Hi, I am running Kong with declarative configuration. I have service called api. All it returns is just headers received in request. This is my configuration:
_format_version: '1.1'
plugins:
- config:
credentials: true
exposed_headers:
- X-Auth-Token
headers:
- Accept
- Accept-Version
- Authorization
- Content-Length
- Content-MD5
- Content-Type
- Date
- X-Auth-Token
max_age: 3600
methods:
- POST
origins:
- '*'
name: cors
services:
- name: api
routes:
- name: api
paths:
- /api
strip_path: true
url: http://api:8000
I am using cors plugin to restrict methods and I find out, GET works even when I do not have it in my configuration. I receive no errors, just response from my api application.
$ curl -s localhost:8000/api | jq .
{
"host": "api:8000",
"connection": "keep-alive",
"x-forwarded-for": "10.0.0.2",
"x-forwarded-proto": "http",
"x-forwarded-host": "localhost",
"x-forwarded-port": "8000",
"x-forwarded-path": "/api",
"x-forwarded-prefix": "/api",
"x-real-ip": "10.0.0.2",
"user-agent": "curl/7.84.0",
"accept": "*/*"
}
I see in plugin CORS documentation that plugin is define in root key plugin as I have, but there is also service key inside configuration. It is quiet misleading, my configuration works and from doc, I do not understand correctly how should I configure it for multiple services. Can somebody make it clear with some examples?
I am new to Kong, so maybe I am missing something. Can somebody explain me why I am able to GET my api endpoint even when I did not allowed it?
Thank in advance.
Kong version: 2.8.0