envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Need help with the CORS filter #31242

Closed danilaladner closed 9 months ago

danilaladner commented 11 months ago

Hello, this is our Envoy config:

      node: { id: 'envoynode', cluster: 'envoycluster' }
      # This section tells envoy what servers are available to load balance to.  In the case of deephaven
      # there is a single controller listening on port 8124 (or whatever you configure it to)

      # This configuration assumes the web_api_service is running on the same host as Envoy.
      # If envoy is instead running within a docker container, or another host the address should
      # be updated.
      static_resources:
           clusters:
                - name: "mainapi"
                  type: "LOGICAL_DNS"
                  connect_timeout: "5s"
                  transport_socket:
                     name: "envoy.transport_sockets.tls"
                     typed_config:
                          '@type': "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
                          common_tls_context:
                               alpn_protocols:
                                    - "h2,http/1.1"
                  load_assignment:
                      cluster_name: "mainapi"
                      endpoints:
                           - lb_endpoints:
                                - endpoint:
                                     address:
                                          socket_address:
                                               address: "webapi"
                                               port_value: 8123

           # This section tells envoy to listen for incoming connections on port 8000 from anywhere
           # and discover routes via a V3 GRPC interface
           listeners:
                - address:
                       socket_address:
                            # This address and port is the port to which clients will connect.
                            # 0.0.0.0 indicates that Envoy should listen for -all- connections on the configured port
                            # from any interface
                            address: 0.0.0.0
                            port_value: 8000
                  filter_chains:
                       - filters:
                              - name: envoy.filters.network.http_connection_manager
                                typed_config:
                                     '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                                     codec_type: AUTO
                                     generate_request_id: true
                                     route_config:
                                            name: local_route
                                            virtual_hosts:
                                            - name: local_service
                                              domains: ["*"]
                                              typed_per_filter_config:
                                                envoy.filters.http.cors:
                                                  "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
                                                  allow_origin_string_match:
                                                  - safe_regex:
                                                      regex: \*
                                                  allow_methods: "GET,POST,PUT,PATCH,DELETE,OPTIONS"
                                                  allow_headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,Access-Control-Allow-Origin"
                                                  allow_credentials: true
                                                  max_age: "1728000"
                                              routes:
                                              - match: { prefix: "/" }
                                                route:
                                                    cluster: "mainapi"
                                                    upgrade_configs:
                                                    - upgrade_type: "websocket"
                                                      enabled: true
                                     stat_prefix: egress_http
                                     request_timeout: 0s
                                     stream_idle_timeout: 600s
                                     # DH rds has both websocket routes and gRPC routes.  Some of the websocket routes include
                                     # redirections, and there is no way to configure a websocket upgrade_config for redirections,
                                     # so we need a default for it.  gRPC routes explicitly disable the websocket upgrade.
                                     upgrade_configs:
                                          - upgrade_type: websocket
                                     access_log:
                                          - name: envoy.file_access_log
                                            typed_config:
                                                 '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                                                 path: '/tmp/envoy-rds.log'
                                     http_filters:
                                          - name: envoy.filters.http.cors
                                            typed_config:
                                              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
                                          - name: envoy.filters.http.router
                                            typed_config:
                                                 '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      admin:
           access_log_path: '/tmp/envoy-admin.log'
           # Setting these will allow a sysadmin to dump Envoy configurations from localhost of the envoy
           # host.  We suggest you disable this in production, as the admin interface can be used to
           # modify the running configuration.
           address:
                socket_address:
                     address: 0.0.0.0
                     port_value: 8001

But the issue is that the CORS filter isn't working. When I enable trace logs I see:

[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/http1/codec_impl.cc:1421] [C389] Client: onHeadersComplete size=7
[2023-12-08 17:34:20.094][14][trace][router] [source/common/router/upstream_request.cc:221] [C388][S18399840040243329431] upstream response headers:
':status', '200'
'date', 'Fri, 08 Dec 2023 17:34:20 GMT'
'last-modified', 'Wed, 05 Jul 2023 16:41:50 GMT'
'content-type', 'text/html'
'etag', 'W/"Zt7Ck1HamfwZt7DGnc06+c"'
'accept-ranges', 'bytes'
'content-length', '2731'
'server', 'Jetty(9.4.53.v20231009)'

[2023-12-08 17:34:20.094][14][debug][router] [source/common/router/router.cc:1371] [C388][S18399840040243329431] upstream headers complete: end_stream=false
[2023-12-08 17:34:20.094][14][trace][misc] [source/common/event/scaled_range_timer_manager_impl.cc:60] enableTimer called on 0x560cff35bc00 for 600000ms, min is 600000ms
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/filter_manager.cc:1065] [C388][S18399840040243329431] encode headers called: filter=envoy.filters.http.cors status=0
[2023-12-08 17:34:20.094][14][debug][http] [source/common/http/conn_manager_impl.cc:1559] [C388][S18399840040243329431] encoding headers via codec (end_stream=false):
':status', '200'
'date', 'Fri, 08 Dec 2023 17:34:20 GMT'
'last-modified', 'Wed, 05 Jul 2023 16:41:50 GMT'
'content-type', 'text/html'
'etag', 'W/"Zt7Ck1HamfwZt7DGnc06+c"'
'accept-ranges', 'bytes'
'content-length', '2731'
'server', 'envoy'
'x-envoy-upstream-service-time', '3'

[2023-12-08 17:34:20.094][14][trace][connection] [source/common/network/connection_impl.cc:478] [C388] writing 254 bytes, end_stream false
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/http1/codec_impl.cc:922] [C389] message complete
[2023-12-08 17:34:20.094][14][trace][misc] [source/common/event/scaled_range_timer_manager_impl.cc:60] enableTimer called on 0x560cff35bc00 for 600000ms, min is 600000ms
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/filter_manager.cc:1228] [C388][S18399840040243329431] encode data called: filter=envoy.filters.http.cors status=0
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/conn_manager_impl.cc:1569] [C388][S18399840040243329431] encoding data via codec (size=2731 end_stream=false)
[2023-12-08 17:34:20.094][14][trace][connection] [source/common/network/connection_impl.cc:478] [C388] writing 2731 bytes, end_stream false
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/http1/codec_impl.cc:1492] [C389] message complete
[2023-12-08 17:34:20.094][14][debug][client] [source/common/http/codec_client.cc:126] [C389] response complete
[2023-12-08 17:34:20.094][14][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=1)
[2023-12-08 17:34:20.094][14][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=2)
[2023-12-08 17:34:20.094][14][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=3)
[2023-12-08 17:34:20.094][14][trace][misc] [source/common/event/scaled_range_timer_manager_impl.cc:60] enableTimer called on 0x560cff35bc00 for 600000ms, min is 600000ms
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/filter_manager.cc:1228] [C388][S18399840040243329431] encode data called: filter=envoy.filters.http.cors status=0
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/conn_manager_impl.cc:1569] [C388][S18399840040243329431] encoding data via codec (size=0 end_stream=true)
[2023-12-08 17:34:20.094][14][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=4)
[2023-12-08 17:34:20.094][14][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=5)
[2023-12-08 17:34:20.094][14][trace][misc] [source/common/event/scaled_range_timer_manager_impl.cc:60] enableTimer called on 0x560cff545800 for 3600000ms, min is 3600000ms
[2023-12-08 17:34:20.094][14][debug][pool] [source/common/http/http1/conn_pool.cc:53] [C389] response complete
[2023-12-08 17:34:20.094][14][debug][pool] [source/common/conn_pool/conn_pool_base.cc:214] [C389] destroying stream: 0 remaining
[2023-12-08 17:34:20.094][14][trace][http] [source/common/http/http1/codec_impl.cc:676] [C389] parsed 2969 bytes
[2023-12-08 17:34:20.094][14][trace][main] [source/common/event/dispatcher_impl.cc:125] clearing deferred deletion list (size=5)
[2023-12-08 17:34:20.094][14][trace][connection] [source/common/network/connection_impl.cc:563] [C388] socket event: 2
[2023-12-08 17:34:20.094][14][trace][connection] [source/common/network/connection_impl.cc:674] [C388] write ready
[2023-12-08 17:34:20.094][14][trace][connection] [source/common/network/raw_buffer_socket.cc:67] [C388] write returns: 2985
[2023-12-08 17:34:20.095][14][trace][connection] [source/common/network/connection_impl.cc:563] [C388] socket event: 3
[2023-12-08 17:34:20.095][14][trace][connection] [source/common/network/connection_impl.cc:674] [C388] write ready
[2023-12-08 17:34:20.095][14][trace][connection] [source/common/network/connection_impl.cc:603] [C388] read ready. dispatch_buffered_data=0
[2023-12-08 17:34:20.095][14][trace][connection] [source/common/network/raw_buffer_socket.cc:24] [C388] read returns: 0
[2023-12-08 17:34:20.095][14][debug][connection] [source/common/network/connection_impl.cc:651] [C388] remote close
[2023-12-08 17:34:20.095][14][debug][connection] [source/common/network/connection_impl.cc:250] [C388] closing socket: 0
[2023-12-08 17:34:20.095][14][trace][connection] [source/common/network/connection_impl.cc:418] [C388] raising connection event 0
[2023-12-08 17:34:20.095][14][trace][conn_handler] [source/server/active_stream_listener_base.cc:111] [C388] connection on event 0
[2023-12-08 17:34:20.095][14][debug][conn_handler] [source/server/active_stream_listener_base.cc:120] [C388] adding to cleanup list
[2023-12-08 17:34:20.095][14][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=1)
[2023-12-08 17:34:20.095][14][trace][main] [source/common/event/dispatcher_impl.cc:125] clearing deferred deletion list (size=1)
[2023-12-08 17:34:21.075][1][debug][main] [source/server/server.cc:252] flushing stats
[2023-12-08 17:34:22.087][1][trace][connection] [source/common/network/connection_impl.cc:563] [C248] socket event: 3
[2023-12-08 17:34:22.087][1][trace][connection] [source/common/network/connection_impl.cc:674] [C248] write ready
[2023-12-08 17:34:22.087][1][trace][connection] [source/common/network/connection_impl.cc:603] [C248] read ready. dispatch_buffered_data=0
[2023-12-08 17:34:22.087][1][trace][connection] [source/common/network/raw_buffer_socket.cc:24] [C248] read returns: 0
[2023-12-08 17:34:22.087][1][debug][connection] [source/common/network/connection_impl.cc:651] [C248] remote close
[2023-12-08 17:34:22.087][1][debug][connection] [source/common/network/connection_impl.cc:250] [C248] closing socket: 0
[2023-12-08 17:34:22.087][1][trace][connection] [source/common/network/connection_impl.cc:418] [C248] raising connection event 0
[2023-12-08 17:34:22.087][1][trace][conn_handler] [source/server/active_stream_listener_base.cc:111] [C248] connection on event 0
[2023-12-08 17:34:22.087][1][debug][conn_handler] [source/server/active_stream_listener_base.cc:120] [C248] adding to cleanup list
[2023-12-08 17:34:22.087][1][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=1)
[2023-12-08 17:34:22.087][1][trace][main] [source/common/event/dispatcher_impl.cc:250] item added to deferred deletion list (size=2)
[2023-12-08 17:34:22.087][1][trace][main] [source/common/event/dispatcher_impl.cc:125] clearing deferred deletion list (size=2)
[2023-12-08 17:34:24.777][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:108] starting async DNS resolution for webapi
[2023-12-08 17:34:24.777][1][debug][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:354] dns resolution for webapi started
[2023-12-08 17:34:24.777][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.780][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.781][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.782][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.786][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.793][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.794][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:24.794][1][debug][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:275] dns resolution for webapi completed with status 0
[2023-12-08 17:34:24.794][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:116] async DNS resolution complete for webapi
[2023-12-08 17:34:24.794][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:167] DNS refresh rate reset for webapi, refresh rate 5000 ms
[2023-12-08 17:34:26.075][1][debug][main] [source/server/server.cc:252] flushing stats
[2023-12-08 17:34:29.794][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:108] starting async DNS resolution for webapi
[2023-12-08 17:34:29.794][1][debug][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:354] dns resolution for webapi started
[2023-12-08 17:34:29.794][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.796][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.797][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.797][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.801][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.804][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.805][1][trace][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:317] Setting DNS resolution timer for 5000 milliseconds
[2023-12-08 17:34:29.806][1][debug][dns] [source/extensions/network/dns_resolver/cares/dns_impl.cc:275] dns resolution for webapi completed with status 0
[2023-12-08 17:34:29.806][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:116] async DNS resolution complete for webapi
[2023-12-08 17:34:29.806][1][debug][upstream] [source/common/upstream/logical_dns_cluster.cc:167] DNS refresh rate reset for webapi, refresh rate 5000 ms
[2023-12-08 17:34:31.076][1][debug][main] [source/server/server.cc:252] flushing stats

So I see that encode there does not seem to include it:

`encode headers called: filter=envoy.filters.http.cors status=0`

And obviously in the web browser I see:

`from origin 'https://my-host.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`

and I see no headers.

Am I doing something wrong? I'm just trying to follow the doc. Can someone please help? Thank you.

wbpcode commented 11 months ago

This filter will be used to respond to preflight OPTIONS requests. Any legal OPTIONS requests will be responded directly by the filter and will not be passed to the next filter in the filter chain. Other requests will not be responded directly but if they are accepted cors requests, the filter will add the related headers to the response. In addition, this filter will be bypassed if a direct response or route redirect is configured for the route.

See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/cors_filter

Please ensure your request is a legal cors request first. I didn't see your request in your log. And could you check your regex in your cors configuration? I think it should be `.*` rather than `\*` if you want to allow all origins.
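A simplified model of the behaviour described in this comment, added here as an example (not Envoy's code and not part of the thread): it shows why the config's `\*` pattern rejects the browser's origin while `.*` accepts it, and which requests count as CORS requests at all. The function names, the sample requests and the narrower `domain.com` pattern are assumptions; Python's `re.fullmatch` stands in for Envoy's regex engine.

```python
import re

def origin_allowed(origin, patterns):
    # Assumption: a pattern must match the whole Origin value, so
    # re.fullmatch stands in for the proxy's regex engine here.
    return any(re.fullmatch(p, origin) is not None for p in patterns)

def cors_decision(method, headers, patterns):
    """Classify a request the way the comment describes the filter.

    Returns (kind, response headers the filter would add).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin", "")
    if not origin:
        return "not-cors", {}          # no Origin header: nothing is added
    if not origin_allowed(origin, patterns):
        return "origin-rejected", {}   # browser reports the missing header
    added = {"access-control-allow-origin": origin}
    if method.upper() == "OPTIONS" and h.get("access-control-request-method"):
        return "preflight", added      # answered by the filter itself
    return "cors", added               # forwarded; header added to the response

# Constructed sample requests; ORIGIN is the one quoted in the browser error.
ORIGIN = "https://my-host.domain.com"
SAMPLES = {
    "no-origin": ("GET", {}),
    "simple": ("GET", {"Origin": ORIGIN}),
    "preflight": ("OPTIONS", {"Origin": ORIGIN,
                              "Access-Control-Request-Method": "POST"}),
    "other-site": ("GET", {"Origin": "https://other.example"}),
}

PATTERNS = {
    "config": [r"\*"],    # from the posted config: matches only the literal "*"
    "suggested": [r".*"],  # from the reply: matches every origin
    # Hypothetical narrower pattern. With ".*" every origin is echoed back,
    # and the posted config also sets allow_credentials: true.
    "narrow": [r"https://([a-z0-9-]+\.)?domain\.com"],
}

def run_samples():
    """Return {(pattern_name, sample_name): kind} for every combination."""
    return {
        (pname, sname): cors_decision(method, headers, pats)[0]
        for pname, pats in PATTERNS.items()
        for sname, (method, headers) in SAMPLES.items()
    }

if __name__ == "__main__":
    for key, kind in run_samples().items():
        print(key, "->", kind)
```
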

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 9 months ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.