How to overcome CORS in Nginx?
Allocated a separate subdomain and a separate SSL certificate for the API. Here is a config:
upstream keeper_app {
    server 127.0.0.1:8080;
}
server {
    listen 443 ssl http2;
    server_name api.domain.ru www.api.domain.ru;
    access_log /var/log/nginx/api.domain.ru/access.log combined;
    error_log /var/log/nginx/api.domain.ru/error.log warn;
    ssl_certificate /etc/ssl/api.domain.ru/api.domain.ru.crt;
    ssl_certificate_key /etc/ssl/api.domain.ru/api.domain.ru.key;
    resolver 8.8.8.8 8.8.8.4 valid=300s;
    ssl_stapling on;
    ssl on;
    ssl_session_cache shared:SSL:2m;
    ssl_session_timeout 24h;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_dhparam /etc/ssl/api.domain.ru/api.domain.ru.dh2048.pem;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    add_header 'Access-Control-Allow-Origin' 'https://domain.ru';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
    add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
    add_header Access-Control-Allow-Credentials 'true';
    location ~ ^/(favicon\.ico)$ {
        access_log off;
    }
    location / {
        proxy_pass http://keeper_app/api/v1$request_uri;
    }
}
$httpProvider.defaults.withCredentials = true;
XMLHttpRequest cannot load https://api.domain.ru/user/valid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://domain.ru' is therefore not allowed access. The response had HTTP status code 401.
And as usual, there is nothing better than the documentation ))
https://enable-cors.org/server_nginx.html
Your setup assumes that add_header will add headers to the response from proxy_pass, but it doesn't.
Either set the headers in keeper_app itself, or google for a module that can change headers after proxy_pass (search Google for something like "modify proxy_pass headers nginx").
Options:
- Remove localhost from ALLOWED_HOSTS in Django
- Do it on the server node in Node.js
- Specify in OPTIONS in Nginx
location / {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Length' 0;
        # The header list is cut off at this point in the original post.
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        return 204;
    }
}
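The error in the question reports HTTP status 401, and nginx's add_header attaches a header only to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308 unless the always parameter is given. The config below is an added example, not part of the question or of any answer above: it sends the CORS headers on every status and answers the preflight in nginx. Host names, paths and the upstream are taken from the question's config; the shortened Allow-Headers list is an assumption.

```nginx
# Added example. Goes in the http context, like the question's config.
upstream keeper_app {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name api.domain.ru www.api.domain.ru;
    ssl_certificate     /etc/ssl/api.domain.ru/api.domain.ru.crt;
    ssl_certificate_key /etc/ssl/api.domain.ru/api.domain.ru.key;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
        # Preflight is answered by nginx and never reaches the backend.
        if ($request_method = 'OPTIONS') {
            # add_header directives are inherited from the enclosing level only
            # when the current level defines none, so the origin and credentials
            # headers are repeated inside this block.
            add_header 'Access-Control-Allow-Origin' 'https://domain.ru' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
            # Assumption: shortened list; use the headers the client really sends.
            add_header 'Access-Control-Allow-Headers' 'Content-Type,X-Requested-With' always;
            add_header 'Access-Control-Max-Age' 1728000 always;
            return 204;
        }

        # Actual requests. "always" attaches the headers to 401/403/5xx as well,
        # so the browser can read the error instead of reporting a CORS failure.
        # With Allow-Credentials the origin must be explicit: browsers reject '*'
        # on credentialed requests.
        add_header 'Access-Control-Allow-Origin' 'https://domain.ru' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;

        proxy_pass http://keeper_app/api/v1$request_uri;
    }
}
```

To check after a reload, run curl -i -H 'Origin: https://domain.ru' https://api.domain.ru/user/valid and confirm that the 401 response carries Access-Control-Allow-Origin.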