apache / apisix-ingress-controller

APISIX Ingress Controller for Kubernetes
https://apisix.apache.org/
Apache License 2.0

bug: Some headers are not supported in the response-rewrite plugin #2190

Open leandrocostam opened 4 months ago

leandrocostam commented 4 months ago

Current Behavior

I am trying to add some headers using the response-rewrite plugin in the APISIXRoute CRD, but I am facing an error in the APISIX controller. The current pattern doesn't allow header values that contain multiple :. A common use case is when you have to add the Content-Security-Policy header with multiple domains using https://.

Expected Behavior

I should be able to define values for the headers using multiple :.

Error Logs

ApisixRoute Resource Events Source: ApisixIngress

ApisixIngress synced failed, with error: 3 errors occurred: * plugin [response-rewrite] config is invalid * - headers: Must validate at least one schema (anyOf) * - headers.add.6: Does not match pattern '^[^:]+:[^:]+[^/]$'

Steps to Reproduce

  1. Create the following APISIXRoute CRD resource in an existing Kubernetes cluster with the APISIX Ingress Controller installed:

     apiVersion: apisix.apache.org/v2
     kind: ApisixRoute
     metadata:
       name: httpbin-route
     spec:
       http:
       - name: rule1
         match:
           hosts:
           - httpbin.org
           paths:
           - /*
         backends:
         - serviceName: foo
           servicePort: 8080
         plugins:
         - name: response-rewrite
           enable: true
           config:
             headers:
               add:
               - "Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:"

  2. Deploy the resource and check the events of the ApisixRoute CRD to see the error message.

Environment
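As an added illustration (not the project's own code): a small Go program that runs the issue's sample header entries against the pattern quoted in the error message, and against a hypothetical replacement check that splits on the first colon only, which is what the report is asking for. The sample entries are constructed; the second one is the CSP value from the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern quoted verbatim in the issue's error message: it allows exactly one
// ':' in the whole "Name: value" entry and rejects entries ending in '/'.
var currentPattern = regexp.MustCompile(`^[^:]+:[^:]+[^/]$`)

// AcceptedByCurrentPattern reports whether that schema pattern accepts a
// headers.add entry.
func AcceptedByCurrentPattern(entry string) bool {
	return currentPattern.MatchString(entry)
}

// SplitHeader is a hypothetical replacement check, not the project's code.
// It splits on the first ':' only: an HTTP field name cannot contain ':',
// but the value may contain any number (e.g. "data:" or "https://" in a CSP).
// Entries with an empty name or value, or with CR/LF anywhere, are rejected,
// since a relaxed check must still keep a line break out of a header.
func SplitHeader(entry string) (name, value string, ok bool) {
	i := strings.IndexByte(entry, ':')
	if i < 0 || strings.ContainsAny(entry, "\r\n") {
		return "", "", false
	}
	name = strings.TrimSpace(entry[:i])
	value = strings.TrimSpace(entry[i+1:])
	if name == "" || value == "" {
		return "", "", false
	}
	return name, value, true
}

func main() {
	// Constructed sample entries; the second is the CSP value from the issue.
	entries := []string{
		"X-Frame-Options: DENY",
		"Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:",
		"Content-Security-Policy: img-src 'self' data: blob:",
		"X-Foo: bar\r\nInjected: yes",
	}
	for _, e := range entries {
		_, _, ok := SplitHeader(e)
		fmt.Printf("current=%-5t split=%-5t %q\n", AcceptedByCurrentPattern(e), ok, e)
	}
}
```

The scheme-less workaround from the comments ("example.com" instead of "https://example.com") passes the current pattern only because it removes the extra colon, not because the policy is equivalent.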

shreemaan-abhishek commented 4 months ago

cc: @Revolyssup

skyjacker2005 commented 2 months ago

@leandrocostam We had the same issue. To avoid it you can put "example.com" instead of "https://example.com" in Content-Security-Policy. It works the same way.

leandrocostam commented 2 months ago

> @leandrocostam We had the same issue. To avoid it you can put "example.com" instead of "https://example.com" in Content-Security-Policy. It works the same way.

Yes, that works when you don't have to restrict the load over HTTPS. It's something that we need right now 😞

leandrocostam commented 2 months ago

Also, there are cases where you can have the following CSP policy block:

img-src 'self' data: blob:

It also breaks the response-rewrite plugin.

leandrocostam commented 2 months ago

We are using headers.set as a workaround for now. Checking the code, it uses a different validation and does not break the plugin.