application-gateway-kubernetes-ingress
Add CORS support
We have experienced CORS issues when using Application Gateway to service requests between multiple hostnames. For example, a front-end application is hosted under fe.example.com and back-end APIs are hosted under api.example.com. Requests between these domains will be blocked by CORS.
This issue is very well documented by Raja at https://techcommunity.microsoft.com/t5/Azure/Application-Gateway-config-issue-with-WAF-V2-quot-CORS-header/td-p/270440
What can be done: In the Nginx world, a custom configuration snippet (https://gist.github.com/Stanback/7145487) can be added such that OPTIONS requests (CORS preflight requests) are responded to automatically with customized headers, and the response headers of the actual requests are modified to permit CORS.
Ideally, a feature is needed to add the necessary headers to the preflight and the actual requests in order to permit CORS. A possible way of doing it using the Application Gateway Rewrite Rules is to add an ingress annotation to bind to a specific Rewrite Rule set and auto-respond when the request is an OPTIONS request (CORS preflight request).
@terrificsoysauce this looks like an ask for URL/header re-write capabilities in application gateway. I am assuming you are getting a 403 back from WAF since WAF shouldn't block these requests but then browser/server would block these requests?
@asridharan I believe the error code for CORS is 401. You are right that CORS is enforced at the client browser. The URL/Header Re-write capabilities already exist in application gateway and I think we can configure the application gateway using the rewrite to address CORS.
However, when using the application gateway kubernetes ingress controller, any manual config made directly to the application gateway will not persist under CI/CD redeployment to Kubernetes. In addition, any new Rules created by the controller will not have any rewrite set bound to them.
That's why we need a way for the application gateway ingress controller to support binding a rewrite set in the application gateway.
Hello everyone! Adding my upvote to this request, as we're going through the same kind of struggle with CORS.
Same over here... Is there any plan for this solution?
Almost a year on this issue, any news?
Hello folks! Is there any update on this? We're struggling with issues that we aren't able to solve because App Gateway as a product supports it, but not AGIC.
Could you please update the customers regarding it?
Thank you! Gutemberg
Hello Guys,
Our production is down due to this issue. We are getting multiple values in the Access-Control-Allow-Origin header. Please find the attached error image which we are getting:
We have deployed the below mentioned configuration:
```yaml
annotations:
  kubernetes.io/ingress.class: "nginx"
  nginx.ingress.kubernetes.io/configuration-snippet: |
    # Dots are escaped so that they match a literal '.' only
    if ($http_origin ~* (https?://(.+\.)*(domain1|domain2)\.(?:net|com)$)) {
      set $cors "true";
    }
    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used
    if ($request_method = 'OPTIONS') {
      set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
      set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
      set $cors "${cors}post";
    }
    if ($cors = "true") {
      # Catch all in case there's a request method we're not dealing with properly
      add_header 'Access-Control-Allow-Origin' "$http_origin";
    }
    if ($cors = "trueget") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
    if ($cors = "trueoptions") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      #
      # Om nom nom cookies
      #
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      #
      # Custom headers and headers various browsers *should* be OK with but aren't
      #
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      #
      # Tell client that this pre-flight info is valid for 20 days
      #
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain; charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }
    if ($cors = "truepost") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
```

Please help..!!
It's almost March, 2020. No word from Microsoft on this issue. Microsoft, do you have ANY guidance on CORS? I cannot believe that this most mundane issue is not handled well. CORS is fundamental, and seems to be treated as a low priority problem. If that's the case I cannot see how Application Gateway is a mature service for Azure. Please respond with guidance.
Any ETA on providing this feature?
This is also an issue for an application we are currently deploying. Support for CORS headers, similar to the nginx ingress controller, would be very useful.
Because of this issue we are not able to use this ingress at all in production. We have opted to use nginx ingress with Application Gateway as a layer on top of the nginx ingress.
I guess this is a common situation in many implementations - use NGINX + AGW (with WAF). AGIC is just not a production ready solution. I'd warn people from using it in the real world.
Any updates on this? We are running into the same issue.
I was able to configure AGIC to include the proper CORS headers in the following way:
- Create a Rewrite Set in Azure within the Application Gateway
- In the Rewrite set, check the origin in the request header and if it matches an allowed origin, update the response header to include that origin - note you can use a value like `{http_req_Origin}` to refer to the origin header in the request
- Add the following annotation to the appropriate ingress resources to ensure the rewrite set is applied: `appgw.ingress.kubernetes.io/rewrite-rule-set: add-allowed-origins`

Where `add-allowed-origins` is the name of the rewrite rule set I created in Azure.
Note - It is important to add the annotation to the ingress resource, otherwise Application Gateway will overwrite any applied Rewrite rules each time a deployment occurs into the AKS cluster.
https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/annotations.md#rewrite-rule-set
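
Both the nginx snippet and the rewrite-set steps in this thread come down to the same check: match the request's Origin against an allow-list and echo it back. The following Python sketch is an added example (not code from the thread or from AGIC) that compares a loose pattern with a strict one on constructed origins and keeps the response to a single Access-Control-Allow-Origin value. The strict pattern, the function names and the sample origins are assumptions made for illustration.

```python
import re

# Loose: unescaped dots match any character and there is no start anchor.
LOOSE = re.compile(r"(https?://(.+.)*(domain1|domain2).(?:net|com)$)", re.I)
# Strict (assumed hardening): anchored, literal dots, hostname-only labels.
STRICT = re.compile(r"^https?://([a-z0-9-]+\.)*(domain1|domain2)\.(?:net|com)$", re.I)

ACAO = "Access-Control-Allow-Origin"

# Constructed sample origins; domain1/domain2 are the thread's placeholders.
SAMPLE_ORIGINS = [
    "https://fe.domain1.com",
    "https://domain2.net",
    "https://notdomain1.com",
    "https://domain1.com.example.org",
]


def apply_cors(origin, pattern, upstream_headers=()):
    """Return the response headers as a list of (name, value) pairs."""
    # Drop any upstream ACAO so the response never carries two values.
    out = [(k, v) for k, v in upstream_headers if k.lower() != ACAO.lower()]
    if origin and pattern.search(origin):
        out.append((ACAO, origin))
        # The response now differs per Origin, so caches must key on it.
        out.append(("Vary", "Origin"))
    return out


def acao_values(headers):
    """All Access-Control-Allow-Origin values present in a header list."""
    return [v for k, v in headers if k.lower() == ACAO.lower()]


def allowed(pattern):
    """Sample origins that the given pattern would echo back."""
    return [o for o in SAMPLE_ORIGINS if acao_values(apply_cors(o, pattern))]


if __name__ == "__main__":
    print("loose :", allowed(LOOSE))
    print("strict:", allowed(STRICT))
    upstream = [(ACAO, "*"), ("Content-Type", "application/json")]
    print(apply_cors("https://fe.domain1.com", STRICT, upstream))
```

Running the same list of origins through whatever pattern is configured in the gateway or ingress is a quick regression check before the rule is deployed.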