[ci skip] Fix rewrite-body plugin corrupting compressed responses

The packruler/rewrite-body plugin (used for rybbit analytics injection) fails to decompress gzip responses with "flate: corrupt input before offset 5", corrupting the response body. This broke HA Companion app's external_auth flow and WebSocket connections on ha-sofia. Fix: add a strip-accept-encoding middleware that removes Accept-Encoding from requests when rybbit is active, forcing backends to send uncompressed responses that the plugin can safely process. Also add extra_middlewares variable to reverse_proxy factory for extensibility.
2026-02-11 21:40:11 +00:00 · 2026-02-11 21:40:11 +00:00 · f03b8a055b
commit f03b8a055b
parent 036ec06256
3 changed files with 31 additions and 2 deletions
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@ -37,6 +37,10 @@ variable "strip_auth_headers" {
  type    = bool
  default = false
 }
+variable "extra_middlewares" {
+  type    = list(string)
+  default = []
+}


 resource "kubernetes_service" "proxied-service" {
@ -66,15 +70,16 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
    name      = var.name
    namespace = var.namespace
    annotations = merge({
-      "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact([
+      "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact(concat([
        "traefik-rate-limit@kubernetescrd",
        var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
        "traefik-crowdsec@kubernetescrd",
        var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
        var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
+        var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
        var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
        var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
-      ]))
+      ], var.extra_middlewares)))
      "traefik.ingress.kubernetes.io/router.entrypoints"       = "websecure"
      "traefik.ingress.kubernetes.io/service.serversscheme"    = var.backend_protocol == "HTTPS" ? "https" : null
      "traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null