Tasklist graphql cors problem

Hi,

I’m running the Tasklist app on a self-managed Camunda 8 platform behind an nginx reverse proxy which performs the TLS termination and forwards upstream to http://tasklist:8080.
I can successfully log in with the demo user, but nothing is loaded because the POST /graphql returns a 403 with body Invalid CORS request.

Does the Tasklist app recognize the X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Port headers?
Or is there a CORS configuration?

Best regards,
Nathanael

1 Like

Today I remembered how to configure a Spring Boot app behind a reverse proxy, and voilà, it works: SERVER_FORWARDHEADERSSTRATEGY=native

4 Likes

Thanks @nathanael for coming back and sharing your solution with us.

This made my day, thank you!

1 Like

Hi @nathanael, I am facing the same issue when trying to log in to Tasklist: POST /graphql returns HTTP 403 Invalid CORS request. My cluster is a self-managed instance and I have the Ingress controller configuration below for Tasklist. Based on Invalid CORS request, I have tried the highlighted option and annotations, but the issue still persists.

```yaml
tasklist:
  ingress:
    enabled: true
    host: "<tasklist_external_host>"
    port: 80
    options:                            # highlighted
      use-forwarded-headers: true       # highlighted
    annotations:
      nginx.org/mergeable-ingress-type: minion
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/enable-cors: "true"                     # highlighted
      nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"   # highlighted
```

Can you please mention where exactly you specified SERVER_FORWARDHEADERSSTRATEGY=native to resolve this issue? Thanks.

Hi Hemal,

SERVER_FORWARDHEADERSSTRATEGY=native is a Spring Boot configuration variable that makes the Spring app evaluate the X-Forwarded headers. You should set it as an environment variable on your tasklist container, not on the ingress.

Regards, Nathanael

Hi @Hemal,

Did setting the “SERVER_FORWARDHEADERSSTRATEGY=native” environment variable on your tasklist container resolve the issue? I am trying a similar setup behind an nginx reverse proxy which performs the TLS termination and forwards upstream to the tasklist service. I tried setting the “SERVER_FORWARDHEADERSSTRATEGY=native” environment variable on the tasklist container but continue to get the 403 with body Invalid CORS request.

Hi @slandry, nope, it didn’t resolve the issue for me. I have not proceeded from that point due to other issues. In my case, we’re deploying Camunda in an AWS Kubernetes cluster, so I know the whole cluster is behind an application load balancer as well, which I might need to debug.

Hi @Hemal,

Thank you for following up. We are also using an AWS Kubernetes cluster. There is a network load balancer in front of the app. I am going to try a few more things today. It's only the tasklist application experiencing the issue. I am able to use the operate app without any special configuration.

Hi, I have the same issue with tasklist/graphql returning a 403 with body Invalid CORS request.

I am using the self-managed Helm charts, with Azure appgateway doing TLS termination and an nginx reverse proxy. I am using version 8.2.11.

I have set the environment variable in my Helm values file:

```yaml
tasklist:
  env:
    - name: "SERVER_FORWARDHEADERSSTRATEGY"
      value: "native"
```

and also set the ingress annotations:

```yaml
nginx.ingress.kubernetes.io/configuration-snippet: |
  more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
  more_set_headers "X-Forwarded-Host $host";
  more_set_headers "X-Forwarded-Proto https";
  more_set_headers "X-Real-IP $remote_addr";
  more_set_headers "X-Forwarded-Port $server_port";
```

Any help much appreciated
Thanks
Darren
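
Added example (not from any poster, and not Spring or Camunda code): a simplified Python model of the same-origin comparison behind the symptom in this thread, where the browser's Origin header is compared with the scheme, host and port the application believes it was reached on. The host names, header values and the double-hop case (a load balancer terminating TLS in front of the proxy) are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_origin(backend, headers, trust_forwarded):
    """(scheme, host, port) the app believes it was reached on.

    backend is the proxy-to-app hop. With trust_forwarded=True the
    X-Forwarded-* values replace it, which is the effect the thread
    attributes to SERVER_FORWARDHEADERSSTRATEGY=native.
    """
    scheme, host, port = backend
    if trust_forwarded:
        if "X-Forwarded-Proto" in headers:
            scheme = headers["X-Forwarded-Proto"].lower()
            port = DEFAULT_PORTS.get(scheme, port)
        if "X-Forwarded-Host" in headers:
            host = headers["X-Forwarded-Host"]
        if "X-Forwarded-Port" in headers:
            port = int(headers["X-Forwarded-Port"])
    return scheme, host.lower(), port

def is_same_origin(origin, backend, headers, trust_forwarded):
    """Compare the browser's Origin header with the app's view of itself."""
    o = urlsplit(origin)
    browser = (o.scheme, o.hostname, o.port or DEFAULT_PORTS.get(o.scheme))
    return browser == effective_origin(backend, headers, trust_forwarded)

# Constructed sample values (not taken from the thread).
ORIGIN = "https://tasklist.example.com"
BACKEND = ("http", "tasklist", 8080)
FROM_PROXY = {"X-Forwarded-Proto": "https",
              "X-Forwarded-Host": "tasklist.example.com",
              "X-Forwarded-Port": "443"}
# Assumed case: a load balancer in front of the proxy terminated TLS,
# so the proxy saw plain http and forwards that.
DOUBLE_HOP = {"X-Forwarded-Proto": "http",
              "X-Forwarded-Host": "tasklist.example.com",
              "X-Forwarded-Port": "80"}

if __name__ == "__main__":
    for label, hdrs, trust in [("headers ignored", FROM_PROXY, False),
                               ("headers trusted", FROM_PROXY, True),
                               ("double hop, trusted", DOUBLE_HOP, True)]:
        same = is_same_origin(ORIGIN, BACKEND, hdrs, trust)
        print(f"{label:20} -> {'same-origin' if same else 'cross-origin, CORS rules apply'}")
```

Forwarded headers should only be honoured when the application is reachable solely through the proxy, because a client that can reach it directly can set them itself.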