mesosphere / marathon-lb

Marathon-lb is a service discovery & load balancing tool for DC/OS
Apache License 2.0

Problem with CORS configured via HAPROXY_{0}_BACKEND_HEAD #108

Closed jonas closed 8 years ago

jonas commented 8 years ago

We have a front-end application which fetches data from a GraphQL server. The GraphQL server needs to serve responses with proper CORS headers, which is configured via HAPROXY_0_BACKEND_HEAD in the GraphQL server's Marathon app descriptor. The GraphQL server has HTTP => HTTPS redirects enabled.

Marathon-LB specific labels defined in the GraphQL server's Marathon app descriptor (reformatted to make more readable):

"HAPROXY_GROUP": "external",
"HAPROXY_0_VHOST": "app.example.org",
"HAPROXY_0_REDIRECT_TO_HTTPS": "true",
"HAPROXY_0_MODE": "http",
"HAPROXY_0_BACKEND_HEAD": "
    backend {backend}\n
    balance roundrobin\n
    mode {mode}\n
    rspadd Access-Control-Allow-Origin:\\ *\n
    rspadd Access-Control-Allow-Methods:\\ GET,\\ POST,\\ PUT,\\ OPTIONS,\\ DELETE\n
    rspadd Access-Control-Allow-Headers:\\ Origin,\\ X-Requested-With,\\ Content-Type,\\ Accept,\\ Authorization\n"

Before allowing a request to the GraphQL server the browser will first perform a preflight check by doing an OPTIONS request. This fails (most of the time) because the CORS headers are not included in the response. The reason seems to be that the request is not always served by the GraphQL server backend.

$ http OPTIONS https://app.example.org/graphql
HTTP/1.1 302 Found
Cache-Control: no-cache
Connection: close
Content-length: 0
Location: https://app.example.org/graphql

GET requests are usually fine, but I've seen issues with that for a previous (unreleased) version of Marathon we were using.

$ http https://app.example.org/graphql
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *
Content-Length: 3604
Content-Type: text/html; charset=UTF-8
Date: Thu, 10 Mar 2016 14:25:06 GMT
ETag: "287001531335db50"
Last-Modified: Wed, 24 Feb 2016 12:16:50 GMT
Server: akka-http/2.4.2

Our current workaround is the following change to marathon_lb.py, but I am wondering if there is some configuration we are missing.

--- /opt/marathon-lb-1.1.1/marathon_lb.py.bak   2016-03-10 09:27:14.795155222 -0500
+++ /opt/marathon-lb-1.1.1/marathon_lb.py   2016-03-10 09:59:08.433670953 -0500
@@ -133,8 +133,9 @@
       mode {mode}
     ''')

+    # FIXME(fonseca): removed this line
+    #   bind {bindAddr}:80
     HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS = '''\
-  bind {bindAddr}:80
   redirect scheme https if !{{ ssl_fc }}
 '''
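Review bot: the two added comment lines above HAPROXY_BACKEND_REDIRECT_HTTP_TO_HTTPS keep the removed bind {bindAddr}:80 as commented-out code under a FIXME; delete the line outright and put the reason in the commit message instead. bind is a frontend/listen keyword in HAProxy, so it does not belong in a template named for a backend, which supports the removal. The constant is module-level, though, so the change applies to every app that uses this redirect template rather than only app.example.org, and an edit to the installed copy under /opt/marathon-lb-1.1.1 is lost on the next upgrade.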

System info:

jonas commented 8 years ago

Looks like this is actually fixed by #106. :)
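The failure described in the first comment can be checked mechanically. The following is an added example, not code from the thread or from marathon-lb: a simplified model of the browser's preflight decision, run against the two responses quoted above. The function names and the origin used when calling it are assumptions, and header wildcards and safelisted request headers are not modelled.

```python
# Added example: simplified model of how a browser judges a CORS preflight response.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}  # allowed without being listed

# Constructed samples, trimmed from the two responses quoted in the issue.
REDIRECTED = """HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://app.example.org/graphql"""
WITH_CORS = """HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, DELETE
Access-Control-Allow-Origin: *"""


def parse_response(raw):
    """Split a raw response (status line plus headers) into (status, headers)."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _tokens(value):
    """Lower-cased members of a comma-separated header value."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def preflight_problems(raw, origin, method, request_headers=()):
    """Return the reasons a browser would reject this preflight response."""
    status, headers = parse_response(raw)
    problems = []
    if not 200 <= status <= 299:
        # Redirects are not followed for preflights, so a 302 fails outright.
        problems.append(f"status {status} is not 2xx")
    if headers.get("access-control-allow-origin") not in ("*", origin):
        problems.append("Access-Control-Allow-Origin missing or mismatched")
    methods = _tokens(headers.get("access-control-allow-methods", ""))
    if method.upper() not in SIMPLE_METHODS and not ({method.lower(), "*"} & methods):
        problems.append(f"method {method} not allowed")
    allowed = _tokens(headers.get("access-control-allow-headers", ""))
    for name in request_headers:
        if name.lower() not in allowed:
            problems.append(f"header {name} not allowed")
    return problems
```

Calling preflight_problems(REDIRECTED, origin, "POST", ["Content-Type", "Authorization"]) lists the 302 status first, which is the symptom in the OPTIONS output above; the same call on WITH_CORS returns an empty list.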