fix: passing correct httpClient, do not use DefaultClients (#3319)

most of our deployments use custom certificates, using DefaultClient
makes it virtually impossible to make share URL feature work.

this PR fixes this behavior in the implementation.

Bonus: re-use transports inside console, will add more changes to
take custom transport inputs in subsequent PR.

api/admin_info.go

@@ -994,8 +994,6 @@ func unmarshalPrometheus(ctx context.Context, httpClnt *http.Client, endpoint st
 }
 
 func testPrometheusURL(ctx context.Context, url string) bool {
-	clientIP := utils.ClientIPFromContext(ctx)
-	httpClnt := GetConsoleHTTPClient(url, clientIP)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url+"/-/healthy", nil)
 	if err != nil {
 		ErrorWithContext(ctx, fmt.Errorf("error Building Request: (%v)", err))
@@ -1003,11 +1001,13 @@ func testPrometheusURL(ctx context.Context, url string) bool {
 	}
 
 	prometheusBearer := getPrometheusAuthToken()
-
 	if prometheusBearer != "" {
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", prometheusBearer))
 	}
 
+	clientIP := utils.ClientIPFromContext(ctx)
+	httpClnt := GetConsoleHTTPClient(clientIP)
+
 	response, err := httpClnt.Do(req)
 	if err != nil {
 		ErrorWithContext(ctx, fmt.Errorf("default Prometheus URL not reachable, trying root testing: (%v)", err))
@@ -1050,7 +1050,7 @@ func getWidgetDetails(ctx context.Context, prometheusURL string, selector string
 		return nil, ErrorWithContext(ctx, errors.New("prometheus URL is unreachable"))
 	}
 	clientIP := utils.ClientIPFromContext(ctx)
-	httpClnt := GetConsoleHTTPClient(prometheusURL, clientIP)
+	httpClnt := GetConsoleHTTPClient(clientIP)
 
 	labelResultsCh := make(chan LabelResults)
 

api/admin_releases.go

@@ -97,7 +97,7 @@ func getReleases(endpoint, repo, currentRelease, search, filter, clientIP string
 	req.URL.RawQuery = q.Encode()
 	req.Header.Set("Content-Type", "application/json")
 
-	client := GetConsoleHTTPClient("", clientIP)
+	client := GetConsoleHTTPClient(clientIP)
 	client.Timeout = time.Second * 5
 
 	resp, err := client.Do(req)

api/admin_subnet.go

@@ -96,7 +96,7 @@ func SubnetRegisterWithAPIKey(ctx context.Context, minioClient MinioAdmin, apiKe
 		return false, err
 	}
 	clientIP := utils.ClientIPFromContext(ctx)
-	registerResult, err := subnet.Register(GetConsoleHTTPClient("", clientIP), serverInfo, apiKey, "", "")
+	registerResult, err := subnet.Register(GetConsoleHTTPClient(clientIP), serverInfo, apiKey, "", "")
 	if err != nil {
 		return false, err
 	}
@@ -199,7 +199,6 @@ func SubnetLoginWithMFA(client xhttp.ClientI, username, mfaToken, otp string) (*
 // GetSubnetHTTPClient will return a client with proxy if configured, otherwise will return the default console http client
 func GetSubnetHTTPClient(ctx context.Context, minioClient MinioAdmin) (*xhttp.Client, error) {
 	clientIP := utils.ClientIPFromContext(ctx)
-	subnetHTTPClient := GetConsoleHTTPClient("", clientIP)
 	subnetKey, err := GetSubnetKeyFromMinIOConfig(ctx, minioClient)
 	if err != nil {
 		return nil, err
@@ -209,18 +208,24 @@ func GetSubnetHTTPClient(ctx context.Context, minioClient MinioAdmin) (*xhttp.Cl
 	if subnetKey.Proxy != "" {
 		proxy = subnetKey.Proxy
 	}
+
+	tr := GlobalTransport.Clone()
 	if proxy != "" {
-		subnetProxyURL, err := url.Parse(proxy)
+		u, err := url.Parse(proxy)
 		if err != nil {
 			return nil, err
 		}
-		subnetHTTPClient.Transport.(*ConsoleTransport).Transport.Proxy = http.ProxyURL(subnetProxyURL)
+		tr.Proxy = http.ProxyURL(u)
 	}
 
-	clientI := &xhttp.Client{
-		Client: subnetHTTPClient,
-	}
-	return clientI, nil
+	return &xhttp.Client{
+		Client: &http.Client{
+			Transport: &ConsoleTransport{
+				Transport: tr,
+				ClientIP:  clientIP,
+			},
+		},
+	}, nil
 }
 
 func GetSubnetLoginWithMFAResponse(session *models.Principal, params subnetApi.SubnetLoginMFAParams) (*models.SubnetLoginResponse, *CodedAPIError) {
@@ -322,7 +327,7 @@ func GetSubnetInfoResponse(session *models.Principal, params subnetApi.SubnetInf
 	defer cancel()
 	clientIP := utils.ClientIPFromContext(ctx)
 	client := &xhttp.Client{
-		Client: GetConsoleHTTPClient("", clientIP),
+		Client: GetConsoleHTTPClient(clientIP),
 	}
 	// license gets seeded to us by MinIO
 	seededLicense := os.Getenv(EnvSubnetLicense)

api/client-admin.go

@@ -24,6 +24,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strings"
 	"time"
 
@@ -213,11 +214,11 @@ func (ac AdminClient) listPolicies(ctx context.Context) (map[string]*iampolicy.P
 
 // implements madmin.ListCannedPolicies()
 func (ac AdminClient) getPolicy(ctx context.Context, name string) (*iampolicy.Policy, error) {
-	praw, err := ac.Client.InfoCannedPolicy(ctx, name)
+	info, err := ac.Client.InfoCannedPolicyV2(ctx, name)
 	if err != nil {
 		return nil, err
 	}
-	return iampolicy.ParseConfig(bytes.NewReader(praw))
+	return iampolicy.ParseConfig(bytes.NewReader(info.Policy))
 }
 
 // implements madmin.RemoveCannedPolicy()
@@ -236,6 +237,7 @@ func (ac AdminClient) addPolicy(ctx context.Context, name string, policy *iampol
 
 // implements madmin.SetPolicy()
 func (ac AdminClient) setPolicy(ctx context.Context, policyName, entityName string, isGroup bool) error {
+	// nolint:staticcheck // ignore SA1019
 	return ac.Client.SetPolicy(ctx, policyName, entityName, isGroup)
 }
 
@@ -468,7 +470,7 @@ func newAdminFromClaims(claims *models.Principal, clientIP string) (*madmin.Admi
 		return nil, err
 	}
 	adminClient.SetAppInfo(globalAppName, pkg.Version)
-	adminClient.SetCustomTransport(GetConsoleHTTPClient(getMinIOServer(), clientIP).Transport)
+	adminClient.SetCustomTransport(PrepareSTSClientTransport(clientIP))
 	return adminClient, nil
 }
 
@@ -487,8 +489,8 @@ func newAdminFromCreds(accessKey, secretKey, endpoint string, tlsEnabled bool) (
 
 // isLocalAddress returns true if the url contains an IPv4/IPv6 hostname
 // that points to the local machine - FQDN are not supported
-func isLocalIPEndpoint(addr string) bool {
-	u, err := url.Parse(addr)
+func isLocalIPEndpoint(endpoint string) bool {
+	u, err := url.Parse(endpoint)
 	if err != nil {
 		return false
 	}
@@ -501,6 +503,9 @@ func isLocalIPAddress(ipAddr string) bool {
 	if ipAddr == "" {
 		return false
 	}
+	if ipAddr == "localhost" {
+		return true
+	}
 	ip := net.ParseIP(ipAddr)
 	return ip != nil && ip.IsLoopback()
 }
@@ -508,43 +513,75 @@ func isLocalIPAddress(ipAddr string) bool {
 // GetConsoleHTTPClient caches different http clients depending on the target endpoint while taking
 // in consideration CA certs stored in ${HOME}/.console/certs/CAs and ${HOME}/.minio/certs/CAs
 // If the target endpoint points to a loopback device, skip the TLS verification.
-func GetConsoleHTTPClient(address string, clientIP string) *http.Client {
-	u, err := url.Parse(address)
-	if err == nil {
-		address = u.Hostname()
-	}
-
-	client := PrepareConsoleHTTPClient(isLocalIPAddress(address), clientIP)
-
-	return client
+func GetConsoleHTTPClient(clientIP string) *http.Client {
+	return PrepareConsoleHTTPClient(clientIP)
 }
 
-func getClientIP(r *http.Request) string {
-	// Try to get the IP address from the X-Real-IP header
-	// If the X-Real-IP header is not present, then it will return an empty string
-	xRealIP := r.Header.Get("X-Real-IP")
-	if xRealIP != "" {
-		return xRealIP
-	}
+var (
+	// De-facto standard header keys.
+	xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
+	xRealIP       = http.CanonicalHeaderKey("X-Real-IP")
+)
 
-	// Try to get the IP address from the X-Forwarded-For header
-	// If the X-Forwarded-For header is not present, then it will return an empty string
-	xForwardedFor := r.Header.Get("X-Forwarded-For")
-	if xForwardedFor != "" {
-		// X-Forwarded-For can contain multiple addresses, we return the first one
-		split := strings.Split(xForwardedFor, ",")
-		if len(split) > 0 {
-			return strings.TrimSpace(split[0])
+var (
+	// RFC7239 defines a new "Forwarded: " header designed to replace the
+	// existing use of X-Forwarded-* headers.
+	// e.g. Forwarded: for=192.0.2.60;proto=https;by=203.0.113.43
+	forwarded = http.CanonicalHeaderKey("Forwarded")
+	// Allows for a sub-match of the first value after 'for=' to the next
+	// comma, semi-colon or space. The match is case-insensitive.
+	forRegex = regexp.MustCompile(`(?i)(?:for=)([^(;|,| )]+)(.*)`)
+)
+
+// getSourceIPFromHeaders retrieves the IP from the X-Forwarded-For, X-Real-IP
+// and RFC7239 Forwarded headers (in that order)
+func getSourceIPFromHeaders(r *http.Request) string {
+	var addr string
+
+	if fwd := r.Header.Get(xForwardedFor); fwd != "" {
+		// Only grab the first (client) address. Note that '192.168.0.1,
+		// 10.1.1.1' is a valid key for X-Forwarded-For where addresses after
+		// the first may represent forwarding proxies earlier in the chain.
+		s := strings.Index(fwd, ", ")
+		if s == -1 {
+			s = len(fwd)
+		}
+		addr = fwd[:s]
+	} else if fwd := r.Header.Get(xRealIP); fwd != "" {
+		// X-Real-IP should only contain one IP address (the client making the
+		// request).
+		addr = fwd
+	} else if fwd := r.Header.Get(forwarded); fwd != "" {
+		// match should contain at least two elements if the protocol was
+		// specified in the Forwarded header. The first element will always be
+		// the 'for=' capture, which we ignore. In the case of multiple IP
+		// addresses (for=8.8.8.8, 8.8.4.4, 172.16.1.20 is valid) we only
+		// extract the first, which should be the client IP.
+		if match := forRegex.FindStringSubmatch(fwd); len(match) > 1 {
+			// IPv6 addresses in Forwarded headers are quoted-strings. We strip
+			// these quotes.
+			addr = strings.Trim(match[1], `"`)
 		}
 	}
 
-	// If neither header is present (or they were empty), then fall back to the connection's remote address
-	ip, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		// In case there's an error, return an empty string
-		return ""
+	return addr
+}
+
+// getClientIP retrieves the IP from the request headers
+// and falls back to r.RemoteAddr when necessary.
+// however returns without bracketing.
+func getClientIP(r *http.Request) string {
+	addr := getSourceIPFromHeaders(r)
+	if addr == "" {
+		addr = r.RemoteAddr
 	}
-	return ip
+
+	// Default to remote address if headers not set.
+	raddr, _, _ := net.SplitHostPort(addr)
+	if raddr == "" {
+		return addr
+	}
+	return raddr
 }
 
 func (ac AdminClient) speedtest(ctx context.Context, opts madmin.SpeedtestOpts) (chan madmin.SpeedTestResult, error) {

api/client.go

@@ -341,7 +341,7 @@ func stsCredentials(minioURL, accessKey, secretKey, location, clientIP string) (
 		DurationSeconds: int(xjwt.GetConsoleSTSDuration().Seconds()),
 	}
 	stsAssumeRole := &credentials.STSAssumeRole{
-		Client:      GetConsoleHTTPClient(minioURL, clientIP),
+		Client:      GetConsoleHTTPClient(clientIP),
 		STSEndpoint: minioURL,
 		Options:     opts,
 	}
@@ -357,7 +357,7 @@ func NewConsoleCredentials(accessKey, secretKey, location, clientIP string) (*cr
 	// LDAP authentication for Console
 	case ldap.GetLDAPEnabled():
 		{
-			creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(minioURL, clientIP), minioURL, accessKey, secretKey)
+			creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(clientIP), minioURL, accessKey, secretKey)
 			if err != nil {
 				return nil, err
 			}
@@ -414,7 +414,7 @@ func newMinioClient(claims *models.Principal, clientIP string) (*minio.Client, e
 	minioClient, err := minio.New(endpoint, &minio.Options{
 		Creds:     creds,
 		Secure:    secure,
-		Transport: GetConsoleHTTPClient(getMinIOServer(), clientIP).Transport,
+		Transport: GetConsoleHTTPClient(clientIP).Transport,
 	})
 	if err != nil {
 		return nil, err
@@ -426,10 +426,9 @@ func newMinioClient(claims *models.Principal, clientIP string) (*minio.Client, e
 
 // computeObjectURLWithoutEncode returns a MinIO url containing the object filename without encoding
 func computeObjectURLWithoutEncode(bucketName, prefix string) (string, error) {
-	endpoint := getMinIOServer()
-	u, err := xnet.ParseHTTPURL(endpoint)
+	u, err := xnet.ParseHTTPURL(getMinIOServer())
 	if err != nil {
-		return "", fmt.Errorf("the provided endpoint is invalid")
+		return "", fmt.Errorf("the provided endpoint: '%s' is invalid", getMinIOServer())
 	}
 	var p string
 	if strings.TrimSpace(bucketName) != "" {
@@ -438,7 +437,7 @@ func computeObjectURLWithoutEncode(bucketName, prefix string) (string, error) {
 	if strings.TrimSpace(prefix) != "" {
 		p = pathJoinFinalSlash(p, prefix)
 	}
-	return fmt.Sprintf("%s://%s/%s", u.Scheme, u.Host, p), nil
+	return u.String() + "/" + p, nil
 }
 
 // newS3BucketClient creates a new mc S3Client to talk to the server based on a bucket
@@ -479,22 +478,18 @@ func pathJoinFinalSlash(elem ...string) string {
 func newS3Config(endpoint, accessKey, secretKey, sessionToken string, clientIP string) *mc.Config {
 	// We have a valid alias and hostConfig. We populate the/
 	// consoleCredentials from the match found in the config file.
-	s3Config := new(mc.Config)
-
-	s3Config.AppName = globalAppName
-	s3Config.AppVersion = pkg.Version
-	s3Config.Debug = false
-
-	s3Config.HostURL = endpoint
-	s3Config.AccessKey = accessKey
-	s3Config.SecretKey = secretKey
-	s3Config.SessionToken = sessionToken
-	s3Config.Signature = "S3v4"
-
-	insecure := isLocalIPEndpoint(endpoint)
-
-	s3Config.Insecure = insecure
-	s3Config.Transport = PrepareSTSClientTransport(insecure, clientIP).Transport
-
-	return s3Config
+	return &mc.Config{
+		HostURL:      endpoint,
+		AccessKey:    accessKey,
+		SecretKey:    secretKey,
+		SessionToken: sessionToken,
+		Signature:    "S3v4",
+		AppName:      globalAppName,
+		AppVersion:   pkg.Version,
+		Insecure:     isLocalIPEndpoint(endpoint),
+		Transport: &ConsoleTransport{
+			ClientIP:  clientIP,
+			Transport: GlobalTransport,
+		},
+	}
 }

api/client_test.go

@@ -1,5 +1,5 @@
 // This file is part of MinIO Console Server
-// Copyright (c) 2021 MinIO, Inc.
+// Copyright (c) 2024 MinIO, Inc.
 //
 // This program is free software: you can redistribute it and/or modify
 // it under the terms of the GNU Affero General Public License as published by
@@ -80,10 +80,11 @@ func Test_computeObjectURLWithoutEncode(t *testing.T) {
 			got, err := computeObjectURLWithoutEncode(tt.args.bucketName, tt.args.prefix)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("computeObjectURLWithoutEncode() errors = %v, wantErr %v", err, tt.wantErr)
-				return
 			}
-			if got != tt.want {
-				t.Errorf("computeObjectURLWithoutEncode() got = %v, want %v", got, tt.want)
+			if err == nil {
+				if got != tt.want {
+					t.Errorf("computeObjectURLWithoutEncode() got = %v, want %v", got, tt.want)
+				}
 			}
 		})
 	}

api/config.go

@@ -17,10 +17,13 @@
 package api
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"net"
+	"net/http"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/minio/console/pkg/auth/idp/oauth2"
 	xcerts "github.com/minio/pkg/v2/certs"
@@ -54,6 +57,31 @@ var (
 	GlobalPublicCerts []*x509.Certificate
 	// GlobalTLSCertsManager custom TLS Manager for SNI support
 	GlobalTLSCertsManager *xcerts.Manager
+	// GlobalTransport is common transport used for all HTTP calls, this is set via
+	// MinIO server to be the correct transport, however we still define some defaults
+	// here just in case.
+	GlobalTransport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   10 * time.Second,
+			KeepAlive: 15 * time.Second,
+		}).DialContext,
+		MaxIdleConns:          1024,
+		MaxIdleConnsPerHost:   1024,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 10 * time.Second,
+		DisableCompression:    true, // Set to avoid auto-decompression
+		TLSClientConfig: &tls.Config{
+			// Can't use SSLv3 because of POODLE and BEAST
+			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
+			// Can't use TLSv1.1 because of RC4 cipher usage
+			MinVersion: tls.VersionTLS12,
+			// Console runs in the same pod/node as MinIO this is acceptable.
+			InsecureSkipVerify: true,
+			RootCAs:            GlobalRootCAs,
+		},
+	}
 )
 
 // MinIOConfig represents application configuration passed in from the MinIO

api/license.go

@@ -55,7 +55,7 @@ func getLicenseInfo(client http.Client, license string) (*licverifier.LicenseInf
 }
 
 func fetchLicensePlan() {
-	client := GetConsoleHTTPClient("", "127.0.0.1")
+	client := GetConsoleHTTPClient("127.0.0.1")
 	licenseInfo, err := getLicenseInfo(*client, os.Getenv(EnvSubnetLicense))
 	if err != nil {
 		return

api/public_objects.go

@@ -57,7 +57,9 @@ func getDownloadPublicObjectResponse(params public.DownloadSharedObjectParams) (
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
-	resp, err := http.DefaultClient.Do(req)
+
+	clnt := PrepareConsoleHTTPClient(getClientIP(params.HTTPRequest))
+	resp, err := clnt.Do(req)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}

api/service_accounts_handlers.go

@@ -153,14 +153,15 @@ func getCreateServiceAccountResponse(session *models.Principal, params saApi.Cre
 	// defining the client to be used
 	userAdminClient := AdminClient{Client: userAdmin}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	saCreds, err := createServiceAccount(ctx, userAdminClient, params.Body.Policy, params.Body.Name, params.Body.Description, &parsedExpiry, params.Body.Comment)
+	saCreds, err := createServiceAccount(ctx, userAdminClient, params.Body.Policy, params.Body.Name, params.Body.Description, expiry, params.Body.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -203,14 +204,15 @@ func getCreateAUserServiceAccountResponse(session *models.Principal, params user
 		return nil, ErrorWithContext(ctx, err)
 	}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	saCreds, err := createAUserServiceAccount(ctx, userAdminClient, params.Body.Policy, name, params.Body.Name, params.Body.Description, &parsedExpiry, params.Body.Comment)
+	saCreds, err := createAUserServiceAccount(ctx, userAdminClient, params.Body.Policy, name, params.Body.Name, params.Body.Description, expiry, params.Body.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -248,14 +250,15 @@ func getCreateAUserServiceAccountCredsResponse(session *models.Principal, params
 		}
 	}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if serviceAccount.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, serviceAccount.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, serviceAccount.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	saCreds, err := createAUserServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, user, serviceAccount.AccessKey, serviceAccount.SecretKey, serviceAccount.Name, serviceAccount.Description, &parsedExpiry, serviceAccount.Comment)
+	saCreds, err := createAUserServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, user, serviceAccount.AccessKey, serviceAccount.SecretKey, serviceAccount.Name, serviceAccount.Description, expiry, serviceAccount.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -289,15 +292,16 @@ func getCreateServiceAccountCredsResponse(session *models.Principal, params saAp
 		}
 	}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
 
-	saCreds, err := createServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, serviceAccount.AccessKey, serviceAccount.SecretKey, params.Body.Name, params.Body.Description, &parsedExpiry, params.Body.Comment)
+	saCreds, err := createServiceAccountCreds(ctx, userAdminClient, serviceAccount.Policy, serviceAccount.AccessKey, serviceAccount.SecretKey, params.Body.Name, params.Body.Description, expiry, params.Body.Comment)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
@@ -313,6 +317,25 @@ func getUserServiceAccounts(ctx context.Context, userClient MinioAdmin, user str
 	saList := models.ServiceAccounts{}
 
 	for _, acc := range listServAccs.Accounts {
+		if acc.AccountStatus != "" {
+			// Newer releases of MinIO would support enhanced listServiceAccounts()
+			// we can avoid infoServiceAccount() at that point, this scales well
+			// for 100's of service accounts.
+			expiry := ""
+			if acc.Expiration != nil {
+				expiry = acc.Expiration.Format(time.RFC3339)
+			}
+
+			saList = append(saList, &models.ServiceAccountsItems0{
+				AccountStatus: acc.AccountStatus,
+				Description:   acc.Description,
+				Expiration:    expiry,
+				Name:          acc.Name,
+				AccessKey:     acc.AccessKey,
+			})
+			continue
+		}
+
 		aInfo, err := userClient.infoServiceAccount(ctx, acc.AccessKey)
 		if err != nil {
 			continue
@@ -439,14 +462,14 @@ func getServiceAccountInfo(session *models.Principal, params saApi.GetServiceAcc
 }
 
 // setServiceAccountPolicy sets policy for a service account
-func updateServiceAccountDetails(ctx context.Context, userClient MinioAdmin, accessKey string, policy string, expiry time.Time, name string, description string, status string, secretKey string) error {
+func updateServiceAccountDetails(ctx context.Context, userClient MinioAdmin, accessKey string, policy string, expiry *time.Time, name string, description string, status string, secretKey string) error {
 	req := madmin.UpdateServiceAccountReq{
 		NewPolicy:      json.RawMessage(policy),
 		NewSecretKey:   secretKey,
 		NewStatus:      status,
 		NewName:        name,
 		NewDescription: description,
-		NewExpiration:  &expiry,
+		NewExpiration:  expiry,
 	}
 
 	err := userClient.updateServiceAccount(ctx, accessKey, req)
@@ -471,14 +494,15 @@ func updateSetServiceAccountResponse(session *models.Principal, params saApi.Upd
 	// defining the client to be used
 	userAdminClient := AdminClient{Client: userAdmin}
 
-	var parsedExpiry time.Time
+	var expiry *time.Time
 	if params.Body.Expiry != "" {
-		parsedExpiry, err = time.Parse(time.RFC3339, params.Body.Expiry)
+		parsedExpiry, err := time.Parse(time.RFC3339, params.Body.Expiry)
 		if err != nil {
 			return ErrorWithContext(ctx, err)
 		}
+		expiry = &parsedExpiry
 	}
-	err = updateServiceAccountDetails(ctx, userAdminClient, accessKey, policy, parsedExpiry, params.Body.Name, params.Body.Description, params.Body.Status, params.Body.SecretKey)
+	err = updateServiceAccountDetails(ctx, userAdminClient, accessKey, policy, expiry, params.Body.Name, params.Body.Description, params.Body.Status, params.Body.SecretKey)
 	if err != nil {
 		return ErrorWithContext(ctx, err)
 	}

api/tls.go

@@ -17,65 +17,35 @@
 package api
 
 import (
-	"crypto/tls"
-	"net"
 	"net/http"
-	"time"
 )
 
 type ConsoleTransport struct {
-	Transport *http.Transport
+	Transport http.RoundTripper
 	ClientIP  string
 }
 
 func (t *ConsoleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	req.Header.Add("X-Forwarded-For", t.ClientIP)
-	resp, err := t.Transport.RoundTrip(req)
-	return resp, err
+	if t.ClientIP != "" {
+		// Do not set an empty x-forwarded-for
+		req.Header.Add(xForwardedFor, t.ClientIP)
+	}
+	return t.Transport.RoundTrip(req)
 }
 
 // PrepareSTSClientTransport :
-func PrepareSTSClientTransport(insecure bool, remoteAddress string) *ConsoleTransport {
-	// This takes github.com/minio/madmin-go/v3/transport.go as an example
-	//
-	// DefaultTransport - this default transport is similar to
-	// http.DefaultTransport but with additional param  DisableCompression
-	// is set to true to avoid decompressing content with 'gzip' encoding.
-	DefaultTransport := &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		DialContext: (&net.Dialer{
-			Timeout:   10 * time.Second,
-			KeepAlive: 15 * time.Second,
-		}).DialContext,
-		MaxIdleConns:          1024,
-		MaxIdleConnsPerHost:   1024,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 10 * time.Second,
-		DisableCompression:    true,
-		TLSClientConfig: &tls.Config{
-			// Can't use SSLv3 because of POODLE and BEAST
-			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
-			// Can't use TLSv1.1 because of RC4 cipher usage
-			MinVersion:         tls.VersionTLS12,
-			InsecureSkipVerify: insecure,
-			RootCAs:            GlobalRootCAs,
-		},
+func PrepareSTSClientTransport(clientIP string) *ConsoleTransport {
+	return &ConsoleTransport{
+		Transport: GlobalTransport,
+		ClientIP:  clientIP,
 	}
-	t := &ConsoleTransport{
-		Transport: DefaultTransport,
-		ClientIP:  remoteAddress,
-	}
-	return t
 }
 
 // PrepareConsoleHTTPClient returns an http.Client with custom configurations need it by *credentials.STSAssumeRole
 // custom configurations include the use of CA certificates
-func PrepareConsoleHTTPClient(insecure bool, clientIP string) *http.Client {
-	transport := PrepareSTSClientTransport(insecure, clientIP)
+func PrepareConsoleHTTPClient(clientIP string) *http.Client {
 	// Return http client with default configuration
-	c := &http.Client{
-		Transport: transport,
+	return &http.Client{
+		Transport: PrepareSTSClientTransport(clientIP),
 	}
-	return c
 }

api/user_log_search.go

@@ -98,7 +98,7 @@ func getLogSearchResponse(session *models.Principal, params logApi.LogSearchPara
 }
 
 func logSearch(endpoint string, clientIP string) (*models.LogSearchResponse, error) {
-	httpClnt := GetConsoleHTTPClient(endpoint, clientIP)
+	httpClnt := GetConsoleHTTPClient(clientIP)
 	resp, err := httpClnt.Get(endpoint)
 	if err != nil {
 		return nil, fmt.Errorf("the Log Search API cannot be reached. Please review the URL and try again %v", err)

api/user_login.go

@@ -191,8 +191,7 @@ func getLoginDetailsResponse(params authApi.LoginDetailParams, openIDProviders o
 	for name, provider := range openIDProviders {
 		// initialize new oauth2 client
 
-		oauth2Client, err := provider.GetOauth2Provider(name, nil, r, GetConsoleHTTPClient("", getClientIP(params.HTTPRequest)),
-			GetConsoleHTTPClient(getMinIOServer(), getClientIP(params.HTTPRequest)))
+		oauth2Client, err := provider.GetOauth2Provider(name, nil, r, GetConsoleHTTPClient(getClientIP(params.HTTPRequest)))
 		if err != nil {
 			continue
 		}
@@ -281,8 +280,8 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
 		}
 
 		// Initialize new identity provider with new oauth2Client per IDPName
-		oauth2Client, err := providerCfg.GetOauth2Provider(IDPName, nil, r, GetConsoleHTTPClient("", getClientIP(params.HTTPRequest)),
-			GetConsoleHTTPClient(getMinIOServer(), getClientIP(params.HTTPRequest)))
+		oauth2Client, err := providerCfg.GetOauth2Provider(IDPName, nil, r,
+			GetConsoleHTTPClient(getClientIP(params.HTTPRequest)))
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}

api/user_logout.go

@@ -18,7 +18,6 @@ package api
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
@@ -103,11 +102,7 @@ func logoutFromIDPProvider(r *http.Request, state string) error {
 		params.Add("client_secret", providerCfg.ClientSecret)
 		params.Add("refresh_token", refreshToken.Value)
 		client := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					RootCAs: GlobalRootCAs,
-				},
-			},
+			Transport: GlobalTransport,
 		}
 		_, err := client.PostForm(providerCfg.EndSessionEndpoint, params)
 		if err != nil {