pomerium icon indicating copy to clipboard operation
pomerium copied to clipboard

Published 20 hours ago verified publisher icon pomerium

IC: `disable: true` doesn't work for the `set_response_headers` config file key as described in the documentation.

Open ssveta7ak opened this issue 2 years ago • 9 comments

What happened?

Ingress Controller: disable: true doesn't work for the set_response_headers config file key as described in the documentation. https://www.pomerium.com/docs/reference/set-response-headers

What did you expect to happen?

What's your config?

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.pomerium.io/set_response_headers: '{"x-frame-options":"DENY", "hello":"there"}'

What did you see in the logs?

# Paste your logs here.
# Be sure to scrub any sensitive values

Additional context

Add any other context about the problem here.

ssveta7ak avatar Feb 24 '23 19:02 ssveta7ak

  1. setting to "disable": true is incompatible with the fact that it's a map[string]string, so it should be {"disable":"anything really"}

https://github.com/pomerium/pomerium/blob/88915a79c1c612cbca5db5a2633f4a673afe7c8f/pkg/grpc/config/config.proto#L97

  1. the docs in https://www.pomerium.com/docs/reference/set-response-headers are not very helpful to elaborate what does disable mean, looking at the code, it disables adding default headers.

https://github.com/pomerium/pomerium/blob/88915a79c1c612cbca5db5a2633f4a673afe7c8f/config/options.go#L1011-L1026

wasaga avatar Feb 24 '23 19:02 wasaga

currently it results in disable:true appear in the response headers, and default headers are still present.

image

wasaga avatar Feb 24 '23 19:02 wasaga

the docs in https://www.pomerium.com/docs/reference/set-response-headers are not very helpful to elaborate what does disable mean, looking at the code, it disables adding default headers.

Are you asking to change the behavior or the docs?

calebdoxsey avatar Feb 24 '23 19:02 calebdoxsey

  1. currently, disable: true does not seem to work, despite the code is there, maybe they're also set elsewhere
  2. I couldn't understand the expected outcome from reading the docs, had to look at the code.
  3. probably having a separate option like disable_default_request_headers: true makes it more accessible?

wasaga avatar Feb 24 '23 19:02 wasaga

currently, disable: true does not seem to work, despite the code is there, maybe they're also set elsewhere

Confirmed locally that the option works. This is an ingress controller issue.

calebdoxsey avatar Feb 24 '23 19:02 calebdoxsey

this bug describes a per-route option and not a global one. IC sets https://github.com/pomerium/pomerium/blob/88915a79c1c612cbca5db5a2633f4a673afe7c8f/pkg/grpc/config/config.proto#L97 via annotation.

https://www.pomerium.com/docs/reference/routes/set-response-headers

wasaga avatar Feb 24 '23 21:02 wasaga

Oh. Yeah you can't disable globally added headers with a per-route option. This is a new requirement.

calebdoxsey avatar Feb 24 '23 22:02 calebdoxsey

Currently the behavior is additive. We set response headers at the virtual host level, then add the per-route set response headers at the route level.

To support remove the global headers, we will need to only set the per-route response headers and implement the logic in the go code. There is some trickiness related to non-route pages that get handled by Pomerium that also need to get handled (userinfo, 404 pages, etc).

calebdoxsey avatar Feb 27 '23 16:02 calebdoxsey

This should be fixed.

calebdoxsey avatar Jan 29 '24 16:01 calebdoxsey