bug: Some headers are not supported in the response-rewrite plugin #2190

Open
leandrocostam opened this issue Mar 19, 2024 · 5 comments

Comments

@leandrocostam

leandrocostam commented Mar 19, 2024

Current Behavior

I am trying to add some headers using the response-rewrite plugin in an APISIXRoute CRD, but I am facing an error in the APISIX controller. The current pattern doesn't allow header values that contain multiple :. A common use case is when you have to add the Content-Security-Policy header with multiple domains using https://.

Expected Behavior

I should be able to define values for the headers using multiple :.

Error Logs

ApisixRoute Resource Events
Source: ApisixIngress


ApisixIngress synced failed, with error: 3 errors occurred: * plugin [response-rewrite] config is invalid * - headers: Must validate at least one schema (anyOf) * - headers.add.6: Does not match pattern '^[^:]+:[^:]+[^/]$'

Steps to Reproduce

  1. Create the following APISIXRoute CRD resource in an existing Kubernetes cluster with the APISIX Ingress Controller installed:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: httpbin-route
spec:
  http:
    - name: rule1
      match:
        hosts:
          - httpbin.org
        paths:
          - /*
      backends:
        - serviceName: foo
          servicePort: 8080
      plugins:
        - name: response-rewrite
          enable: true
          config:
            headers:
              add:
                - "Content-Security-Policy: default-src 'self' 'unsafe-inline'; connect-src 'self' https://example.com; img-src 'self' data: blob:"
  2. Deploy the resource and check the events of the ApisixRoute CRD to see the error message.

Environment

  • APISIX version: Apisix Ingress Controller 1.8.0
  • Operating system: GKE cluster running k8s 1.27
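The pattern quoted in the error log, '^[^:]+:[^:]+[^/]$', rejects any "Name: value" entry whose value contains a second colon or ends in a slash, which is exactly what a CSP with https:// sources or data:/blob: schemes looks like. The script below is an added illustration, not code from the APISIX Ingress Controller: it reproduces that pattern against the header values from this issue, then shows a hypothetical replacement check that splits on the first colon only (header names cannot contain a colon, so everything after it is the value) and validates the name as an RFC 9110 token. The sample entries are constructed from the values posted above.

```python
import re

# Pattern copied from the controller's error message in this issue.
CONTROLLER_ADD_PATTERN = re.compile(r"^[^:]+:[^:]+[^/]$")

# RFC 9110 "token" characters, the only ones allowed in a header field name.
HEADER_NAME_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample entries: the two CSP values from this issue plus a plain one.
SAMPLE_ENTRIES = [
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'; "
    "connect-src 'self' https://example.com; img-src 'self' data: blob:",
    "Content-Security-Policy: img-src 'self' data: blob:",
    "X-Frame-Options: DENY",
]


def matches_controller_pattern(entry: str) -> bool:
    """True if the 'Name: value' string passes the pattern from the error log."""
    return CONTROLLER_ADD_PATTERN.match(entry) is not None


def split_header(entry: str) -> tuple[str, str]:
    """Hypothetical replacement check: split on the FIRST colon only.

    The header name is validated as an RFC 9110 token; the value keeps every
    colon that follows, so CSP sources such as https://, data: and blob: pass.
    Raises ValueError for entries with no colon, an empty name or an empty value.
    """
    name, sep, value = entry.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not name or not value:
        raise ValueError(f"not a 'Name: value' header entry: {entry!r}")
    if not HEADER_NAME_TOKEN.fullmatch(name):
        raise ValueError(f"invalid header field name: {name!r}")
    return name, value


def rejected_by_controller(entries: list[str]) -> list[str]:
    """Return the entries the controller's current pattern would refuse."""
    return [e for e in entries if not matches_controller_pattern(e)]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"pattern accepts: {matches_controller_pattern(entry)!s:5}  "
              f"first-colon split: {split_header(entry)}")
```

Running the block shows the first two entries refused by the controller's pattern while the first-colon split recovers the intended name and full value for all three; the pattern also rejects any value ending in "/" because of the trailing [^/], independent of the colon problem.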
@shreemaan-abhishek
Contributor

cc: @Revolyssup

@shreemaan-abhishek shreemaan-abhishek transferred this issue from apache/apisix Mar 20, 2024
@skyjacker2005

skyjacker2005 commented May 16, 2024

@leandrocostam We had the same issue. To avoid it, you can put "example.com" instead of "https://example.com" in Content-Security-Policy. It works in the same way.

@leandrocostam
Author

@leandrocostam We had the same issue. To avoid it, you can put "example.com" instead of "https://example.com" in Content-Security-Policy. It works in the same way.

Yes, that works when you don't have to restrict the load over HTTPS. It's something that we need right now 😞

@leandrocostam
Author

Also, there are cases where you can have the following CSP policy block:

img-src 'self' data: blob:

It also breaks the response-rewrite plugin.

@leandrocostam
Author

We are using the headers.set as a workaround for now. By checking the code, it's a different validation and it's not breaking the plugin.

Labels
None yet
Projects
Status: 📋 Backlog
Development

No branches or pull requests

3 participants