/cors-nginx.conf
forked from michiel/cors-nginx.conf
Created Nov 28, 2012
| # | |
| # Slightly tighter CORS config for nginx | |
| # | |
| # A modification of https://gist.github.com/1064640/ to include a white-list of URLs | |
| # | |
| # Despite the W3C guidance suggesting that a list of origins can be passed as part of | |
| # Access-Control-Allow-Origin headers, several browsers (well, at least Firefox) | |
| # don't seem to play nicely with this. | |
| # | |
| # To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting | |
| # method to control access instead. | |
| # | |
| # NB: This relies on the use of the 'Origin' HTTP Header. | |
| location / { | |
| if ($http_origin ~* (whitelist\.address\.one|whitelist\.address\.two)) { | |
| set $cors "true"; | |
| } | |
| # Nginx doesn't support nested If statements. This is where things get slightly nasty. | |
| # Determine the HTTP request method used | |
| if ($request_method = 'OPTIONS') { | |
| set $cors "${cors}options"; | |
| } | |
| if ($request_method = 'GET') { | |
| set $cors "${cors}get"; | |
| } | |
| if ($request_method = 'POST') { | |
| set $cors "${cors}post"; | |
| } | |
| if ($cors = "true") { | |
| # Catch all incase there's a request method we're not dealing with properly | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| } | |
| if ($cors = "trueget") { | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| } | |
| if ($cors = "trueoptions") { | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| # | |
| # Om nom nom cookies | |
| # | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| # | |
| # Custom headers and headers various browsers *should* be OK with but aren't | |
| # | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| # | |
| # Tell client that this pre-flight info is valid for 20 days | |
| # | |
| add_header 'Access-Control-Max-Age' 1728000; | |
| add_header 'Content-Type' 'text/plain charset=UTF-8'; | |
| add_header 'Content-Length' 0; | |
| return 204; | |
| } | |
| if ($cors = "truepost") { | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| } | |
| } |
This comment has been minimized.
This comment has been minimized.
Ry4an
commented
Aug 9, 2013
|
Thanks for this. I think you want a |
This comment has been minimized.
This comment has been minimized.
jmenchacavr
commented
Aug 5, 2014
|
$http_origin is empty on my system. Is there some mechanism needed to have this available? |
This comment has been minimized.
This comment has been minimized.
kaitsche
commented
Nov 18, 2014
|
curl -I -X OPTIONS -H "Origin: http://www.example.com" http://www.yourdomain.com |
This comment has been minimized.
This comment has been minimized.
spyrospph
commented
Mar 12, 2015
|
Hi, I have observed when I use an if statement within a location then nginx returns a 404. So the below does not work: if ($cors = "true") { try_files $uri $uri/ /index.php?$args; causes nginx to not reach the try_files directive and return a 404. Anyone else with this issue? |
This comment has been minimized.
This comment has been minimized.
mox601
commented
Mar 17, 2015
|
@spyrospph I have the same problem, and it's also documented at IfIsEvil. |
This comment has been minimized.
This comment has been minimized.
thoughtless
commented
Mar 18, 2015
This comment has been minimized.
This comment has been minimized.
lainjiang
commented
Feb 26, 2016
|
What does 'X-Mx-ReqToken' header actually do? I see it in all CORS tutorials for nginx but can't find any info otherwise. |
This comment has been minimized.
This comment has been minimized.
c-shang
commented
Jan 11, 2017
|
This is very helpful |
This comment has been minimized.
This comment has been minimized.
bfricka
commented
Jan 4, 2018
|
According to nginx, |
This comment has been minimized.
This comment has been minimized.
thiagof
commented
Feb 13, 2018
|
Correct ^ |
This comment has been minimized.
This comment has been minimized.
michalzvolanek
commented
Mar 29, 2018
|
Very well, thanks |
This comment has been minimized.
This comment has been minimized.
vlad-vintila-hs
commented
Oct 30, 2018
+1 came here to say this |
This comment has been minimized.
algal commentedApr 29, 2013
This is very great. I commented it, updated various parts (e.g., not returning preflight response headers to actual requests), and put the result here: https://gist.github.com/algal/5480916 .