在入口 nginx 中启用 tls 时没有“Access-Control-Allow-Origin”

Question

I know that it seems that my question has a lot of answers already but bear with me.

I have a Django application running on k8s cluster with nginx ingress setup with letsencrypt staging tls certificate (the problem occurs with production certificate also).

I don't know if it matters but application uses Basic Authentication to authorize users which is setup with drf build-in authentication system.

I've setup CORS as follows:

### ingress.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: app-routing
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, PATCH, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://example.com"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-CSRFToken"
spec:
  tls:
  - hosts:
      - api.example.com
    secretName: app-ingress-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service-backend
              servicePort: 80

and in Django application:

### settings.py
...
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

CORS_ORIGIN_ALLOW_ALL = True
# I also tried setting:
# CORS_ORIGIN_WHITELIST = [
#     "https://example.com",
#     "https://www.example.com"
# ]
#

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication'
    ],
}

...

But still when I send request from my frontend app I'm getting error

Access to XMLHttpRequest at 'https://api.example.com/somepath' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The weird thing is that when I disable tls in ingress the issue is gone. Tho with tls enabled, if I send request using postman or curl like that:

curl -i -k -H "Authorization: Basic token" https://api.example.com/somepath

I'm getting response with headers as expected:

HTTP/2 200
server: nginx/1.17.7
date: Mon, 06 Jul 2020 18:58:50 GMT
content-type: application/json
content-length: 9
vary: Accept, Origin
allow: GET, HEAD, OPTIONS
x-frame-options: DENY
x-content-type-options: nosniff
strict-transport-security: max-age=15724800; includeSubDomains
access-control-allow-origin: https://example.com
access-control-allow-credentials: true
access-control-allow-methods: PUT, GET, POST, PATCH, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-CSRFToken

I presume that headers are there because ingress itself added them (?)

I'm pretty new to whole devops world so I would appreciate any tip on where to look or what to check. Most of answers to this questions suggests to properly set CORS_ORIGIN_ALLOW_ALL and/or CORS_ORIGIN_WHITELIST which I already tried.

Answer 1

The issue you ran into is not related to configuration. Bottom line is that you try to send requests across different subdomains (which CORS is preventing). You need either set nginx.ingress.kubernetes.io/cors-allow-origin to "https://api.example.com" or serve API from the same domain - eg. https://example.com/api .