Add MinIO Quota Enforcement Script - nginx_request_checker.py

2025-04-02 09:59:19 -04:00 · 2025-04-02 09:59:19 -04:00 · 421954a955
commit 421954a955
parent 4ef76acf19
1 changed files with 108 additions and 0 deletions
--- a/nginx_request_checker.py.-.md
+++ b/nginx_request_checker.py.-.md
@ -0,0 +1,108 @@
+# MinIO Quota Enforcement Proxy
+
+## Overview
+This script acts as a middleware between Nginx and MinIO to enforce storage quotas per user. It checks Redis for quota status before proxying requests to MinIO. If a user has exceeded their quota, the script returns an S3-style XML error message.
+
+## Features
+- **Quota Enforcement**: Blocks users who exceed their storage quota.
+- **Configurable Settings**: Reads configurations from environment variables and `/etc/minio_quota.conf`.
+- **Logging**: Always logs to stdout and optionally logs to a file if `LOG_FILE` is set.
+- **Proxying**: Forwards valid requests to MinIO.
+
+## Configuration
+The script prioritizes configuration values in this order:
+1. **Environment Variables**
+2. **Configuration File (`/etc/minio_quota.conf`)**
+3. **Default Values**
+
+### Configurable Parameters
+| Variable         | Default Value | Description |
+|-----------------|--------------|-------------|
+| `REDIS_HOST`    | `127.0.0.1`  | Redis server hostname/IP |
+| `REDIS_PORT`    | `6379`       | Redis server port |
+| `REDIS_DB`      | `2`          | Redis database number |
+| `MINIO_ENDPOINT` | `http://minio-server-vm.int.lhprojects.net` | MinIO server URL |
+| `LOG_FILE`      | None         | Path to log file (logs only if set) |
+
+### Example Configuration File (`/etc/minio_quota.conf`)
+```
+REDIS_HOST=192.168.1.100
+REDIS_PORT=6379
+REDIS_DB=2
+MINIO_ENDPOINT=http://minio.example.com
+LOG_FILE=/var/log/minio_quota.log
+```
+
+## Installation & Usage
+### Prerequisites
+- Python 3.8+
+- `fastapi`, `redis`, `httpx`, and `uvicorn`
+
+Install dependencies:
+```sh
+pip install fastapi redis httpx uvicorn
+```
+
+### Running the Script
+Run the script using `uvicorn`:
+```sh
+uvicorn nginx_request_checker:app --host 0.0.0.0 --port 8000
+```
+
+To run in the background:
+```sh
+nohup uvicorn nginx_request_checker:app --host 0.0.0.0 --port 8000 > nginx_request_checker.log 2>&1 &
+```
+
+### Running as a Systemd Service
+1. Create a systemd service file:
+```sh
+sudo nano /etc/systemd/system/minio_quota_checker.service
+```
+2. Add the following:
+```ini
+[Unit]
+Description=MinIO Quota Checker API
+After=network.target
+
+[Service]
+User=your_user
+WorkingDirectory=/path/to/script
+ExecStart=/usr/bin/uvicorn nginx_request_checker:app --host 0.0.0.0 --port 8000
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+```
+3. Enable and start the service:
+```sh
+sudo systemctl daemon-reload
+sudo systemctl enable minio_quota_checker
+sudo systemctl start minio_quota_checker
+```
+
+## API Behavior
+The script intercepts all requests and performs the following:
+1. Extracts the username from the request path.
+2. Checks Redis for the key `quota_exceeded:<username>`.
+3. If quota is exceeded, it returns a `403 Forbidden` response with an XML error message.
+4. Otherwise, it forwards the request to MinIO.
+
+### Example Error Response
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<Error>
+  <Code>QuotaExceeded</Code>
+  <Message>User has exceeded storage quota.</Message>
+  <Resource>/test-bucket/object</Resource>
+  <RequestId>request-id-12345</RequestId>
+</Error>
+```
+
+## Notes
+- Ensure Redis is running and accessible by the script.
+- Update Nginx to forward requests to this script instead of directly to MinIO.
+
+## License
+MIT License
+