Option to allow CORS/OPTIONS
Is it possible to add "Access-Control-Allow-Origin" in header on the redirect?
I get Access to fetch at 'https://some-url' from origin 'https://some-other-url' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Traefik headers middleware (https://docs.traefik.io/middlewares/headers/) seems not to work together with forward auth.
I think you could work around this by creating a rule:
rule.allow-cors.action = allow
rule.allow-cors.rule = Method(`OPTIONS`)
This will forward the OPTIONS request through to your app, could you test if something like that would work?
It may make sense to add a built-in option to allow something like this.
That sounds like it could work for me.
I'll try.
Leaving this open to track the possible enhancement
@thomseddon, could you please help me understand in which file these rules need to be added?
You can either add a configuration file, which you point to with the --config parameter or $CONFIG env var (as documented in README)
Alternatively, you can specify rules as parameters like this: https://github.com/thomseddon/traefik-forward-auth/blob/6c6f75e80dcea7e4d5bd3fcdf638a0b016544f19/internal/config_test.go#L51-L54
Same problem here! I think OPTIONS requests should not be authenticated. I think by default it should be disabled, and enabled if desired.
I currently fixed this as mentioned. Here you have my piece of code for a Kubernetes deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-sso
  labels:
    app: traefik-sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-sso
  template:
    metadata:
      labels:
        name: traefik-sso
        app: traefik-sso
    spec:
      containers:
      - name: traefik-sso
        image: thomseddon/traefik-forward-auth:2
        args:
        - "--rule.http-options-requests.action=allow"
        - "--rule.http-options-requests.rule=Method(`OPTIONS`)"
Correspondingly, for a Docker {Swarm,Compose} deployment:
forward-auth:
  image: "thomseddon/traefik-forward-auth:2"
  command:
    - "--rule.http-options-requests.action=allow"
    - "--rule.http-options-requests.rule=Method(`OPTIONS`)"
We use traefik-forward-auth to put our staging environment behind an access control layer so only employees can access it. In there, we deploy feature branches on subdomains like foo.staging.bar.com, which still talk to the staging API at staging.bar.com - so now CORS is involved. When including credentials with the requests, things will mostly work, except for preflight requests - which are sent without credentials per the spec, thus forward-auth won't accept them. Configuring this exception solves the issue.
Maybe it would be good to add a paragraph to the Readme? I spent a while before landing here...
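A check for the exception discussed in this thread, added here as an example (not code from traefik-forward-auth or from any commenter): it confirms that a cookie-less preflight gets through while GET and POST without credentials are still stopped. The `gate` handler, the `session` cookie name and the function names are constructed stand-ins for the proxy and auth layer.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const origin = "https://foo.staging.bar.com" // feature-branch origin from the thread

// gate: constructed stand-in for Traefik plus forward-auth, not project code.
func gate(allowOptions bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, err := r.Cookie("session") // hypothetical cookie name
		if err != nil && !(allowOptions && r.Method == http.MethodOptions) {
			http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
	})
}

// reaches reports whether a cookie-less request gets a 2xx from behind the auth layer.
func reaches(base, method string) bool {
	req, err := http.NewRequest(method, base+"/", nil)
	if err != nil {
		return false
	}
	req.Header.Set("Origin", origin)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST") // sent by browsers on preflight
	}
	resp, err := http.DefaultTransport.RoundTrip(req) // no cookie jar, redirects not followed
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.StatusCode < 300
}

// exceptionScoped: the preflight passes while GET and POST stay gated.
func exceptionScoped(base string) bool {
	return reaches(base, http.MethodOptions) && !reaches(base, http.MethodGet) && !reaches(base, http.MethodPost)
}

func main() {
	srv := httptest.NewServer(gate(true))
	defer srv.Close()
	fmt.Println("exception scoped to OPTIONS:", exceptionScoped(srv.URL))
}
```

Pointing `exceptionScoped` at a real staging URL runs the same check against a live deployment. With the rule in place, the application itself receives every unauthenticated OPTIONS request.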