compress midddleware: dont encode content if Accept-Encoding header is missing

[robin-moser]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

I enabled content encoding with the new (3.0.0-beta2) compress middleware. When including a request header, for example Accept-Encoding: br, gzip, the content gets encoded properly by the new brotli compression.

When omitting the header, the content unexpectedly gets encoded by brotli, too.

RFC9110 (accept-encoding) states, that "If no Accept-Encoding header field is in the request, any content coding is considered acceptable by the user agent." So technically, the new implementation from traefik is correct. But in practice, this is really uncommon beahviour and could break many applications out there.

The problem with this behaviour is, that tools like curl often don't send any header by default but can't deal with compression by themself. Given a tool with a webui and an api, the use wants the webui to compress the content, but some scripts or cli tools may use the api and fail so because of the compression. So usually, a site doesn't compress the content if no header is present to ensure compatibility.

Examples: (all three sites support brotli compression)

# with the header

curl --silent --output /dev/null --dump-header /dev/stdout  -H 'Accept-Encoding: gzip,br' https://www.google.com | grep encoding
content-encoding: gzip
curl --silent --output /dev/null --dump-header /dev/stdout  -H 'Accept-Encoding: gzip,br' https://www.facebook.com | grep encoding
content-encoding: br
curl --silent --output /dev/null --dump-header /dev/stdout -H 'Accept-Encoding: gzip,br' https://www.docker.com | grep encoding
content-encoding: br
curl --silent --output /dev/null --dump-header /dev/stdout -H 'Accept-Encoding: gzip,br' https://<traefik-v3-with-compress> | grep encoding
content-encoding: br

#now without the header

curl --silent --output /dev/null --dump-header /dev/stdout https://www.google.com | grep encoding
curl --silent --output /dev/null --dump-header /dev/stdout https://www.facebook.com | grep encoding
curl --silent --output /dev/null --dump-header /dev/stdout https://www.docker.com | grep encoding
curl --silent --output /dev/null --dump-header /dev/stdout https://<traefik-v3-with-compress> | grep encoding
content-encoding: br

# this is the stated problem

curl https://<traefik-v3-with-compress>
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

I would suggest to omit compression if no Accept-Encoding header is present.

What version of Traefik are you using?

v3.0.0 beta2

What is your environment & configuration?

middlewares.yml

http:
  middlewares:
    compression:
      compress: {}

traefik.yml

entrypoints:
  websecure:
    address: :443
    http:
      middlewares:
        - compression@file

If applicable, please paste the log output in DEBUG level

No response

[mpl]

Hi @robin-moser ,

we will of course have to double-check a few things, but that sounds fair enough.

FYI, you probably already know, but you should be able to get an uncompressed response with curl if you specify an empty Accept-Encoding value.

[kimdre]

@mpl traefik at the moment only returns proper output when you specify Accept-Encoding: identity. Empty Accept-Encoding: does not work.

[mpl]

@kimdre it works for me. Are you sure you're using the correct curl syntax?

mbp:9688 mpl$ curl -v -H "Host: whoami.localhost" http://localhost
*   Trying ::1:80...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: whoami.localhost
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Encoding: br
< Content-Type: text/plain; charset=utf-8
< Date: Tue, 28 Feb 2023 16:43:20 GMT
< Vary: Accept-Encoding
< Content-Length: 220
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* Closing connection 0
mbp:9688 mpl$
mbp:9688 mpl$
mbp:9688 mpl$
mbp:9688 mpl$ curl -v -H "Host: whoami.localhost" -H "Accept-Encoding;" http://localhost
*   Trying ::1:80...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: whoami.localhost
> User-Agent: curl/7.77.0
> Accept: */*
> Accept-Encoding:
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 360
< Content-Type: text/plain; charset=utf-8
< Date: Tue, 28 Feb 2023 16:43:31 GMT
<
Hostname: 3cb9511dc1ae
IP: 127.0.0.1
IP: 172.17.0.2
RemoteAddr: 172.17.0.1:59572
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/7.77.0
Accept: */*
Accept-Encoding:
Accept-Encoding: gzip
X-Forwarded-For: ::1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: mbp.granivo.re
X-Real-Ip: ::1

* Connection #0 to host localhost left intact

[kimdre]

@mpl Yes, I'm sure. Just tested it again with v3.0.0-beta2

kdr@web:~# curl --silent --output /dev/null --dump-header /dev/stdout -H 'Accept-Encoding: gzip,br' https://drechsel.xyz | grep encoding
content-encoding: br
kdr@web:~# curl https://drechsel.xyz
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

kdr@web:~# curl -L -H 'Accept-Encoding:' https://drechsel.xyz
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

kdr@web:~# curl -L -H 'Accept-Encoding: ' https://drechsel.xyz
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

kdr@web:~# curl -L -H 'Accept-Encoding: identity' https://drechsel.xyz
<!doctype html><html lang=en-us><head><title>Kim's IT Blog</title><meta charset=utf-8>...

This also messed up my monitoring because it can't check for specific strings anymore unless I specify the header I mentioned earlier.

[mpl]

@kimdre That is not how one sends an empty valued header with curl, which is why I asked if you were using the correct syntax.

[kimdre]

@mpl Ok yes you are right it does work if you specify the empty Header correctly (Accept-Encoding;)

[s4v4g3]

FYI we were bitten by this and had to quickly revert back to traefik v2. It can be argued that this is buggy behavior in curl but at least there should be a config option in traefik to disable this behavior. Also, this is not mentioned in the migration guide.
https://doc.traefik.io/traefik/master/migration/v2-to-v3/

[dani]

yum/dnf is another example where this new "compress with brotli when no Accept-Encoding" behaviour breaks things. I host an rpm repo behind Traefik, and used to compress. Upgrading to Traefik v3 makes my repo unusable, eg

Daniel Berteaud RPM                                                                                                                                                                                            22 kB/s | 679  B     00:00    
Cleaning up.
Plugins were unloaded.

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 573, in load
    ret = self._repo.load()
  File "/usr/lib64/python3.6/site-packages/libdnf/repo.py", line 397, in load
    return _repo.Repo_load(self)
libdnf._error.Error: Failed to download metadata for repo 'dbd': repomd.xml parser error: Parse error at line: 1 (Document is empty
)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 67, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 106, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 122, in cli_run
    cli.run()
  File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 1038, in run
    self._process_demands()
  File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 741, in _process_demands
    load_available_repos=self.demands.available_repos)
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 405, in fill_sack
    self._add_repo_to_sack(r)
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 140, in _add_repo_to_sack
    repo.load()
  File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 580, in load
    raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to download metadata for repo 'dbd': repomd.xml parser error: Parse error at line: 1 (Document is empty
)
Error: Failed to download metadata for repo 'dbd': repomd.xml parser error: Parse error at line: 1 (Document is empty
)

I have to either revert to Traefik v2 or disable the compression middleware for things to work again

[robin-moser]

@mpl
Do you accept pull requests for these type of changes?
Thanks for having a look into it!