the user created above * `storage-s3-bucket` -> The `` that you created just now +### `storage-s3-redirect-url` + +If you are using a CDN in front of your S3 bucket, and you want to serve media from the CDN rather than serving from your S3 bucket directly, you should set the `storage-s3-redirect-url` to the CDN URL. + +For example, if you have your `storage-s3-endpoint` value set to "s3.my-storage.example.org", and you have a CDN set up to proxy your bucket, serving from "cdn.some-fancy-host.org", then you should set `storage-s3-redirect-url` to "https://cdn.some-fancy-host.org". + +This will allow your GoToSocial instance to *upload* data to "s3.my-storage.example.org", but direct callers to *download* that data from "https://cdn.some-fancy-host.org". + ## Storage migration Migration between backends is freely possible. To do so, you only have to move the directories (and their contents) between the different implementations. diff --git a/example/config.yaml b/example/config.yaml index 75d0587cf..60fdd88cc 100644 --- a/example/config.yaml +++ b/example/config.yaml @@ -551,11 +551,42 @@ storage-local-base-path: "/gotosocial/storage" # Default: "" storage-s3-endpoint: "" -# Bool. If data stored in S3 should be proxied through GoToSocial instead of redirecting to a presigned URL. +# Bool. Set this to true if data stored in S3 should be proxied through +# GoToSocial instead of forwarding the request to a presigned URL. +# +# In most cases you won't need to touch this setting, but it might be useful +# if it's not possible for your bucket provider to generate presigned URLs, +# or if your bucket is not able to exposed to the wider internet. # # Default: false storage-s3-proxy: false +# String. URL to use a base for redirecting incoming media requests to. +# +# Must start with "http://" or "https://" and end without a trailing slash. +# +# DON'T SET THIS VALUE UNLESS YOU HAVE GOOD REASON TO! It's not necessary for +# "normal" s3 usage, and most admins can happily just ignore this setting. +# +# If set, then media fileserver requests to your instance will be redirected +# to this URL instead of your bucket URL, preserving relevant path parts. +# +# This is useful if you are using a CDN proxy in front of your S3 bucket, and you +# want to serve media from the CDN rather than serving from your S3 bucket directly. +# +# For example, if you have your storage-s3-endpoint value set to "s3.my-storage.example.org", +# and you have a CDN set up to proxy your bucket, serving from "cdn.some-fancy-host.org", +# then you should set storage-s3-redirect-url to "https://cdn.some-fancy-host.org". +# +# This will allow your GoToSocial instance to *upload* data to "s3.my-storage.example.org", +# but direct callers to *download* that data from "https://cdn.some-fancy-host.org". +# +# This value is ignored if storage-backend is not s3, or if storage-s3-proxy is true. +# +# Examples: ["https://cdn.some-fancy-host.org"] +# Default: "" +storage-s3-redirect-url: "" + # Bool. Use SSL for S3 connections. # # Only set this to 'false' when testing locally. diff --git a/internal/config/config.go b/internal/config/config.go index a6499d822..bba284d56 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -110,6 +110,7 @@ type Configuration struct { StorageS3UseSSL bool `name:"storage-s3-use-ssl" usage:"Use SSL for S3 connections. Only set this to 'false' when testing locally"` StorageS3BucketName string `name:"storage-s3-bucket" usage:"Place blobs in this bucket"` StorageS3Proxy bool `name:"storage-s3-proxy" usage:"Proxy S3 contents through GoToSocial instead of redirecting to a presigned URL"` + StorageS3RedirectURL string `name:"storage-s3-redirect-url" usage:"Custom URL to use for redirecting S3 media links. If set, this will be used instead of the S3 bucket URL."` StatusesMaxChars int `name:"statuses-max-chars" usage:"Max permitted characters for posted statuses, including content warning"` StatusesPollMaxOptions int `name:"statuses-poll-max-options" usage:"Max amount of options permitted on a poll"` diff --git a/internal/config/defaults.go b/internal/config/defaults.go index 835841c84..d16df6802 100644 --- a/internal/config/defaults.go +++ b/internal/config/defaults.go @@ -85,6 +85,7 @@ var Defaults = Configuration{ StorageLocalBasePath: "/gotosocial/storage", StorageS3UseSSL: true, StorageS3Proxy: false, + StorageS3RedirectURL: "", StatusesMaxChars: 5000, StatusesPollMaxOptions: 6, diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go index 587fba364..7523f17ad 100644 --- a/internal/config/helpers.gen.go +++ b/internal/config/helpers.gen.go @@ -1500,6 +1500,31 @@ func GetStorageS3Proxy() bool { return global.GetStorageS3Proxy() } // SetStorageS3Proxy safely sets the value for global configuration 'StorageS3Proxy' field func SetStorageS3Proxy(v bool) { global.SetStorageS3Proxy(v) } +// GetStorageS3RedirectURL safely fetches the Configuration value for state's 'StorageS3RedirectURL' field +func (st *ConfigState) GetStorageS3RedirectURL() (v string) { + st.mutex.RLock() + v = st.config.StorageS3RedirectURL + st.mutex.RUnlock() + return +} + +// SetStorageS3RedirectURL safely sets the Configuration value for state's 'StorageS3RedirectURL' field +func (st *ConfigState) SetStorageS3RedirectURL(v string) { + st.mutex.Lock() + defer st.mutex.Unlock() + st.config.StorageS3RedirectURL = v + st.reloadToViper() +} + +// StorageS3RedirectURLFlag returns the flag name for the 'StorageS3RedirectURL' field +func StorageS3RedirectURLFlag() string { return "storage-s3-redirect-url" } + +// GetStorageS3RedirectURL safely fetches the value for global configuration 'StorageS3RedirectURL' field +func GetStorageS3RedirectURL() string { return global.GetStorageS3RedirectURL() } + +// SetStorageS3RedirectURL safely sets the value for global configuration 'StorageS3RedirectURL' field +func SetStorageS3RedirectURL(v string) { global.SetStorageS3RedirectURL(v) } + // GetStatusesMaxChars safely fetches the Configuration value for state's 'StatusesMaxChars' field func (st *ConfigState) GetStatusesMaxChars() (v int) { st.mutex.RLock() diff --git a/internal/config/validate.go b/internal/config/validate.go index d79d83b9d..723d5c931 100644 --- a/internal/config/validate.go +++ b/internal/config/validate.go @@ -19,6 +19,8 @@ package config import ( "fmt" + "net/url" + "strings" "github.com/miekg/dns" "github.com/superseriousbusiness/gotosocial/internal/gtserror" @@ -118,6 +120,28 @@ func Validate() error { errf("%s must be set", WebAssetBaseDirFlag()) } + // `storage-s3-redirect-url` + if s3RedirectURL := GetStorageS3RedirectURL(); s3RedirectURL != "" { + if strings.HasSuffix(s3RedirectURL, "/") { + errf( + "%s must not end with a trailing slash", + StorageS3RedirectURLFlag(), + ) + } + + if url, err := url.Parse(s3RedirectURL); err != nil { + errf( + "%s invalid: %w", + StorageS3RedirectURLFlag(), err, + ) + } else if url.Scheme != "https" && url.Scheme != "http" { + errf( + "%s scheme must be https or http", + StorageS3RedirectURLFlag(), + ) + } + } + // Custom / LE TLS settings. // // Only one of custom certs or LE can be set, diff --git a/internal/storage/storage.go b/internal/storage/storage.go index 5d5baf283..f3cb814f1 100644 --- a/internal/storage/storage.go +++ b/internal/storage/storage.go @@ -79,6 +79,7 @@ type Driver struct { Proxy bool Bucket string PresignedCache *ttl.Cache[string, PresignedURL] + RedirectURL string } // Get returns the byte value for key in storage. @@ -163,12 +164,27 @@ func (d *Driver) URL(ctx context.Context, key string) *PresignedURL { return &e.Value } - u, err := s3.Client().PresignedGetObject(ctx, d.Bucket, key, urlCacheTTL, url.Values{ - "response-content-type": []string{mime.TypeByExtension(path.Ext(key))}, - }) - if err != nil { - // If URL request fails, fallback is to fetch the file. So ignore the error here - return nil + var ( + u *url.URL + err error + ) + + if d.RedirectURL != "" { + u, err = url.Parse(d.RedirectURL + "/" + key) + if err != nil { + // If URL parsing fails, fallback is to + // fetch the file. So ignore the error here + return nil + } + } else { + u, err = s3.Client().PresignedGetObject(ctx, d.Bucket, key, urlCacheTTL, url.Values{ + "response-content-type": []string{mime.TypeByExtension(path.Ext(key))}, + }) + if err != nil { + // If URL request fails, fallback is to + // fetch the file. So ignore the error here + return nil + } } psu := PresignedURL{ @@ -204,6 +220,14 @@ func (d *Driver) ProbeCSPUri(ctx context.Context) (string, error) { return "", nil } + // If an S3 redirect URL is set, just + // return this URL without probing; we + // likely don't have write access on it + // anyway since it's probs a CDN bucket. + if d.RedirectURL != "" { + return d.RedirectURL + "/", nil + } + const cspKey = "gotosocial-csp-probe" // Create an empty file in S3 storage. @@ -273,6 +297,7 @@ func NewS3Storage() (*Driver, error) { secret := config.GetStorageS3SecretKey() secure := config.GetStorageS3UseSSL() bucket := config.GetStorageS3BucketName() + redirectURL := config.GetStorageS3RedirectURL() // Open the s3 storage implementation s3, err := s3.Open(endpoint, bucket, &s3.Config{ @@ -300,5 +325,6 @@ func NewS3Storage() (*Driver, error) { Bucket: config.GetStorageS3BucketName(), Storage: s3, PresignedCache: presignedCache, + RedirectURL: redirectURL, }, nil } diff --git a/test/envparsing.sh b/test/envparsing.sh index 281bf7405..3855c372f 100755 --- a/test/envparsing.sh +++ b/test/envparsing.sh @@ -173,6 +173,7 @@ EXPECT=$(cat << "EOF" "storage-s3-bucket": "gts", "storage-s3-endpoint": "localhost:9000", "storage-s3-proxy": true, + "storage-s3-redirect-url": "", "storage-s3-secret-key": "miniostorage", "storage-s3-use-ssl": false, "syslog-address": "127.0.0.1:6969", @@ -253,6 +254,7 @@ GTS_STORAGE_S3_SECRET_KEY='miniostorage' \ GTS_STORAGE_S3_ENDPOINT='localhost:9000' \ GTS_STORAGE_S3_USE_SSL='false' \ GTS_STORAGE_S3_PROXY='true' \ +GTS_STORAGE_S3_REDIRECT_URL='' \ GTS_STORAGE_S3_BUCKET='gts' \ GTS_STATUSES_MAX_CHARS=69 \ GTS_STATUSES_CW_MAX_CHARS=420 \