Kubernetes nginx-ingress 入口 controller CORS 由应用程序处理

Question

I am struggling to get NGINX to proxy the CORS headers back and forth from my application. The allowed origins are specified by my ASP.NET Web Application and I would like to proxy these headers back to the client. The application runnning outside of Kubernetes handles CORS headers perfectly so it appears that the application has CORS configured correctly. The Kubernetes NGINX ingress controller doesn't seem to allow me to do this as far as I can tell.

I would like to continue to allow my applicaiton to handle the allowed origins and therefore I just need to configure the NGINX reverse proxy to pass all headers. Looking at the documentation proxy_pass_request_headers is set to on by default. My previous understanding of NGINX is that this config setting is what is required when proxying to another server in order for headers to be passed backwards and forwards.

The annotations enable-cors and the various configration options around CORS outlined in the documentation are of little use to me as they assume that the Ingress Controller is the source of truth on the allowed origins. Which in my case it is not.

I would have expected this to be a common request to allow the application to handle CORS but I am struggling to find any soltions to this issue.

Many thanks in advance for any help anyone can provide!

UPDATE - Add Diagram

I have created a little diagram with my understanding of the topology here. This may well be an oversimplification of the process but hopefully you can understand what I am trying to achieve more easily.

Answer 1

So this was actually related to a few other issues I was having. CORS headers were not being stripped after all. I had suspicions that the CORS module wasnt configured in a typical IIS container after doing a significant amount of debugging. This was the first issue. https://github.com/microsoft/dotnet-framework-docker/issues/625

For those that are interested here is the DockerFile lines for adding in CORS with Chocolatey:

RUN Set-ExecutionPolicy Bypass -Scope Process -Force; `
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; `
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')); `
    choco install iis-cors-module -y

The Kubernetes NGINX wasnt stripping headers and was indeed proxying all headers as normal.

A few other interesting tidbits if anyone else experiences similar issues in future:

• ASP.NET Applications really dont like being behind reverse proxies. There may be other issues that will raise their head later but to start with they check a property called IsSecureConnection when returning a WebForms page (presumably something similar happens with MVC). Scripts are often set to match what it presumes the scheme is (http not https). This then causes errors in modern browsers. Refer to the following SO posts for this: Why am I suddenly getting a "Blocked loading mixed active content" issue in Firefox? How to add meta tag to ASP.Net content page
• After you have done this we then have some lovely Telerik nonsense if you were unlucky enough to have these controls embedded in your site. Telerik (Progress) in their infinite wisdom use a different URL for their HTTPS CDN links. Which dont nicely upgrade. The following forums helped me out here: https://www.telerik.com/forums/cdn-not-pulling-from-the-right-location-under-ssl