potential issue with cors handling #58

Closed
opened 2025-09-10 03:23:38 +00:00 by Brooke · 7 comments
Owner

I'm attempting to use Sveltia CMS that authorizes with a Forgejo account using their oauth system. The CMS does authentication client side as it's made for static sites. Using a personal access token resolves as "failed to fetch" and seems to be related to how Traefik responds to the request:

```
admin/:1 Access to fetch at 'https://git.example.com/api/v1/user' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
git.example.com/api/v1/user:1  Failed to load resource: net::ERR_FAILED
auth.js:69 Error Failed to send the request TypeError: Failed to fetch
    at Ad (networking.js:43:22)
    at Xn (api.js:112:10)
    at Nq (user.js:35:49)
    at Object.Dq [as signIn] (auth.js:55:10)
    at o0 (auth.js:204:28)
    at Proxy.onOk (sign-in.svelte:132:11)
    at y (modal.svelte:122:18)
Zg @ auth.js:69
```
Brooke changed title from potential issues with cors handling to potential issue with cors handling 2025-09-10 03:23:51 +00:00
Owner

@Brooke I ran into this with toolshed/recipes.coopcloud.tech – what worked for me was setting the (apparently undocumented 😳) [`CORS_ALLOW_DOMAIN` setting in the Gitea recipe](https://git.coopcloud.tech/coop-cloud/gitea/src/branch/master/compose.yml#L87).

Basically yes Traefik seems to need this label to respond correctly to CORS requests:

```yml
- "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
```
Author
Owner

Hm I tried setting that and I'm getting the same error, will test more in the morning tomorrow.

Author
Owner

So far I've tested setting [traefik labels](https://doc.traefik.io/traefik/reference/routing-configuration/http/middlewares/headers/#cors-headers) and [forgejo's cors](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#cors-cors) environment variables to no avail. I found a related issue on the [forgejo codeberg](https://codeberg.org/forgejo/forgejo/issues/1803) and that ended with just forcing nginx to send the right headers so it leads me to believe it's still something that can be solved with the right combination of traefik labels. Honestly I'm still too unfamiliar with traefik in general to know where I'm doing something wrong.
Owner

@Brooke I wonder if it was somehow that _both_ the traefik label, and the Gitea setting, were required when I set it up before?

It appears to be still working here anyway:

```bash
$ curl -H "Origin: https://recipes.coopcloud.tech" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS \
  -i \
  https://git.coopcloud.tech/coop-cloud/gitea/raw/branch/master/README.md
```

What Forgejo variable did you set, and did you add it to `compose.forgejo.yml`?
Author
Owner

Ah ok I think I don't totally understand how sveltiacms is handling this then. Because I do get the same result when I curl git.coopcloud.tech and fung.uy (my git instance). I eventually migrated the repo to codeberg, sveltia is no longer throwing an error. Sorry, I feel totally lost trying to learn how all this is supposed to work.

```
local @ secureblue in ~ |14:23:46
$ curl -H "Origin: https://recipes.coopcloud.tech"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: X-Requested-With"   -X OPTIONS -i https://fung.uy/api/v1/user
HTTP/2 200
access-control-allow-methods: GET,OPTIONS,PUT
access-control-allow-origin: *
access-control-max-age: 100
content-length: 0
date: Fri, 12 Sep 2025 18:00:15 GMT

local @ secureblue in ~ |14:24:51
$ curl -H "Origin: https://recipes.coopcloud.tech"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: X-Requested-With"   -X OPTIONS -i https://git.coopcloud.tech/coop-cloud/gitea/raw/branch/master/README.md
HTTP/2 200
access-control-allow-methods: GET,OPTIONS,PUT
access-control-allow-origin: https://recipes.coopcloud.tech
access-control-max-age: 100
content-length: 0
date: Fri, 12 Sep 2025 18:25:28 GMT

local @ secureblue in ~ |14:27:31
$ curl -H "Origin: https://recipes.coopcloud.tech"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: X-Requested-With"   -X OPTIONS -i https://codeberg.org/api/v1/user
HTTP/2 200
alt-svc: h3=":443"; ma=2592000,h3=":443"; ma=2592000
date: Fri, 12 Sep 2025 18:27:47 GMT
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
via: 1.1 Caddy
x-content-type-options: nosniff
content-length: 0
```
I ended up not actually having to change anything with traefik and just set the following variables in the forgejo config. I'm so lost here but I feel like I can potentially conclude this as either being a forgejo issue or sveltia issue but not related to traefik. So, maybe the issue should be moved.

```
#GITEA_CORS_ALLOW_DOMAIN=*

FORGEJO__cors__ENABLED=true
FORGEJO__cors__ALLOW_DOMAIN=*
FORGEJO__cors__HEADERS=Access-Control-Allow-Origin,Content-Type,User-Agent
FORGEJO__cors__ALLOW_CREDENTIALS=true
```
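All three curl captures above return HTTP 200, but a browser decides on the preflight response headers, not on the status line. The block below is an added example, not code from the thread's participants or from Traefik, Forgejo or Sveltia CMS: it applies a simplified form of the Fetch standard's preflight check to the captured headers, and `checkPreflight`, `captures`, `curlRequest` and `verdicts` are names made up here.

```javascript
// Added example: simplified browser-side CORS preflight check (Fetch standard).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]); // never need to be listed
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, unsafeHeaders: [names], credentials: boolean }
// res: { status, headers: { lowercaseName: value } }
function checkPreflight(req, res) {
  const h = res.headers;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return "blocked: no Access-Control-Allow-Origin";
  if (req.credentials) {
    // With credentials "*" is not accepted: the origin must match exactly.
    if (acao !== req.origin) return "blocked: origin must match exactly with credentials";
    if (h["access-control-allow-credentials"] !== "true")
      return "blocked: Access-Control-Allow-Credentials is not true";
  } else if (acao !== "*" && acao !== req.origin) {
    return "blocked: origin not allowed";
  }
  if (res.status < 200 || res.status > 299) return "blocked: preflight status not 2xx";
  const methods = list(h["access-control-allow-methods"]);
  const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  const wildcard = !req.credentials; // "*" only counts without credentials
  if (!methods.includes(req.method) && !SAFE_METHODS.has(req.method) &&
      !(wildcard && methods.includes("*"))) return `blocked: method ${req.method} not allowed`;
  for (const name of req.unsafeHeaders.map((s) => s.toLowerCase())) {
    // "authorization" is never covered by "*"; it has to be listed by name.
    const viaStar = wildcard && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaStar) return `blocked: header ${name} not allowed`;
  }
  return "allowed";
}

// Response headers taken from the three curl captures in the thread.
const corsOnly = (origin) => ({ status: 200, headers: {
  "access-control-allow-methods": "GET,OPTIONS,PUT",
  "access-control-allow-origin": origin, "access-control-max-age": "100" } });
const captures = {
  "fung.uy": corsOnly("*"),
  "git.coopcloud.tech": corsOnly("https://recipes.coopcloud.tech"),
  "codeberg.org": { status: 200, headers: { vary: "Origin" } }, // no CORS headers returned
};
// The request the curl commands simulated (no cookies or HTTP auth).
const curlRequest = { origin: "https://recipes.coopcloud.tech", method: "POST",
  unsafeHeaders: ["X-Requested-With"], credentials: false };

function verdicts(req) {
  return Object.fromEntries(
    Object.entries(captures).map(([host, res]) => [host, checkPreflight(req, res)]));
}
console.log(verdicts(curlRequest));
```

For the request curl simulated, the first two captures are blocked because `X-Requested-With` is not listed in any `Access-Control-Allow-Headers` header, and the third because no `Access-Control-Allow-Origin` was returned for that origin. With `credentials: true` a literal `*` origin is rejected too, which is the case to check when `ALLOW_DOMAIN=*` is set together with `ALLOW_CREDENTIALS=true`.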
Owner

> I ended up not actually having to change anything with traefik and just set the following variables in the forgejo config.

Amazing! Yes, this is what I was expecting. Maybe you could add these in `compose.forgejo.yml` if you have a spare moment?
Author
Owner

moved [#46](https://git.coopcloud.tech/coop-cloud/gitea/issues/46)
Reference: coop-cloud/traefik#58