I set add_header X-Frame-Options deny always;.
Now I want to change it to SAMEORIGIN. To do that I changed the config in /etc/nginx/sites-available/my_domain:
#add_header X-Frame-Options deny always;
add_header X-Frame-Options sameorigin always;
But the response header is still showing X-Frame-Options DENY.
Here is the screenshot:
How can I change this?
Try:
add_header X-Frame-Options "SAMEORIGIN";
and restart Nginx. I tested "add_header X-Frame-Options SAMEORIGIN always;" and the Nginx error log reports:
invalid number of arguments in "add_header" directive in ...
Related
I have an EC2 instance on AWS that I have deployed a MERN stack on; I have defined nginx as follows:
server {
    #listen 80;
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name yourdomain.com;
    access_log /home/ubuntu/client/server_logs/host.access.log main;
    client_max_body_size 10M;

    location /api/ {
        add_header X-debug-message innnnnnnnnnnnnn;
        proxy_pass http://localhost:3000/;
    }

    location /admin-dashboard {
        root /home/ubuntu;
        index index.html;
        add_header X-uri "$uri";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }

    location / {
        root /home/ubuntu/client/deploy;
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
        add_header X-uri "$uri";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }

    location = /49x.html {
        root /usr/share/nginx/html;
    }

    server_tokens off;

    location ~ /\.ht {
        deny all;
    }
}
And I have attached the security groups as screenshots.
When I tried to fetch data with this URL, http://clikjo.com/api/, using a browser or Postman it works perfectly, but when I try it using JavaScript with fetch or Axios it fails with this error:
[TypeError: Network request failed]
Can anybody solve my problem?
I have tried to:
change my security groups
add headers, specify mode, fetch options, etc.
If you load a page in your browser using HTTPS, the browser will refuse to load any resources over HTTP. As you've tried, changing the API URL to have HTTPS instead of HTTP typically resolves this issue. However, your API must not allow for HTTPS connections. Because of this, you must either force HTTP on the main page or request that they allow HTTPS connections.
Note on this: The request will still work if you go to the API URL instead of attempting to load it with AJAX. This is because the browser is not loading a resource from within a secured page, instead it's loading an insecure page and it's accepting that. In order for it to be available through AJAX, though, the protocols should match.
You are getting a CORS error.
You need to fix it on the server side with an additional header:
add_header Access-Control-Allow-Origin *;
I added the following header in the Nginx conf:
add_header X-Frame-Options "SAMEORIGIN";
and then it worked fine.
Then I added another header like this:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
But X-XSS-Protection is not reflected in the response headers; only X-Frame-Options is added.
Then I removed X-Frame-Options from the Nginx conf file, and it still shows X-Frame-Options in the response headers but not the other one.
I am not sure if Nginx cached the previous conf file or if this is happening due to some other configuration.
Using nginx, I have an HTML file served at sub.example.com which needs to get its JSON data from example.com.
But the JSON is not loaded. Instead, in the Chrome browser I get:
The 'Access-Control-Allow-Origin' header has a value 'https://example.com' that is not equal to the supplied origin. Origin 'http://sub.example.com' is therefore not allowed access.
How can I fix this?
You need to set CORS headers on your example.com server to allow the domain sub.example.com to use this resource, for example:
add_header Access-Control-Allow-Origin "https://sub.example.com" always;
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
or:
add_header Access-Control-Allow-Origin "https://*.example.com" always;
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
You need to set it in the server that handles the JSON. You can allow * in CORS, but it isn't recommended.
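The following is an added example, not code from any of the posts above, and the allow-list and origins in it are constructed. It shows the two halves of the problem in this thread and in the "Access-Control-Allow-Origin *" answer further up: the check a browser performs on the response, and the server-side allow-list that has to satisfy it. A browser grants cross-origin access only when Access-Control-Allow-Origin is "*" or byte-for-byte equal to the request's Origin (scheme, host and port), so a value with a wildcard in the host, such as "https://*.example.com", never matches anything, and "https://example.com" does not cover "http://sub.example.com" (different scheme and host). The server therefore has to echo back exactly one permitted origin per request, send nothing when the origin is not on the list, and add Vary: Origin because the response now differs per origin. Allowing "*" works for public, credential-free data but opens the endpoint to every site and is refused by browsers as soon as credentials are involved.

```python
"""CORS origin allow-listing and the browser-side check it must satisfy.

Added example (not from the posts above); allow-list and origins constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the exact origins the JSON endpoint may serve.
ALLOWED_ORIGINS = frozenset({"https://sub.example.com", "https://example.com"})


def browser_accepts(acao_value, request_origin, with_credentials=False):
    """The browser's CORS check, simplified: "*" or an exact match, no patterns."""
    if acao_value == "*":
        return not with_credentials      # "*" is refused when credentials are sent
    return acao_value == request_origin  # byte-for-byte comparison


def normalize_origin(origin):
    """Canonical scheme://host[:port], or None if this is not a bare origin."""
    p = urlsplit(origin)
    try:
        port = p.port                    # ValueError on a non-numeric/out-of-range port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname or p.path or p.query or p.fragment:
        return None
    default = 443 if p.scheme == "https" else 80
    host = p.hostname.lower()
    return f"{p.scheme}://{host}" if port in (None, default) else f"{p.scheme}://{host}:{port}"


def origin_permitted(origin, allowed=ALLOWED_ORIGINS, parent_domain=None):
    """True if origin is listed, or is an https subdomain of parent_domain."""
    if origin in allowed:
        return True
    if parent_domain:
        p = urlsplit(origin)
        host = p.hostname or ""
        # The host must be the parent itself or end in ".parent": a bare
        # host.endswith("example.com") would also admit https://evilexample.com.
        return p.scheme == "https" and (host == parent_domain or host.endswith("." + parent_domain))
    return False


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, parent_domain=None,
                 with_credentials=False, preflight=False):
    """Response headers for a request carrying Origin: request_origin.

    Returns {} when the origin is not permitted: omitting the header denies
    access, whereas echoing an arbitrary Origin would allow every site.
    """
    if request_origin is None:
        return {}                        # same-origin or non-browser client
    origin = normalize_origin(request_origin)
    if origin is None or not origin_permitted(origin, allowed, parent_domain):
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,   # echo exactly one origin
        "Vary": "Origin",                        # caches must key on Origin
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:                                # reply to the OPTIONS request
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Origin, Content-Type, Accept"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    for o in ("https://sub.example.com", "http://sub.example.com", "https://evil.example.net"):
        print(o, "->", cors_headers(o) or "denied")
    print("wildcard header matches sub.example.com?",
          browser_accepts("https://*.example.com", "https://sub.example.com"))
```

In nginx the same per-request echo is done with a `map $http_origin $cors_origin { ... }` block that maps each permitted Origin to itself and everything else to an empty string, followed by `add_header Access-Control-Allow-Origin $cors_origin always;`; nginx does not add a header whose value is empty, so unlisted origins get no header at all.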
What was (or could be) the rationale behind Nginx's decision to only inherit add_header statements from the lowest level that has any?
For instance:
server {
    server_name example.com;
    root my/root;
    listen 443 ssl;
    ssl_certificate my.cert;
    ssl_certificate_key my.key;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'self' https:";

    location ~* \.(gif|jpeg|jpg|png|css|js|ico|txt)$ {
        add_header Cache-Control "public, max-age=86400";
    }
}
None of those security-related headers are added to the assets which match the location block dedicated to increasing cache time, just because that block adds another header.
The fix would be to duplicate all add_header directives into the block, which seems counter-intuitive to how the rest of Nginx works, e.g. the root directive.
The behaviour is documented here:
There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
I guess there is a good explanation and I'm curious about what it is.
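The following is an added example, not code from any of the posts on this page; the sample config in it is constructed to mirror the question. It applies the documented rule mechanically: only the add_header directives of the most specific block that declares any are emitted, and a block with none inherits the parent's complete set. Running it over a config shows per location which security headers will actually be sent, which is also the first thing to check in the two earlier posts where a header kept its old value or a newly added one never appeared (and keep in mind that headers coming from a proxied upstream pass through regardless of add_header; dropping them needs proxy_hide_header). The parser is deliberately minimal: no include, no if, no variable expansion, but it is quote-aware so a ';' inside a Content-Security-Policy value does not end the directive.

```python
"""Effective add_header set per nginx block (added example, sample config constructed)."""
import shlex
from dataclasses import dataclass, field

REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options",
                    "X-Content-Type-Options", "Content-Security-Policy")

# Constructed sample, modelled on the question: security headers at server
# level, one location without add_header, one that only tweaks caching.
SAMPLE_CONFIG = r"""
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'" always;

    location / {
        try_files $uri /index.html;   # no add_header here: inherits all four
    }

    location ~* \.(gif|jpeg|jpg|png|css|js|ico|txt)$ {
        add_header Cache-Control "public, max-age=86400";   # drops all four
    }
}
"""


@dataclass
class Block:
    name: str                                    # "server", "location /", ...
    headers: list = field(default_factory=list)  # (name, value) declared here
    children: list = field(default_factory=list)


def _tokenize(text):
    """Yield ("open", head), ("close", None) or ("directive", text).

    Quote-aware, so ';' inside a quoted value does not end the directive;
    '#' outside quotes starts a comment that runs to end of line.
    """
    buf, quote, i = [], None, 0
    while i < len(text):
        ch = text[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == "#":
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif ch in "{};":
            stmt = "".join(buf).strip()
            buf = []
            if ch == "{":
                yield ("open", stmt)
            elif ch == "}":
                yield ("close", None)
            elif stmt:
                yield ("directive", stmt)
        else:
            buf.append(ch)
        i += 1


def parse(text):
    """Build the Block tree, recording only add_header directives."""
    root, stack = Block("root"), []
    stack.append(root)
    for kind, stmt in _tokenize(text):
        if kind == "open":
            block = Block(stmt)
            stack[-1].children.append(block)
            stack.append(block)
        elif kind == "close":
            stack.pop()
        else:
            parts = shlex.split(stmt)    # handles "quoted values" like the shell does
            if parts[:1] == ["add_header"] and len(parts) >= 3:
                stack[-1].headers.append((parts[1], parts[2]))
    return root


def effective_headers(block, inherited=()):
    """Map every block name to the (name, value) list it will emit.

    nginx rule: a level with any add_header of its own uses only those;
    a level with none inherits the parent's complete set.
    """
    own = block.headers if block.headers else list(inherited)
    result = {block.name: list(own)}
    for child in block.children:
        result.update(effective_headers(child, own))
    return result


def missing_headers(config_text, required=REQUIRED_HEADERS):
    """For each location block, the required headers it will NOT send."""
    report = {}
    for name, hdrs in effective_headers(parse(config_text)).items():
        if name.startswith("location"):
            present = {h.lower() for h, _ in hdrs}
            report[name] = [h for h in required if h.lower() not in present]
    return report


if __name__ == "__main__":
    for location, missing in missing_headers(SAMPLE_CONFIG).items():
        print(f"{location}: {'ok' if not missing else 'MISSING ' + ', '.join(missing)}")
```

The usual remedy is to move the shared add_header lines into a snippet file and `include` it in every location that declares an add_header of its own; nginx expands include textually, so the headers then count as declared at that level and the inheritance rule no longer drops them.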
I ran PageSpeed and I am getting:
"Leverage browser caching"
I have added the following directive to my nginx.conf:
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
    expires 30d;
    add_header Pragma public;
    add_header Cache-Control "public";
}
but I am still getting the same message from Google.