CORS preflight header double entry

1. Caddy version (caddy version):

2.2.1

2. How I run Caddy:

from systemd, using Caddyfile

a. System environment:

AWS Linux 2

d. My complete Caddyfile or JSON config:

# redirect using 301 as default 308 breaks stuff
http:// {
    redir https://{hostport}{uri} 301
}

# headers block
(headers) {
  header {
#    Location http:// https://
    Access-Control-Allow-Credentials true
    Access-Control-Allow-Origin *
    Access-Control-Allow-Headers *
    Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options nosniff
    Content-Security-Policy upgrade-insecure-requests
    Referrer-Policy no-referrer-when-downgrade
    Cache-Control "public, max-age=3600, must-revalidate"
    Feature-Policy "geolocation 'none'; camera 'none'; microphone 'none'"
  }
}

# Site #
test.redacted.com.au {
  encode gzip
  import headers
  route {
    @subdirs path /one/* /two/* /three/* /four/*
    reverse_proxy @subdirs localhost:8080
    rewrite * /core{uri}
    reverse_proxy localhost:8080
  }
  log {
    output file /var/log/caddy/site.log
  }
}

3. The problem I’m having:

Browser showing:
blocked by CORS policy: Response to preflight request doesn’t pass access control check: The ‘Access-Control-Allow-Origin’ header contains multiple values ‘*, *’, but only one is allowed.

4. Error messages and/or full log output:

I see this in logs:
Date":["Thu, 12 Nov 2020 00:51:44 GMT"],"Access-Control-Allow-Origin":["*","*"],

5. What I already tried:

Removing the Access-Control-Allow-Origin header, but then the browser complains the header is missing.

Is that your whole Caddyfile? There are some syntax issues there. You’re missing a closing } for your http:// site block.

Sorry, my fault. I removed the other site entries.

Can you please post your full site config and instructions to reproduce the error? We need things to be exact in order to help.

We have 30 sites, all with an identical config to the one above, so I have removed the extra entries.
Note: this only happens with Caddy v2, not Caddy v1.

We’re getting this issue when other sites call the service.
I believe this issue is a bug, but wanted assistance to verify before raising.

Any ideas on how to verify?

We’re lacking information here. We need your full config (or even better, a minimal config that reproduces the problem, i.e. remove bits of the config one at a time until you can’t reproduce it anymore), and full logs.

We can’t help if you redact information, because we can’t verify that something else might be the cause of the issue.

If we can’t replicate the problem, then we have to assume it’s a problem on your end, or a problem with whatever app you’re proxying to.

Also the requests (curl commands please) that produce the logs in question. Thanks!

OK, I believe this IS a bug…
We are using AWS CloudFront + S3 to serve the front end (Node.js site); the issue also occurs if we use a different web server. The front end does a POST to the backend service (served by the config above).
Note: the issue only occurs in a browser. If we call the backend directly via curl / httpie, the issue does not happen.

Config below:
## Staging server ##

# global options
{
  debug
  email robot@domain.com
}

# headers block
(headers) {
  header {
    Access-Control-Allow-Credentials true
    Access-Control-Allow-Origin *
    Access-Control-Allow-Headers *
    Access-Control-Allow-Methods *
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options nosniff
    Content-Security-Policy upgrade-insecure-requests
    Referrer-Policy no-referrer-when-downgrade
    Cache-Control "public, max-age=3600, must-revalidate"
    Feature-Policy "geolocation 'none'; camera 'none'; microphone 'none'"
  }
}

# redirect block (default 308 breaks redirects)
(redirect) {
  @http {
    protocol http
  }
  redir @http https://{hostport}{uri} 301
}

# site
site.domain.com.au {
  encode gzip
  import headers
  reverse_proxy localhost:8011
  log {
    output file /var/log/caddy/site.log
  }
}
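The maintainers ask for the curl requests that produce the log line above. As an added example that is not part of this thread or of Caddy, the script below issues the same preflight a browser sends before a cross-origin POST and counts the Access-Control-Allow-Origin values in the reply, so the duplicate the browser rejects ("*, *") can be confirmed from the command line. The URL and origin passed to preflight_headers are placeholders, and curl and awk are assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the thread or the Caddy project: reproduce the
# browser's preflight against the proxied service and count how many
# Access-Control-Allow-Origin values come back. The URL and origin given
# to preflight_headers are placeholders you substitute; curl is assumed.

# Issue the preflight a browser sends before a cross-origin POST:
# OPTIONS with Origin and Access-Control-Request-Method. Writes only the
# response headers to stdout (-D -) and discards the body.
preflight_headers() {
  url=$1
  origin=$2
  curl -sS -D - -o /dev/null -X OPTIONS \
    -H "Origin: $origin" \
    -H "Access-Control-Request-Method: POST" \
    "$url"
}

# Read raw response headers on stdin and print the total number of values
# the named header carries. Repeated header lines are summed and
# comma-separated lists are split, so two "*" lines and a single "*, *"
# line both count as 2. Header names are matched case-insensitively.
count_header_values() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' | awk -v name="$name" '
    {
      i = index($0, ":")
      if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != name) next
      n += split(substr($0, i + 1), parts, ",")
    }
    END { print n + 0 }'
}

# Constructed sample matching the log fragment quoted in the thread
# ("Access-Control-Allow-Origin":["*","*"]): the header appears twice.
SAMPLE_DUPLICATE=$(printf 'HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Methods: *\r\n')

# Prints 2 for the constructed sample; a browser accepts exactly 1.
printf '%s\n' "$SAMPLE_DUPLICATE" | count_header_values Access-Control-Allow-Origin

# Live check against your own endpoint (placeholders):
# preflight_headers https://site.example/api https://app.example | count_header_values Access-Control-Allow-Origin
```

A count above 1 from the live check reproduces the browser's complaint without a browser, and repeating it with the header block removed from the Caddyfile shows whether the proxied application is contributing one of the copies.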
