/cors-nginx.conf
forked from michiel/cors-nginx.conf
| # | |
| # Slightly tighter CORS config for nginx | |
| # | |
| # A modification of https://gist.github.com/1064640/ to include a white-list of URLs | |
| # | |
| # Despite the W3C guidance suggesting that a list of origins can be passed as part of | |
| # Access-Control-Allow-Origin headers, several browsers (well, at least Firefox) | |
| # don't seem to play nicely with this. | |
| # | |
| # To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting | |
| # method to control access instead. | |
| # | |
| # NB: This relies on the use of the 'Origin' HTTP Header. | |
| location / { | |
| if ($http_origin ~* (whitelist\.address\.one|whitelist\.address\.two)) { | |
| set $cors "true"; | |
| } | |
| # Nginx doesn't support nested If statements. This is where things get slightly nasty. | |
| # Determine the HTTP request method used | |
| if ($request_method = 'OPTIONS') { | |
| set $cors "${cors}options"; | |
| } | |
| if ($request_method = 'GET') { | |
| set $cors "${cors}get"; | |
| } | |
| if ($request_method = 'POST') { | |
| set $cors "${cors}post"; | |
| } | |
| if ($cors = "true") { | |
| # Catch all incase there's a request method we're not dealing with properly | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| } | |
| if ($cors = "trueget") { | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| } | |
| if ($cors = "trueoptions") { | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| # | |
| # Om nom nom cookies | |
| # | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| # | |
| # Custom headers and headers various browsers *should* be OK with but aren't | |
| # | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| # | |
| # Tell client that this pre-flight info is valid for 20 days | |
| # | |
| add_header 'Access-Control-Max-Age' 1728000; | |
| add_header 'Content-Type' 'text/plain charset=UTF-8'; | |
| add_header 'Content-Length' 0; | |
| return 204; | |
| } | |
| if ($cors = "truepost") { | |
| add_header 'Access-Control-Allow-Origin' "$http_origin"; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| } | |
| } |
Thanks for this. I think you want a $ at the end of the regex on line 18. Without it my site http://whitelist.address.one.evil.com will pass and show up in the Access-Control-Allow-Origin header.
$http_origin is empty on my system. Is there some mechanism needed to have this available?
curl -I -X OPTIONS -H "Origin: http://www.example.com" http://www.yourdomain.com
Hi,
I have observed when I use an if statement within a location then nginx returns a 404.
So the below does not work:
if ($cors = "true") {
add_header 'Access-Control-Allow-Origin' "$http_origin";
}
try_files $uri $uri/ /index.php?$args;
causes nginx to not reach the try_files directive and return a 404.
Anyone else with this issue?
@spyrospph I have the same problem, and it's also documented at IfIsEvil.
imho, if there are no ways to add cors headers without using ifs, don't use nginx.
What does 'X-Mx-ReqToken' header actually do? I see it in all CORS tutorials for nginx but can't find any info otherwise.
This is very great. I commented it, updated various parts (e.g., not returning preflight response headers to actual requests), and put the result here: https://gist.github.com/algal/5480916 .