Traefik turns a `302 Found` response into `200 OK` for HTTP2 clients with compression enabled

[mrnugget]

Do you want to request a feature or report a bug?

Bug

What did you do?

The configured backend responds to a GET request with a server side redirect: 302 Found and a Location Header. Traefik is configured to use compression. The client is a HTTP2 client.

What did you expect to see?

The 302 Found response code.

What did you see instead?

A 200 OK response, which results in browsers not following the redirect URL in the Location header.

Reproduction Repository

I prepared a repository that contains the most minimal setup to reproduce the bug: https://github.com/mrnugget/traefik_redirect_http2_compression

To reproduce the bug, check out the README. The TL;DR is this:

1. git clone https://github.com/mrnugget/traefik_redirect_http2_compression
2. cd traefik_redirect_http2_compression
3. docker-compose up
4. Send a HTTP2 request with Accept-Encoding: gzip that should result in a 302 redirect:

$ curl -v -k --http2 -H 'Accept-Encoding: gzip' -H 'Host: redirectwebapp.docker.localhost' https://localhost/redirect`
< HTTP/2 200
< content-type: text/html; charset=utf-8
< date: Thu, 02 Nov 2017 06:54:09 GMT
< location: https://redirectwebapp.docker.localhost/end
< vary: Accept-Encoding
< content-length: 109
<
* Connection #0 to host localhost left intact
<html><body>You are being <a href="https://redirectwebapp.docker.localhost/end">redirected</a>.</body></html>% 

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.4.1
Codename:     roquefort
Go version:   go1.9.1
Built:        2017-10-24_05:25:28PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

debug = true
logLevel = "DEBUG"

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  compress = true
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/traefik/selfsigned.crt"
      keyFile = "/etc/traefik/selfsigned.key"

[traefikLog]

[accessLog]

[web]
address = ":8080"

[docker]
domain = "docker.localhost"

If applicable, please paste the log output in debug mode (--debug switch)

Attaching to traefikredirecthttp2compression_proxy_1, traefikredirecthttp2compression_redirectwebapp_1
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Using TOML configuration file /etc/traefik/traefik.toml"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Traefik version v1.4.1 built on 2017-10-24_05:25:28PM"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Global configuration loaded {"GraceTimeOut":10000000000,"Debug":true,"CheckNewVersion":true,"AccessLogsFile":"","AccessLog":{"format":"common"},"TraefikLogsFile":"","LogLevel":"DEBUG","EntryPoints":{"http":{"Network":"","Address":":80","TLS":null,"Redirect":{"EntryPoint":"https","Regex":"","Replacement":""},"Auth":null,"WhitelistSourceRange":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}},"https":{"Network":"","Address":":443","TLS":{"MinVersion":"","CipherSuites":null,"Certificates":[{"CertFile":"/etc/traefik/selfsigned.crt","KeyFile":"/etc/traefik/selfsigned.key"}],"ClientCAFiles":null},"Redirect":null,"Auth":null,"WhitelistSourceRange":null,"Compress":true,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":null,"DefaultEntryPoints":["http","https"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeout":0,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"Docker":{"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"docker.localhost","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":false},"File":null,"Web":{"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":false,"CurrentConfigurations":null,"Stats":null,"StatsRecorder":null},"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null}"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc4204f86c0 Redirect:<nil> Auth:<nil> WhitelistSourceRange:[] Compress:true ProxyProtocol:<nil> ForwardedHeaders:0xc4201b3460} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0xc420603a10 Auth:<nil> WhitelistSourceRange:[] Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc4201b3480} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Starting provider *docker.Provider {"Watch":true,"Filename":"","Constraints":null,"Trace":false,"DebugLogGeneratedTemplate":false,"Endpoint":"unix:///var/run/docker.sock","Domain":"docker.localhost","TLS":null,"ExposedByDefault":true,"UseBindPortIP":false,"SwarmMode":false}"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Starting server on :443"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Starting provider *web.Provider {"Address":":8080","CertFile":"","KeyFile":"","ReadOnly":false,"Statistics":null,"Metrics":null,"Path":"/","Auth":null,"Debug":true,"CurrentConfigurations":{},"Stats":{"Uptime":"2017-11-02T06:40:45.776601213Z","Pid":1,"ResponseCounts":{},"TotalResponseCounts":{},"TotalResponseTime":"0001-01-01T00:00:00Z"},"StatsRecorder":null}"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Starting server on :80"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Provider connection established with docker 17.09.0-ce (API 1.32)"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Validation of load balancer method for backend backend-proxy-traefikredirecthttp2compression failed: invalid load-balancing method ''. Using default method wrr."
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Configuration received from provider docker: {"backends":{"backend-proxy-traefikredirecthttp2compression":{"servers":{"server-traefikredirecthttp2compression_proxy_1":{"url":"http://172.22.0.3:80","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost":{"entryPoints":["http","https"],"backend":"backend-proxy-traefikredirecthttp2compression","routes":{"route-frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost":{"rule":"Host:proxy.traefikredirecthttp2compression.docker.localhost"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}}}}"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Last docker config received more than 2s, OK"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating frontend frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Wiring frontend frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost to entryPoint http"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating route route-frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost Host:proxy.traefikredirecthttp2compression.docker.localhost"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating entryPoint redirect http -> https : ^(?:https?:\/\/)?([\w\._-]+)(?::\d+)?(.*)$ -> https://$1:443$2"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating backend backend-proxy-traefikredirecthttp2compression"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating load-balancer wrr"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating server server-traefikredirecthttp2compression_proxy_1 at http://172.22.0.3:80 with weight 0"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Wiring frontend frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost to entryPoint https"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating route route-frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost Host:proxy.traefikredirecthttp2compression.docker.localhost"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating backend backend-proxy-traefikredirecthttp2compression"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating load-balancer wrr"
proxy_1           | time="2017-11-02T06:40:45Z" level=debug msg="Creating server server-traefikredirecthttp2compression_proxy_1 at http://172.22.0.3:80 with weight 0"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Server configuration reloaded on :443"
proxy_1           | time="2017-11-02T06:40:45Z" level=info msg="Server configuration reloaded on :80"
proxy_1           | time="2017-11-02T06:40:46Z" level=debug msg="Provider event received {Status:start ID:c63e8d74c02a364f74191b08bfc68a23ee0ca69d6ceb871464f9627fec1814de From:redirectwebapp Type:container Action:start Actor:{ID:c63e8d74c02a364f74191b08bfc68a23ee0ca69d6ceb871464f9627fec1814de Attributes:map[com.docker.compose.container-number:1 image:redirectwebapp name:traefikredirecthttp2compression_redirectwebapp_1 traefik.frontend.rule:Host:redirectwebapp.docker.localhost com.docker.compose.config-hash:28964e0e6349fd74892156ecb1a37c9f2cf1bb8f725edbb48464bf1445a7185b com.docker.compose.project:traefikredirecthttp2compression com.docker.compose.service:redirectwebapp com.docker.compose.version:1.16.1 traefik.backend:redirectwebapp com.docker.compose.oneoff:False]} Scope:local Time:1509604846 TimeNano:1509604846641687040}"
proxy_1           | time="2017-11-02T06:40:46Z" level=debug msg="Validation of load balancer method for backend backend-redirectwebapp failed: invalid load-balancing method ''. Using default method wrr."
proxy_1           | time="2017-11-02T06:40:46Z" level=debug msg="Validation of load balancer method for backend backend-proxy-traefikredirecthttp2compression failed: invalid load-balancing method ''. Using default method wrr."
proxy_1           | time="2017-11-02T06:40:46Z" level=debug msg="Configuration received from provider docker: {"backends":{"backend-proxy-traefikredirecthttp2compression":{"servers":{"server-traefikredirecthttp2compression_proxy_1":{"url":"http://172.22.0.3:80","weight":0}},"loadBalancer":{"method":"wrr"}},"backend-redirectwebapp":{"servers":{"server-traefikredirecthttp2compression_redirectwebapp_1":{"url":"http://172.22.0.2:3000","weight":0}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost":{"entryPoints":["http","https"],"backend":"backend-proxy-traefikredirecthttp2compression","routes":{"route-frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost":{"rule":"Host:proxy.traefikredirecthttp2compression.docker.localhost"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}},"frontend-Host-redirectwebapp-docker-localhost":{"entryPoints":["http","https"],"backend":"backend-redirectwebapp","routes":{"route-frontend-Host-redirectwebapp-docker-localhost":{"rule":"Host:redirectwebapp.docker.localhost"}},"passHostHeader":true,"priority":0,"basicAuth":[],"headers":{}}}}"
proxy_1           | time="2017-11-02T06:40:46Z" level=debug msg="Last docker config received less than %!s(flaeg.Duration=2000000000), waiting..."
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Waited for docker config, OK"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating frontend frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Wiring frontend frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost to entryPoint http"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating route route-frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost Host:proxy.traefikredirecthttp2compression.docker.localhost"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating entryPoint redirect http -> https : ^(?:https?:\/\/)?([\w\._-]+)(?::\d+)?(.*)$ -> https://$1:443$2"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating backend backend-proxy-traefikredirecthttp2compression"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating load-balancer wrr"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating server server-traefikredirecthttp2compression_proxy_1 at http://172.22.0.3:80 with weight 0"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Wiring frontend frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost to entryPoint https"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating route route-frontend-Host-proxy-traefikredirecthttp2compression-docker-localhost Host:proxy.traefikredirecthttp2compression.docker.localhost"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating backend backend-proxy-traefikredirecthttp2compression"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating load-balancer wrr"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating server server-traefikredirecthttp2compression_proxy_1 at http://172.22.0.3:80 with weight 0"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating frontend frontend-Host-redirectwebapp-docker-localhost"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Wiring frontend frontend-Host-redirectwebapp-docker-localhost to entryPoint http"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating route route-frontend-Host-redirectwebapp-docker-localhost Host:redirectwebapp.docker.localhost"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating backend backend-redirectwebapp"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating load-balancer wrr"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating server server-traefikredirecthttp2compression_redirectwebapp_1 at http://172.22.0.2:3000 with weight 0"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Wiring frontend frontend-Host-redirectwebapp-docker-localhost to entryPoint https"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating route route-frontend-Host-redirectwebapp-docker-localhost Host:redirectwebapp.docker.localhost"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating backend backend-redirectwebapp"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating load-balancer wrr"
proxy_1           | time="2017-11-02T06:40:48Z" level=debug msg="Creating server server-traefikredirecthttp2compression_redirectwebapp_1 at http://172.22.0.2:3000 with weight 0"
proxy_1           | time="2017-11-02T06:40:48Z" level=info msg="Server configuration reloaded on :443"
proxy_1           | time="2017-11-02T06:40:48Z" level=info msg="Server configuration reloaded on :80"
proxy_1           | time="2017-11-02T06:41:00Z" level=debug msg="Round trip: http://172.22.0.2:3000, code: 302, duration: 4.199673ms tls:version: 303, tls:resume:false, tls:csuite:c02f, tls:server:localhost"
proxy_1           | 172.22.0.1 - - [02/Nov/2017:06:41:00 +0000] "GET /redirect HTTP/2.0" 302 109 - "curl/7.56.1" 1 "Host-redirectwebapp-docker-localhost" "http://172.22.0.2:3000" 4ms

[chr4]

I can reproduce the problem. I've also noticed, that this error seems to be introduced with v1.4.1 as the redirect works as expected when using image: traefik:1.4.0 in docker-compose.yml.

[mrnugget]

After some further investigation I think I can pinpoint the problem: v1.4.0...v1.4.1#diff-f16a80eae23d5b298c2652448ec420cfR484

The update of oxy resulted in this regression. With a locally built version of Traefik that uses the old version of oxy I cannot reproduce the bug.

[mrnugget]

@chr4 and me found the commit that causes this issue: containous/oxy@aa79b5c (PR: containous/oxy#33)
The issue that was the reason for the commit and the PR: #2264

[kachkaev]

I'm also facing this. After upgrading to 1.4.1 and going to traefik.example.com to see the dashboard, I saw HTTP/2 200 in response headers, while the body still said 401 Unauthorized. This confused Chrome and did not let it show the auth popup. Downgrading to 1.4.0 resolved the issue.

Interestingly, the headers appear to be incorrect only for HTTP/2. When I crawl the dashboard with httpie that uses HTTP 1, 401 does show up in headers even in traefik 1.4.1.

My provider is k8s and I'm using the official helm chart.

[thuandt]

I faced same problem with @kachkaev in my k8s cluster running traefik 1.4.1, revert back to 1.4.0 is ok

[jacksgt]

I can also confirm this. I'm running Gitea (which returns a 302 for / to /explore/repos) behind Traefik 1.4.1 with compression enabled, and Traefik shows a white page with "Found" and HTTP Status Code 200.

[RRAlex]

I only see references to 1.4.1, but I confirm 1.4.2 is also affected.

[ldez]

We work on this topic.