Skip to content

Instantly share code, notes, and snippets.

@nasrulhazim

nasrulhazim/haproxy-cors.md

Last active January 22, 2024 06:12
Show Gist options
  • Star 15 You must be signed in to star a gist
  • Fork 11 You must be signed in to fork a gist
  • Save nasrulhazim/3f726dbe91c0fa87730809a014f89a02 to your computer and use it in GitHub Desktop.
Save nasrulhazim/3f726dbe91c0fa87730809a014f89a02 to your computer and use it in GitHub Desktop.
Download ZIP
Setting Up CORS in HAProxy
Raw
haproxy-cors.md 
frontend localnodes
    bind *:80
    reqadd X-Forwarded-Proto:\ http

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps

frontend localnodes-https
    # Certificate
    bind *:443 ssl crt /etc/ssl/private/domain_com.pem
    reqadd X-Forwarded-Proto:\ https

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps
        
backend backend_apps
    # Force HTTPS
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    server App1 192.168.1.201:80 check
    server App2 192.168.1.202:80 check
    server App3 192.168.1.203:80 check
    server App4 192.168.1.204:80 check
    server App5 192.168.1.205:80 check
@DBassel
Copy link

DBassel commented Jun 20, 2019

:)
http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
why not simply use http-response add-header Access-Control-Allow-Origin * ?

@Nordalf
Copy link

Nordalf commented Jul 18, 2019
edited

If you are using the wildcard ( * ) in the header, please be aware if you are using authentication, then is not allowed. Then the domain has to be exact. If what you are developing is public and with no authentication, use the wildcard. Otherwise: be cautious :)

@csaltos
Copy link

csaltos commented Apr 5, 2021

If you do this you screw the whole security concept of CORS ... please just add the origins you actually allow (instead of opening the door wide open with the capture origin header)

@lafada
Copy link

lafada commented Sep 7, 2021

Anyone get the solution with backend and authentication as true?

@vishalk663
Copy link

vishalk663 commented Sep 14, 2021
edited

using the above configuration we getting the below error

Access-Control-Allow-Origin contains muliple headers. but only one is allowed

we using this configuration in haproxy

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps

@akshatkalkhanda
Copy link

Need this type of configuration for HAProxy version 2.4.12-4b7772e 2022/01/11.

As above configuration is working for me on HaProxy Version 1.5,1.8.

BUt after upgrading Haproxy to 2.4 its not working.

@nicovs
Copy link

nicovs commented Mar 31, 2022
edited

@akshatkalkhanda , might be a little late, but:

    capture request header origin len 128
    http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Methods "GET, HEAD, OPTIONS, POST, PUT" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Credentials true if { capture.req.hdr(0) -m found }

    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-Xss-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment