envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

CORS headers not set for pre-flight request for gRPC #34995

Open cryptaliagy opened 4 days ago

cryptaliagy commented 4 days ago

Title: CORS headers not set for pre-flight request for gRPC

Description:

When using Envoy to proxy gRPC calls from a web frontend to a gRPC backend, it seems, based on the Grpc-Message in the pre-flight response header, that the pre-flight OPTIONS call is being proxied to the gRPC backend and not being handled by Envoy, even though the CORS filter is enabled.

When making calls, neither http.ingress_http.cors.origin_invalid nor http.ingress_http.cors.origin_valid increments.

Manually adding in the CORS headers using response_headers_to_add shows the pre-flight OPTIONS call still being forwarded to the proxy, but since the response includes the appropriate CORS headers, the client is still able to make the appropriate POST.

Repro steps:

I've created a sample repository to show the issue: https://github.com/cryptaliagy/grpc-web-rs

Reproduction steps are outlined in the README, including screenshots of the investigation.

Admin and Stats Output:

/clusters:

grpc_backend::observability_name::grpc_backend
grpc_backend::default_priority::max_connections::1024
grpc_backend::default_priority::max_pending_requests::1024
grpc_backend::default_priority::max_requests::1024
grpc_backend::default_priority::max_retries::3
grpc_backend::high_priority::max_connections::1024
grpc_backend::high_priority::max_pending_requests::1024
grpc_backend::high_priority::max_requests::1024
grpc_backend::high_priority::max_retries::3
grpc_backend::added_via_api::false
grpc_backend::172.29.0.2:50051::cx_active::1
grpc_backend::172.29.0.2:50051::cx_connect_fail::0
grpc_backend::172.29.0.2:50051::cx_total::1
grpc_backend::172.29.0.2:50051::rq_active::0
grpc_backend::172.29.0.2:50051::rq_error::0
grpc_backend::172.29.0.2:50051::rq_success::12
grpc_backend::172.29.0.2:50051::rq_timeout::0
grpc_backend::172.29.0.2:50051::rq_total::12
grpc_backend::172.29.0.2:50051::hostname::grpc
grpc_backend::172.29.0.2:50051::health_flags::healthy
grpc_backend::172.29.0.2:50051::weight::1
grpc_backend::172.29.0.2:50051::region::
grpc_backend::172.29.0.2:50051::zone::
grpc_backend::172.29.0.2:50051::sub_zone::
grpc_backend::172.29.0.2:50051::canary::false
grpc_backend::172.29.0.2:50051::priority::0
grpc_backend::172.29.0.2:50051::success_rate::-1
grpc_backend::172.29.0.2:50051::local_origin_success_rate::-1

/server_info: server_info.json

/stats: stats.txt

Note: If there are privacy concerns, sanitize the data prior to sharing.

Config: https://github.com/cryptaliagy/grpc-web-rs/blob/main/envoy.yaml

Logs:

Include the access logs and the Envoy logs.

logs.txt
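
The check described in this report (a Grpc-Message header on the pre-flight response, plus CORS counters that do not move), written as an added Python example that is not part of the original issue or of the Envoy project. The function names, result labels and sample data are assumptions constructed for illustration; only the two CORS counter names come from the report.

```python
import re

# Counter names quoted in the report above.
CORS_STATS = (
    "http.ingress_http.cors.origin_valid",
    "http.ingress_http.cors.origin_invalid",
)

def parse_stats(text):
    """Parse Envoy admin /stats text ("name: value" lines) into {name: int}."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"(\S+):\s+(\d+)$", line.strip())
        if m:  # histogram and text-valued lines are skipped
            stats[m.group(1)] = int(m.group(2))
    return stats

def classify_preflight(resp_headers, stats_before, stats_after):
    """Say who answered an OPTIONS pre-flight (hypothetical helper and labels)."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    cors_ran = any(stats_after.get(s, 0) > stats_before.get(s, 0) for s in CORS_STATS)
    from_backend = "grpc-status" in h or "grpc-message" in h
    has_acao = "access-control-allow-origin" in h
    if from_backend and not cors_ran:
        # With response_headers_to_add the browser is satisfied, yet the
        # request still reached the upstream.
        return "forwarded-with-injected-headers" if has_acao else "forwarded-upstream"
    if cors_ran and has_acao and not from_backend:
        return "handled-by-cors-filter"
    return "inconclusive"

# Constructed sample data, not taken from the reporter's stats.txt or logs.
STATS_BEFORE = parse_stats(
    "http.ingress_http.cors.origin_invalid: 0\n"
    "http.ingress_http.cors.origin_valid: 0\n"
    "http.ingress_http.downstream_rq_total: 11\n"
)
STATS_AFTER = dict(STATS_BEFORE, **{"http.ingress_http.downstream_rq_total": 12})
FORWARDED = {"content-type": "application/grpc", "grpc-status": "12",
             "Grpc-Message": "constructed sample message"}

if __name__ == "__main__":
    print(classify_preflight(FORWARDED, STATS_BEFORE, STATS_AFTER))
```

Take the two /stats snapshots immediately before and after a single pre-flight so that unrelated traffic does not move the counters.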

htuch commented 4 days ago

Just a guess - have you tried putting the CORS filter in front of the gRPC-web filter in the HTTP filter chain?

@fengli79 @wbpcode in case there is a deeper issue.

cryptaliagy commented 4 days ago

Tried it again just now for good measure, but it was originally in front of the gRPC-web filter. I tried moving it behind to see if that would fix anything, and it didn't.