CORS Middleware not working

rp346 · February 19, 2024, 5:57pm

Hello,

I have created following middleware for API endpoint

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-api
  namespace: api-staging
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
      - "DELETE"
    accessControlAllowHeaders:
      - "*"
    accessControlAllowOriginList:
      - "https://*.example.com"
    accessControlMaxAge: 100
    addVaryHeader: true

& attached it to IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: api-external-0
  namespace: api-staging
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`api.staging.example.com`)
      services:
        - name: nginx
          port: 80
          strategy: RoundRobin
          sticky:
            cookie:
              httpOnly: true
      middlewares:
        - name: cors-api
          namespace: api-staging
        - name: https-redirect
          namespace: api-staging
  tls:
    secretName: staging-cert

But following request is going through

% curl -v --request OPTIONS 'https://api.staging.example.com' -H 'Origin: http://fake.origin.com' -H 'Access-Control-Request-Method: GET'
*   Trying x.x.x.x:443...
* Connected to api.staging.example.com (x.x.x.x) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.staging.example.com
*  start date: Jan 11 02:15:45 2024 GMT
*  expire date: Apr 10 02:15:44 2024 GMT
*  subjectAltName: host "api.staging.example.com" matched cert's "*.staging.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://api.staging.example.com/
* [HTTP/2] [1] [:method: OPTIONS]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: api.staging.example.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [origin: http://fake.origin.com]
* [HTTP/2] [1] [access-control-request-method: GET]
> OPTIONS / HTTP/2
> Host: api.staging.example.com
> User-Agent: curl/8.4.0
> Accept: */*
> Origin: http://fake.origin.com
> Access-Control-Request-Method: GET
>
< HTTP/2 200
< access-control-allow-headers: *
< access-control-allow-methods: GET,OPTIONS,PUT,POST,DELETE
< access-control-max-age: 100
< content-length: 0
< date: Mon, 19 Feb 2024 17:54:27 GMT
<
* Connection #0 to host api.staging.example.com left intact

Any thoughts on what is happening here ?

bluepuma77 · February 19, 2024, 8:47pm

Hmm, you are setting a header, so that sends info for the client to not load scrips from other sites. But I don’t think it will have an effect on curl requests.

rp346 · February 19, 2024, 9:22pm

Do I need to fix anything in CROS Middleware

rp346 · February 23, 2024, 7:34pm

I tried following option as well but no luck

accessControlAllowOriginListRegex:
  - "(.*?)\\.example\\.com"

bluepuma77 · February 24, 2024, 7:53am

Can you explain again what you are trying to achieve and what you expect to see when using curl?

rp346 · February 27, 2024, 10:53pm

I want to use CORS to block curl request if its not using approved Origin in a request. Only requests with predefined Origin should pass through or conects.

bluepuma77 · February 28, 2024, 6:45am

CORS is not used on server to actively block requests. The server sends CORS headers, but the client browser needs to enforce it.

From ChatGPT:

CORS (Cross-Origin Resource Sharing) is a security feature implemented on web servers to specify who can access the resources on the server. It works by adding specific headers to HTTP responses. Although the rules are set on the server, the enforcement of these rules occurs on the client side. Browsers read the CORS headers in responses from the server and decide whether to allow or block the resource from being accessed by the web page, based on the origin of the page making the request.

So with a single request tool like curl you won’t see any effect. You could try lynx on the command line, which is a full terminal browser.

Topic		Replies	Views
Trying to enable CORS Traefik v2 docker , middleware	8	5714	May 31, 2020
CORS Syntax Not Working? Traefik v2 kubernetes-crd , kubernetes-ingress , middleware	1	1204	October 14, 2022
Can't setting CORS Traefik V2 Traefik v2 kubernetes-ingress	2	1771	April 20, 2021
Traefik 2.2.5 CORS middleware does not exist error Traefik v2 kubernetes-crd , kubernetes-ingress , middleware	4	2341	October 3, 2023
[SOLVED] Getting error 500 with CORS middleware while using OPTIONS method Traefik v2 kubernetes-crd	2	1808	May 7, 2021

CORS Middleware not working

Related topics