Adding CORS for NGINX Proxy

Adding CORS for NGINX Proxy

NGINX config example


# Catch-all HTTP virtual host: a request for an existing file under /var/www is
# served directly; every other request goes to the named location
# @proxy_to_app, which answers CORS preflights itself and proxies the rest to
# the app_server upstream (defined outside this snippet).
server {
listen 80;
server_name _;

root /var/www;

location / {
# Files served from here never pass through @proxy_to_app, so they carry none
# of the CORS headers added there.
try_files $uri @proxy_to_app;
}

location @proxy_to_app {

# START CORS
# $cors becomes 'on_options' for OPTIONS requests and stays 'on' otherwise.
set $cors 'on';

if ($request_method = OPTIONS) {
set $cors "${cors}_options";
}

# Answer the preflight from nginx with 204; it is never forwarded upstream.
# NOTE(review): add_header inside an "if" block replaces, rather than extends,
# any add_header set at an outer level, so security headers configured on the
# server or location would be missing from these responses.
if ($cors = 'on_options') {
# Wildcard origin: script on any website may read these responses. Browsers
# refuse to pair '*' with credentialed requests, but content protected only by
# network position (intranet, IP allowlist) becomes readable cross-origin.
# Prefer a fixed list of trusted origins unless the upstream is fully public.
add_header 'Access-Control-Allow-Origin' '*';
# Advisory for the browser only; nginx still proxies every non-OPTIONS method.
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Origin,Accept';
#
# Ask the client to cache this preflight result for 20 days (1728000 seconds);
# browsers apply their own, lower cap.
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
# END CORS

# X-Real-IP is the address of the connecting peer. X-Forwarded-For is the
# client's own X-Forwarded-For value with that address appended, so only the
# last entry is set by nginx; the upstream should not trust earlier entries.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# $http_host is the Host header exactly as the client sent it; the upstream
# should not build links or redirects from it without validating it.
proxy_set_header Host $http_host;
# NOTE(review): 'truehttp' looks like a typo for 'true' - confirm.
proxy_set_header X-NginX-Proxy truehttp;

proxy_pass http://app_server;
proxy_redirect off;

# START CORS
# Add the CORS headers to proxied (non-preflight) responses. The "if" is
# evaluated before the request is proxied; the headers are attached when the
# response is sent. The same wildcard-origin caveat as for the preflight applies.
# NOTE(review): without the "always" parameter add_header skips error
# responses (4xx/5xx), so upstream errors reach the browser without CORS headers.
if ($cors = 'on') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Origin,Accept';
# Lets cross-origin scripts read these two response headers.
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
# END CORS

}
}

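Make sure everything works: send a preflight (OPTIONS) request and a regular GET, each with an Origin header, and check the Access-Control-* headers in the responses.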


# Simulate a browser CORS preflight against the local proxy: an OPTIONS request
# carrying Origin plus the Access-Control-Request-* headers. --verbose prints
# the exchange so the Access-Control-* response headers can be inspected.
curl --silent --verbose \
  --request OPTIONS \
  --header "Origin: http://example.com" \
  --header "Access-Control-Request-Method: POST" \
  --header "Access-Control-Request-Headers: X-Requested-With" \
  http://127.0.0.1:80/

* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> OPTIONS / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.58.0
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 204 No Content
< Server: nginx
< Date: Fri, 15 Feb 2019 12:23:04 GMT
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Origin,Accept
< Access-Control-Max-Age: 1728000
< Content-Type: text/plain; charset=utf-8
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact


# Send an ordinary cross-origin GET through the proxy and inspect the CORS
# headers on the proxied response. Access-Control-Request-Method is a preflight
# header and is not needed on the actual request; it is sent here as in the
# original command. head keeps only the first lines of the body, which is why
# curl reports "Failed writing body" once the pipe closes.
curl --silent --verbose \
  --request GET \
  --header "Origin: http://example.com" \
  --header "Access-Control-Request-Method: GET" \
  http://127.0.0.1:80/ \
  | head

* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.58.0
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 15 Feb 2019 12:21:44 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 619519
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Powered-By: Express
< ETag: W/"973ff-armooGZGQl12PwcscUhYye6d6AM"
< Vary: Accept-Encoding
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Origin,Accept
< Access-Control-Expose-Headers: Content-Length,Content-Range
<
{ [97760 bytes data]


Hello World!

* Failed writing body (8192 != 16384)
* stopped the pause stream!
* Closing connection 0
