#
# Wide-open CORS config for nginx
#
# Note: add_header directives inside an if{} block replace (rather than add to)
# any set in the enclosing location, which is why every branch repeats the full
# set. Browsers refuse '*' as Access-Control-Allow-Origin on requests made with
# credentials (cookies), so with '*' the Allow-Credentials header below does not
# enable cookie-bearing cross-origin requests.
#
location / {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
}
Thanks a lot. This saved my day :)

good example for config options

If only I could see this before wasting 5 hours of time... Thanks a lot for saving the rest of my day! :)

For me I had to return 204, otherwise the browser would hang and then time out on the OPTIONS request:

Updated with 204 return for OPTIONS (mrdevin) and wildcard '*' for Access-Control-Allow-Origin (epicserve).

I've updated this in https://gist.github.com/4165271 to add a poor man's whitelist. I'm not really sure where having Access-Control-Allow-Origin as wildcard would cause too many issues, but some people may be extra conscious. We use a simple-ish regexp to match valid URLs. Please note that I haven't load tested this, so I don't know what kind of effect it'll have.

Thanks for this. I use: add_header "Access-Control-Allow-Origin" $http_origin;

FWIW the HTTP/1.1 RFC says the response from OPTIONS is not cacheable. Doesn't that mean a browser must ignore your Access-Control-Max-Age header?

Thanks a lot!

From MDN:
I've confirmed that at least Firefox will block a request with cookies if the Access-Control-Allow-Origin is set to '*'.
This does not work for me

You cannot use a wildcard

When starting to use this, Chrome will cache the earlier (CORS failed) requests. Reset the cache to get things working!

Place this in nginx.conf or server blocks?

As stated in the docs So save the two hours I just wasted and add

By adding this CORS block to my nginx config I now see my initial OPTIONS request followed by an identical GET request (incorrect duplicate) - Any idea what could be causing this? https://gist.github.com/brupm/1b2c69cbf8f9612ee304 I suspect it's the

There is a better page http://enable-cors.org/server.html

If you use a cache server, you must add a

Where do I put them?

for anybody on Ubuntu first install turn all add_header into more_set_headers

On So instead of
Use

When I add
I get: Any idea?

@maxim25, are you sure that your nginx is 1.7.5 or newer?

If 'Access-Control-Allow-Credentials' is set "TRUE"

Thanks.

Line 28 add_header 'Content-Type' 'text/plain charset=UTF-8'; It seems the semicolon is missing, maybe 'text/plain; charset=UTF-8' is more standard

In case you want to use the wildcard origin where possible but also allow credentials if the origin was sent along, use the following:
Why do you specify Content-Type-related headers if there is no body for a 204 response?

Here is a shorter version of access control allow origin for Nginx that should get you started.

I'm having a problem with this code. This is giving me an error.

I have put this code in location inside /site-enabled/ but it's still giving an error on http://defaultwallpaper.com Please help.

Syntax error: missing closing ' in checking OPTIONS. 'Content-Length should be 'Content-Length'

Thanks for the snippet but

set $cors_origin "https://your.domain";
if ($http_origin ~* ^(https?://[\w\.\-]+(:\d+)?)/?.*?$ ) {
    set $cors_origin $1;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

If you want a wildcard domain, I'd set the default to that. The problem is, the Origin header isn't always set from what I'm seeing. Vary seems to fix that. The always directive just means use it for any status code. That can cause some confusion, as not everyone who wants "withCredentials" actually wants anything to do with credentials, so the security concern goes poof. There's another option not included of also falling back to the referrer. It's really hard to find out how 'if' actually works in nginx. Nginx configuration doesn't appear to make use of an ordered map or ordered list, and the most prevalent documentation on the matter is confusing. Once you need to go into if space, you might find yourself really wanting a module for this. If the sample you posted goes into something with another if statement then it can be wiped out if another if matches. My instinct for security also tells me that you might want to validate the Origin header, though I have to wonder how far to really go with this. Can the user inject anything malicious? If they try to inject a new line then they'll just be sending another header rather than injecting a response header. I suppose the only thing they might do with something reflecting what's sent is try to exploit some client header handling exploit, which seems a bit far fetched (and the use of . doesn't do much to prevent that).
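Two threads above point at the same fix: the gist at the top pairs '*' with Access-Control-Allow-Credentials, which browsers reject for cookie-bearing requests (the Firefox report above), and the regexp snippet above matches any https?:// host, so it reflects every Origin it is given. The following is an added example, not the gist's code nor any commenter's, of the allowlisted form: a map in the http context decides which Origin values may be echoed back, credentials are only offered when an origin matched, and Vary: Origin keeps shared caches from handing one origin's answer to another. The names app.example.com, *.example.com, api.example.com, the /api/ location and the 127.0.0.1:8080 backend are placeholders for the illustration.

```nginx
# Added example (not the gist's config): CORS with an explicit origin allowlist.
# app.example.com, *.example.com, api.example.com, /api/ and 127.0.0.1:8080 are
# placeholders.

http {
    # Map the request's Origin to the value we are willing to echo back.
    # Unlisted origins map to "", and add_header skips an empty value, so
    # those responses carry no Access-Control-Allow-Origin header at all.
    # Both patterns are anchored with ^ and $; an unanchored host pattern
    # would also match unrelated hosts.
    map $http_origin $cors_origin {
        default                               "";
        "~^https://app\.example\.com$"        $http_origin;
        "~^https://[a-z0-9-]+\.example\.com$" $http_origin;
    }

    # Only offer credentials when an allowlisted origin matched.
    map $cors_origin $cors_credentials {
        ""      "";
        default "true";
    }

    server {
        listen 443 ssl;
        server_name api.example.com;
        # ssl_certificate / ssl_certificate_key go here.

        location /api/ {
            # "always" (nginx 1.7.5+) adds the headers to 4xx/5xx responses
            # too, so a failed call is still readable by the calling page.
            add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
            add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
            add_header 'Vary'                             'Origin'          always;

            if ($request_method = 'OPTIONS') {
                # add_header directives inside if{} replace, not merge with,
                # the ones above, so the preflight branch lists everything it
                # needs. A 204 has no body, so no Content-Type is set.
                add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
                add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
                add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS' always;
                add_header 'Access-Control-Allow-Headers'     'Authorization, Content-Type, X-Requested-With' always;
                # Max-Age only governs the cached preflight result, and
                # browsers cap it well below 20 days (Chromium 2 h, Firefox 24 h).
                add_header 'Access-Control-Max-Age'           7200              always;
                add_header 'Vary'                             'Origin'          always;
                return 204;
            }

            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Check the result with `nginx -t` before reloading, then confirm with a preflight (an OPTIONS request carrying an Origin header) that an allowlisted origin gets its own value echoed back and an unlisted one gets no Access-Control-Allow-Origin header at all.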
I'm facing the following error message. Any idea how to solve it please?
Here is my config:
I have also tried with the following in all 3 "if" blocks:
I get the same error message as above. I have also added the following in all 3 "if" blocks in addition to "$http_origin":
I get the following error message:

thx!

I hope my recent solution helps someone, check this https://gist.github.com/alexjs/4165271#gistcomment-3138623

This is fantastic. It helped me solve my issue!

would work

Hi, is anyone able to assist with my issue? I am seeing that my cookie is coming through in the response headers, but not being saved on the browser. I am only noticing this in production (where I am using Nginx and SSL) and not in development (which is not using a proxy and not using SSL). I am using My configurations are as follows: Nginx (/etc/nginx/sites-available/default)
Cookie values, using

So, I've never done anything with Nginx or CORS, and have absolutely zero coding knowledge or experience. In layman's terms, how in the world am I supposed to use any of this? It doesn't seem to work no matter how I do it. I'm using nginx 1.19.2

@DictatorL -- you'll find a file

That worked!

This doesn't seem to work for me ... I'm using nginx/1.0.5. For testing I replaced http://10.140.10.40 with *.