Istio 1.5 Cors无法正常工作-对预检请求的响应未通过访问控制检查 [英] Istio 1.5 cors not working - Response to preflight request doesn't pass access control check
问题描述
在istio-ingressgateway目标上配置Jwt策略时,Cors预检请求不起作用。
Cors preflight requests do not work when a Jwt Policy is configured on the istio-ingressgateway target.
网关
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: api-gateway
namespace: foo
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "api.example.com"
tls:
httpsRedirect: true # sends 301 redirects for http requests
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "api.example.com"
虚拟服务
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: backend-vs
namespace: foo
spec:
hosts:
- "api.example.com"
gateways:
- api-gateway
http:
- match:
- uri:
prefix: /api/v1/info
route:
- destination:
host: backend.foo.svc.cluster.local
corsPolicy:
allowOrigin:
- "https://app.example.com"
allowMethods:
- POST
- GET
- PUT
- DELETE
- PATCH
- OPTIONS
allowHeaders:
- authorization
- content-type
- accept
- origin
- user-agent
allowCredentials: true
maxAge: 300s
安全性
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
name: "jwt-example"
namespace: foo
spec:
selector:
matchLabels:
app: backend
jwtRules:
- issuer: "http://keycloak.foo/auth/realms/example"
jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt-example
namespace: foo
spec:
selector:
matchLabels:
app: backend
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
when:
- key: request.auth.claims[groups]
values: ["group1"]
当我测试网络应用程序时在Firefox中运行正常,但在其他浏览器(如歌剧,chrome,safari)中,失败并显示以下错误:
when I test the web application in firefox it works fine, but in other browsers like opera, chrome, safari, it fails with the following error:
在以下位置访问XMLHttpRequest来源'https://app.example.com'的'https://api.example.com/api/v1/info'已被CORS政策阻止:对预检请求的响应未通过访问控制检查:否所请求的资源上存在 Access-Control-Allow-Origin标头。
让我更加体贴的是,在Firefox中它可以工作很好,但是在其他浏览器中失败了
What makes me more thoughtful is because in firefox it works well but in other browsers it fails
注意::要验证istio中的cors策略正确,我所做的就是在istio并在firefox中进行测试以查看发生了什么,结果是确实出现了cors问题,但是当我在Firefox中重新运行时在istio中重新启用cors时,请求运行正常。
NOTE: To validate that the cors policy was correct in istio, what I did was disable this policy in istio and test in firefox to see what was happening, the result was that a problem with cors did indeed come out, but when I re-enabled the cors in istio when rerunning in firefox the request works fine.
推荐答案
在执行分段测试并查看导致错误的原因之后,我发现d当我创建在同一服务端口(backend.example.com)上运行的keycloak网关(keycloak.example.com)时出现了问题,默认情况下,https为443,http为80。
Good after doing segmented tests and see what was causing the error, I found that the problem appeared when I created the keycloak gateway (keycloak.example.com) that was running on the same service port (backend.example.com) , which by default for https is 443 and for http is 80.
我所做的是将密钥斗篷暴露给网关上的另一个端口( ingressgateway )。通过上面的内容和有角度的应用程序,我不再提出cors问题。
What I did was expose keycloak to another port on the gateway (ingressgateway). with the above and the angular application I stop putting problem of the cors.
这篇关于Istio 1.5 Cors无法正常工作-对预检请求的响应未通过访问控制检查的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
