Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Nginx CORS maps
map $http_origin $allow_origin {
default "";
"~^https?://(?:[^/]*\.)?(stevebuzonas\.(?:com|local))(?::[0-9]+)?$" "$http_origin";
}
map $request_method $cors_method {
default "allowed";
"OPTIONS" "preflight";
}
map $cors_method $cors_max_age {
default "";
"preflight" 1728000;
}
map $cors_method $cors_allow_methods {
default "";
"preflight" "GET, POST, OPTIONS";
}
map $cors_method $cors_allow_headers {
default "";
"preflight" "Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since";
}
map $cors_method $cors_content_length {
default $initial_content_length;
"preflight" 0;
}
map $cors_method $cors_content_type {
default $initial_content_type;
"preflight" "text/plain charset=UTF-8";
}
add_header Access-Control-Allow-Origin $allow_origin;
add_header Access-Control-Allow-Credentials 'true';
add_header Access-Control-Max-Age $cors_max_age;
add_header Access-Control-Allow-Methods $cors_allow_methods;
add_header Access-Control-Allow-Headers $cors_allow_headers;
set $initial_content_length $sent_http_content_length;
add_header 'Content-Length' "";
add_header 'Content-Length' $cors_content_length;
set $initial_content_type $sent_http_content_type;
add_header Content-Type "";
add_header Content-Type $cors_content_type;
if ($request_method = 'OPTIONS') {
return 204;
}
@rmalenko

This comment has been minimized.

Copy link

rmalenko commented Nov 11, 2016

Thank you.
May need change
"~^https?://(?:[^/]*\.)?(stevebuzonas\.(?:com|local))(?::[0-9]+)?$" "$http_origin";
to
"~^https?:\/\/(?:[^/]*\.)?(stevebuzonas\.(?:com|local))(?::[0-9]+)?$" "$http_origin";

@sbuzonas

This comment has been minimized.

Copy link
Owner Author

sbuzonas commented Sep 12, 2017

The / character only needs escaped in a regex if it is used at the delimiter. The nginx patterns do not use a delimiter, so escaping the character is unnecessary.

@dabajabaza

This comment has been minimized.

Copy link

dabajabaza commented Mar 29, 2018

In what block - http{} , server{}, location{} - it should be included? If I include it in server or http it says 'map directive is not allowed here', if it included in location it says 'set directive is not allowed here'

@miend

This comment has been minimized.

Copy link

miend commented Apr 11, 2018

@dabajabaza Did you ever figure out the answer to this? I'm trying to implement if statements for CORS, and every option I find seems to be disallowed somewhere. Likewise this one is not allowed in http, server, or location blocks...

@vasike

This comment has been minimized.

Copy link

vasike commented Jul 10, 2018

@dabajabaza / @miend : i was able to make it work with "maps" directives outside {server} and "add_header" directives inside {server} block
maybe it helps

@sbuzonas

This comment has been minimized.

Copy link
Owner Author

sbuzonas commented Oct 30, 2018

I typically include this in the http block. But, if you have more than one server and don't want cors configured for it, the maps need to be in http... And the add_header parts can pretty much go anywhere.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.