bug: cors plug-in problem

[zhaomingcheng01]

Current Behavior

The global cross-domain plug-in is enabled, but the request headers returned are inconsistent

===========================
C:\Users\Administrator>curl -iv http://10.129.45.55:9080/k8s-demo/actuator/health/liveness

• Trying 10.129.45.55...
• TCP_NODELAY set
• Connected to 10.129.45.55 (10.129.45.55) port 9080 (#0)

GET /k8s-demo/actuator/health/liveness HTTP/1.1
Host: 10.129.45.55:9080
User-Agent: curl/7.55.1
Accept: /

< HTTP/1.1 200
HTTP/1.1 200
< Content-Type: application/vnd.spring-boot.actuator.v3+json
Content-Type: application/vnd.spring-boot.actuator.v3+json
< Content-Length: 15
Content-Length: 15
< Connection: keep-alive
Connection: keep-alive
< Date: Tue, 11 Feb 2025 10:04:57 GMT
Date: Tue, 11 Feb 2025 10:04:57 GMT
< Server: APISIX/3.2.1
Server: APISIX/3.2.1
< X-APISIX-Upstream-Status: 200
X-APISIX-Upstream-Status: 200
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
< Access-Control-Max-Age: 600
Access-Control-Max-Age: 600
< Access-Control-Expose-Headers: **
Access-Control-Expose-Headers: **
< Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true

<
{"status":"UP"}* Connection #0 to host 10.129.45.55 left intact

C:\Users\Administrator>curl -iv http://10.129.45.55:9080/k8s-demo/actuator/health/liveness

• Trying 10.129.45.55...
• TCP_NODELAY set
• Connected to 10.129.45.55 (10.129.45.55) port 9080 (#0)

GET /k8s-demo/actuator/health/liveness HTTP/1.1
Host: 10.129.45.55:9080
User-Agent: curl/7.55.1
Accept: /

< HTTP/1.1 200
HTTP/1.1 200
< Content-Type: application/vnd.spring-boot.actuator.v3+json
Content-Type: application/vnd.spring-boot.actuator.v3+json
< Content-Length: 15
Content-Length: 15
< Connection: keep-alive
Connection: keep-alive
< Date: Tue, 11 Feb 2025 10:04:58 GMT
Date: Tue, 11 Feb 2025 10:04:58 GMT
< Server: APISIX/3.2.1
Server: APISIX/3.2.1
< X-APISIX-Upstream-Status: 200
X-APISIX-Upstream-Status: 200

<
{"status":"UP"}* Connection #0 to host 10.129.45.55 left intact

< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
< Access-Control-Max-Age: 600
Access-Control-Max-Age: 600
< Access-Control-Expose-Headers: **
Access-Control-Expose-Headers: **
< Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true

Some request headers are occasionally lost

===========================
apiVersion: apisix.apache.org/v2
kind: ApisixGlobalRule
metadata:
name: global
namespace: apisix
spec:
plugins:
- config:
allow_credential: true
allow_headers: ''
allow_methods: ''
allow_origins: ''
expose_headers: ''
max_age: 600
enable: true
name: cors

Expected Behavior

No response

Error Logs

No response

Steps to Reproduce

Configure the global cross-domain plug-in

Environment

• APISIX version (3.2.1)

[fearless11]

I also encountered this situation. restart apisix service fixed it.

APISIX version (3.7.0)

--- test ---
curl -X OPTIONS -H 'Origin: http://aaa.xxx.com' -I 'https://bbb.xxx.com/crm/page'
HTTP/1.1 200 OK
Date: Thu, 13 Feb 2025 05:34:01 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/3.7.0
Vary: Origin
Access-Control-Allow-Origin: http://aaa.xxx.com
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
Access-Control-Max-Age: 5
Access-Control-Expose-Headers: **
Access-Control-Allow-Credentials: true

curl -X OPTIONS -H 'Origin: http://aaa.xxx.com' -I 'https://bbb.xxx.com/crm/page'
HTTP/1.1 200 OK
Date: Thu, 13 Feb 2025 05:34:01 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/3.7.0
Vary: Origin

[juzhiyuan]

I'm following the examples from https://docs.api7.ai/hub/cors and giving it a try, but I am getting the same result as the comments above: the Access-Control-Allow-xxx headers are missing. @kayx23 can you please also have a try?

[zhaomingcheng01]

Here's how I set it. Global cross-domain configuration is enabled

[Baoyuantop]

I'm following the examples from https://docs.api7.ai/hub/cors and giving it a try, but I am getting the same result as the comments above: the Access-Control-Allow-xxx headers are missing. @kayx23 can you please also have a try?

I've tried it without problems and the results are as described in the documentation.

[Baoyuantop]

Hi @zhaomingcheng01, can you organize the description of the issue? I don't understand the problem.

[zhaomingcheng01]

After the cors setting, there will be cross-domain problems from time to time, restart it can be good, and then your ** is not the http protocol that conflict ah, should not be recognized, the http protocol that is not * it

[zhaomingcheng01]

We have this problem again. Let's see if we can solve it

[Baoyuantop]

It would be helpful to provide a minimum reproduction step if we can stabilize the reproduction.

[Baoyuantop]

Hi @zhaomingcheng01, any update?

[Baoyuantop]

If there is still a problem, please open it again.