I am following this reference, trying to have my nginx accept CORS: http://enable-cors.org/server_nginx.html

But no matter how I configure my /etc/nginx/site-enable/default, as shown below, it just doesn't work. Is anything wrong with my configuration?

Thanks.

server {
  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;

  root /usr/share/nginx/html;
  index index.html index.htm;

  # Make site accessible from http://localhost/
  server_name localhost;
  #add_header Access-Control-Allow-Origin *; # < this is the needed header

  location / { 
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    #try_files $uri $uri/ =404;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules

    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      #   
      # Om nom nom cookies
      #   
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      #   
      # Custom headers and headers various browsers *should* be OK with but aren't
      #   
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      #   
      # Tell client that this pre-flight info is valid for 20 days
      #   
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }   
    if ($request_method = 'POST') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }   
    if ($request_method = 'GET') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }   
  }    
}
ipinak
Chandler.Huang

1 Answer

The Nginx CORS-Filter only gets triggered when all the headers you send within your requests are propagated in the allowed-headers field. Once you send only one header which is not mentioned in this section, the CORS-Filter will simply do nothing. Did you check your request headers?

In addition, your configuration will not work with PUT-Requests. Which type of requests do you send? Did you check the Response-headers?

Try to set ipv6only=off;

Ben
  • I am trying to reproduce the steps: $ curl -I "http://petstore.swagger.io/v2/swagger.json" within document below: https://github.com/swagger-api/swagger-ui/blob/master/README.md#cors-support But I only got curl -I "http://ebc-vm:8080/swagger.json" HTTP/1.1 200 OK Server: nginx/1.4.6 (Ubuntu) Date: Mon, 15 Jun 2015 05:30:16 GMT Content-Type: application/json Content-Length: 8875 Last-Modified: Mon, 15 Jun 2015 03:36:29 GMT Connection: keep-alive – Chandler.Huang Jun 15 '15 at 05:33
  • Since you use this API, you must add: Content-Type, api_key, Authorization to the Access-Control-Allowed-Headers – Ben Jun 15 '15 at 05:36
  • Thanks for the tips. I have updated my configuration but still can't make swagger-ui work. – Chandler.Huang Jun 15 '15 at 05:48
  • # curl -I "http://petstore.swagger.io/v2/swagger.json" HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, DELETE, PUT Access-Control-Allow-Headers: Content-Type, api_key, Authorization Content-Type: application/json Content-Length: 0 Connection: close Server: Jetty(9.2.7.v20150116) – Chandler.Huang Jun 15 '15 at 05:48
  • # curl -I "http://ebc-vm/swagger.json" HTTP/1.1 200 OK Server: nginx/1.4.6 (Ubuntu) Date: Mon, 15 Jun 2015 05:45:54 GMT Content-Type: application/json Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT Access-Control-Allow-Headers: Origin, Authorization, Accept, Content-Type, api_key Access-Control-Allow-Credentials: true Accept-Ranges: bytes – Chandler.Huang Jun 15 '15 at 05:48
  • But now your Nginx is setting Access-Control-Allow-Origin: * as you described in your comment above. Could you describe your problem in a bit more detail? – Ben Jun 15 '15 at 06:33
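
Added example, not part of the thread or of any project mentioned in it: a small checker that applies the browser-side CORS rules to the response headers quoted in the comments above, treating them as if they were the response to the browser's request. The `ORIGIN` value and the function names are assumptions made for illustration.

```python
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
ORIGIN = "http://swagger-ui.example"  # hypothetical origin of the calling page

# Abridged from the two ebc-vm responses quoted in the comments above.
NGINX_BEFORE = """HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive"""
NGINX_AFTER = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Allow-Headers: Origin, Authorization, Accept, Content-Type, api_key
Access-Control-Allow-Credentials: true"""

def parse_headers(raw):
    """Turn `curl -I` output into {lower-cased header name: value}."""
    pairs = (line.partition(":") for line in raw.strip().splitlines()[1:])
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def cors_problems(raw, origin, method="GET", request_headers=(), credentials=False):
    """List the reasons a browser would block this cross-origin request."""
    h = parse_headers(raw)
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return ["no Access-Control-Allow-Origin header"]
    problems = []
    if allow_origin == "*" and credentials:
        problems.append("wildcard origin is rejected for credentialed requests")
    elif allow_origin not in ("*", origin):
        problems.append("allowed origin does not match " + origin)
    if credentials and h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    wild = set() if credentials else {"*"}  # "*" is a wildcard only without credentials
    methods = tokens(h.get("access-control-allow-methods", ""))
    if method.upper() not in SIMPLE_METHODS and not methods & (wild | {method.lower()}):
        problems.append("method %s not in Access-Control-Allow-Methods" % method)
    allowed = tokens(h.get("access-control-allow-headers", ""))
    for name in request_headers:  # non-safelisted headers the preflight would name
        if not allowed & (wild | {name.lower()}):
            problems.append("header %s not in Access-Control-Allow-Headers" % name)
    return problems

if __name__ == "__main__":
    for label, raw in (("before", NGINX_BEFORE), ("after", NGINX_AFTER)):
        print(label, cors_problems(raw, ORIGIN, "GET", ["api_key"], credentials=True))
```

`curl -I` sends a HEAD request with no `Origin` header, and the `if ($request_method = ...)` blocks in the question's configuration match only OPTIONS, POST and GET.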