I ve got a web service going up behind a load balancer that kotlinlang #ktor

I've got a web service going up behind a load bala...

gotwalt

12/14/2017, 6:08 PM

I've got a web service going up behind a load balancer that handles SSL for me, and struggling to get CORS to work correctly. All requests are authenticated using an oauth2 Authorization header. I'm configured as below, but not receiving an Access-Control-Allow-Origin in the OPTIONS response. Any ideas?

Copy code

install(CORS) {
        method(HttpMethod.Options)
        method(HttpMethod.Put)
        method(HttpMethod.Delete)
        header(HttpHeaders.Authorization)
        allowCredentials = true
        host("*", schemes = listOf("http", "https"))
      }

gotwalt

12/14/2017, 6:09 PM

Is it that adding Options to the whitelist of http verbs prevents the preflight interception from happening?

orangy

12/14/2017, 6:14 PM

@cy

gotwalt

12/14/2017, 6:15 PM

I've also read the test & source for it, but don't have a clear idea if I need to explicitly whitelist the https scheme. I'm sorta swinging blindly and then deploying to test it out

gotwalt

12/14/2017, 6:35 PM

beginning to think this is due to the lb rewriting the request and changing the hostname

gotwalt

12/14/2017, 6:35 PM

https://gist.github.com/gotwalt/9945a8599aa3e309df9acb1863ef021a

gotwalt

12/14/2017, 6:35 PM

that's a header dump on the options request

gotwalt

12/14/2017, 6:36 PM

the thing i note is that the request_uri is the internal port number & hostname, not what the browser requested