Unable to use X-Forwarded-Prefix

[Saljack]

Describe the bug
I think that I have a normal widespread use case of Spring Cloud Gateway (WebFlux version) with a combination of proxy (ingress). I have a proxy (Nginx ingress in Kubernetes) that has a path prefix /api. This prefix is removed from the path and sent as X-Forwarded-Prefix to SCG. SCG has routes without this prefix and striping the next prefix which is an id of another service. See SCG configuration:

spring
  cloud:
    gateway:
      routes:
      - id: users
        uri: http://localhost:8089
        predicates:
          - Path= /users/**
        filters:
          - StripPrefix=1

Then another services (Spring Boot applications) maps the path without these two prefixes e.g. @GetMapping("/foo").

So I have an url /api/users/foo

User /api/users/foo => proxy /users/foo + X-Forwarded-Prefix: /api => SCG /foo + X-Forwarded-Prefix: /api,/users => service

I used server.forward-headers-strategy: NATIVE but the last release updated Reactor Netty that supports X-Forwarded-Prefix reactor/reactor-netty#3436 and it totally broke my configuration.

I would expect that setting server.forward-headers-strategy to NATIVE or FRAMEWORK does not affect routing matching. So if I have the route with the predicate /users it would ignore everything from X-Forwarded-Prefix. But it is not right now. Currently, if there is the forwarded headers strategy then also the matching predicate must contain the prefix /api/users. It looks like it is similar to this ticket spring-projects/spring-framework#25270 (comment) where WebFlux behaved differently for mapping annotations and router functions but it was already fixed and aligned.

The whole problem is with the unsupported context path (base path) in SCG WebFlux #1759 because ForwardedHeaderTransformer sets X-Forwarded-Prefix to contextPath.
Then there is also a problem with some filters that are not able to strip the context path: #1935

I need to set server.forward-headers-strategy because of Spring Security and correct redirections (in my case I use OAuth2 Login). So I tried these configuration for this properties and none of them worked:

• NONE - SCG works but Spring Security redirecting does not work and error responses from SCG do not contain the correct path (because the header is not processed). It correctly sends an additional X-Forwarded-Prefix that was striped by the strip prefix filter.
• FRAMEWORK - I had to change routing predicates and add the prefix and also use custom strip prefix filter with support of removing contextPath
• NATIVE - similar to FRAMEWORK but Spring Security does not handle redirects (it is not issue in SCG) so it is unusable.

Sample
If possible, please provide a test case or sample application that reproduces
the problem. This makes it much easier for us to diagnose the problem and to verify that
we have fixed it.

[spencergibb]

The whole problem is with the unsupported context path (base path) in SCG WebFlux #1759 because ForwardedHeaderTransformer sets X-Forwarded-Prefix to contextPath.
Then there is also a problem with some filters that are not able to strip the context path: #1935

So, can I close this as duplicates of those others?

[Saljack]

I would not close it. I see three issues connected to contextPath:

• Unsupported base path Webflux base path does not work with Path predicates #1759
• Unsupported contextPath in filters Support webflux.base-path in StripFilter and possibly others #1935
• Problems with X-Forwarded-Prefix this issue

All of them can be (more or less) superseded by a new ticket with support contextPath and aligning SCG WebFlux with MVC (I have not tested it yet but I think SCG MVC would work with contextPath).
Without the support of contextPath is SCG very limited in these use cases. Or is my setup something uncommon and other developers do not strip any prefix on their proxy? I do not think so.

I would like to help with it but you have already claimed #1759 (comment) that you do not want to support it. And I am not sure that I am able to see all possible problems.