Headers not sent if a redirect middleware is also triggered

[p4block]

Do you want to request a feature or report a bug?

Bug

What did you do?

We moved our API endpoint to another url. The API sends cors headers so it's accessible from other domains.

On the old URL, which also has a web server hosting content, I set up a router with two middlewares, a redirectRegex to the new URL and one with the headers set.

I also tried the chain middleware with the same result.

What did you expect to see?

The 301 redirect has the headers.

What did you see instead?

The 301 redirect has no extra headers.

The Traefik web interface shows everything working as it should. Headers are sent on URLs that do not trigger the regexredirect.

Output of traefik version: (What version of Traefik are you using?)

2.2.1

What is your environment & configuration (arguments, toml, provider, platform, ...)?

      - "traefik.enable=true"
      - "traefik.http.routers.faf-content.rule=Host(`content.${DOMAINNAME}`) 
      - "traefik.http.routers.faf-content.entryPoints=web-secure"
      - "traefik.http.routers.faf-content.tls.certresolver=default"
      - "traefik.http.routers.faf-content.middlewares=chainthing"
      - "traefik.http.middlewares.chainthing.chain.middlewares=allow-cors,redirect-replay-subdomain,redirect-replay-php"
      - "traefik.http.middlewares.redirect-replay-subdomain.redirectregex.regex=^(http|https)://replay.${DOMAINNAME}/(.*)"
      - "traefik.http.middlewares.redirect-replay-subdomain.redirectregex.replacement=$${1}://api.${DOMAINNAME}/game/$${2}/replay"
      - "traefik.http.middlewares.redirect-replay-php.redirectregex.regex=^(http|https)://content.${DOMAINNAME}/faf/vault/replay_vault/replay.php\\?id=(.*)"
      - "traefik.http.middlewares.redirect-replay-php.redirectregex.replacement=$${1}://api.${DOMAINNAME}/game/$${2}/replay"
      - "traefik.http.middlewares.allow-cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
      - "traefik.http.middlewares.allow-cors.headers.accesscontrolalloworigin=*"
      - "traefik.http.middlewares.allow-cors.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.allow-cors.headers.addvaryheader=true"

[HeavenVolkoff]

Hello this issue seems to be the same as reported in #4273 and #7003.

IMHO I think the priority of this should be higher due to:

• Can cause the removal of a website from Chrome's HSTS preload list (as described in #4273 and #7003)
• Breakage of redirected CORS endpoints (as described here)
• Possible security implications due to configured security headers not being sent

[traefiker]

Closed by #7230.