Enabling CORS on nginx - nginx

I have followed this example to enable CORS on my API subdomain so that I can send requests to it from SwaggerUI. This is the output I get from running OPTIONS on that subdomain:
curl -i -X OPTIONS http://api.MYDOMAIN.com/v1/data/extraction
HTTP/1.1 204 No Content
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 18 Apr 2018 20:45:52 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-API-Key
Access-Control-Max-Age: 1728000
Content-Type: text/plain charset=UTF-8
Content-Length: 0
I'm stuck on where to go to figure out why in Chrome on my docs subdomain (same DOMAIN.com server) it still gives me this. Can anyone advise where I should look to?

I had a similar issue and couldn't get it to work. This setup finally worked for me. https://gist.github.com/Stanback/7145487 this is what it looks like. I just set $cors 'true' to test if it worked. It worked for me. This is all in the /location {...} area
set $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)') {
set $cors 'true';
}
if ($cors = 'true') {
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
# required to be able to read Authorization header in frontend
#add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
# required to be able to read Authorization header in frontend
#add_header 'Access-Control-Expose-Headers' 'Authorization' always;
# Tell client that this pre-flight info is valid for 20 days
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}

All it came down to the fact that NGINX had used more_set_headers instead of add_header (it may've been that NGINX had this module enabled) and after that using one of the above examples with it made it working.

You might want to test a call to api.MYDOMAIN.com/v1/data/extraction with curl and a CORS origin header.
curl -i -X POST -H "Origin: http://docs.whatever.com" \
--verbose http://api.MYDOMAIN.com/v1/data/extraction
The response should come back with the header:
Access-Control-Allow-Origin: *
If that header does not come back with the response, chrome will throw an error like what you saw.
P.S. there is a mention in the error that nginx responded with a 404, which might have something to do with it.

The problem might well be that Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true are incompatible - if you want to pass credentials, you will need to respond with Access-Control-Allow-Origin: {value-of-Origin-request-header} and Access-Control-Allow-Credentials: true.

Related

Nginx uinit cors

I want to handle cors on nginx unit level but I don't know how it make on nginx unit.
Example config for nginx
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS, DELETE, PATCH';
add_header 'Access-Control-Allow-Headers' 'Authorization,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range';
add_header 'Access-Control-Expose-Headers' 'Gc-Export-Errors';
return 204;
}
How I can do this for nginx unit?
Currently, Nginx Unit doesn't support functionality equal to add_header so if you need custom headers for 204 response it should be done using application. And configuration will looks like this:
{
"match":{
"method": "OPTIONS"
},
"action":{
"proxy": "path/to/app_return_204_with_custom_headers"
}
}

Nginx Cors with POST

I'm trying to send a post request from a client-side javascript (fetch) to my server which uses Nginx as the web server. The client-side javascript runs on a different domain.
I'm having trouble configuring Nginx to reply with the proper headers, when I try the config below, I get a 405 Not Allowed on the preflight request:
location /cookie/ {
root /myPlace;
add_header Allow 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Origin' '$http_origin' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
index index.php;
}
When I try the configuration below, the preflight is successful and it contains all the headers needed for CORS, but the main request errors to MissingAllowOriginHeader the console error is the familiar No 'Access-Control-Allow-Origin' header is present on the requested resource.
Here is the config which results in the behavior described above:
location /cookie/ {
root /myPlace;
add_header Allow 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Origin' '$http_origin' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
add_header 'Access-Control-Allow-Origin' '$http_origin' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-headers' 'Content-Type' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
return 204;
}
index index.php;
}
The strange thing is that the main request in this case doesn't return any CORS headers, although the preflight has all the necessary headers and doesn't error out.
Any idea how can I get past these CORS errors
If it helps, this is the javascript code I use on the client-side:
let theData = {
id: "123",
};
fetch("https://myServer.com/cookie/", {
method: 'POST',
mode: 'cors',
cache: 'no-cache',
headers: {
'Content-Type': 'application/json'
},
redirect: 'follow',
body: JSON.stringify(theData),
});
Thank you

Setting up HTTPS for a website hosted in AWS, but points to a webAPI in the local area network

I'm working on a project where we're hosting a webpage on AWS. The webpage calls a webAPI from a local area network computer name IE: Server-24.Local.
This approach ensures data doesn't leave the network as Server-24.Local is not exposed to the internet.
This approach has worked well so far. However, I am facing issues when i enable HTTPS via certbot:
If i try proxy_pass nginx to a webapi hosted in AWS on localhost, HTTPS works fine.
However, if i proxy_pass nginx to Server-24.Local, it returns cross-origin errors.
Both webAPIs are CORS-enabled.
Might anyone have any suggestions?
you can research about Nginx CORS enabled in internet... It's about end user browser security in chrome etc...
Here is an example, put it inside location tag {}
#
# Wide-open CORS config for nginx
#
location / {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
}
you can help look at here [https://enable-cors.org/server_nginx.html] ...
hopefully this help you...

Axios send wrong cookies (CORS)

I am using local development server (on my computer) for frontend. Backend is located on another server and I sending requests from frontend to backend using CORS.
It works ok, but when I passing cookies from frontend, It passed incorrect: namely the csrf token is different from what is stored in cookies.
Examples:
Cookies on Chrome dev tools, Application tab: csrf_token: b2o3q06llj
Request headers:
As you can see, header Cookie is different from data viewed on Application tab. X-Csrf-Token is correct, but Cookie header is wrong. It must contain csrf_token which is available on Dev tools > Application > Storage > Cookies
CORS setup in Nginx config (remote server):
if ($request_method ~* "(GET|POST)") {
add_header 'Access-Control-Allow-Origin' 'http://192.168.1.127:3000' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range, X-Csrf-Token, Cache-Control' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
}
# Preflighted requests
if ($request_method = OPTIONS ) {
add_header "Access-Control-Allow-Origin" 'http://192.168.1.127:3000' always;
add_header "Access-Control-Allow-Credentials" 'true' always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, X-Csrf-Token, Cache-Control" always;
return 204;
}
Axios setup:
axios.create({
baseURL: window.location.protocol + '//' +window.location.hostname + (window.location.port ? ':' + window.location.port : '') + '/data',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'X-Csrf-Token': <token>,
'X-Requested-With': 'XMLHttpRequest'
},
withCredentials: true
});
I can not understand what the problem is. Why does axios not send correct cookies?

NGINX Reverse Proxy and Access-Control-Allow-Origin issue

I'm configuring an NGINX Reverse Proxy.
On the browser I go to:
client url: https://www.hollywood.com
Then the web page above needs to do requests to:
server url: https://server.hollywood.com/api/auth/login
This is the configuration corresponding to: server.hollywood.com:
server {
listen 443 ssl;
server_name server.hollywood.com;
# add_header 'Access-Control-Allow-Origin' "https://www.hollywood.com" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
ssl_certificate ../ssl/lets-encrypt/hollywood.com.crt;
ssl_certificate_key ../ssl/lets-encrypt/hollywood.com.key;
location /
{
proxy_pass http://localhost:9201;
include "../proxy_params.conf";
}
}
Experiment 1:
With the Access-Control-Allow-Origin line commented out, when I access to:
client url: https://www.hollywood.com
I get the following error on the browser console (Chrome in my case):
POST https://server.hollywood.com/api/auth/login/local 502 (Bad Gateway)
(index):1 Failed to load https://server.hollywood.com/api/auth/login/local: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.hollywood.com' is therefore not allowed access. The response had HTTP status code 502.
Experiment 2:
If I enable the Access-Control-Allow-Origin line above, then I get on the browser terminal:
Failed to load https://server.hollywood.com/api/auth/login/local: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, https://www.hollywood.com', but only one is allowed. Origin 'https://www.hollywood.com' is therefore not allowed access.
I don't know why multiple when before that header was not present???
Experiment 3:
In the other hand, if I go directly on the browser to the:
server url: https://server.hollywood.com/api/auth/login
with the Access-Control-Allow-Origin line commented out, I get the following (on the Network section):
Response Headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 139
Content-Security-Policy: default-src 'self'
Content-Type: text/html; charset=utf-8
Date: Sat, 09 Jun 2018 06:34:00 GMT
Server: nginx/1.13.12
X-Content-Type-Options: nosniff
Before I got: "No 'Access-Control-Allow-Origin' header is present on the requested resource." but now I see above that field is in there on the Response Headers.
Experiment 4:
If I enable again the Access-Control-Allow-Origin line above, then I get the following (on the Network section):
Response Headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: https://www.hollywood.com
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 139
Content-Security-Policy: default-src 'self'
Content-Type: text/html; charset=utf-8
Date: Sat, 09 Jun 2018 06:34:58 GMT
Server: nginx/1.13.12
X-Content-Type-Options: nosniff
Now I get two times the field: Access-Control-Allow-Origin.
Do you have any idea why my first 2 experiments are failing getting the errors relative to: Access-Control-Allow-Origin?
Thanks!
It could be that the server behind your proxy_pass was setting the Access-Control-Allow-Origin header as well.
For what it's worth for future readers with a similar problem, I found that my node.js server was passing an Access-Control-Allow-Origin: '*' header for some reason, as well as the actual header I'd set in node.js to restrict CORS. When commenting out my node.js cors middleware, the Access-Control-Allow-Origin: '*' header still remained.
To resolve this, I used the nginx proxy_hide_header directive to remove the header coming from node.js and manually adding it as it should be:
# proxying the
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# local node.js server
upstream websocket {
server 127.0.0.1:3000;
}
server {
server_name ...;
# ...;
# add the header here
add_header Access-Control-Allow-Origin https://www.hollywood.com;
# Websockets config
location /socket.io/ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# do not pass the CORS header from the response of the proxied server to the
# client
proxy_hide_header 'Access-Control-Allow-Origin';
proxy_pass http://websocket;
proxy_http_version 1.1;
}
location / {
# ...
try_files $uri /index.html;
}
}
Googling this issue was pretty hard since most people are trying to fix CORS by making the Access-Control wide open! Here was another issue with similar problems:
https://serverfault.com/questions/751678/how-can-i-replace-access-control-allow-origin-header-in-proxy-response-with-ngin
Try this configuration:
server {
listen 443 ssl;
server_name server.hollywood.com;
ssl_certificate ../ssl/lets-encrypt/hollywood.com.crt;
ssl_certificate_key ../ssl/lets-encrypt/hollywood.com.key;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
location / {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
proxy_pass http://localhost:9201;
include "../proxy_params.conf";
}
if ($request_method = 'GET') {
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
proxy_pass http://localhost:9201;
include "../proxy_params.conf";
}
}
}
Code based on https://enable-cors.org/server_nginx.html
Hope it helps.

Resources