Missing CORS headers · Issue #10057 · traefik/traefik

link管理
链接快照平台
输入网页链接，自动生成快照
标签化管理网页链接
What did you do?

I have config like this:
    http:
      middlewares:
        corswide:
          headers:
            accessControlAllowMethods:
              - GET
              - HEAD
              - OPTIONS
            accessControlAllowHeaders:
              - "*"
            accessControlAllowOriginList:
              - "*"
            accessControlMaxAge: 86400
            addVaryHeader: true
      routers:
        myservice:
          entryPoints:
            - "web"
          middlewares:
            - "corswide@file"
I expect to see response headers as defined above.
What did you see instead?
By curl my site, I got
< access-control-allow-origin: *
access-control-allow-origin: *
I don't understand why I'm seeing only one header, I read carefully about the docs, seems like nothing wrong in the config, please help, thanks.
What version of Traefik are you using?
2.9.10
What is your environment & configuration?
added above.
And we can see configured headers from dashboard:
And the middleware was added to that router:
If applicable, please paste the log output in DEBUG level
No response
          OK, I think I found the cause,
https://github.com/traefik/traefik/blob/master/pkg/middlewares/headers/header.go#L140
According to above logic, seems like cors headers are only used when request method is OPTIONS, and if we need these response headers, we have to add them in customResponseHeaders:
https://github.com/traefik/traefik/blob/master/pkg/middlewares/headers/header.go#L53-L60
So, if I need my expected response headers and let traefik handle preflight requests, I have to use below configs according to https://github.com/traefik/traefik/blob/master/pkg/config/dynamic/middlewares.go#L304-L314:
    http:
      middlewares:
        corswide:
          headers:
            accessControlAllowOriginList:
              - "*"
            customResponseHeaders:
              Access-Control-Allow-Methods: "GET,HEAD,OPTIONS"
              Access-Control-Allow-Headers: "*"
              Access-Control-Allow-Origin: "*"
              Access-Control-Max-Age: "86400"
Does it make sense? Is it by design?
          Hello @yongzhang ,
Thanks for your interest in Traefik,
It seems that your issue is related to a configuration issue and the GitHub issue tracker is dedicated to bug and feature requests.
For help on your configuration, please join our Community Forum and reach out to us on the Traefik v2 section.
We will close this issue accordingly but feel free to re-open it if you think that we missed something.
Hello @yongzhang ,
Thanks for your interest in Traefik,
It seems that your issue is related to a configuration issue and the GitHub issue tracker is dedicated to bug and feature requests.
For help on your configuration, please join our Community Forum and reach out to us on the Traefik v2 section.
We will close this issue accordingly but feel free to re-open it if you think that we missed something.
hmm, I think this one is more than a question, it should at least be well documentated.
Even more, why customResponseHeaders are needed there? Why not just using cors settings in the root of header?
Hello @yongzhang,
When using the customResponseHeaders option you are adding the CORS headers to every response, but the Access-Control-Allow-Methods, for example, is meant to be used only in preflight responses (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods).
I read the docs again and yes you're right, thanks for sharing.