{ObjectOpts{Name: "c2test", VersionID: "vid", DeleteMarker: true, OpType: DeleteReplicationType}, cfgs[1], false},             // 13. permanent delete of DeleteMarker version, disallowed by DeleteReplication status

	sseS3 := crypto.S3.IsEncrypted(objInfo.UserDefined)
	if !sseKMS && !sseS3 { // neither sse-s3 nor sse-kms disallowed
		return errInvalidEncryptionParameters
	}
	if sseKMS && r.Encryption.Type == sses3 { // previously encrypted with sse-kms, now sse-s3 disallowed
		return errInvalidEncryptionParameters
	}
	versioned := globalBucketVersioningSys.PrefixEnabled(srcBucket, srcObject)

// path are forwarded to the backend.
message HTTPIngressPath {
  // path is matched against the path of an incoming request. Currently it can
  // contain characters disallowed from the conventional "path" part of a URL
  // as defined by RFC 3986. Paths must begin with a '/' and must be present
  // when using PathType with value "Exact" or "Prefix".
  // +optional
  optional string path = 1;

  //  1. Trust distribution: how trust (CA bundles) are distributed.
  //  2. Permitted subjects: and behavior when a disallowed subject is requested.
  //  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
  //  4. Required, permitted, or forbidden key usages / extended key usages.

http://ExAmPlE.CoM http://other.com/ s:http p:/ h:example.com

# Spaces should fail
http://example\sexample.com

# This should fail
http://Goo%20\sgoo%7C|.com

# U+3000 is mapped to U+0020 (space) which is disallowed
http://GOO\u00a0\u3000goo.com

# Other types of space (no-break, zero-width, zero-width-no-break) are
# name-prepped away to nothing.
# U+200B, U+2060, and U+FEFF, are ignored

        if ( !selected.atLeast(getConfig().getMinimumVersion()) || !selected.atMost(getConfig().getMaximumVersion()) ) {
            log.error(
                String.format(
                    "Server selected an disallowed dialect version %s (min: %s max: %s)",
                    selected,
                    getConfig().getMinimumVersion(),
                    getConfig().getMaximumVersion()));
            return false;
        }

// path are forwarded to the backend.
message HTTPIngressPath {
  // path is matched against the path of an incoming request. Currently it can
  // contain characters disallowed from the conventional "path" part of a URL
  // as defined by RFC 3986. Paths must begin with a '/' and must be present
  // when using PathType with value "Exact" or "Prefix".
  // +optional
  optional string path = 1;

// mixing different types of rules in a single Ingress is disallowed, so exactly
// one of the following must be set.
message IngressRuleValue {
  // http is a list of http selectors pointing to backends.
  // A path is matched against the path of an incoming request. Currently it can
  // contain characters disallowed from the conventional "path" part of a URL
  // as defined by RFC 3986. Paths must begin with a '/'.

        new SecurityManager() {
          @Override
          public void checkPermission(Permission p) {
            if (readClassPathFiles.implies(p)) {
              throw new SecurityException("Disallowed: " + p);
            }
          }
        };
    System.setSecurityManager(disallowFilesSecurityManager);
    try {
      file.exists();
      fail("Did not get expected SecurityException");

Note that just like with [AWS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html), Delete marker replication is disallowed in MinIO when the replication rule has tags.

To add a replication rule allowing both delete marker replication, versioned delete replication or both specify the --replicate flag with comma separated values as in the example below.