Setting Cross-Origin-* headers

Lesser6895 · April 11, 2024, 9:18pm

Hi
I am trying to setup CryptPad behind traefik.
Officially supported is NGINX, i managed to make it work with secure headers but to enable xlsx import/export it requires setting headers for
Cross-Origin-Resource-Policy
Cross-Origin-Embedder-Policy

is it at all possible in traefik?
under NGINX it would look like that:

add_header Cross-Origin-Resource-Policy cross-origin;
add_header Cross-Origin-Embedder-Policy require-corp;

bluepuma77 · April 12, 2024, 6:09am

You can set headers in request to the target service and in response to the client/browser (doc).

Lesser6895 · April 12, 2024, 8:29pm

So this should work in yml?

http:
  middlewares:
    middleware-cross-origin:
      headers:
        customResponseHeaders:
          Cross-Origin-Resource-Policy: "cross-origin"
          Cross-Origin-Embedder-Policy: "require-corp"

Lesser6895 · April 12, 2024, 8:55pm

ok, that worked, i made a stupid mistake
Sadly this did not solve my issue

bluepuma77 · April 13, 2024, 6:48am

If you think it’s still Traefik related:

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Lesser6895 · April 13, 2024, 12:16pm

Thank you, but I think i understand the problem now.
Thanks to you I can add various required headers, the problem is that the CryptPad requires quite complex header logic that differs depending not only on domain but also on content.
Nginx seems to have ability to work with variables that are analysed and set while the config file is processed in the context of a request.
The nginx CryptPad config is therefore complex but manageable.

I don't think that traefik has this ability.
If I am correct, it would mean that I have to prepare middleware for each of the variances.
Right now I would know how, but that's beyond my ability to force myself to do the work.

Unless you tell me I am wrong.

bluepuma77 · April 13, 2024, 5:53pm

The example nginx config looks simple.

Lesser6895 · April 13, 2024, 6:19pm

unfortunately I am trying to use OnlyOffice, hence talking about this one

github.com

cryptpad/cryptpad/blob/main/docs/example-advanced.nginx.conf

# SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later

#   This file is included strictly as an example of how Nginx can be configured
#   to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
#   compare the sections of this configuration file against a working CryptPad
#   installation (http server by the Nodejs process). If you are using CryptPad
#   in production and require professional support please contact sales@cryptpad.fr

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Let's Encrypt webroot
    include letsencrypt-webroot;
    # Include mime.types to be able to support .mjs files (see "types" below)
    include mime.types;

    # CryptPad serves static assets over these two domains.

This file has been truncated. show original

unless I misunderstand something again

Topic		Replies	Views
Traefik 2.5 CORS issue with 3 services (fe and api, mysql) Traefik v2 docker	1	1268	November 28, 2021
Problem with headers, probably forwarding Traefik v2 docker	14	9866	May 1, 2020
Traefik not setting Access-Control-Allow-Origin header Traefik v2 docker , middleware	2	15091	September 29, 2023
Traefik does not appear to set X-Forwarded headers correctly for forward auth Traefik v2 docker , middleware	0	410	April 15, 2023
[Solved] Help with header security Traefik v2 docker	0	296	April 20, 2024

Setting Cross-Origin-* headers

Related topics