Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Response header modification happens before actual response brings its own headers #51

Open
neumond opened this issue Sep 8, 2023 · 3 comments
Open

Response header modification happens before actual response brings its own headers #51

neumond opened this issue Sep 8, 2023 · 3 comments
Labels
bug/possible Something seems to not work

Comments

@neumond
Copy link

neumond commented Sep 8, 2023

htransformation, while doing nice job of modifying request headers, does meager job of modifying response headers. In my case I just can't do anything with Location header, it simply ignores all rewrites. At the same time, if I set custom headers (X-Foo-Bar) using htransformation, I'm able to rewrite them and they appear in final response. In other words, response header transformation happens too early, and response from proxied server simply writes its headers on top of result of the plugin.

I've looked in source code of several plugins, including standard traefik one. Many of them wrap http.ResponseWriter and wait until WriteHeader call. Examples:

https://github.com/XciD/traefik-plugin-rewrite-headers/blob/c339adea9127f3b555ac63181fed1a2dca6d80ea/rewrite_headers.go#L66-L73
https://github.com/traefik/traefik/blob/4f6c15cc14cdedc34484c697994134959fdff493/pkg/middlewares/headers/header.go#L57-L61
@tomMoulard tomMoulard self-assigned this Sep 20, 2023
@tomMoulard tomMoulard added the bug/possible Something seems to not work label Sep 20, 2023
@bfg100k
Copy link

bfg100k commented Jul 22, 2024

I'm not sure if I'm experiencing the same issue but in my case, I find that this plugin is unable to change or remove a header that is previously set by another middleware before it. Specifically,

I have a default middleware defined that adds X-Frame-Options=SAMEORIGIN (and some other security headers). This setting breaks Jellyfin on WebOS. So instead of having another security-related middleware defined just for webos, I'm hoping to use this as the last middleware in the chain to remove the X-Frame-Options response header. I've tested a few permutations and found that I'm unable to remove ANY header that was set earlier in the chain.

@tomMoulard tomMoulard removed their assignment Sep 6, 2024
@tomMoulard
Copy link
Owner

Indeed the order of middlewares in the chain is important. It defines which order middlewares interact with your request/response. If you want to make sure that your htransformation middleware gets the final say on header manipulation, you need to set it as the first layer in the chain.

@bfg100k
Copy link

bfg100k commented Sep 6, 2024

first in the chain? Should it not be the last in the chain to get the final say?

@tomMoulard tomMoulard mentioned this issue Dec 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug/possible Something seems to not work
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bfg100k @neumond @tomMoulard