Traefik 2 & Docker - CORS error on ElasticSearch api

Question

I use Docker & Traefik to manage a ReactJS app calling an ElasticSearch API.

Here is my elasticsearch.yml config :

cluster.name: "docker-cluster"
network.host: 0.0.0.0
http.cors.enabled : true
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length
http.cors.allow-credentials: true
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

And here the entry in docker-compose for my Elasticsearch service :

elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.12.0
    restart: always
    volumes:
      - ${DATA_FOLDER_ELASTICHSEARCH}:/usr/share/elasticsearch/data
      - ./infra/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    environment:
      - discovery.type=single-node      
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.elasticsearch.rule=Host(`myElastic.domain.com`)"
      - "traefik.http.routers.elasticsearch.entrypoints=websecure"
      - "traefik.http.routers.elasticsearch.middlewares=testHeader"   
      - "traefik.http.middlewares.testHeader.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.testHeader.headers.accesscontrolalloworiginlist=*"
      - "traefik.http.middlewares.testHeader.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.testHeader.headers.addvaryheader=true"
    networks:
      - myNetwork

If I call my ElasticSearch API (like a simple POST on /myIndex/_search using Postman for example, I have my response headers :

Access-Control-Allow-Origin : *
Vary : Origin

But I still have the CORS issue on my React app using fetch (for now I use directly the ElasticSearch API from my react).

Do I need to change anything from the fetch api ?

EDIT

Looking at CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true, it seems I can't use * to define my allowed domains, so I put :

- "traefik.http.middlewares.testHeader.headers.accesscontrolalloworiginlist=https://reactApp.domain.com"

But no success ... in my Chrome console, I have this message :

preflight wildcard origin not allowed

Answer 1

@vincent-decaux

A few months late but if you, or anyone, needs to get this working, I was able to get Traefik2 + authorization headers working with a "wildcard" for allowed origin by including this label:

traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginListRegex=(.*?)

See: https://doc.traefik.io/traefik/middlewares/headers/#accesscontrolalloworiginlistregex

Instead of using the accessControlAllowOrigin="hostname", it allows a regex expression for evaluating a valid origin. Not a good idea for a production environment, if you can avoid it, but great for our development environment where the developers might be tinkering with our UI locally against our dev/test environment "public" API. For production I have a regex that restricts allowed origins to a small set of acceptable domains/hosts.