Redirects are completely broken when "Crowdsec On"

[catharsis71]

With Crowdsec On, Apache-generated redirects become completely broken, namely due to the Location: header being stripped from the response, as well as the link in the HTML response body becoming blank.

With Crowdsec Off (normal behavior):

# curl -i https://website/links
HTTP/2 301
location: https://website/links/
content-length: 360
content-type: text/html; charset=iso-8859-1
date: Thu, 01 May 2025 23:12:39 GMT
server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://website/links/">here</a>.</p>
<hr>
<address>Apache Server at <a href="mailto:xxx">hostname</a> Port 443</address>
</body></html>

With Crowdsec On (broken):

# curl -i https://website/links
HTTP/2 301
content-length: 325
content-type: text/html; charset=iso-8859-1
date: Thu, 01 May 2025 23:11:26 GMT
server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="">here</a>.</p>
<hr>
<address>Apache Server at <a href="mailto:xxx">hostname</a> Port 443</address>
</body></html>

note that the Location: header is gone, and the href target has become blank.

a strange message also appears in the Apache error log:

[Thu May 01 18:08:53.664067 2025] [crowdsec:error] [pid 1401022:tid 253409144008992] [remote 1.1.1.1:55744] crowdsec: service 'http://127.0.0.1:8080/v1/decisions?ip=1.1.1.1' returned 301, request rejected: /links

the message makes it sound like the local API is returning a 301, but it's not

[DragoMlakar]

@sabban any eta on this redirect problems? We are using shibboleth and redirect can happen on every url. So this bug prevents us to enable also crowdsec feature. There are already posted solutions/branches that solves this problem.