// the MinIO-internal key derivation.
	MetaIV = "X-Minio-Internal-Server-Side-Encryption-Iv"

	// MetaAlgorithm is the algorithm used to derive internal keys
	// and encrypt the objects.
	MetaAlgorithm = "X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm"

	// MetaSealedKeySSEC is the sealed object encryption key in case of SSE-C.
	MetaSealedKeySSEC = "X-Minio-Internal-Server-Side-Encryption-Sealed-Key"

```sh
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio13
minio server /data
```

#### Site

```
KEY:
site  label the server and its location

ARGS:
name     (string)    name for the site e.g. "cal-rack0"
region   (string)    name of the location of the server e.g. "us-west-1"
comment  (sentence)  optionally add a comment to this setting
```

or environment variables

install --set tls.enabled=true,tls.certSecret=tls-ssl-minio minio/minio ``` ### Installing certificates from third party CAs MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true`...

  private lateinit var server: MockWebServer
  private val handshakeCertificates = platform.localhostHandshakeCertificates()
  private var client: OkHttpClient = clientTestRule.newClient()

  @BeforeEach
  fun setUp(server: MockWebServer) {
    this.server = server
  }

  @Test
  fun connectionsAreReused() {
    server.enqueue(MockResponse(body = "a"))
    server.enqueue(MockResponse(body = "b"))

    - [Server Binaries](#server-binaries-12)
    - [Node Binaries](#node-binaries-12)
    - [Container Images](#container-images-12)
  - [Changelog since v1.24.4](#changelog-since-v1244)
  - [Important Security Information](#important-security-information-3)
    - [CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)](#cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf)

    with pytest.raises(RuntimeError):
        client.get("/server-error")


def test_override_server_error_exception_response():
    client = TestClient(app, raise_server_exceptions=False)
    response = client.get("/server-error")
    assert response.status_code == 500

    keepalive_timeout  65;

    #gzip  on;

    # include /etc/nginx/conf.d/*.conf;

    upstream minio {
        server minio1:9000;
        server minio2:9000;
        server minio3:9000;
        server minio4:9000;
    }

    # main minio
    server {
        listen       9000;
        listen  [::]:9000;
        server_name  localhost;

         # To allow special characters in headers

  private lateinit var server: MockWebServer
  private val socksProxy = SocksProxy()

  @BeforeEach
  fun setUp(server: MockWebServer) {
    this.server = server
    socksProxy.play()
  }

  @AfterEach
  fun tearDown() {
    socksProxy.shutdown()
  }

  @Test
  fun proxy() {
    server.enqueue(MockResponse.Builder().body("abc").build())
    server.enqueue(MockResponse.Builder().body("def").build())

- `X-Amz-Server-Side-Encryption-Customer-Key`: Base64 encoded new key.
- `X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key`: Base64 encoded current key.

Such a special COPY request is also known as S3 SSE-C key rotation.

### Server-Side Encryption with a KMS

SSE-S3 allows an S3 client to en/decrypt an object at the MinIO server using a KMS. The MinIO
server only assumes that the KMS provides two services:

	// and positive values indicating number of read locks
	lockMap map[string]int64

	// Refresh returns lock not found if set to true
	lockNotFound bool

	// Set to true if you want peers servers to do not respond
	responseDelay int64
}

func (l *lockServer) setRefreshReply(refreshed bool) {
	l.mutex.Lock()
	defer l.mutex.Unlock()
	l.lockNotFound = !refreshed
}